On Windows, unless you use third-party tools, everything about certificates is incredibly confusing.
- Whether AD is required for a certification authority - I don’t know, the idea of ​​deploying it without AD never occurred to me. AD is used and very widely used.
- All certificate issuance is based on templates. If the certificate must have some atypical OIDs, it is better to first see if they are in the required templates and if there are such templates at all, if not, you will have to create them.
- There is no separate CSR creation program. Well, in the sense, Windows, graphical with whistles and squeakers, there is only a text program that uses a text ini file, called, if I'm not mistaken, certreq.exe Windows believes that the CSR should be generated on the fly, the request immediately goes to the certificate center and the certificate is issued discreetly - so that the user does not have access to the certificate key :) Which, of course, will not work for you - the certificate will need to be installed on the yabble.
- To use certificates at least somewhere other than on the computer where the CSR was generated, you will have to generate it (CSR) with a third-party tool and transfer it as base64 to the certification authority through the center's web face - I do it myself, although it is crooked, inconvenient and pretty ridiculous. But on the other hand, the process of forming .p12 is completely under control.
A request from the device is optional. You can also generate on the server - if there is anything. Is there something like this in powershell - I never thought, maybe there is