Skip to main content

Use certreq.exe to request certificate

ยท 3 min read
James Yip
James Yip

In this article, I will explain how to use certreq.exe and certutil.exe to request certificate from Windows CA.

A lot of time when we need to obtain SSL certificates to help secure the communications or use for authentications. For public certificate, it's quite simple as many tools to generate the CSR. But if we are using Windows Certificate Authority (CA), it may not be that simple.

Request Certificate from Windows CAโ€‹

You first need get the CA name (typical format Server name\CA Name) and template name you need.

  1. Prepare a text document with content like the following and save as <file name>.txt in a folder. Also check the Cert Template to use for this certificate request.
[NewRequest]
Subject = "CN=server.local,c=HK"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
RequestType = PKCS10
ProviderName = "Microsoft Enhanced Crytographic Provider v1.0"
[RequestAttributes]
CertificateTemplate=Machine
HashAlgorithm = Sha256
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=server.local&"
  1. Open Command Prompt with Admin Right and enter the following to create CSR
certreq -new -q -config "<CA Name>" .\<file name>.txt <file name>.csr
  1. Run the following command to submit the request to CA
certreq -submit -q -config "<CA Name>" .\<file name>.csr <file name>.cer <file name>.p7b
  1. The result should be looks like this and note the Request Id generated

  1. If your CA is Run the following command to approve the request, type the follow command we use certutil.exe to approve the request. Otherwise, skip to next step
certutil -config "<CA Name>" -resubmit <Request Id>
  1. Run the following command to extract the approved request from CA
certutil -config "<CA Name>" -view -restrict "requestid=<request ID>" -out rawcertificate
  1. Copy the text generated (between the --- BEGIN CERTIFICATE--- and --- END CERTIFICATE---) and save to a file with cer extension (like server.cer).

  1. The certificate would then be saved to local machines' certificate store and ready for export

Export Certificate as PFXโ€‹

  1. Start MMC and add Certificates (Local Computer snap-in)
  2. Navigate to Personal -> Certificates
  3. Locate the certificate and right click choose Export

  1. Click Next

  1. Select Yes, Export the private Key and click Next

  1. Click Next on format to accept default

  1. Check the Password box and specify the password for the pfx exported. Then click Next

  1. Specify the path for the PFX and click Next

  1. Click Finish

Summaryโ€‹

You can then remove the certificate from the local machine store and take the PFX to install to your servers/applications.