CERTREQ

Request certificate from a certification authority (CA), retrieve a response to a previous request from a CA, create a new request from an .inf file, accept and install a response to a request, construct a cross-certification or qualified subordination request from an existing CA certificate or request, or to sign a cross-certification or qualified subordination request.

Syntax
      Certreq [-submit] [-retrieve RequestID] [-new] [-accept] [-policy] [-sign]
                 [-attrib AttributeString] [-binary] [-config CAMachineName\CAName]
                    [-crl] [-rpc] [-cert CertID]
                       [RequestFileIn | CertChainFileIn | FullResponseFileIn | CertFileIn | PolicyFileIn]
                          [RequestFileOut | CertChainFileOut | FullResponseFileOut | CertFileOut | PKCS10FileOut]
 
Key
   -submit
          Submit a request to a CA.

   -retrieve RequestID
          Retrieve a response to a previous request from a CA.

   -new
          Create a new request from an .inf file.

   -accept
          Accept and install a response to a certificate request.

   -policy
          Set the policy for a request.

   -sign
          Sign a cross-certification or qualified subordination request.

   -attrib AttributeString
          The Name and Value string pairs, separated by a colon.
          Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).

   -binary
          Format output files as binary instead of base64-encoded.

   -config CAMachineName\CAName
          Process the operation using the CA specified in the configuration
          string, which is CAMachineName\CAName.

   -crl
          Include certificate revocation lists (CRLs) in the output to the base64-encoded
          PKCS #7 file specified by CertChainFileOut or to the base64-encoded file
          specified by RequestFileOut.

   -rpc
          Instructs Active Directory Certificate Services (AD CS) to use a 
          remote procedure call (RPC) server connection instead of Distributed COM.

   -cert CertID
          The signing certificate by common name, serial number, Secure Hash Algorithm
          (SHA-1) key, or certificate hash.

   CertChainFileIn
          The base64-encoded or binary certificate chain input file to use.

   FullResponseFileIn
          The base64-encoded or binary full response input file to use.

   CertFileIn
          The base64-encoded or binary certificate input file to use.

   RequestFileIn
          The base64-encoded or binary input file to use.
          The file can be a PKCS #10 certificate request, a PKCS #7 certificate renewal
          request, a KEYGEN tag format certificate request, a Certificate Management protocol
          using Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC),
          or a certificate file of the CA that you want to cross-certify.

   PolicyFileIn
          The .inf input file that contains the extension definitions to use to qualify a request.

   RequestFileOut
          The base64-encoded file to which you want to send output.

   PKCS10FileOut
          The base64-encoded PKCS #10 file to which you want to send output.

   CertFileOut
          The binary or base64-encoded X.509 v3 file to which you want to send output.

   CertChainFileOut
          The binary or base64-encoded PKCS #7 file to which you want to send output.

   FullResponseFileOut
          The binary or base64-encoded full response file to which you want to send output.

   -?
          Display a list of certreq commands.

You must specify the CA as CAMachineName\CAName in -config CAMachineName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all available CAs.

To retrieve the certificate after the CA has actually issued it, use certreq -retrieve RequestID. You can also use this command to retrieve any certificate that has ever been issued by the CA, including revoked or expired certificates, regardless of whether the certificate's request was ever in the pending state.

If you submit a request to the CA, the policy module of the CA might temporarily leave the request in a pending state and return the RequestID for display. Eventually, the CA’s administrator will issue the certificate or deny the request.

Examples

Sample request.inf

;----------------- request.inf

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc01.ss64.com" ; must be the FQDN of domain controller
;EncipherOnly = FALSE
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 1024 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
; (RSA keys shorter than 2048 bits are no longer accepted by most CAs and clients)
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer ;Omit line if CA is a stand-alone CA
;SAN="dns=dc01.ss64.com&dns=.ss64.com&dns=ldap.ss64.com"
;-----------------
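A small review pass over a request.inf of the shape shown above, added here as an example (it is not part of the page and not a certreq feature). It parses the .inf with its ";" comments, then flags the settings a reviewer would question: a KeyLength below 2048 bits (an assumed minimum), an exportable private key, a KeyUsage missing the bits the Digital Signature / Key Encipherment comment promises, a Subject without a CN, and the case where both the EKU section (stand-alone CA) and CertificateTemplate (enterprise CA) are left in, which the comments in the sample say should be one or the other.

```python
import configparser

# Constructed sample modelled on the request.inf above (not the page's own file).
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc01.ss64.com" ; must be the FQDN of the host
Exportable = FALSE
KeyLength = 1024
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer ;Omit line if CA is a stand-alone CA
"""

KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0x80, 0x20  # X.509 keyUsage bit values
MIN_RSA_BITS = 2048  # assumed review threshold

def parse_inf(text):
    """Parse certreq .inf syntax: [Section], Key = Value, ';' comments (full-line and inline)."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key case as written (KeyLength, not keylength)
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp[s].items()} for s in cp.sections()}

def review_request_inf(text):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    inf = parse_inf(text)
    nr = inf.get("NewRequest", {})
    findings = []
    bits = int(nr.get("KeyLength", "0"), 0)
    if bits < MIN_RSA_BITS:
        findings.append(("WEAK_KEY", f"KeyLength {bits} is below {MIN_RSA_BITS} bits"))
    if nr.get("Exportable", "FALSE").upper() != "FALSE":
        findings.append(("EXPORTABLE_KEY", "Exportable should be FALSE so the private key stays in the key store"))
    ku, wanted = int(nr.get("KeyUsage", "0"), 0), KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT
    if ku & wanted != wanted:
        findings.append(("KEY_USAGE", f"KeyUsage 0x{ku:02X} lacks digitalSignature and/or keyEncipherment"))
    if "CN=" not in nr.get("Subject", ""):
        findings.append(("NO_CN", "Subject has no CN; use the server's FQDN"))
    if "EnhancedKeyUsageExtension" in inf and "CertificateTemplate" in inf.get("RequestAttributes", {}):
        findings.append(("CA_TYPE_MISMATCH", "EKU section (stand-alone CA) and CertificateTemplate (enterprise CA) are both set; keep one"))
    return findings

if __name__ == "__main__":
    for code, msg in review_request_inf(SAMPLE_INF):
        print(f"{code}: {msg}")
```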

Create a new request from an .inf file:

certreq -new request.inf result.txt

Supply the text of result.txt to your CA to obtain a signed certificate (and an intermediate CA certificate, if applicable).

Submit a request to a CA:

certreq -submit result.txt certificate.cer

Retrieve a response to a previous request from a CA:

certreq -retrieve [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] RequestID [CertFileOut [CertChainFileOut [FullResponseFileOut]]]

Accept and install a response to a certificate request:

certreq -accept c:\certificates\certificate.cer

Construct a cross-certification or qualified subordination request from an existing CA certificate or request:

certreq -policy [-attrib AttributeString] [-binary] [-cert CertID] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]

Sign a cross-certification or qualified subordination request:

certreq -sign [-binary] [-cert CertID] [-crl] [RequestFileIn [RequestFileOut]]

“The certified quality of person's actual education reflects in the degree of respect he employs in his words while talking with others” ~Anuj Somany

Related commands

SLMGR - Software Licensing Management.
CERTUTIL - Utility for certification authority (CA) files and services.
PowerShell cmdlet: Get-Certificate


 
Copyright © 1999-2024 SS64.com
Some rights reserved