Creating and Submitting a CSR to ADCS with certreq

Overview

On Windows systems you can use certreq.exe to streamline the certificate request and submission process. CSRs can be generated from an INF file, and if the system is AD joined and ADCS is available, you can submit the request for signing as well.

Below you will find an example INF file that allows private keys to be exported (Exportable = TRUE), specifies a template, and sets the private key to be owned by the computer account (MachineKeySet = TRUE) for use in applications like IIS. Set Exportable = FALSE when the key never needs to leave the host.

Examples

INF File

[Version]
Signature = "$Windows NT$"

[NewRequest]
FriendlyName = "Wont You Be My Neighbor"
Subject = "CN=service.company.com,C=US,ST=Colorado,L=Colorado Springs,O=OurCompany,OU=IT,[email protected]"
Exportable = TRUE
MachineKeySet = TRUE
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048

[RequestAttributes]
CertificateTemplate = WebServerExport

[Extensions]
; Subject Alternative Name (OID 2.5.29.17); each entry ends with "&"
2.5.29.17 = "{text}"
_continue_ = "DNS=services.company.com&"
_continue_ = "ipaddress=192.168.0.1&"
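
A pre-submission check for a request INF like the one above, as an added example that is not part of the original page. The function names `parse_inf` and `lint_inf` are hypothetical, the sample INF is constructed from the page's values with a shortened subject, and an RSA key is assumed.

```python
import re

# Constructed sample based on the page's INF (subject shortened).
SAMPLE_INF = '''\
[NewRequest]
Subject = "CN=service.company.com,O=OurCompany"
Exportable = TRUE
MachineKeySet = TRUE
HashAlgorithm = SHA256
KeyLength = 2048

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=services.company.com&"
_continue_ = "ipaddress=192.168.0.1&"
'''

def parse_inf(text):
    """Return {section: [(key, value), ...]}; keeps repeated _continue_ keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def lint_inf(text):
    """Return findings for security-relevant request settings (hypothetical helper)."""
    inf = parse_inf(text)
    req = dict(inf.get("newrequest", []))
    findings = []
    if req.get("exportable", "false").lower() == "true":
        findings.append("private key is exportable")
    if "keylength" in req and int(req["keylength"]) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    if req.get("hashalgorithm", "").lower() in ("md5", "sha1"):
        findings.append("weak hash algorithm")
    san = "".join(v for k, v in inf.get("extensions", []) if k == "_continue_")
    dns = {e.split("=", 1)[1].lower() for e in san.split("&") if e.lower().startswith("dns=")}
    cn = re.search(r"CN=([^,]+)", req.get("subject", ""), re.I)
    if cn and cn.group(1).lower() not in dns:
        findings.append(f"subject CN {cn.group(1)} is not in the SAN DNS names")
    return findings
```

On the sample it reports the exportable key and the mismatch between the subject CN (`service.company.com`) and the SAN DNS name (`services.company.com`); clients that validate against the SAN only would reject the former name.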

Create CSR and Submit to ADCS

certreq -new "requestconfig.inf" "certrequest.csr"
certreq -config "pki.company.com\Intermediate CA" -submit "certrequest.csr" "servicecert.cer"
certreq -accept servicecert.cer

References