CERTREQ – Windows CMD Command
Request a certificate from a certification authority (CA), retrieve a response to a previous request from a CA, create a new request from an .inf file, accept and install a response to a request, construct a cross-certification or qualified subordination request from an existing CA certificate or request, or sign a cross-certification or qualified subordination request.
Certreq [-submit] [-retrieve RequestID] [-new] [-accept] [-policy] [-sign]
[-attrib AttributeString] [-binary] [-config CAMachineName\CAName]
[-crl] [-rpc] [-cert CertID]
[RequestFileIn | CertChainFileIn | FullResponseFileIn | CertFileIn | PolicyFileIn]
[RequestFileOut | CertChainFileOut | FullResponseFileOut | CertFileOut | PKCS10FileOut]
-submit Submit a request to a CA.
-retrieve RequestID Retrieve a response to a previous request from a CA.
-new Create a new request from an .inf file.
-accept Accept and install a response to a certificate request.
-policy Set the policy for a request.
-sign Sign a cross-certification or qualified subordination request.
-attrib AttributeString The Name and Value string pairs, separated by a colon. Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).
-binary Format output files as binary instead of base64-encoded.
-config CAMachineName\CAName Process the operation using the CA specified in the configuration string, which is CAMachineName\CAName.
-crl Include certificate revocation lists (CRLs) in the output to the base64-encoded PKCS #7 file specified by CertChainFileOut or to the base64-encoded file specified by RequestFileOut.
-rpc Instructs Active Directory Certificate Services (AD CS) to use a remote procedure call (RPC) server connection instead of Distributed COM.
-cert CertID The signing certificate by common name, serial number, Secure Hash Algorithm (SHA-1) key, or certificate hash.
CertChainFileIn The base64-encoded or binary certificate chain input file to use.
FullResponseFileIn The base64-encoded or binary full response input file to use.
CertFileIn The base64-encoded or binary certificate input file to use.
RequestFileIn The base64-encoded or binary input file to use. The file can be a PKCS #10 certificate request, a PKCS #7 certificate renewal request, a KEYGEN tag format certificate request, a Certificate Management protocol using Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC), or a certificate file of the CA that you want to cross-certify.
PolicyFileIn The .inf input file that contains the extension definitions to use to qualify a request.
RequestFileOut The base64-encoded file to which you want to send output.
PKCS10FileOut The base64-encoded PKCS #10 file to which you want to send output.
CertFileOut The binary or base64-encoded X.509 v3 file to which you want to send output.
CertChainFileOut The binary or base64-encoded PKCS #7 file to which you want to send output.
FullResponseFileOut The binary or base64-encoded full response file to which you want to send output.
-? Display a list of certreq commands.
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
To retrieve the certificate after the CA has actually issued it, use certreq -retrieve RequestID. You can also use this command to retrieve any certificate that has ever been issued by the CA, including revoked or expired certificates, without regard to whether the certificate’s request was ever in the pending state.
If you submit a request to the CA, the policy module of the CA might temporarily leave the request in a pending state and return the RequestID for display. Eventually, the CA’s administrator will issue the certificate or deny the request.
; request.inf
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=dc01.F4T.com" ; must be the FQDN of domain controller
;EncipherOnly = FALSE
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 1024 ; Common key sizes: 512, 1024, 2048,
; 4096, 8192, 16384
; (RSA keys shorter than 2048 bits are no longer considered adequate)
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer ;Omit line if CA is a stand-alone CA
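A pre-flight check for a request.inf like the one above, to run before certreq -new. This is an added example, not part of the original page or of certreq itself; the function names Read-CertReqInf and Test-CertReqInf are hypothetical, and the 2048-bit minimum is an assumed policy value.

```powershell
# Added example; function names are hypothetical and the 2048-bit floor is an
# assumed local policy value, not a rule that certreq enforces.
function Read-CertReqInf {
    param([string[]]$Lines)
    $inf = @{}; $section = ''
    foreach ($raw in $Lines) {
        # Strip ';' comments (simplification: assumes no ';' inside quoted values)
        $line = ($raw -replace ';.*$', '').Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].Trim(); continue }
        if ($line -match '^([^=]+)=(.*)$') {
            if (-not $inf.ContainsKey($section)) { $inf[$section] = @{} }
            # Repeated keys (for example several OID= lines): the last one wins here
            $inf[$section][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $inf
}
function Test-CertReqInf {
    param([string[]]$Lines, [int]$MinKeyLength = 2048)
    $inf = Read-CertReqInf -Lines $Lines
    $req = $inf['NewRequest']
    if ($null -eq $req) { return 'Missing or empty [NewRequest] section' }
    $findings = @(); $bits = 0
    if ($req.ContainsKey('KeyLength')) {
        if (-not [int]::TryParse($req['KeyLength'], [ref]$bits)) {
            $findings += "KeyLength '$($req['KeyLength'])' is not a number"
        } elseif ($bits -lt $MinKeyLength) {
            $findings += "KeyLength $bits is below the policy minimum of $MinKeyLength"
        }
    }
    if ($req['Exportable'] -eq 'TRUE') { $findings += 'Exportable = TRUE: private key can be exported' }
    $eku = $inf['EnhancedKeyUsageExtension']
    if ($null -ne $eku -and $eku['OID'] -notmatch '^[0-2](\.\d+)+$') {
        $findings += "EKU OID '$($eku['OID'])' is not a valid dotted OID"
    }
    $findings
}

# Constructed sample input, modelled on the request.inf above
$sample = @'
[NewRequest]
Subject = "CN=dc01.F4T.com"
Exportable = FALSE
KeyLength = 1024
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
'@ -split "`r?`n"
Test-CertReqInf -Lines $sample | ForEach-Object { Write-Warning $_ }
```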
Create a new request from an .inf file:
certreq -new request.inf result.txt
Supply the text of result.txt to your CA to obtain a signed certificate (and an intermediate CA certificate, if applicable).
Submit a request to a CA:
certreq -submit result.txt certificate.cer
Retrieve a response to a previous request from a CA:
certreq -retrieve [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] RequestID [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
Accept and install a response to a certificate request:
certreq -accept c:\certificates\certificate.cer
Construct a cross-certification or qualified subordination request from an existing CA certificate or request:
certreq -policy [-attrib AttributeString] [-binary] [-cert CertID] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
Sign a cross-certification or qualified subordination request:
certreq -sign [-binary] [-cert CertID] [-crl] [RequestFileIn [RequestFileOut]]