In this article, I’m going to show how creating a certificate request for a third-party certification authority can be automated with PowerShell.

Alex Chaika

Alex Chaika is a Microsoft Certified Solution Expert (MCSE) with more than 15 years of experience in IT systems engineering. He currently focuses on PowerShell and VMware PowerCLI.

The usual procedure for creating a certificate request is to launch the IIS or certificates MMC and use the wizard shown below:

New certificate request wizard

As usual, the GUI is fine for a one-time request. However, if you need to create several requests, PowerShell is the better option. The certreq.exe command line utility can also do the same job; its help screen is shown below.

Certreq utility help screen

As with the GUI, you have to run the tool on each server individually. However, because certreq.exe can read a preconfigured .inf file when it creates a certificate request, it can be driven from a PowerShell script to speed up the process:

I decided to run this script from an admin workstation to save the time it takes to log on to a remote computer. Thus, I’m using the Invoke-Command cmdlet to run the entire script on the remote machine.

The first variable sets the certificate name (the friendly name). The next two variables hold the paths of the certificate request files: one for the INF file that serves as the template for the certreq.exe utility, and one for the request (CSR) file that certreq.exe produces. A further variable holds the signature string that is used in the INF file.

Then, I create the INF file content and save the data to the $INF variable, which I’ll use later for creating the file itself. This involves a few sections and a lot of key words.

First, there is the [Version] section, with the Signature key under it. This section is mandatory; there is no way to create a working certificate request without it. The Signature key indicates the operating system family for which this INF is valid. Although this key is documented as required, for testing purposes I was able to create the INF file without it and still process it successfully with the certreq utility. In production, however, stick with the documented method and include the key to be on the safe side.

Next is the [NewRequest] section, which consists of the following parameters: Subject – the certificate name (the common name), Organization, Organizational Unit, Location, State (for the US), and Country.

KeySpec – Determines if the key can be used for signatures, for encryption, or for both. The "1" I assigned to it means that the key could be used for both signatures and encryption.

KeyLength – Defines the length of the public and private key.

Exportable – If this attribute is set to TRUE, the private key can be exported with the certificate.

MachineKeySet – If this is set to TRUE, it tells the tool that the certificate request should be created on behalf of a computer; the key material must be created in the machine’s security context and not the administrator’s security context.

SMIME – If this parameter is set to TRUE, an extension with the object identifier value 1.2.840.113549.1.9.15 is added to the request. I don’t need this extension, so I set it to FALSE.

PrivateKeyArchive – The PrivateKeyArchive setting works only if the corresponding RequestType is set to "CMC" because only the Certificate Management Messages over CMS (CMC) request format allows for securely transferring the requester’s private key to the CA for key archival. Since I’m using PKCS10, I set this to FALSE.

UserProtected – This option gives additional protection and is set to TRUE if you want permission to be requested every time a private key is used. I don’t need that, so I set it to FALSE.

UseExistingKeySet – This parameter is used to specify whether or not an existing key pair should be used in building a certificate request.

ProviderName – Specifies the name of the cryptographic service provider that will generate and store the key. To see all available providers, run certutil -csplist from a command line.

ProviderType – The provider type selects providers by a specific algorithm capability, such as "RSA Full," which corresponds to 1.

RequestType – Determines the standard that is used to generate and send the certificate request.

KeyUsage – Defines the purpose of the public key contained in the certificate. "0xa0" corresponds to the decimal value 160 and means the key may be used for digital signatures, which are often used for entity authentication and data origin authentication, and for key encipherment, which is used by protocols that encrypt keys. SSL is a good example of such a protocol.

In the [EnhancedKeyUsageExtension] section, I entered only one value: OID=1.3.6.1.5.5.7.3.1. This restricts the usage of the certificate I’m requesting to server authentication.

After that, I just need to save the INF file with the Out-File cmdlet, run the certreq utility against it, and direct the output to $CSRPath.
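As an added example (not the article's own script), here is one way to assemble the pieces described above into a single Invoke-Command call; the server name, subject fields, key length and provider name are assumptions, and the INF keys and values follow the sections discussed in the text.

```powershell
# Added example, not the article's script: builds the INF described above and runs
# certreq.exe on a remote server through Invoke-Command, then decodes the result.
$Server   = 'SERVER01'            # placeholder remote computer name (assumption)
$CertName = 'www.example.com'     # friendly name / common name of the request

Invoke-Command -ComputerName $Server -ArgumentList $CertName -ScriptBlock {
    param([string]$CertName)

    $INFPath   = "C:\Temp\$CertName.inf"   # INF template consumed by certreq
    $CSRPath   = "C:\Temp\$CertName.req"   # resulting PKCS10 request file
    $Signature = '$Windows NT$'            # [Version] signature; single quotes keep the $ literal

    # Subject fields are placeholders; KeyLength 2048 and the provider are assumptions
    # (the article does not state which it used). The remaining values match the text.
    $INF = @"
[Version]
Signature="$Signature"

[NewRequest]
Subject="CN=$CertName,O=Example Org,OU=IT,L=Seattle,S=WA,C=US"
KeySpec=1
KeyLength=2048
Exportable=TRUE
MachineKeySet=TRUE
SMIME=FALSE
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType=1
RequestType=PKCS10
KeyUsage=0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@

    New-Item -ItemType Directory -Path (Split-Path $INFPath) -Force | Out-Null
    $INF | Out-File -FilePath $INFPath -Encoding ascii

    # Generate the request; the private key is created in the machine store (MachineKeySet=TRUE)
    certreq.exe -new $INFPath $CSRPath
    if ($LASTEXITCODE -ne 0) { throw "certreq failed on $env:COMPUTERNAME (exit code $LASTEXITCODE)" }

    # Decode the request locally to check subject, key usage and EKU before submitting it
    certutil.exe -dump $CSRPath
}
```

Running it for several servers is a matter of looping over a list of names and passing each one to Invoke-Command.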

And here is my certificate request:

Certificate request file

Here is the same request decoded with openssl:

Decoded certificate request

Now I can submit my request file to the certification authority and get the certificate after it is issued.

1 Comment
  1. Micah Rairdon 4 months ago

    This will definitely come in handy, Alex, thanks!
