
I am trying to generate a custom CSR using the certificates snap-in for mmc on Windows 10. The certificate I want to create is a client authentication cert using ECC. However, I have run into a persistent issue that is preventing me from generating the CSR. No matter the content of the request, if I use (No template) CNG key I get the error "One or more of the object's properties are missing or invalid", and the private key generation dialog is completely insensitive. So no CSR is generated.

On the other hand, if I choose (No template) Legacy Key, then there is no problem, but the Legacy providers don't do ECC and their protection for private keys is weaker.

I suspect that this is not a problem with the certificates snap-in but rather with the underlying certificate infrastructure for Active Directory. In researching the problem I found articles that seem to indicate that some changes were made to the certificate infrastructure of Windows Server. These links are not directly relevant to my issue but they may provide hints to someone more familiar with Windows than I.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/cng-templates-not-appear-certificate-web-enrollment
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ca-cant-use-certificate-template
https://learn.microsoft.com/en-us/microsoft-identity-manager/certificate-manager-for-software-certificates

I've run out of ideas. If I can't get this to work I may resort to generating the CSR with openssl and importing the resulting cert and keys into Windows.

hkc94501
  • `suspect that this is not a problem with the certificates snap-in but rather with the underlying certificate infrastructure for Active Directory`. I've never used the graphical interface to create a certificate request. I always use certreq with a template file that specifies every detail. You may want to research that. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1 – Greg Askew Aug 03 '23 at 12:02
  • Well, that led to an interesting exploration of certreq and certutil. Can those commands be used for ECC or CNG crypto providers? On my system, and my system might be screwed up, certutil -cspdisplay shows only CryptoAPI (old system) providers. Interestingly, certutil -displayECCcurve works, listing all the NIST, Brainpool, secp, and x962 curves. – hkc94501 Aug 05 '23 at 08:09
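
The certreq route suggested in the comments, as an added example that is not from the thread or from Microsoft's documentation: a PowerShell script that writes a certreq INF selecting the CNG key storage provider and the ECDSA_P256 algorithm, generates the CSR, and checks that the request really carries an ECC key and the Client Authentication EKU. The subject name, file names and working directory are assumed placeholders.

```powershell
# Added example: ECC (P-256) client-authentication CSR on a CNG key via certreq.
# Assumed values: subject name, friendly name, file names under $env:TEMP.

$workDir = Join-Path $env:TEMP 'ecc-csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'client-ecc.inf'
$reqPath = Join-Path $workDir 'client-ecc.req'

# Pre-check: -csplist (unlike -cspdisplay) also enumerates CNG key storage providers.
& certutil.exe -csplist | Select-String -Pattern 'Key Storage Provider'

# certreq INF (single-quoted here-string so "$Windows NT$" is written literally).
# KeyAlgorithm + ProviderName pick a CNG KSP; the legacy CSP path cannot do ECC.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; assumed subject
Subject = "CN=example-user, O=Example Org"
KeyAlgorithm = ECDSA_P256
KeyLength = 256
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
; 0x80 = digitalSignature, which is what an ECDSA client-auth key needs
KeyUsage = 0x80
; user key store, and keep the private key non-exportable
MachineKeySet = FALSE
Exportable = FALSE
RequestType = PKCS10
FriendlyName = "ECC client auth (assumed)"

[EnhancedKeyUsageExtension]
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
'@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the KSP and write the base64 PKCS#10 request.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify: the dump should name an ECC P-256 public key and the Client Authentication EKU,
# confirming the request was built on the CNG key rather than a legacy RSA key.
& certutil.exe -dump $reqPath | Select-String -Pattern 'Algorithm|ECC|P256|Client Authentication'
```

Once the CA returns the issued certificate, `certreq -accept` binds it to the key that this request created in the user's key store.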
