Manually requesting a web server certificate

There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Preliminary work

If the certificate request is to be answered by an Active Directory integrated certification authority, a corresponding certificate template must be defined for this authority. The procedure for this is described in the article "Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server".

Generate the key pair and certificate request

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and makes it possible to apply policies in order to securely automate certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and used free of charge.

There are several ways to create the key pair and certificate request. The following two methods are described below:

  • Generate the certificate request using Windows on-board tools (certreq.exe)
  • Generating the certificate request with the PSCertificateEnrollment PowerShell module

Generate the certificate request using Windows on-board tools (certreq.exe)

If the certificate request is to be created using Windows on-board tools, an information file (.inf) for the certificate request must first be created.

The information file must be saved with UTF-8 encoding. If the encoding is different, the creation of the certificate request will fail (see the article "Creation of a manual certificate request fails with error message "Expected INF file section name 0xe0000000"").

The following file generates a certificate request for an SSL certificate that contains a 3072-bit key and "test.intra.adcslabor.de" both as the "commonName" within the subject and as the "dNSName" within the Subject Alternative Name.

[Version]
Signature="$Windows NT$"

[Strings]
; Adapt the following variable to the environment
SERVER_FQDN = "test.intra.adcslabor.de"

; Do not edit the following strings
; ----------------------------------------------------------------

szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

[NewRequest]
Subject = "CN=%SERVER_FQDN%"
Exportable = FALSE
MachineKeySet = True
KeyLength = 3072
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
ProviderName = "Microsoft Software Key Storage Provider"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=%SERVER_FQDN%"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

For background information on each option, see the following articles:

Now a key pair and a certificate request can be generated using this information file. The following command generates the certificate request.

certreq.exe -new {information file}.inf {certificate request}.req

A certificate request with file extension .req is generated from the .inf file.

The command must be executed on the system on which the certificate is to be used later. The key pair is generated on this system, and the private key never leaves it.
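As an added example (not from the original article), the following PowerShell function writes the INF file shown above in UTF-8 encoding, runs certreq.exe -new and checks the resulting request with certutil; it goes beyond the single-name case by allowing several DNS names in the Subject Alternative Name, which certreq's {text} syntax supports with "&" as separator. The function name New-WebServerCsr, its parameters and the additional host name are assumptions.

```powershell
function New-WebServerCsr {
    # Assumed helper (not part of the article); run elevated on the target system
    param(
        [Parameter(Mandatory)] [string] $ServerFqdn,
        [string[]] $ExtraDnsNames = @(),
        [int]      $KeyLength     = 3072,
        [string]   $OutDir        = $env:TEMP
    )
    $allNames = @($ServerFqdn) + $ExtraDnsNames
    # certreq's {text} syntax accepts several SAN entries joined with "&"
    $sanValue = ($allNames | ForEach-Object { "dns=$_" }) -join '&'
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$ServerFqdn"
Exportable = FALSE
MachineKeySet = True
KeyLength = $KeyLength
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
ProviderName = "Microsoft Software Key Storage Provider"

[Extensions]
; 2.5.29.17 = subjectAltName, 2.5.29.37 = extendedKeyUsage (serverAuth)
2.5.29.17 = "{text}$sanValue"
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1"
"@
    $infPath = Join-Path $OutDir "$ServerFqdn.inf"
    $reqPath = Join-Path $OutDir "$ServerFqdn.req"

    # UTF-8 without byte-order mark; for this ASCII-only content the bytes are
    # identical to an ANSI file, which certreq.exe parses without complaint
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($infPath, $inf, $utf8NoBom)

    & certreq.exe -new $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe -new failed (exit code $LASTEXITCODE)" }

    # Verify the request before sending it: every DNS name must appear in the dump
    $dump = & certutil.exe -dump $reqPath
    foreach ($name in $allNames) {
        if (-not ($dump -match [regex]::Escape("DNS Name=$name"))) {
            throw "Request $reqPath does not contain DNS name '$name'"
        }
    }
    return $reqPath
}

New-WebServerCsr -ServerFqdn 'test.intra.adcslabor.de' -ExtraDnsNames 'test'  # constructed values
```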

Generating the certificate request with the PSCertificateEnrollment PowerShell module

The PSCertificateEnrollment PowerShell module can be obtained from the PowerShell Gallery and then loaded.

Install-Module -Name PSCertificateEnrollment
Import-Module -Name PSCertificateEnrollment

To create the certificate request, Windows PowerShell must be started as an administrator, since the key pair for a web server should usually be created in the system context.

The following command generates a certificate request for an SSL certificate that contains a 3072-bit key and "test.intra.adcslabor.de" both as the common name within the subject and as the DNS name within the Subject Alternative Name.

New-CertificateRequest `
-Machine `
-EnhancedKeyUsage ServerAuthentication `
-KeyLength 3072 `
-Subject "CN=test.intra.adcslabor.de" `
-DnsName "test.intra.adcslabor.de"

With the -Exportable argument, it can optionally be specified that the private key should be exportable.

Verify the certificate request

The generated certificate request can be inspected with the following command:

certutil -dump {certificate request}.req

See also the article "Inspect a certificate request (CSR)".

Sending the certificate request to the certification authority

Sending a certificate request to a certification authority and collecting the issued certificate is described in the article "Send a manually created certificate request to a certification authority".

Installation of the issued certificate

The issued certificate is now copied to the computer, where it must be installed in the certificate store and linked to the private key. This is done with the following command:

certreq -accept {filename certificate}
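An added check (not from the article) that can be run after certreq -accept: it confirms that the certificate for the server name is in the machine store, is linked to a private key, carries the DNS name in the Subject Alternative Name and the Server Authentication EKU, and chains to a root trusted on this machine. The function name Test-InstalledWebServerCert is an assumption.

```powershell
function Test-InstalledWebServerCert {
    # Assumed helper (not part of the article); returns a list of findings, empty if all is well
    param([Parameter(Mandatory)] [string] $ServerFqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $findings = @()

    # certreq -accept with MachineKeySet=True lands the certificate in LocalMachine\My
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServerFqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @("No certificate with subject CN=$ServerFqdn in LocalMachine\My") }

    # Without the link to the private key the web server cannot use the certificate
    if (-not $cert.HasPrivateKey) { $findings += 'Certificate is not linked to a private key' }

    # Clients validate the DNS name against the SAN, not against the common name
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($ServerFqdn)) {
        $findings += 'Subject Alternative Name missing or without the server DNS name'
    }

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)) {
        $findings += 'Enhanced Key Usage does not include Server Authentication'
    }

    # The issuing chain must validate here, otherwise clients will not trust it either
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings += "Chain does not build: $status"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate expires on $($cert.NotAfter)"
    }
    return $findings
}

Test-InstalledWebServerCert -ServerFqdn 'test.intra.adcslabor.de'
```

An empty result means the certificate is ready to be bound to the web server; each finding names the step to revisit.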

Activation of the certificate and subsequent function test

The certificate must now be bound to the specific application (for example, Internet Information Services). This process is specific to the web server product in question.
