If a certificate request exists, for example after manual generation, in the form of a text file (usually with the extension .CSR or .REQ), it can be sent to the certification authority using on-board means.
Requirements
The following requirements must be met in order to send the certificate request to the certification authority:
- The user and computer accounts must be members of the same Active Directory forest.
- The right to submit certificate requests to the Certification Authority.
- The right on the certificate template to be able to submit certificate requests.
The following information is required:
- The name of the Certification Authority.
- The computer name of the server on which the certificate authority is operated.
- The object name of the desired certificate template.
Optional: Inspect the certificate request
The certificate request can be checked with the following command line command before transferring it to the certification authority:
certutil -dump {certificate request}
Sending the certificate request to the certification authority
Afterwards, the certificate request can be sent to the certification authority using the following command line command:
certreq -submit -attrib "CertificateTemplate:{name-of-the-certificate-template}" -submit {certificate-request}.req
Note that the name of the certificate template is specified with the -attrib argument. Here the name of the LDAP object is to be used, not the display name of the certificate template (mostly this is the display name without spaces).
One is prompted to select the certification authority.
After entering the command, you will be prompted to select a target certification authority, after which the certificate request will be sent to it.
Issuing the requested certificate
At the target certification authority, the certificate request now appears on the list of pending certificate requests and can be issued there by a certificate manager after verification.
Picking up the issued certificate
Back on the requesting system, the issued certificate can now be retrieved by specifying the request ID:
certreq -retrieve {request ID}
Extended command line arguments for certreq
The -config argument
The -config argument can be used to specify the certification authority to be used or the certificate enrollment web service (CES) to be used. The certification authority is specified in the format "{servername}\{name-of-CA}".
Example:
certreq -config "CA03.intra.adcslabor.de\ADCS Labor Issuing CA 2" -submit "C:\Users\rudi\Desktop\test.req"
The -username argument and the -p argument
If the certificate request is sent to a certificate enrollment web service (CES), authentication with username and password is also possible. The username can be specified with the -username argument. It is necessary to specify the user's password with the -p argument.
Example:
certreq -username "INTRA\rudi" -p "password" -config "https://ces01.intra.adcslabor.de/ADCSLaborIssuingCA2_CES_UsernamePassword/service.svc/CES" -submit "C:\Users\rudi\Desktop\test.req"
The -kerberos argument
If the certificate request is sent to a certificate enrollment web service (CES), authentication via Kerberos is also possible. If one wishes to perform Kerberos authentication, this must be specified with the -kerberos argument.
Example:
certreq -kerberos -config "https://ces01.intra.adcslabor.de/ADCSLaborIssuingCA2_CES_Kerberos/service.svc/CES" -submit "C:\Users\rudi\Desktop\test.req"
Include the issued certificate as an argument
If the certificate issued by the certification authority is to be written directly to a file, the file name can be specified as the last argument.
Example:
English 
Deutsch
4 thoughts on “Eine manuell erstellte Zertifikatanforderung an eine Zertifizierungsstelle senden”
Comments are closed.