Hey

I had posted this under "Directory Services" earlier, but I was told that this might get answered in 'Security' so here I am :)

Maybe this question has come up multiple times but I have struggling to get all the pieces together.

Looked up various sites, but no avail. So here I am

Requirement:

I have setup an Root Enterprise CA on Windows 2012 R2 server.

I want to generate CSR from other windows client using MMC ( I don't want to go the command line way).

Then submit this CSR to my CA and get it signed. Bring it back on my client and install it.

Also export the Signed Cert and the Private Key for backup

The queries ( there are multiple of those ):

I go to "Certificates" snap-in on my client(Windows 2008 R2). Choose personal -> certificates -> Request new certificate and it says 'No certificate types available'

Then I choose 'Create custom request' under 'Advanced operations' . Choose 'No template (CNG key)', and define everything else(CN etc). Also choose 'make key exportable' ( Don't know what that means) ? but there is no option to define 'validation period' ?

As I know this generates a CSR at my defined location.

Why does the certificate now appear under 'Certificate Enrollment Request' and says signed by self ?

If now I take this CSR to the CA I setup, I can get it signed through 'Web Enrollment' but can the same be done using MMC on CA ?

Once I take the signed cert back to my client and install it, how to extract the 'Public Cert' and 'Private key' back through the MMC on client ?

-------------------------

So you see there are multiple queries :)

- Why are there no templates on the client

- What is 'make key exportable' option

- How to define 'validity' on CSR

- Why does it appear under 'Certificate Enrollment Request' as self signed

- How to get the CSR signed by CA through MMC

- How to extract the 'Public Cert' and 'Private key' through MMC on client

I think I may have got a working setup, but these questions are troubling me