As of June 1, 2021, in compliance with the CA/Browser Forum Code Signing Baseline Requirements, the bit length of an RSA key must be greater than or equal to 3072. We recommend generating a CSR with a 4096-bit key. There are many ways to generate a CSR for Code Signing.
In this article, we guide you through generating a CSR for a Code Signing Certificate using the Windows ‘certreq’ command.
To use the ‘certreq’ command, you first build a ‘request.inf’ file with a plain text editor such as Notepad. The request.inf file contains the Subject details that are to be included in the CSR. You then build the CSR from the ‘request.inf’. Follow the instructions below to build a ‘request.inf’ and generate the CSR.
Step 1: Building the ‘request.inf’ file.
Copy the following contents and save them as ‘request.inf’ using Notepad. Change only the ‘Subject’ line to include your company details.
[NewRequest]
; Change to your country code (C), common name (CN), company name (O), locality (L), state/province name (S)
Subject = "CN=Your Company Name, O=Your Company Name, L=Locality, S=State, C=US"
KeySpec = 1
KeyLength = 4096
Exportable = TRUE
MachineKeySet = FALSE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; this is for code signing
Step 2: Generating a CSR using the ‘request.inf’.
After saving the ‘request.inf’ file, run the following command at a CMD prompt to generate the CSR.
CERTREQ -new request.inf codesign.csr
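The settings above as a pre-flight check, added here as an example and not part of the original article: a small Python script (standard library only) that parses a request.inf and reports anything that would miss the code-signing baseline described above, namely the 3072-bit minimum with 4096 recommended, a SHA-2 hash (the article uses SHA256), Exportable = TRUE for the later PFX export, the code-signing EKU OID, and a Subject whose placeholder has been replaced. The two INF texts inside are constructed samples, and the function names are my own; the digitalSignature check on KeyUsage goes slightly beyond the article's text.

```python
"""Check a certreq request.inf against the code-signing settings the article
calls out, before certreq is run. Added example, not the article's own code.
The two INF texts below are constructed samples."""

CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3"
MIN_RSA_BITS = 3072            # CA/Browser Forum code-signing minimum since June 2021
RECOMMENDED_RSA_BITS = 4096    # what the article recommends
SHA2_ALGORITHMS = {"SHA256", "SHA384", "SHA512"}  # the article uses SHA256
KU_DIGITAL_SIGNATURE = 0x80    # KeyUsage bit a signing certificate needs

# Constructed sample: the article's settings with the Subject filled in.
GOOD_INF = """\
[NewRequest]
; country code (C), common name (CN), company name (O), locality (L), state (S)
Subject = "CN=Example Corp, O=Example Corp, L=Redmond, S=Washington, C=US"
KeySpec = 1
KeyLength = 4096
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; this is for code signing
"""

# Constructed sample that must fail: short key, SHA1, not exportable, no EKU.
WEAK_INF = """\
[NewRequest]
Subject = "CN=Example Corp, O=Example Corp, C=US"
KeyLength = 2048
RequestType = PKCS10
HashAlgorithm = SHA1
"""


def parse_inf(text):
    """Parse INF text into {section: {key: [values]}}. A ';' starts a comment,
    also after an entry; keys may repeat (several OID= lines), hence lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed INF line: {raw!r}")
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current].setdefault(key, []).append(value.strip('"'))
    return sections


def check_request_inf(text):
    """Return {'errors': [...], 'warnings': [...]}; no errors == meets the baseline."""
    errors, warnings = [], []
    inf = parse_inf(text)
    req = inf.get("NewRequest", {})

    def first(key):  # entries in [NewRequest] are single-valued
        return req.get(key, [""])[0]

    bits = int(first("KeyLength")) if first("KeyLength").isdigit() else 0
    if bits < MIN_RSA_BITS:
        errors.append(f"KeyLength {bits} is below the {MIN_RSA_BITS}-bit minimum")
    elif bits < RECOMMENDED_RSA_BITS:
        warnings.append(f"KeyLength {bits} meets the minimum; {RECOMMENDED_RSA_BITS} is recommended")

    if first("HashAlgorithm").upper() not in SHA2_ALGORITHMS:
        errors.append(f"HashAlgorithm {first('HashAlgorithm') or '<missing>'} is not SHA-2")
    if first("Exportable").upper() != "TRUE":
        errors.append("Exportable is not TRUE, so the key could not be exported to a PFX later")

    # Subject: CN, O and C present, placeholder replaced, two-letter country code
    subject = dict(p.strip().split("=", 1) for p in first("Subject").split(",") if "=" in p)
    subject = {k.strip().upper(): v.strip() for k, v in subject.items()}
    for attr in ("CN", "O", "C"):
        if attr not in subject:
            errors.append(f"Subject is missing {attr}=")
    if "Your Company Name" in first("Subject"):
        errors.append("Subject still contains the placeholder 'Your Company Name'")
    if "C" in subject and not (len(subject["C"]) == 2 and subject["C"].isalpha()):
        errors.append(f"Subject C={subject['C']!r} is not a two-letter country code")

    # KeyUsage, when set, must include digitalSignature (bit 0x80)
    ku = first("KeyUsage")
    if ku and not int(ku, 16) & KU_DIGITAL_SIGNATURE:
        errors.append(f"KeyUsage {ku} does not include digitalSignature")

    if CODE_SIGNING_EKU not in inf.get("EnhancedKeyUsageExtension", {}).get("OID", []):
        errors.append(f"EnhancedKeyUsageExtension lacks OID={CODE_SIGNING_EKU} (code signing)")
    return {"errors": errors, "warnings": warnings}


def meets_baseline(text):
    return not check_request_inf(text)["errors"]
```

To check your own file, call `check_request_inf(open("request.inf").read())` and fix every reported error before running certreq; a 3072-bit key is reported as a warning only, since it meets the minimum but not the recommended length.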
Note: After receiving the certificate, you have to install it on the same computer, and under the same Windows user account, that generated the request (with MachineKeySet = FALSE the private key lives in that user's key store), using “certreq -accept certificate.crt”. You can then export the certificate together with its private key into a PFX file.
See Also: Exporting a certificate into a PFX file