Category archive: Internet Information Server IIS

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

To use the Certreq.exe utility to create and submit a certificate request, follow these steps:

  1. Create an .inf file that specifies the settings for the certificate request. You can use the following sample code to create an .inf file.

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=corpdc1.fabrikam.com" ; must be the FQDN of domain controller
    EncipherOnly = FALSE
    Exportable = FALSE  ; TRUE = Private key is exportable
    KeyLength = 1024    ; Common key sizes: 512, 1024, 2048,
                        ;    4096, 8192, 16384
    KeySpec = 1         ; Key Exchange
    KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC

    ; Omit entire section if CA is an enterprise CA
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

    [RequestAttributes]
    CertificateTemplate = WebServer ; Omit line if CA is a stand-alone CA
    SAN="dns=corpdc1.fabrikam.com&dns=.fabrikam.com&dns=ldap.fabrikam.com"

  2. Save the file as Request.inf.

  3. Open a command prompt.

  4. At the command prompt, type the following command, and then press ENTER:

    certreq -new request.inf certnew.req

    This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

  5. At the command prompt, type the following command, and then press ENTER:

    certreq -submit certnew.req certnew.cer

    This command submits the certificate request to the CA. If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

    The -config switch uses the following format to refer to a specific CA:

    computername\Certification Authority Name

    For example, assume that the CA name is Corporate Policy CA1 and that the domain name is corpca1.fabrikam.com. To use the certreq command together with the -config switch to specify this CA, type the following command:

    certreq -submit -config "corpca1.fabrikam.com\Corporate Policy CA1" certnew.req certnew.cer

    If this CA is an enterprise CA and if the user who submits the certificate request has Read and Enroll permissions for the template, the request is submitted. The issued certificate is saved in the Certnew.cer file. If the CA is a stand-alone CA, the certificate request will be in a pending state until it is approved by the CA administrator. The output from the certreq -submit command contains the Request ID number of the submitted request. As soon as the certificate has been approved, it can be retrieved by using the Request ID number.

  6. Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:

    certreq -retrieve RequestID certnew.cer

    You can also use the -config switch here to retrieve the certificate request from a specific CA. If the -config switch is not used, you are prompted to select the CA from which to retrieve the certificate.

  7. At the command prompt, type the following command, and then press ENTER:

    certreq -accept certnew.cer

    After you retrieve the certificate, you must install it. This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in step 4.
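As an added example that is not part of the original article, the following Python script checks a certreq .inf file before it is handed to certreq -new: it parses the sections and the SAN= syntax, and flags a key length below 2048 bits, a Subject CN that is not repeated in the SAN, and DNS entries that are not well-formed host names. The embedded .inf is a trimmed copy of the article's sample, and the 2048-bit minimum and the host-name pattern are this example's own assumptions.

```python
import re

# Constructed copy of the article's Request.inf, trimmed to the lines the
# checks below look at (certreq treats ';' as a comment).
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corpdc1.fabrikam.com" ; must be the FQDN of domain controller
KeyLength = 1024
RequestType = CMC

[RequestAttributes]
CertificateTemplate = WebServer
SAN="dns=corpdc1.fabrikam.com&dns=.fabrikam.com&dns=ldap.fabrikam.com"
"""

def parse_inf(text):
    """Return {section: {key: value}} with comments and quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value.strip('"')
    return sections

def preflight(text, min_key_bits=2048):
    """Return a list of findings; empty means the .inf passed every check."""
    inf = parse_inf(text)
    req, attrs = inf.get("NewRequest", {}), inf.get("RequestAttributes", {})
    findings = []
    bits = int(req.get("KeyLength", "0"))
    if bits < min_key_bits:  # assumed floor; 1024-bit RSA is deprecated
        findings.append(f"KeyLength {bits} is below {min_key_bits}")
    # certreq SAN syntax is "type=value&type=value"; keep only dns= entries.
    dns_names = [item[4:] for item in attrs.get("SAN", "").split("&")
                 if item.lower().startswith("dns=")]
    cn = re.search(r"CN=([^,]+)", req.get("Subject", ""))
    if cn and cn.group(1) not in dns_names:  # clients match on SAN, not CN
        findings.append(f"CN {cn.group(1)} is missing from the SAN")
    for name in dns_names:
        if not re.fullmatch(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+", name, re.I):
            findings.append(f"malformed dNSName {name!r}")
    return findings
```

Run preflight() on the real Request.inf before step 4; the article's sample produces two findings, the 1024-bit key and the dns=.fabrikam.com entry, which has no host label before the first dot.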