Using Microsoft certreq.exe to generate a certificate signing request (CSR)

Generating a certificate signing request (CSR) is the first step towards a signed certificate. The request is signed with the applicant's private key and consists of the matching public key, a name (the subject) and optional attributes such as subject alternative names.

To generate a CSR, you can use tools like OpenSSL on a Linux box, or sometimes the application itself can generate a CSR. But if you have a Windows box, you don't have OpenSSL by default, and it is inconvenient to install something just for a single CSR. Instead, you can use certreq.exe to create the CSR. This tool is mostly unknown, but it has been included since Server 2000. The syntax differs slightly between versions, so I focus on the version that is shipped with Server 2008 / Windows Vista and newer.

To generate a CSR with certreq.exe, you first have to create a configuration file (an INF file). This file specifies the key length, the subject (common name), whether the private key is exportable, and so on. The following example configuration file also includes additional names (subject alternative names, SAN).

[Version]
; certreq requires the quoted form of the signature; without the quotes the INF is rejected
Signature="$Windows NT$"

[NewRequest]
; Subject distinguished name of the certificate
Subject = "CN=server1.lab.local, OU=Lab, O=vcloudnine.de, L=Cologne, S=NRW, C=DE"
; KeySpec 1 = AT_KEYEXCHANGE (key can be used for key exchange and signing)
KeySpec = 1
KeyLength = 4096
HashAlgorithm = sha256
; TRUE allows the private key to be exported from the store later; set FALSE if the key never needs to leave this machine
Exportable = TRUE
FriendlyName = server1
; TRUE stores the key in the machine store (required for server certificates) instead of the user store
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
; 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication
OID=1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name; one dns= entry per _continue_ line, each terminated with &
2.5.29.17 = "{text}"
_continue_ = "dns=server1.vcloudnine.de&"
_continue_ = "dns=app.terlisten-consulting.de&"
_continue_ = "dns=app.blazilla.de&"

This configuration adds three subject alternative names, which are listed below the [Extensions] section. The syntax of this file is very important: a missing quote, ampersand or section header will make certreq reject the file or silently drop an extension, so check the resulting request before submitting it.

To create the CSR, open a CMD and change to the directory where the configuration file (request.inf) is stored, then pass the INF file and the name of the request file to create:

C:\Users\Patrick\Downloads>certreq -new request.inf csr-server1.req

CertReq: Anforderung erstellt

The csr-server1.req file can now be submitted to a CA to obtain a signed certificate; the private key stays in the local machine key store. The result is a signed certificate based on the submitted CSR. Very handy, especially in VMware Horizon View deployments in which you do not have access to a Windows-based Enterprise CA.
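The same procedure, wrapped in a PowerShell function as an added example (this is not code from the original post): it writes the INF file from parameters, runs certreq -new, and then decodes the generated request with certutil -dump to confirm that every SAN actually made it into the CSR before it is sent to a CA. The function name New-CertreqCsr, its parameters and the sample host names in the usage line are assumptions for this example; the INF keys and the certreq/certutil switches are the ones shown above.

```powershell
# Added example (not from the original post): generate a certreq CSR from parameters and verify it.
# New-CertreqCsr and its parameters are this example's own names.
function New-CertreqCsr {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Subject,     # e.g. "CN=server1.lab.local, O=Example, C=DE"
        [Parameter(Mandatory)][string[]]$DnsNames,  # subject alternative names, one per dns= entry
        [string]$FriendlyName = "server1",
        [int]$KeyLength = 4096,
        [bool]$Exportable = $false,                 # non-exportable unless the key really has to move
        [string]$OutDir = (Get-Location).Path
    )

    # Reject anything that is not a plain host name so no stray quotes or '&' end up in the INF.
    foreach ($name in $DnsNames) {
        if ($name -notmatch '^[A-Za-z0-9.\-\*]+$') { throw "Unexpected characters in SAN '$name'" }
    }
    $infPath = Join-Path $OutDir 'request.inf'
    $reqPath = Join-Path $OutDir 'csr-server1.req'

    # The {text} form of 2.5.29.17 takes "dns=a&dns=b&..." split over _continue_ lines.
    $sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

    # Same keys as the configuration file above; backticks keep $Windows NT$ literal.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = $KeyLength
HashAlgorithm = sha256
Exportable = $(if ($Exportable) { 'TRUE' } else { 'FALSE' })
FriendlyName = $FriendlyName
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    # certreq refuses to overwrite an existing request file, so clear a stale one first.
    if (Test-Path $reqPath) { Remove-Item $reqPath }
    $output = & certreq.exe -new $infPath $reqPath 2>&1
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $reqPath)) {
        throw "certreq failed (exit $LASTEXITCODE): $output"
    }

    # Decode the PKCS#10 request and check the subject and every SAN are present.
    $dump = & certutil.exe -dump $reqPath | Out-String
    foreach ($name in $DnsNames) {
        if ($dump -notmatch [regex]::Escape($name)) { throw "SAN '$name' missing from generated CSR" }
    }
    [pscustomobject]@{ Inf = $infPath; Request = $reqPath; Dump = $dump }
}

# Usage (host names are constructed sample values; run in an elevated prompt for the machine key store):
# New-CertreqCsr -Subject "CN=server1.lab.local, OU=Lab, O=vcloudnine.de, L=Cologne, S=NRW, C=DE" `
#                -DnsNames 'server1.vcloudnine.de', 'app.example.test'
```

The verification step matters because certreq does not complain about a malformed SAN block; it simply emits a request without the extension, and a CA will happily sign it. Once the CA returns the signed certificate, `certreq -accept <cert file>` installs it and links it to the private key that stayed in the machine store during this procedure.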