It's been quite a while since my last post due to different reasons. :-)
Today I would like to show you how to manually create a certificate signing request (CSR).
The Internet Information Server (IIS) and many other
applications which make use of or require certificates provide wizzards in the
administration user interface to request and install certificates.
I would like to explain two different ways how to request a certificate manually. The manual steps are required if web
enrollment is not available, the current logged on user or computer has no
enroll permissions on a certificate template or the certification authority
(CA) is not available (e.g. no Active Directory integrated Enterprise CA or not
in the same forest as the leveraging computer)
Method 1 – Use certreq to create a CSR and certreq to issue the certificate
1. Creating an INF file to set the certificate properties
Use Notepad or any other text editor to create the following
sample INF file according to your needs. Safe the file as myCSR.inf for example
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=MyServer.christianlechner.blogspot.de" ;For a wildcard
use "CN=*.christianlechner.blogspot.de" for example
; For an empty
subject use the following line instead or remove the Subject line entierely
; Subject =
Exportable =
FALSE ; Private key is
not exportable KeyLength = 2048 ; Common key sizes: 512,
1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ;
Digital Signature, Key Encipherment
MachineKeySet = True ; The
key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
; At least
certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the
[Strings] and [Extensions] sections below
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=computer1. christianlechner.blogspot.de&dns=computer2.
christianlechner.blogspot.de"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
[RequestAttributes]
CertificateTemplate= WebServer
Notes:
If you don’t know the template name or want to specifie it
when issueing the certificate, remove the RequestAttributes section.
The specification of the enhanced key usage OID is not
explicitly required since the EKU is defined in the certificate template. The
OID in the INF file above is for explanatory purposes
You can click on “OK” for the template not found UI from certreq if the client
has no access to templates.
You can ignore the unreferenced “[Strings]” section dialog
when it appears
2. Useing the INF file when creating the REQ file
The following command-line command will generate key
material and turn the INF file into a certificate signing request (CSR) which
can then be handed over to the CA to issue the certificate.
certreq –new MyCSR.inf
CSR.req
Once the certificate request was created you can verify the
request with the following command:
certutil –dump CSR.req
3. Submitting the REQ file to the CA
If the CA is reachable via RPC over the network (computer
and CA are member oft he same Active Directory domain and computer or user hast
he permissions to enroll a certificate), use the following command to submit
the certificate request directly to the CA:
certreq –submit CSR.req
You will get a selection dialog to select the CA from. If
the CA is configured to issue certificates based on the template settings, the
CA may issue the certificate immediately.
If RPC traffic is not allowed or the CA is not member of the
same Active Directory or maybe not a Windows based CA, transfer the certificate
request to the CA and perform the above command locally at the CA (if it is a
Windows CA otherwise you the respective command on the Linux/Unix based CA).
If the certificate template name was not specified in the
certificate request above, you can specify it as part of the submission command:
certreq -attrib
"CertificateTemplate:webserver" –submit CSR.req
4. Installing the certificate at the IIS or ISA computer
Once the certificate was issued copy it to the target
computer. Run the following command to install the certificate.
certreq –accept
ssl.cer
The installation actually puts the certificate into the
computer’s personal store. The certificate will be linked to the key material
created in step #1 and builds the certificate property. The certificate
property stores information such as the friendly name which is not part of a
certificate itself.
After performing steps 1 to 4 the certificate will show up
in the IIS or any other application and can be bound to the application or a
website.
Method 2 – Use the MMC to create a CSR
Open the MMC and add the „Certificates“ snap-in. Open the „User“
or „Computer“ store depending on your required certificate.
Under „Advanced Operations“ select „Create Custom Request“.
Confirm the „Before you Begin“ page by clicking „Next“.
Click „Proceed without enrollment policy“ on the „Select
Certificate Enrollment Policy“ page and click „Next“.
Depending on the use case select „CNG key“ or „Legacy key“
on the „Custom request“ page and click „Next“.
Open the „Properties“ window from the „Certificate
Information“ page to enter all required certificate properties to the request.
After you’ve entered all required properties (e.g.
SubjectName, Organization, Key length, …) finally click „Next“ and save the CSR
somewhere.
You can now submitt the CSR according to method 1 or
directly via MMC on the CA itself.
Have fun
Chris