Microsoft's documentation, for example for Protect-CmsMessage, always describes issuing a self-signed certificate for document encryption with certreq.exe. You put the data for the certificate request into an .inf file following this pattern:
[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "cn=me@somewhere.com"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha1
Exportable = true
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = "Years"
ValidityPeriodUnits = "1000"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"

To request the certificate, use the command:

certreq -new <Name-of-INF-file>.inf <Name-of-Certificate>.cer
The certificate is automatically copied to the local certificate store of the logged-on user. If needed, you can export it and transfer it via GPO to the computers on which you want to encrypt data.
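The following PowerShell script is an added example, not code from the article or from Microsoft. It writes the INF shown above to a file, issues the self-signed certificate with certreq.exe, verifies that the installed certificate actually carries the Document Encryption EKU, the KeyEncipherment key usage and a private key (the three things Protect-CmsMessage needs), and then round-trips a message. It assumes a Windows client with certreq.exe and PowerShell 5.1 or later and uses the article's subject "cn=me@somewhere.com"; the hash algorithm Sha256 and the 5-year validity are this example's own choices and differ from the article's INF (Sha1, 1000 years). The function names New-DocumentEncryptionCert and Test-DocumentEncryptionCert are hypothetical helpers defined here.

```powershell
# Added example (not from the article or Microsoft docs): issue the self-signed
# document-encryption certificate from the INF, verify it, and round-trip a message.
# Assumptions: Windows with certreq.exe, PowerShell 5.1+, subject as in the article.
# Sha256 and ValidityPeriodUnits = 5 are this example's choices (article: Sha1, 1000).

$ErrorActionPreference = 'Stop'
$DocumentEncryptionOid = '1.3.6.1.4.1.311.80.1'

# Single-quoted here-string so "$Windows NT$" is written literally, not expanded.
$inf = @'
[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "cn=me@somewhere.com"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha256
Exportable = true
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = "Years"
ValidityPeriodUnits = "5"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"
'@

function New-DocumentEncryptionCert {
    # Hypothetical helper: writes the INF to %TEMP%, runs certreq, and returns the
    # installed certificate from Cert:\CurrentUser\My (MachineKeySet = false puts it there).
    param([string]$InfText)

    $infPath = Join-Path $env:TEMP 'docenc.inf'
    $cerPath = Join-Path $env:TEMP 'docenc.cer'
    Set-Content -Path $infPath -Value $InfText -Encoding ASCII
    Remove-Item -Path $cerPath -ErrorAction SilentlyContinue   # avoid certreq's overwrite prompt

    & certreq.exe -new $infPath $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

    # The .cer holds only the public part; its thumbprint locates the store entry that has the key.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
    return Get-Item -Path "Cert:\CurrentUser\My\$($public.Thumbprint)"
}

function Test-DocumentEncryptionCert {
    # Hypothetical helper: true when the certificate has the Document Encryption EKU,
    # the KeyEncipherment key usage and a private key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    $hasEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $DocumentEncryptionOid }))
    $hasKu  = [bool]($ku  -and (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) -ne 0))
    return ($hasEku -and $hasKu -and $Certificate.HasPrivateKey)
}

$cert = New-DocumentEncryptionCert -InfText $inf
if (-not (Test-DocumentEncryptionCert -Certificate $cert)) {
    throw "Certificate $($cert.Thumbprint) is not usable for document encryption."
}

# Round trip: encrypt to the certificate object, decrypt with its private key.
$cms   = 'test' | Protect-CmsMessage -To $cert
$plain = Unprotect-CmsMessage -Content $cms
if ($plain -ne 'test') { throw 'CMS round trip failed.' }

"Issued $($cert.Subject) ($($cert.Thumbprint)); CMS round trip OK."
```

Passing the certificate object to -To, rather than a subject string, makes the recipient unambiguous even when several certificates with the same CN sit in the store; the verification function is the check to run first whenever Protect-CmsMessage reports that it cannot load the encryption certificate.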
Creating a template for enterprise CA
If you prefer a certificate issued by an internal Windows CA instead of a self-signed certificate, the required template is missing by default. If you want to create one, you can follow the settings of the above .inf file.
First, open the Certificate Templates Console, certtmpl.msc, and duplicate a suitable existing template. In our example, we will use the template User.
Then assign the name for the new template under the General tab and determine the template's period of validity.
Next, change the purpose on the Request Handling tab to Encryption. Here, you can also allow the private key to be exported if certificates for document encryption are needed on several computers to decrypt documents.
As with the .inf file shown above, the key length should be at least 2048 bits; the corresponding setting is found on the Cryptography tab.
Configure the necessary settings on the Extensions tab. Here, we edit the Application Policies and remove all existing entries. Instead, we add Document Encryption.
By default, the template's key usage corresponds to CERT_KEY_ENCIPHERMENT_KEY_USAGE in the .inf file, which is sufficient for the task described here. If you also want CERT_DATA_ENCIPHERMENT_KEY_USAGE, edit the Key Usage entry and select the Allow encryption of user data option in the next dialog box.
Finally, use the Security tab to make sure all users who will request a certificate based on this template have the Enroll permission.
Requesting a certificate
Now you can request your certificate using certmgr.msc. If you can't find your new template in the list or it has a status of Unavailable in the extended view, then try this troubleshooting tip.
In the details, enter the subject name in the format specified in the template. Under Private key > Key options, make sure it is exportable, if required.
After you click Enroll, the new certificate should appear in the store of the Current User.
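The same enrollment can be scripted instead of clicking through certmgr.msc. The script below is an added example, not the article's code: it requests a certificate from the enterprise CA template with Get-Certificate (PKIClient module), lists every certificate in the user store that qualifies for document encryption, and encrypts to the new certificate by thumbprint. It assumes a domain-joined client whose enrollment policy is discovered from Group Policy, a template whose Subject Name tab is set to supply the name in the request, and the template name 'DocumentEncryption', which is a placeholder for the name you gave the template (the template name, not its display name). Request-DocumentEncryptionCert and Get-DocumentEncryptionCert are hypothetical helper names defined here.

```powershell
# Added example (not from the article): enroll from the enterprise CA template,
# inventory usable document-encryption certificates, and encrypt by thumbprint.
# Assumptions: domain-joined client, auto-discovered enrollment policy, template
# name 'DocumentEncryption' (placeholder), subject supplied in the request.

$ErrorActionPreference = 'Stop'
$DocumentEncryptionOid = '1.3.6.1.4.1.311.80.1'
$TemplateName = 'DocumentEncryption'   # placeholder: the name you chose in certtmpl.msc

function Request-DocumentEncryptionCert {
    # Hypothetical helper: enrolls against the template and returns the issued certificate.
    param([string]$Template, [string]$Subject)

    $result = Get-Certificate -Template $Template -SubjectName $Subject -CertStoreLocation Cert:\CurrentUser\My
    if ($result.Status -ne 'Issued') {
        # Typical causes: missing Enroll permission on the template, or the template
        # not published on any CA (shown as Unavailable in certmgr.msc).
        throw "Enrollment did not complete; status is '$($result.Status)'."
    }
    return $result.Certificate
}

function Get-DocumentEncryptionCert {
    # Hypothetical helper: every CurrentUser\My certificate with the Document Encryption
    # EKU and a private key. EnhancedKeyUsageList is added by the Cert: provider.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $DocumentEncryptionOid) }
}

$issued = Request-DocumentEncryptionCert -Template $TemplateName -Subject 'CN=me@somewhere.com'

$candidates = @(Get-DocumentEncryptionCert)
if ($candidates.Count -eq 0) { throw 'No document-encryption certificate with a private key in the user store.' }

# Renewals or a leftover self-signed certificate can share the same CN; the thumbprint
# names exactly one certificate, so it is the safest value to pass to -To.
$outFile = Join-Path $env:TEMP 'secret.cms'
'test' | Protect-CmsMessage -To $issued.Thumbprint -OutFile $outFile
$plain = Unprotect-CmsMessage -Path $outFile
if ($plain -ne 'test') { throw 'CMS round trip failed.' }

$candidates | Select-Object Subject, Issuer, Thumbprint, NotAfter
```

The final table is worth keeping as a routine check: a certificate that is missing from it either lacks the Document Encryption application policy (compare the Extensions tab settings above) or was imported without its private key, and Protect-CmsMessage will not accept it in either case.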
Hi Wolfgang,
I followed your tutorial, but when I want to encrypt
"test" | Protect-CmsMessage -To CN=MyCN -OutFile toto.txt
I have this error
Protect-CmsMessage : Cannot load encryption certificate. The certificate setting 'CN=MyCN' does not represent a valid base-64 encoded certificate
I created my template from my enterprise CA as you explained
Thanks for your help
Franck