CERTREQ – Windows CMD Command
Request a certificate from a certification authority (CA), retrieve a response to a previous request from a CA, create a new request from an .inf file, accept and install a response to a request, construct a cross-certification or qualified subordination request from an existing CA certificate or request, or sign a cross-certification or qualified subordination request.
Syntax

      Certreq [-submit] [-retrieve RequestID] [-new] [-accept] [-policy] [-sign]
         [-attrib AttributeString] [-binary] [-config CAMachineName\CAName]
         [-crl] [-rpc] [-cert CertID]
         [RequestFileIn | CertChainFileIn | FullResponseFileIn | CertFileIn | PolicyFileIn]
         [RequestFileOut | CertChainFileOut | FullResponseFileOut | CertFileOut | PKCS10FileOut]

Key

   -submit                  Submit a request to a CA.

   -retrieve RequestID      Retrieve a response to a previous request from a CA.

   -new                     Create a new request from an .inf file.

   -accept                  Accept and install a response to a certificate request.

   -policy                  Set the policy for a request.

   -sign                    Sign a cross-certification or qualified subordination request.

   -attrib AttributeString  The Name and Value string pairs, separated by a colon.
                            Separate Name and Value string pairs with \n
                            (for example, Name1:Value1\nName2:Value2).

   -binary                  Format output files as binary instead of base64-encoded.

   -config CAMachineName\CAName
                            Process the operation using the CA specified in the
                            configuration string, which is CAMachineName\CAName.

   -crl                     Include certificate revocation lists (CRLs) in the output to
                            the base64-encoded PKCS #7 file specified by CertChainFileOut
                            or to the base64-encoded file specified by RequestFileOut.

   -rpc                     Instructs Active Directory Certificate Services (AD CS) to use
                            a remote procedure call (RPC) server connection instead of
                            Distributed COM.

   -cert CertID             The signing certificate by common name, serial number,
                            Secure Hash Algorithm (SHA-1) key, or certificate hash.

   CertChainFileIn          The base64-encoded or binary certificate chain input file to use.

   FullResponseFileIn       The base64-encoded or binary full response input file to use.

   CertFileIn               The base64-encoded or binary certificate input file to use.

   RequestFileIn            The base64-encoded or binary input file to use.
                            The file can be a PKCS #10 certificate request, a PKCS #7
                            certificate renewal request, a KEYGEN tag format certificate
                            request, a Certificate Management protocol using Cryptographic
                            Message Syntax (CMS) request (this protocol is also known as
                            CMC), or a certificate file of the CA that you want to
                            cross-certify.

   PolicyFileIn             The .inf input file that contains the extension definitions
                            to use to qualify a request.

   RequestFileOut           The base64-encoded file to which you want to send output.

   PKCS10FileOut            The base64-encoded PKCS #10 file to which you want to send output.

   CertFileOut              The binary or base64-encoded X.509 v3 file to which you want
                            to send output.

   CertChainFileOut         The binary or base64-encoded PKCS #7 file to which you want
                            to send output.

   FullResponseFileOut      The binary or base64-encoded full response file to which you
                            want to send output.

   -?                       Display a list of certreq commands.
You must specify the CA with -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
After the CA has actually issued the certificate, retrieve it with certreq -retrieve RequestID. The same command can also retrieve any certificate that has ever been issued by the CA, including revoked or expired certificates, regardless of whether the certificate's request was ever in the pending state.
If you submit a request to the CA, the policy module of the CA might temporarily leave the request in a pending state and return the RequestID for display. Eventually, the CA’s administrator will issue the certificate or deny the request.
Examples

Sample request.inf

;----------------- request.inf
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc01.F4T.com"        ; must be the FQDN of domain controller
;EncipherOnly = FALSE
Exportable = FALSE                 ; TRUE = Private key is exportable
KeyLength = 1024                   ; Common key sizes: 512, 1024, 2048,
                                   ; 4096, 8192, 16384
                                   ; (1024 as on the original page; most CAs
                                   ; now refuse RSA keys shorter than 2048)
KeySpec = 1                        ; Key Exchange
KeyUsage = 0xA0                    ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1              ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer    ; Omit line if CA is a stand-alone CA
;SAN="dns=dc01.F4T.com&dns=.F4T.com&dns=ldap.F4T.com"
;-----------------
Create a new request from an .inf file:

   certreq -new request.inf result.txt
Supply the text of result.txt to your CA to obtain a signed certificate (and an intermediate CA certificate, if applicable).
Submit a request to a CA:

   certreq -submit result.txt certificate.cer
Retrieve a response to a previous request from a CA:

   certreq -retrieve [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] RequestID [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
Accept and install a response to a certificate request:

   certreq -accept c:\certificates\certificate.cer
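The four steps above (new, submit, retrieve, accept) as one scripted enrollment, added here as an example and not part of the original page or of the certreq documentation. It runs from an elevated PowerShell prompt on the machine that needs the certificate, handles the pending-request case described above, and finishes by checking the key the CA actually bound in the machine store. The CA config string CA01.F4T.com\F4T-Issuing-CA, the host name web01.F4T.com, the template name WebServer and the working directory are assumed placeholders; the request uses a 2048-bit non-exportable key and carries the SAN in the request's own extensions (OID 2.5.29.17) rather than as a request attribute, which most CAs ignore by default.

```powershell
# Added example (not from the original page): end-to-end machine certificate
# enrollment with certreq, including the pending-request case and a
# post-install check of the key the CA bound to.
# Placeholders (assumed, not from the page): CA config string, host name,
# template name and working directory.
$CaConfig  = 'CA01.F4T.com\F4T-Issuing-CA'
$Fqdn      = 'web01.F4T.com'
$WorkDir   = Join-Path $env:ProgramData 'CertEnroll'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$InfPath   = Join-Path $WorkDir 'request.inf'
$ReqPath   = Join-Path $WorkDir 'request.req'
$CerPath   = Join-Path $WorkDir 'certificate.cer'
$ChainPath = Join-Path $WorkDir 'chain.p7b'

# Request definition: non-exportable 2048-bit RSA key in the machine store,
# Server Authentication EKU, SAN in the request's extensions (2.5.29.17).
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $InfPath -Encoding ASCII

function Invoke-CertReq {
    # Runs certreq.exe with the given arguments and returns its exit code
    # together with the captured text, so the caller can inspect both.
    param([string[]]$ArgumentList)
    $text = (& certreq.exe @ArgumentList 2>&1 | Out-String)
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Text = $text }
}

# 1. Generate the key pair (kept in the machine store) and the CMC request.
$r = Invoke-CertReq @('-new', $InfPath, $ReqPath)
if ($r.ExitCode -ne 0) { throw "certreq -new failed:`n$($r.Text)" }

# 2. Submit to the named CA; -config avoids the CA picker dialog.
$r = Invoke-CertReq @('-submit', '-config', $CaConfig, $ReqPath, $CerPath, $ChainPath)
if ($r.Text -notmatch 'RequestId:\s*(\d+)') { throw "No RequestId in CA response:`n$($r.Text)" }
$requestId = [int]$Matches[1]

# 3. If the CA's policy module left the request pending, stop and record the
#    RequestId; after approval, -retrieve fetches the issued certificate.
if ($r.Text -match 'pending') {
    Write-Warning "Request $requestId is pending CA manager approval. Retry later with:"
    Write-Warning "  certreq -retrieve -config $CaConfig $requestId $CerPath $ChainPath"
    return
}
if ($r.ExitCode -ne 0) { throw "certreq -submit failed:`n$($r.Text)" }

# 4. Bind the issued certificate to its private key in LocalMachine\My.
$r = Invoke-CertReq @('-accept', $CerPath)
if ($r.ExitCode -ne 0) { throw "certreq -accept failed:`n$($r.Text)" }

# 5. Verify what was installed: expected subject, private key present,
#    RSA key of at least 2048 bits, and key not marked exportable.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa.KeySize -lt 2048) { throw "Issued key is only $($rsa.KeySize) bits" }

# ProviderType 12 is a CSP provider, so PrivateKey exposes CspKeyContainerInfo.
$csp = $cert.PrivateKey
if ($csp -and $csp.CspKeyContainerInfo.Exportable) { Write-Warning 'Private key is exportable' }

"Installed $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter), RequestId $requestId"
```

The submit output is parsed for the RequestId before the exit code is checked, because a request that the policy module holds for approval is not a failure: the script records the id so the same machine can run the printed -retrieve command once the CA manager has issued the certificate, and only then -accept.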
Construct a cross-certification or qualified subordination request from an existing CA certificate or request:

   certreq -policy [-attrib AttributeString] [-binary] [-cert CertID] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
Sign a cross-certification or qualified subordination request:

   certreq -sign [-binary] [-cert CertID] [-crl] [RequestFileIn [RequestFileOut]]