Certreq.exe
The Certreq.exe utility allows you to create batch files that can submit, retrieve, and accept certificate requests submitted to standalone and enterprise CAs. The primary switches used with the Certreq.exe for certificate enrollment are:
■ Certreq -new Policyfile.inf RequestFile.req. Creates a certificate request file (RequestFile.req) based on the inputs provided in the Policyfile.inf file. The format of the Policyfile.inf file is shown here:
[NewRequest]
PrivateKeyArchive = FALSE
KeyLength = 1024
SMIME = TRUE
Exportable = TRUE
UserProtected = FALSE
KeyContainer = "..."
MachineKeySet = TRUE
Silent = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
UseExistingKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0x80
[RequestAttributes]
CertificateTemplate=User
■ Certreq -submit -config CADNSName\CALogicalName RequestFile.req. Submits the certificate request file to the designated enterprise CA. The command returns the request ID of the submitted certificate request.
■ Certreq -retrieve -config CADNSName\CALogicalName RequestID Certfile.cer. Retrieves the issued certificate from the designated CA. The issued certificate is stored to the local file system in the designated Certfile.cer.
■ Certreq -accept Certfile.cer. Ties the returned certificate to the private key generated during the creation of the certificate request file. Once accepted, the certificate can be used for the intended encryption or signing operations.
Note There are additional settings that can be implemented in the PolicyFile.inf file, but those settings are more likely to be required when you submit a certificate request to a standalone CA. When you submit the request to an enterprise CA, most of these additional settings are defined in the certificate template properties.
Another Tool for Generating PolicyFile.inf
The compact disc with this book includes the RequestEditor.exe utility and associated files. The utility provides a graphical interface for creating the PolicyFile.inf file, which is used to generate a certificate request file.
RequestEditor.exe can be used to generate both CAPolicy.inf files and a .inf file for creating user or computer certificate request files. On the General tab, you can select the more common settings for a certificate request. (See Figure 12-5.)
Figure 12-5 Creating PolicyFile.inf with RequestEditor.exe
If you are submitting a request to an enterprise CA, the generated PolicyFile.inf requires minor editing. You must add the [RequestAttributes] section indicating which certificate template is being requested. For example, if you wanted to request the User certificate template, you would add the following section at the bottom of the PolicyFile.inf file:
[RequestAttributes]
CertificateTemplate=User
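The four-step enrollment sequence described above (-new, -submit, -retrieve, -accept) and the [RequestAttributes] section required for an enterprise CA, combined into one unattended script. This is an added example, not code from the book or its companion disc; the CA configuration string and the working directory are placeholders, and the key length and Exportable setting differ from the sample PolicyFile.inf above (2048-bit, non-exportable key) as a hardening choice of this example.

```powershell
# Added example: unattended Certreq.exe enrollment against an enterprise CA.
# $CAConfig is an assumed placeholder in CADNSName\CALogicalName form.
param(
    [string]$CAConfig = 'ca01.example.com\Example Issuing CA',
    [string]$Template = 'User',                  # certificate template to request
    [string]$WorkDir  = "$env:TEMP\certreq-demo" # assumed scratch location
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'PolicyFile.inf'
$req = Join-Path $WorkDir 'RequestFile.req'
$cer = Join-Path $WorkDir 'Certfile.cer'

# Enterprise CA: the template supplies most settings, so the .inf stays short
# and [RequestAttributes] names the template. Exportable = FALSE keeps the
# private key from being exported from this machine after enrollment.
@"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10
KeyUsage = 0x80

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS #10 request file.
certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit the request; capture the request ID certreq prints.
$output = certreq -submit -config $CAConfig $req $cer 2>&1
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed: $output" }
$m = $output | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $m) { throw "no RequestId in certreq output: $output" }
$requestId = $m.Matches[0].Groups[1].Value

# 3. Retrieve the certificate if the CA held the request (pending) and did not
#    return it with -submit; a still-pending or denied request fails here.
if (-not (Test-Path $cer)) {
    certreq -retrieve -config $CAConfig $requestId $cer
    if ($LASTEXITCODE -ne 0) { throw "request $requestId not issued (pending or denied)" }
}

# 4. Bind the issued certificate to the private key created in step 1.
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
Write-Host "Enrolled request $requestId from $CAConfig using template $Template"
```

Run it in the security context that will use the certificate (a user for the User template, or an elevated prompt with MachineKeySet = TRUE for a computer template), since certreq -accept stores the certificate in that context's certificate store.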