Send a manually created certificate request to a certification authority

If a certificate request exists as a text file (usually with the extension .CSR or .REQ), for example after manual generation, it can be sent to the certification authority with the tools built into Windows (certreq and certutil).

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and used free of charge.

Requirements

The following requirements must be met in order to send the certificate request to the certification authority:

  • The user and computer accounts must be members of the same Active Directory forest.
  • The right to submit certificate requests to the Certification Authority.
  • The right on the certificate template to be able to submit certificate requests.

The following information is required:

  • The name of the Certification Authority.
  • The computer name of the server on which the certificate authority is operated.
  • The object name of the desired certificate template.

Optional: Inspect the certificate request

The certificate request can be checked with the following command line command before transferring it to the certification authority:

certutil -dump {certificate request}

Sending the certificate request to the certification authority

Afterwards, the certificate request can be sent to the certification authority using the following command line command:

certreq -submit -attrib "CertificateTemplate:{name-of-the-certificate-template}" {certificate-request}.req

Note that the name of the certificate template is specified with the -attrib argument. The name of the LDAP object (the template's object name) must be used here, not its display name; in most cases the object name is the display name without spaces.

One is prompted to select the certification authority.

After entering the command, you will be prompted to select a target certification authority, after which the certificate request will be sent to it.

Issuing the requested certificate

At the target certification authority, the certificate request now appears on the list of pending certificate requests and can be issued there by a certificate manager after verification.

Picking up the issued certificate

Back on the requesting system, the issued certificate can now be retrieved by specifying the request ID:

certreq -retrieve {request ID}

Extended command line arguments for certreq

The -config argument

The -config argument can be used to specify the certification authority to be used or the certificate enrollment web service (CES) to be used. The certification authority is specified in the format "{servername}\{name-of-CA}".

Example:

certreq -config "CA03.intra.adcslabor.de\ADCS Labor Issuing CA 2" -submit "C:\Users\rudi\Desktop\test.req"

The -username argument and the -p argument

If the certificate request is sent to a certificate enrollment web service (CES), authentication with username and password is also possible. The username is specified with the -username argument and the user's password with the -p argument. Because the password is passed on the command line, it is visible in the shell history and in process listings (e.g. command-line auditing); where possible, prefer the Kerberos variant described below.

Example:

certreq -username "INTRA\rudi" -p "password" -config "https://ces01.intra.adcslabor.de/ADCSLaborIssuingCA2_CES_UsernamePassword/service.svc/CES" -submit "C:\Users\rudi\Desktop\test.req"

The -kerberos argument

If the certificate request is sent to a certificate enrollment web service (CES), authentication via Kerberos is also possible. If one wishes to perform Kerberos authentication, this must be specified with the -kerberos argument.

Example:

certreq -kerberos -config "https://ces01.intra.adcslabor.de/ADCSLaborIssuingCA2_CES_Kerberos/service.svc/CES" -submit "C:\Users\rudi\Desktop\test.req"

Include the issued certificate as an argument

If the certificate issued by the certification authority is to be written directly to a file, the file name can be specified as the last argument.
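The following PowerShell script is an added example and not part of the original article; it combines the steps above (inspecting the request, submitting it with an explicit certification authority and template, and retrieving the certificate) into one script and writes the issued certificate to a file via the last positional argument. The CA configuration string and the request path are taken from the article's examples; the template object name, the output path, and the certreq output strings that are matched ("RequestId:" and "Certificate request is pending") are assumptions based on typical certreq output and may need adjusting for your environment.

```powershell
# Added example, not from the original article.
# Submits a manually created request to a specific CA with a specific
# template, captures the request ID and, if the CA issued immediately,
# writes the certificate to $CertFile.
param(
    # CA config string "{servername}\{name-of-CA}" (value from the article's example)
    [string]$Config      = 'CA03.intra.adcslabor.de\ADCS Labor Issuing CA 2',
    # LDAP object name of the template, NOT its display name (hypothetical value)
    [string]$Template    = 'ADCSLaborWebServer',
    [string]$RequestFile = 'C:\Users\rudi\Desktop\test.req',
    # Assumed output path; the certificate is written here on immediate issuance
    [string]$CertFile    = 'C:\Users\rudi\Desktop\test.cer'
)

if (-not (Test-Path -LiteralPath $RequestFile)) {
    throw "Request file not found: $RequestFile"
}

# Step 1 (optional): show subject, key size and requested extensions before sending.
certutil -dump $RequestFile | Out-Host

# Step 2: submit. Output is captured so the request ID can be parsed.
# The last positional argument tells certreq where to write the issued certificate.
$output = & certreq.exe -submit -config $Config `
    -attrib "CertificateTemplate:$Template" $RequestFile $CertFile 2>&1 | Out-String
Write-Host $output

# certreq prints a line "RequestId: <n>" (assumed format) for both issued
# and pending requests; the ID is needed for -retrieve and for the CA manager.
if ($output -match 'RequestId:\s*(\d+)') {
    $requestId = [int]$Matches[1]
} else {
    throw "certreq did not return a request ID (exit code $LASTEXITCODE):`n$output"
}

# Step 3/4: either the request waits for a certificate manager, or it was issued.
if ($output -match 'Certificate request is pending') {
    Write-Host "Request $requestId is pending approval on '$Config'."
    Write-Host "After issuance, retrieve it on this system with:"
    Write-Host "  certreq -retrieve -config `"$Config`" $requestId `"$CertFile`""
} elseif (Test-Path -LiteralPath $CertFile) {
    # Compare what the CA actually issued against what was requested.
    Write-Host "Certificate for request $requestId written to $CertFile"
    certutil -dump $CertFile | Out-Host
} else {
    Write-Warning "Request $requestId neither pending nor written to $CertFile; check the output above."
}
```

Because the request ID is parsed from the text that certreq prints, verify the exact wording on your CA version once; if it differs, adjust the two regular expressions. The -retrieve command shown for the pending case uses the same -config value so that it is directed to the same certification authority that received the request.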

Example:
