Request certificate from a certification authority (CA), retrieve a response to a previous request from a CA, create a new request from an .inf file, accept and install a response to a request, construct a cross-certification or qualified subordination request from an existing CA certificate or request, or to sign a cross-certification or qualified subordination request.
Syntax Certreq [-submit] [-retrieve RequestID] [-new] [-accept] [-policy] [-sign] [-attrib AttributeString] [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] [-cert CertID] [RequestFileIn | CertChainFileIn | FullResponseFileIn | CertFileIn | PolicyFileIn] [RequestFileOut | CertChainFileOut | FullResponseFileOut | CertFileOut | PKCS10FileOut] Key -submit Submit a request to a CA. -retrieve RequestID Retrieve a response to a previous request from a CA. -new Create a new request from an .inf file. -accept Accept and install a response to a certificate request. -policy Set the policy for a request. -sign Sign a cross-certification or qualified subordination request. -attrib AttributeString The Name and Value string pairs, separated by a colon. Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2). -binary Format output files as binary instead of base64-encoded. -config CAMachineName\CAName Process the operation using the CA specified in the configuration string, which is CAMachineName\CAName. -crl Include certificate revocation lists (CRLs) in the output to the base64-encoded PKCS #7 file specified by CertChainFileOut or to the base64-encoded file specified by RequestFileOut. -rpc Instructs Active Directory Certificate Services (AD CS) to use a remote procedure call (RPC) server connection instead of Distributed COM. -cert CertID The signing certificate by common name, serial number, Secure Hash Algorithm (SHA-1) key, or certificate hash. CertChainFileIn The base64-encoded or binary certificate chain input file to use. FullResponseFileIn The base64-encoded or binary full response input file to use. CertFileIn The base64-encoded or binary certificate input file to use. RequestFileIn The base64-encoded or binary input file to use. The file can be a PKCS #10 certificate request, a PKCS #7 certificate renewal request, a KEYGEN tag format certificate request, a Certificate Management protocol using Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC), or a certificate file of the CA that you want to cross-certify. PolicyFileIn The .inf input file that contains the extension definitions to use to qualify a request. RequestFileOut The base64-encoded file to which you want to send output. PKCS10FileOut The base64-encoded PKCS #10 file to which you want to send output. CertFileOut The binary or base64-encoded X.509 v3 file to which you want to send output. CertChainFileOut The binary or base64-encoded PKCS #7 file to which you want to send output. FullResponseFileOut The binary or base64-encoded full response file to which you want to send output. -? Display a list of certreq commands.
You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
To retrieve the certificate after the CA has actually issued it use certreq -retrieve RequestID, you can also use this command to retrieve any certificate that has ever been issued by the CA, including revoked or expired certificates, without regard to whether the certificate's request was ever in the pending state.
If you submit a request to the CA, the policy module of the CA might temporarily leave the request in a pending state and return the RequestID for display. Eventually, the CA’s administrator will issue the certificate or deny the request.
Subject = "CN=dc01.ss64.com" ; must be the FQDN of domain controller
;EncipherOnly = FALSE
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 1024 ; Common key sizes: 512, 1024, 2048,
; 4096, 8192, 16384
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
; Omit entire section if CA is an enterprise CA
OID=220.127.116.11.18.104.22.168.1 ; Server Authentication
CertificateTemplate = WebServer ;Omit line if CA is a stand-alone CA
Create a new request from an .inf file:
certreq -new request.inf result.txt
Supply the text of result.txt to your CA to obtain a signed certificate (and an intermediate CA certificate, if applicable.)
Submit a request to a CA:
certreq -submit result.txt certificate.cer
Retrieve a response to a previous request from a CA:
certreq -retrieve [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] RequestID [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
Accept and install a response to a certificate request:
certreq -accept c:\certificates\certificate.cer
Construct a cross-certification or qualified subordination request from an existing CA certificate or request:
certreq -policy [-attrib AttributeString] [-binary] [-cert CertID] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
Sign a cross-certification or qualified subordination request:
certreq -sign [-binary] [-certCertID] [-crl] [RequestFileIn [RequestFileOut]]
“The certified quality of person's actual education reflects in the degree of respect he employs in his words while talking with others” ~Anuj Somany
SLMGR - Software Licensing Management
CERTUTIL - Utility for certification authority (CA) files and services