CSR Generation for Code Signing - using CertReq

As of June 1, 2021, in compliance with the CA/Browser Forum Code Signing Baseline Requirements, the bit length of an RSA key should be greater than or equal to 3072. We recommend generating the CSR with a 4096-bit key. There are many ways to generate a CSR for Code Signing.

In this article, we guide you through generating a CSR for a Code Signing Certificate using the Windows ‘certreq’ command.

To use the ‘certreq’ command, you first build a ‘request.inf’ file using a simple text editor such as Notepad. The request.inf file contains the Subject details that should be included in the CSR. You then build the CSR from ‘request.inf’. Please follow the instructions below to build ‘request.inf’ and generate the CSR.

Step 1: Building the ‘request.inf’ file.
Copy the following contents and save them as ‘request.inf’ using Notepad. You must change only the ‘Subject’ line to include your company details.


[NewRequest]
;Change to your country code(C), common name(CN), company name(O), locality(L), state/province name (S)

Subject = "CN=Your Company Name, O=Your Company Name, L=Locality, S=State, C=US"

KeySpec = 1
KeyLength = 4096
Exportable = TRUE
MachineKeySet = FALSE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; this is for code signing


Step 2: Generating a CSR using the ‘request.inf’
After saving the ‘request.inf’ file, run the following command at a Command Prompt to generate the CSR.

CERTREQ -new request.inf codesign.csr

  • This command generates a new CSR and saves it in the “codesign.csr” file.
  • You can then submit the CSR to Sectigo to request a Code Signing Certificate.

Note: After receiving the certificate, you have to install it on the same computer using “certreq -accept certificate.crt”, because the private key that was generated together with the CSR is stored on that computer. You can then export the certificate into a PFX file.
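
The following is an added example, not part of the original article or of Sectigo's tooling: a Python pre-flight check for the ‘request.inf’ from Step 1, to run before the CERTREQ command in Step 2. It flags a KeyLength below 3072, a weak or missing HashAlgorithm, an unchanged Subject placeholder and a missing code signing OID; the function names and the sample input are constructed for illustration.

```python
import re

CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"  # EKU value from the article's template
MIN_RSA_BITS = 3072                      # minimum RSA key length stated in the article

# Constructed sample: the article's template with two deliberate mistakes
# (2048-bit key, Subject placeholder left unchanged).
SAMPLE_INF = """\
[NewRequest]
;constructed sample based on the article's template
Subject = "CN=Your Company Name, O=Your Company Name, L=Locality, S=State, C=US"
KeyLength = 2048
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; this is for code signing
"""

def parse_inf(text):
    """Map lower-cased section name -> list of (lower-cased key, value) pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        # Keep everything before the first ';' that is not inside double quotes.
        line = re.match(r'((?:"[^"]*"|[^";])*)', raw).group(1).strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def lint_request_inf(text):
    """Return a list of findings; an empty list means no problem was found."""
    inf = parse_inf(text)
    req = dict(inf.get("newrequest", []))
    findings = []
    bits = req.get("keylength", "")
    if not bits.isdigit() or int(bits) < MIN_RSA_BITS:
        findings.append(f"KeyLength '{bits}' is below the {MIN_RSA_BITS}-bit minimum")
    if req.get("hashalgorithm", "").upper() in ("", "MD5", "SHA1"):
        findings.append("HashAlgorithm is missing or weak (article uses SHA256)")
    if "your company name" in req.get("subject", "").lower():
        findings.append("Subject still contains the template placeholder")
    # An INF may list several OID= lines, so collect all of them.
    ekus = [v for k, v in inf.get("enhancedkeyusageextension", []) if k == "oid"]
    if CODE_SIGNING_OID not in ekus:
        findings.append("Code signing EKU OID is not requested")
    return findings

print("\n".join(lint_request_inf(SAMPLE_INF)))
```

To check a real file, pass its contents to lint_request_inf() and run CERTREQ only when the returned list is empty.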

See Also: Exporting a certificate into a PFX file