How to Generate a Code Signing CSR on Windows Using certreq

Important Update!

Starting from June 1st, 2023, a new security measure is in place for code signing certificates. All code signing certificates must now be stored on hardware meeting specific security standards such as FIPS 140 Level 2, Common Criteria EAL 4+, or their equivalents.

As a result, the process of obtaining and installing certificates has changed. Certificate Authorities no longer support browser-based key generation, CSR creation, or certificate installation on laptops or servers. Instead, if you opt for token + shipment as your code signing delivery method, the CA will handle CSR generation. Alternatively, if you prefer to use your own Hardware Security Module (HSM), check the guides below or follow your HSM provider’s instructions for CSR generation.


The following text contains outdated information, no longer applicable to CSR generation for code signing certificates.

Starting from June 1, 2021, code signing certificate applicants must abide by the CA/Browser Forum Code Signing Baseline Requirements, which require an RSA key length of at least 3072 bits. For better security, we recommend creating a Certificate Signing Request (CSR) with a 4096-bit key.

There are numerous methods to create a CSR for a code signing certificate, and in this article, we will show you how to generate a CSR using the CertReq command in Windows.

Create the CSR With certreq

To use the “certreq” command, you must first construct a “request.inf” file with a text editor like Notepad. Follow the instructions below to construct a request.inf file and generate a CSR for your code signing certificate.

Build the request.inf File

The request.inf file should contain the “Subject Details” required to be included in the CSR. After building the request.inf file, you can create a CSR using it.

Copy the contents below into a text document and save them as “request.inf”. You must replace only the “Subject” line to include your Company details.

[NewRequest]

;Change to your country code(C), common name(CN), company name(O), locality(L), state/province name (S)

Subject = "CN=Your Company Name, O=Your Company Name, L=City, S=State, C=US"

KeySpec = 1

KeyLength = 4096

Exportable = TRUE

MachineKeySet = FALSE

SMIME = False

PrivateKeyArchive = FALSE

UserProtected = FALSE

UseExistingKeySet = FALSE

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = PKCS10

KeyUsage = 0xa0

HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.3 ; this is for code signing
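An added example, not part of the original article or of certreq itself: a small Python pre-flight check for request.inf that verifies the settings this article relies on (a key length of at least 3072 bits, a non-legacy hash, the code signing EKU OID) and catches typographic quotes introduced by copy and paste. The function names and both sample files are constructed for illustration.

```python
CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"  # EKU OID from the request.inf above
MIN_RSA_BITS = 3072                      # minimum RSA key size stated in this article
WEAK_HASHES = {"md5", "sha1"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

def parse_inf(text):
    """Parse INF text into {section: [(key, value), ...]} with lowercased names."""
    # Simplification: everything after ';' on a line is treated as a comment.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def lint_request_inf(text):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    if any(ch in text for ch in CURLY_QUOTES):
        problems.append("typographic quotes found; use straight double quotes")
    inf = parse_inf(text)
    req = dict(inf.get("newrequest", []))
    bits = req.get("keylength", "")
    if not bits.isdigit() or int(bits) < MIN_RSA_BITS:
        problems.append(f"KeyLength '{bits}' is missing or below {MIN_RSA_BITS}")
    if req.get("hashalgorithm", "").lower() in WEAK_HASHES:
        problems.append(f"HashAlgorithm {req['hashalgorithm']} is too weak")
    ekus = [v for k, v in inf.get("enhancedkeyusageextension", []) if k == "oid"]
    if CODE_SIGNING_EKU not in ekus:
        problems.append(f"code signing EKU {CODE_SIGNING_EKU} not requested")
    return problems

# Constructed samples: GOOD_INF mirrors the template above, BAD_INF is deliberately wrong.
GOOD_INF = """[NewRequest]
Subject = "CN=Your Company Name, O=Your Company Name, L=City, S=State, C=US"
KeyLength = 4096
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; this is for code signing
"""
BAD_INF = """[NewRequest]
Subject = \u201cCN=Your Company Name, C=US\u201d
KeyLength = 2048
HashAlgorithm = SHA1
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""
```

To check your own file, pass its contents to lint_request_inf, for example lint_request_inf(open("request.inf", encoding="utf-8-sig").read()).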

Generate the CSR via the request.inf File

Once you have saved the request.inf file, you can use the Windows Command Prompt to generate a CSR by entering the following command:

CERTREQ -new request.inf codesign.csr

After running this command, a new CSR will be generated and saved as a file named “codesign.csr”. You can then submit this CSR to the CA in order to request a code signing certificate.

Final Steps

Once you have received your code signing certificate, you must install it on the same computer where you generated the CSR, because that is where the matching private key is stored. Run the following command:

certreq -accept certificate.crt

After installing the certificate, you can export it to a PFX file (the Exportable = TRUE setting in request.inf is what allows the private key to be exported). The process for exporting the certificate may vary depending on the operating system and your specific software. Generally, you can export the certificate by opening the certificate manager, selecting the certificate, and choosing to export it as a PFX file.

Once you have exported the certificate to a PFX file, you can use it to sign your code and ensure its authenticity.
