Generating Certificate Requests With Certreq

Hey there,

SSL/TLS and the certificates it comes with are becoming more ubiquitous every day.  The system is not without its flaws, (BEAST, hash collision attacks, etc.,) but it's still generally regarded as "pretty good," and it's downright mandatory in any network that needs even a modicum of security.

One major downside is the administrative burden of having to keep track of and renew all those certificates, but Active Directory Certificate Services does a wonderful job of automating a lot of that away.  Many Windows administrator's lives would be a living hell if it weren't for Active Directory-integrated auto-enrollment.

But sometimes you don't always have the pleasure of working with an Enterprise CA. Sometimes you need to manually request a certificate from a non-Microsoft certificate authority, or a CA that is kept offline, etc.  Most people immediately start thinking about OpenSSL, which is a fine, multiplatform open-source tool.  But I usually seek out native tools that I already have on my Windows servers before I go download something off the internet that duplicates functionality that already comes with Windows.

Which brings me to certreq.  I use this guy to generate CSRs (certificate requests) when I need to submit one to a CA that isn't part of my AD forest or cannot otherwise be used in an auto-enrollment scenario. First paste something like this into an *.inf file:

;----------------- csr.inf -----------------
[Version]
Signature="$Windows NT$

[NewRequest]
Subject = "CN=web01.contoso.com, O=Contoso LLC, L=Redmond, S=Washington, C=US" 
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Then, run the command:

C:\> certreq -new csr.inf web01.req

And certreq will take the settings from the INF file that you created and turn them into a CSR with a .req extension.  The certreq reference and syntax, including all the various parameters that you can include in your INF file is right here. It's at this moment that the private key associated with this request is generated and stored, but it is not stored within the CSR so you don't have to worry about securely transporting the CSR.

Now you can submit that CSR to the certificate authority. Once the certificate authority has approved your request, they'll give you back a PEM or a CER file. If your CA gives you a PEM file, just rename it to CER.  The format is the same.  Remember that only the computer that generated the CSR has the private key for this certificate, so the request can only be completed on that computer.  To install the certificate, run:

C:\> certreq -Accept certificate.cer

Now you should see the certificate in the computer's certificate store, and the little key on the icon verifies that you do have the associated private key to go along with it.

So there you have it.  See you next time!

Comments are closed