The usual procedure for creating a certificate request is to launch IIS Manager or the Certificates MMC snap-in and use the wizard shown below:
As usual, the GUI is fine for a one-time request. However, if you need to create several requests, PowerShell is the better option. The certreq.exe command line utility can do the same job; its help screen is shown below.
As with the GUI, you have to run the tool on each server individually. However, because certreq.exe can build a request from a preconfigured .inf file, it can be driven from a PowerShell script to speed up the process:
```powershell
# The certificate name is set locally so that it is available both to the
# Write-Host below and, via $using:, to the remote script block.
$CertName = "newcert.contoso.com"
Write-Host "Creating CertificateRequest(CSR) for $CertName `r "

Invoke-Command -ComputerName testbox -ScriptBlock {
    $CertName  = $using:CertName
    $CSRPath   = "c:\temp\$($CertName)_.csr"
    $INFPath   = "c:\temp\$($CertName)_.inf"
    $Signature = '$Windows NT$'   # single quotes: keep the literal $ signs

    # INF template for certreq.exe; $CertName and $Signature expand in the here-string
    $INF = @"
[Version]
Signature= "$Signature"

[NewRequest]
Subject = "CN=$CertName, OU=Contoso East Division, O=Contoso Inc, L=Boston, S=Massachusetts, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@

    Write-Host "Certificate Request is being generated `r "
    $INF | Out-File -FilePath $INFPath -Force
    # certreq.exe creates the key pair in the machine store and writes the CSR
    certreq -new $INFPath $CSRPath
}

Write-Output "Certificate Request has been generated"
```
I decided to run this script from an admin workstation to save the time it takes to log on to a remote computer. Thus, I’m using the Invoke-Command cmdlet to run the entire script on the remote machine.
The first variable sets the certificate name, which becomes the common name (CN) of the subject. The next two variables are the paths to the certificate request files: the .csr file that certreq.exe will write and the .inf file it uses as a template. The fourth variable holds the Signature value that is used in the INF file.
Then, I create the INF file content and save the data to the $INF variable, which I’ll use later for creating the file itself. This involves a few sections and a lot of key words.
First, there is the [Version] section, with the Signature key under it. This section is mandatory; the Signature key indicates the operating system family for which this INF is valid. For testing purposes, I could create the INF file without this key and still process it successfully with the certreq utility. However, in production, stick with the documented method and include the key to be on the safe side.
Next is the [NewRequest] section, which consists of the following parameters: Subject – the distinguished name of the certificate: the common name (CN, here the server's FQDN), organizational unit (OU), organization (O), locality (L), state (S, the US state here), and country (C).
KeySpec – Determines whether the key can be used for signatures, for encryption, or for both. The value 1 (AT_KEYEXCHANGE) means the key can be used for both signing and key exchange.
KeyLength – Defines the length of the key pair in bits. 2048 is the minimum you should use for RSA today.
Exportable – If this attribute is set to TRUE, the private key can be exported with the certificate (for example, into a .pfx file). Set it to FALSE unless you actually need to move the key to another machine: an exportable key can be copied out of the certificate store by anyone with local administrator rights on the server.
MachineKeySet – If this is set to TRUE, it tells the tool that the certificate request should be created on behalf of a computer; the key material must be created in the machine’s security context and not the administrator’s security context.
SMIME – If this parameter is set to TRUE, an extension with the object identifier 1.2.840.113549.1.9.15 (S/MIME capabilities) is added to the request. A web server certificate doesn't need this extension, so I set it to FALSE.
PrivateKeyArchive – The PrivateKeyArchive setting works only if the corresponding RequestType is set to "CMC" because only the Certificate Management Messages over CMS (CMC) request format allows for securely transferring the requester’s private key to the CA for key archival. Since I’m using PKCS10, I set this to FALSE.
UserProtected – If set to TRUE, Windows prompts for permission every time the private key is used. That is no use on an unattended web server, so I set it to FALSE.
UseExistingKeySet – Specifies whether an existing key pair should be reused for the request. FALSE generates a fresh key pair.
ProviderName – The cryptographic service provider that generates and stores the key. To list all available providers, run certutil -csplist from a command line.
ProviderType – Selects a provider family by algorithm capability; for example, 1 corresponds to "RSA Full." The script uses 12 ("RSA SChannel"), which matches the Microsoft RSA SChannel Cryptographic Provider named above.
RequestType – Determines the format that is used to generate and send the certificate request; PKCS10 here.
KeyUsage – Defines the purpose of the public key contained in the certificate. "0xa0" (decimal 160) is the bitwise OR of 0x80, digital signature, which is used for entity authentication and data origin authentication, and 0x20, key encipherment, which is used by protocols that encrypt keys. TLS with RSA key exchange is a good example of such a protocol.
In the [EnhancedKeyUsageExtension] section, I entered only one value: OID=1.3.6.1.5.5.7.3.1. This restricts the usage of the certificate I’m requesting to server authentication.
After that, I just need to save the INF file with Out-File, run the certreq utility against it, and have it write the request to $CSRPath.
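The post's script hard-codes one server and one name. As an added example (not the original post's code), the function below wraps the same INF-plus-certreq.exe procedure so it can be run for a list of servers from the admin workstation, and goes one step beyond the post's INF by adding a Subject Alternative Name extension, which browsers require for host name matching. Server names, DN values, paths and SAN entries are placeholders. Unlike the post's INF, it sets Exportable = FALSE so the key cannot be lifted out of the store.

```powershell
function New-ServerCsr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # server that will own the key
        [Parameter(Mandatory)][string]$CertName,       # CN, e.g. web01.contoso.com (placeholder)
        [string[]]$DnsNames = @(),                     # extra SAN names; goes beyond the post's INF
        [string]$OrgUnit   = 'Contoso East Division',
        [string]$Org       = 'Contoso Inc',
        [string]$City      = 'Boston',
        [string]$State     = 'Massachusetts',
        [string]$Country   = 'US',
        [string]$RemoteDir = 'C:\temp'
    )

    # Only print values that exist in the local session; the post's script printed
    # $CertName before the remote script block had assigned it.
    Write-Host "Creating certificate request (CSR) for $CertName on $ComputerName"

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # $using: copies the caller's parameters into the remote session.
        $certName  = $using:CertName
        $remoteDir = $using:RemoteDir
        $orgUnit   = $using:OrgUnit
        $org       = $using:Org
        $city      = $using:City
        $state     = $using:State
        $country   = $using:Country

        New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
        $infPath = Join-Path $remoteDir "$certName.inf"
        $csrPath = Join-Path $remoteDir "$certName.csr"

        # SAN list: the CN itself plus any extra names (browsers ignore the CN).
        $names = @($certName)
        foreach ($n in $using:DnsNames) { if ($n) { $names += $n } }
        $sanLine = ($names | ForEach-Object { "dns=$_" }) -join '&'

        # Backticks keep the literal $ signs of the Signature value in the here-string.
        $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$certName, OU=$orgUnit, O=$org, L=$city, S=$state, C=$country"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}$sanLine"
"@
        Set-Content -Path $infPath -Value $inf -Encoding ASCII -Force

        # certreq.exe writes the CSR and parks the new private key in the machine
        # store until the issued certificate is installed with certreq -accept.
        $output = & certreq.exe -new -q $infPath $csrPath 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "certreq -new failed on $env:COMPUTERNAME : $output"
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            CsrPath  = $csrPath
            Csr      = Get-Content -Path $csrPath -Raw
        }
    }
}

# Usage from the admin workstation; server names and SAN entries are placeholders.
$servers = @(
    @{ ComputerName = 'web01'; CertName = 'web01.contoso.com'; DnsNames = @('www.contoso.com') },
    @{ ComputerName = 'web02'; CertName = 'web02.contoso.com' }
)
New-Item -ItemType Directory -Path 'C:\csr' -Force | Out-Null
foreach ($s in $servers) {
    $r = New-ServerCsr @s
    Set-Content -Path "C:\csr\$($r.Computer).csr" -Value $r.Csr   # local copy for the CA
}
```

Before sending anything to the CA, certutil -dump C:\csr\web01.csr shows the subject, key length, key usage and SAN that actually ended up in the request, which is the quickest way to catch a typo in the INF.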
And here is my certificate request:
Here is the same request decoded with openssl:
Now I can submit my request file to the certification authority and get the certificate after it is issued.
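The post stops at the CSR. As an added example (not from the original post), the function below finishes the job for an enterprise CA: it submits the CSR from the admin workstation, pushes the issued certificate back to the server that holds the pending private key, installs it with certreq -accept, and verifies that the certificate sits in LocalMachine\My with its private key attached. The CA config string, template name and paths are placeholders.

```powershell
function Complete-ServerCsr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # server that generated the CSR and holds the key
        [Parameter(Mandatory)][string]$CsrPath,        # local copy of that server's .csr
        [Parameter(Mandatory)][string]$CaConfig,       # "CAHOST\CA common name"; certutil -config - -ping lists CAs
        [string]$Template = 'WebServer'                # assumed template name on the CA
    )
    $cerPath = [System.IO.Path]::ChangeExtension($CsrPath, '.cer')

    # Submit from the workstation with the admin's own credentials. Submitting from
    # inside the remote session would hit the Kerberos double-hop problem.
    $out = & certreq.exe -submit -q -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $cerPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed: $out" }
    if (-not (Test-Path -Path $cerPath)) {
        # Template requires CA manager approval, so nothing was issued yet. The
        # output contains the RequestId; fetch the certificate later with
        # certreq -retrieve <RequestId> <cerPath> -config <CaConfig>
        throw "Request is pending approval: $out"
    }

    $cerBytes = [System.IO.File]::ReadAllBytes($cerPath)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $remoteCer = Join-Path $env:TEMP 'issued.cer'
        [System.IO.File]::WriteAllBytes($remoteCer, $using:cerBytes)

        # certreq -accept must run where the private key lives: it matches the issued
        # certificate to the pending request and installs it in LocalMachine\My.
        $out = & certreq.exe -accept -q $remoteCer 2>&1
        if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed on $env:COMPUTERNAME : $out" }

        $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $remoteCer
        $installed = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
        if (-not $installed -or -not $installed.HasPrivateKey) {
            throw "Certificate $($issued.Thumbprint) is not in LocalMachine\My with its private key"
        }
        Remove-Item -Path $remoteCer -Force
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Thumbprint    = $installed.Thumbprint
            Subject       = $installed.Subject
            NotAfter      = $installed.NotAfter
            HasPrivateKey = $installed.HasPrivateKey
        }
    }
}

# Usage; CA name and paths are placeholders.
Complete-ServerCsr -ComputerName 'web01' -CsrPath 'C:\csr\web01.csr' -CaConfig 'ca01.contoso.com\Contoso Issuing CA'
```

The HasPrivateKey check is the one that matters: if the certificate is installed on a different machine than the one that ran certreq -new, or the pending request was deleted in between, the certificate lands in the store without a key and IIS cannot bind it.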
This will definitely come in handy, Alex. Thanks!
Hi there,
How do you select the User Principal Name from the Subject tab and the Client Authentication option from the Extensions tab with the script?
Thanks.
I came up with a very similar script but I seem to have hit the double hop issue – did you not come across this? I am using Windows 2016.
Awesome blog!!! Thanks for the detailed information; these clear instructions help a lot. I am also looking for an option to import a signed certificate via the command line and then export it with the key to make a .pfx file.
It would be nice to get that option if you have one ready, or your thoughts on it.
Top, thanks!!
I wonder if anyone has developed a similar script, or a variant, for user enrollment of a verification cert with CertMgr. We want to start at the "certificate enrollment" prompt in the wizard.