Tuesday 21 March 2017

Use CertReq.exe to request and install a certificate (and CertUtil.exe to fix it)

I have several times requested a certificate using the CertReq.exe tool from Windows. However, I have never documented all the options that I use for this purpose, or how I actually do it, so here goes.

CertReq.exe is a built-in command-line tool and can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request. Right now I'll only use it to create a new offline request from an .inf file.

Since we use an infile (.inf) to supply information, we need to create and adapt this file to our needs. The file is basically a text file containing all the necessary information to generate the certificate request.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=ap01.fabrikam.com,OU=IT,O=Fabrikam,L=City,C=Country"  ; Modify to match your requirements and organisation
Exportable = TRUE    ; Private key is exportable
KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1          ; Key Exchange – Required for encryption
KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
; Multiple alternative names must be separated by an ampersand (&).
2.5.29.17 = "{text}"
_continue_ = "dns=ap01.fabrikam.com&"
_continue_ = "dns=sip.fabrikam.com"

Save the text file as cert1.inf, make sure it's ANSI encoded, and start a command prompt (or PowerShell prompt) as Administrator.

Run the command:
certreq.exe -new [infile [outfile]]
certreq.exe -new cert1.inf cert1.req

This will generate a cert1.req file like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

You can check the file using a CSR decoder, e.g. from www.sslshopper.com or www.entrust.com.

Send the cert1.req file to the certificate provider and wait to get the .cer file back.

When the .cer is returned from the certificate provider, install it using this command:
Certreq.exe -accept certnew.cer

If, for some reason, the private key is not matched with the installed certificate, you can try to repair it using the following command (replace "thumbprint" with the thumbprint of the installed certificate):
Certutil.exe -repairstore my "thumbprint"
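The whole procedure above, driven from an elevated PowerShell prompt on the machine that will hold the private key. This is an added example, not code from the original post. It assumes a working folder C:\Certs, the file names cert1.inf, cert1.req and certnew.cer, and the same request settings and host name ap01.fabrikam.com as the .inf shown above; it goes slightly beyond the post by checking whether the installed certificate actually has its private key before running the certutil repair, and by decoding the request locally with certutil -dump instead of a web CSR decoder.

```powershell
# Added example (not from the original post): CertReq / CertUtil workflow from
# PowerShell. Run elevated. C:\Certs, the file names and the host name are
# assumptions taken from the post.
$WorkDir = 'C:\Certs'
$InfFile = Join-Path $WorkDir 'cert1.inf'
$ReqFile = Join-Path $WorkDir 'cert1.req'
$CerFile = Join-Path $WorkDir 'certnew.cer'   # the file the CA sends back

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Same request settings as the .inf in the post. A single-quoted here-string
# keeps "$Windows NT$" literal instead of expanding $Windows as a variable.
$Inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=ap01.fabrikam.com,OU=IT,O=Fabrikam,L=City,C=Country"
Exportable = TRUE    ; lets the private key leave this machine; use FALSE if you never need to move it
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ap01.fabrikam.com&"
_continue_ = "dns=sip.fabrikam.com"
'@

function New-ServerCertRequest {
    # Step 1: write the .inf and create the PKCS#10 request. The private key is
    # generated into the LocalMachine store here (MachineKeySet = True).
    # CertReq wants an ANSI file; Out-File in Windows PowerShell 5.1 writes
    # UTF-16 by default, which CertReq rejects, so force ASCII explicitly.
    Set-Content -Path $InfFile -Value $Inf -Encoding Ascii

    & certreq.exe -new $InfFile $ReqFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

    # Decode the request locally instead of pasting it into a web CSR decoder;
    # the filter only picks the lines worth eyeballing out of the full dump.
    & certutil.exe -dump $ReqFile |
        Select-String -Pattern 'Subject:|DNS Name=|Key Length|Public Key Algorithm'
}

function Install-IssuedCertificate {
    # Step 2: bind the CA's reply to the pending request and its private key,
    # verify the binding, and fall back to certutil -repairstore if it is missing.
    param([Parameter(Mandatory)][string]$Path)

    & certreq.exe -accept $Path
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

    # Read the thumbprint from the .cer file and look the cert up in LocalMachine\My.
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $stored = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction Stop

    if (-not $stored.HasPrivateKey) {
        Write-Warning "No private key bound to $($issued.Thumbprint); running certutil -repairstore"
        & certutil.exe -repairstore my $issued.Thumbprint
        if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)" }
        $stored = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)"
    }
    if (-not $stored.HasPrivateKey) {
        throw "Certificate still has no private key; was the request created on this machine?"
    }
    return $stored
}

# Run once to create the request, send cert1.req to the CA, then run again
# once certnew.cer has been saved into $WorkDir.
if (-not (Test-Path $ReqFile)) {
    New-ServerCertRequest
    Write-Host "Request written to $ReqFile; send it to the CA and save the reply as $CerFile"
}
elseif (Test-Path $CerFile) {
    $cert = Install-IssuedCertificate -Path $CerFile
    $cert | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, DnsNameList
}
else {
    Write-Host "Waiting for $CerFile from the CA"
}
```

The script is meant to be run twice: the first run writes the .inf and the request and stops, the second run (after the .cer is in place) installs the certificate. The HasPrivateKey check is the cheap way to tell whether certreq -accept actually joined the certificate to the key generated by certreq -new; the repair only succeeds if that key is still present in the machine key store on the same computer.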