James Carr here and I would like to discuss creating custom certificate request in Windows Vista. When requesting certificates from a Windows 2000/2003 Enterprise Certification Authority, we will use one of the built-in certificate templates. Certificate Templates are used to tell the CA what information should be included in the issued certificate. For more information about certificate templates, please see the following:
Although certificate templates are very useful in typical enrollment scenarios, they are not very useful in situations where we have one time enrollment needs or we need to submit certificates to non-windows CA's. In these scenarios we can use a utility called Certreq to generate the request, submit the request, and then retrieve the issued certificate. To generate a certificate request, we must use a template file ( note : this is not the same as Certificate Templates discussed above, which are stored in Active Directory). Typically this template file will have an .inf extension. It will include the same information as an Active Directory certificate template but the big difference is the formatting.
Prior to Windows Vista, we didn’t have an easy way to create the template. We basically had to create the template file and then troubleshoot the syntax errors that were generated. However, now we can use the Certificate Enrollment Wizard MMC in Windows Vista to generate the request file. The wizard automates the process of creating the template file and then creating the actual certificate request. We can then submit the request file to a third-party CA or use the Certreq utility to submit the request to a Microsoft CA. Today, I want to cover the steps of generating a certificate request using the “Custom Certificate Request” wizard.
So, let’s get down to business:
1. Bring up Certificate Manager by selecting the “ Start ” button and in the “ Start Search ” window type “ Certmgr.msc ” without the quotes.
2. Expand Personal and right click on Certificates . Next select All Tasks -> Advanced Operations -> Create custom request .
3. On the “Before You Begin” page select “ Next ”.
4. On the “Custom request” we have some options that we can configure:
[RFC2986] PKCS #10 Request Format
[RFC3852] Housley, R. "Cryptographic Message Syntax (CMS)", RFC
3852, July 2004, http://www.ietf.org/rfc/rfc3852.txt
5. On the “Certificate Information” page, we need to select the “Details” drop-down arrow and then the “ Properties ” button.
6. Selecting the “Properties” button will bring up the “Certificate Properties” tab page. We will be configuring a “Client Authentication” certificate. I will provide a brief overview of the purpose of each option.
For my example, I’m going to configure the certificate as follows:
Full DN: CN=John Smith,CN=Users,DC=Domain,DC=Com
User principle name: firstname.lastname@example.org
Then select the “ Add ” button and the final output will look as follows:
TAB: PRIVATE KEY
This brings us back to the “ Certificate Enrollment ” page where we can now select “ Next ”.
7. On the “ Where do you want to save the offline request? ” page, set “ File Name ” to “ C:\Temp\Request.req ” and “ File Format ” to “ Base 64 ” and then select “ Finish ”.
To see the contents of the certificate we can go to the “ Certificate Enrollment Requests ” container:
We can bring up the request by double-clicking on it:
The error message under “Certificate Information” is expected since at this point the certificate is a self-signed certificate and is not included in the “Trusted Root Certification Authorities Store”. The error will go away once we have issued the certificate and verified that the issuer of the certificate has been placed in appropriate store i.e., “Trusted Root Certification Authorities” if the issuer is a root CA or “Intermediate Certification Authorities” if the issuer is a subordinate.
Lastly, we can go to the “ Details ” tab to verify the Subject Name :
We will also want to verify the “Subject Alternate Name”:
Finally “Enhanced Key Usage”:
Issuing the Certificate
Now that we have the request file, we can submit the certificate to a Certification Authority (CA). For our purposes we will submit the certificate to a Microsoft CA. However, this can be submitted to any third party CA. For our purposes, we can run Certreq, to submit the request. The commands are as follows.
Select the CA and then select OK. We will then get our issued certificate. The output will look as follows:
Now that we have our certificate, we will need to add the certificate to the appropriate store. A common mistake is to simply import the certificate into the personal store via the MMC. However, this will not re-associate the key pair. Remember that the private key was created when we submitted the certificate request to the CA. Now for the certificate to be valid, we associate the public/private key pair. We can do this by running the following command:
At this point the certificate has been added to the store. We can confirm this by running the following command:
For a Machine Certificate: Certutil -Store MY
For a User Certificate: Certutil –User –Store My
The output will look as follows:
Appendix 3: Certreq.exe Syntax
Appendix A: Certificate Request Structure
So as you can see, this is much easier than the old way, where we had to manually build a .inf file and then use Certreq to generate the certificate request. Not only does Vista make this process much easier but it’s also gives administrators complete control on how to customize certificate requests. I hope you’ve enjoyed the blog and please take a look at the links below for some additional information.
- James Carr
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.