Manually create certificate signing requests

It's been quite a while since my last post due to different reasons. :-)
Today I would like to show you how to manually create a certificate signing request (CSR).

The Internet Information Server (IIS) and many other applications which make use of or require certificates provide wizzards in the administration user interface to request and install certificates.

I would like to explain two different ways how to request a certificate manually. The manual steps are required if web enrollment is not available, the current logged on user or computer has no enroll permissions on a certificate template or the certification authority (CA) is not available (e.g. no Active Directory integrated Enterprise CA or not in the same forest as the leveraging computer)

Method 1 – Use certreq to create a CSR and certreq to issue the certificate

1. Creating an INF file to set the certificate properties

Use Notepad or any other text editor to create the following sample INF file according to your needs. Safe the file as myCSR.inf for example

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=MyServer.christianlechner.blogspot.de" ;For a wildcard use "CN=*.christianlechner.blogspot.de" for example

; For an empty subject use the following line instead or remove the Subject line entierely
; Subject =

Exportable = FALSE                  ; Private key is not exportable KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=computer1. christianlechner.blogspot.de&dns=computer2. christianlechner.blogspot.de"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer

Notes:

If you don’t know the template name or want to specifie it when issueing the certificate, remove the RequestAttributes section.

The specification of the enhanced key usage OID is not explicitly required since the EKU is defined in the certificate template. The OID in the INF file above is for explanatory purposes
You can click on “OK” for the template not found UI from certreq if the client has no access to templates.

You can ignore the unreferenced “[Strings]” section dialog when it appears

2. Useing the INF file when creating the REQ file

The following command-line command will generate key material and turn the INF file into a certificate signing request (CSR) which can then be handed over to the CA to issue the certificate.

certreq –new MyCSR.inf CSR.req

Once the certificate request was created you can verify the request with the following command:

certutil –dump CSR.req

3. Submitting the REQ file to the CA

If the CA is reachable via RPC over the network (computer and CA are member oft he same Active Directory domain and computer or user hast he permissions to enroll a certificate), use the following command to submit the certificate request directly to the CA:

certreq –submit CSR.req

You will get a selection dialog to select the CA from. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately.

If RPC traffic is not allowed or the CA is not member of the same Active Directory or maybe not a Windows based CA, transfer the certificate request to the CA and perform the above command locally at the CA (if it is a Windows CA otherwise you the respective command on the Linux/Unix based CA).

If the certificate template name was not specified in the certificate request above, you can specify it as part of the submission command:

certreq -attrib "CertificateTemplate:webserver" –submit CSR.req

4. Installing the certificate at the IIS or ISA computer

Once the certificate was issued copy it to the target computer. Run the following command to install the certificate.

certreq –accept ssl.cer

The installation actually puts the certificate into the computer’s personal store. The certificate will be linked to the key material created in step #1 and builds the certificate property. The certificate property stores information such as the friendly name which is not part of a certificate itself.

After performing steps 1 to 4 the certificate will show up in the IIS or any other application and can be bound to the application or a website.

Method 2 – Use the MMC to create a CSR

Open the MMC and add the „Certificates“ snap-in. Open the „User“ or „Computer“ store depending on your required certificate.

Under „Advanced Operations“ select „Create Custom Request“.

Confirm the „Before you Begin“ page by clicking „Next“.

Click „Proceed without enrollment policy“ on the „Select Certificate Enrollment Policy“ page and click „Next“.

Depending on the use case select „CNG key“ or „Legacy key“ on the „Custom request“ page and click „Next“.

Open the „Properties“ window from the „Certificate Information“ page to enter all required certificate properties to the request.

After you’ve entered all required properties (e.g. SubjectName, Organization, Key length, …) finally click „Next“ and save the CSR somewhere.

You can now submitt the CSR according to method 1 or directly via MMC on the CA itself.

Have fun

Chris