Using Microsoft certreq.exe to generate a certificate signing request (CSR)
Generating a certificate signing request (CSR) is the first step towards a CA-signed certificate. The request is signed with the applicant's private key and consists of the public key, a subject name and optional attributes (for example the requested subject alternative names).
To generate a CSR, you can use tools like OpenSSL on a Linux box, or sometimes the application itself can generate a CSR. But a Windows box does not ship with OpenSSL, and it is inconvenient to install something just for a single CSR. Instead you can use certreq.exe. This tool is mostly unknown, but it has been included in Windows since Windows 2000. The syntax differs slightly between versions, so I focus on the version that is shipped with Server 2008 / Windows Vista and newer.
To generate a CSR, you first create a configuration file (an INF file). It specifies the key length, the common name, whether the private key is exportable, and so on. The following configuration file also requests additional names (subject alternative names, SAN).
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=server1.lab.local, OU=Lab, O=vcloudnine.de, L=Cologne, S=NRW, C=DE"
KeySpec = 1
KeyLength = 4096
HashAlgorithm = sha256
Exportable = TRUE
FriendlyName = server1
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=server1.vcloudnine.de&"
_continue_ = "dns=app.terlisten-consulting.de&"
_continue_ = "dns=app.blazilla.de&"
This CSR includes three subject alternative names, listed below the [Extensions] section as one _continue_ line per name; the trailing & is the separator certreq expects. The syntax of this file is very important: use plain straight quotes, and keep the section names exactly as shown. A few settings deserve a closer look. KeyUsage = 0xa0 combines digitalSignature (0x80) and keyEncipherment (0x20), and the EKU OID 1.3.6.1.5.5.7.3.1 is Server Authentication, which is what a TLS server certificate needs. MachineKeySet = TRUE stores the private key in the machine store rather than the user profile, so certreq has to run from an elevated prompt. Exportable = TRUE marks the private key as exportable; that is convenient when the certificate later has to be moved to another host, but it also means anyone with access to the key container can pull the key out, so set it to FALSE unless you really need to export the key. Finally, note that the subject CN (server1.lab.local) is not among the SANs in this example; modern clients ignore the CN when a SAN extension is present, so add the CN as a dns= entry as well if clients will connect under that name.
To create the CSR, open an elevated command prompt and change to the directory where the INF file is stored:
C:\Users\Patrick\Downloads>certreq -new request.inf csr-server1.req
CertReq: Request created
Before submitting the request, you can decode it and check that the subject, key length and all SANs are present with certutil -dump csr-server1.req. The csr-server1.req file can then be submitted to any CA, and the result is a signed certificate based on this request. Once the CA has returned the certificate, install it on the same machine with certreq -accept <certificate file>; this binds the certificate to the private key that was created in the machine store during the request, which is also why the issued certificate cannot simply be imported on a different box. Very handy, especially in VMware Horizon View deployments in which you do not have access to a Windows-based Enterprise CA.
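The whole procedure, as an added PowerShell example that is not part of the original post: it builds the same kind of INF file from parameters (one _continue_ line per SAN), runs certreq.exe, and then decodes the resulting request with certutil to confirm every SAN made it in. The hostnames, subject fields and output folder are assumed values; the private key is non-exportable by default and only becomes exportable with the -Exportable switch.

```powershell
<#
Added example (not from the original post): generate a certreq INF with SANs,
create the CSR, and verify it. Hostnames, subject fields and OutDir are assumed
values. Run from an elevated PowerShell, because MachineKeySet = TRUE writes the
private key to the machine store.
#>
param(
    [string]   $CommonName = 'server1.lab.local',                        # assumed hostname
    [string[]] $DnsNames   = @('server1.lab.local', 'app.lab.local'),    # assumed SANs
    [string]   $OrgUnit    = 'Lab',
    [string]   $Org        = 'Example Org',
    [string]   $City       = 'Cologne',
    [string]   $State      = 'NRW',
    [string]   $Country    = 'DE',
    [int]      $KeyLength  = 4096,
    [switch]   $Exportable,                    # off by default: key stays non-exportable
    [string]   $OutDir     = $PWD.Path
)

$ErrorActionPreference = 'Stop'

# MachineKeySet = TRUE needs administrator rights; fail early instead of a cryptic certreq error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell: MachineKeySet = TRUE needs administrator rights.'
}

# Clients ignore the CN when a SAN extension is present, so always include the CN as a SAN.
if ($DnsNames -notcontains $CommonName) { $DnsNames = @($CommonName) + $DnsNames }

$infPath = Join-Path $OutDir "$CommonName.inf"
$reqPath = Join-Path $OutDir "$CommonName.req"

# One _continue_ line per SAN; the trailing & is the separator certreq expects.
$sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$exportableValue = if ($Exportable) { 'TRUE' } else { 'FALSE' }

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, OU=$OrgUnit, O=$Org, L=$City, S=$State, C=$Country"
KeySpec = 1
KeyLength = $KeyLength
HashAlgorithm = sha256
Exportable = $exportableValue
FriendlyName = $CommonName
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

# ASCII is enough for the assumed subject fields; use Unicode if the subject contains non-ASCII characters.
Set-Content -Path $infPath -Value $inf -Encoding Ascii

& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity check: decode the PKCS#10 request and confirm every SAN is present before submitting it.
$dump = (& certutil.exe -dump $reqPath) | Out-String
foreach ($name in $DnsNames) {
    if ($dump -notmatch [regex]::Escape($name)) { throw "SAN $name is missing from $reqPath" }
}

Write-Host "CSR written to $reqPath (private key exportable: $exportableValue)."
Write-Host 'Submit it to your CA, then install the issued certificate on this machine with: certreq -accept <certificate file>'
```

Save the script as New-Csr.ps1 and run it from an elevated PowerShell, for example `.\New-Csr.ps1 -CommonName view.lab.local -DnsNames view.lab.local,portal.lab.local`. The SAN check at the end reads the decoded request back with certutil, so a typo in the [Extensions] section is caught before the request ever reaches the CA.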