Submit CSR to Microsoft CA using CertReq

As organizations begin to harden certificate templates on their internal Microsoft CA authorities, we are beginning to see more and more environments where the Microsoft CA’s web enrollment option is no longer available for requesting certificates. In this post we review step-by-step how to submit a CSR to a Microsoft CA using certreq rather than web enrollment. Worry not, it is a 3-step walk in the park…

Quick Steps

  1. Generate CSR. It will be required for the next steps.
  2. Right-click Start | select Windows PowerShell (Admin) to launch command prompt as administrator.
  3. Execute certreq command via command prompt:
    certreq -submit -attrib "CertificateTemplate:CertificateTemplateName" CSRFileName.req CertFileName.cer

    CertificateTemplateName: Substitute with the appropriate certificate template name. This is the name of the certificate template without any spaces. It can be found on the CA server by launching the Certificate Templates MMC snap-in (certtmpl.msc) via command prompt or PowerShell. For example, “WebServer”. If unsure, check with a PKI administrator.

    CSRFileName: Substitute with the appropriate CSR file name. This is the name of the CSR (or .req) file generated in step 1.

    CertFileName: This is the name of the resulting certificate file created by the certreq command. If this file cannot be located after the certreq command runs, it may be in c:\windows\system32, since that is likely the current working directory.


How to Submit CSR to Microsoft CA using CertReq

Where V3 templates are used and requests cannot be made via the Microsoft CA’s web enrollment, a certificate request must be submitted using an alternate method. Here is how to submit a Certificate Signing Request (CSR) to a Microsoft CA using CertReq.

Before we can submit a request using CertReq this way, we need to generate our Certificate Signing Request (CSR) file. To generate a CSR on a Microsoft Windows machine via the MMC console, see Entrust’s CSR Help KB article. Once a CSR file is available we can proceed with our next steps.

Step 1 – Launch command prompt as administrator

Launch a Windows command prompt as administrator. That is, right-click the Start button and then select Command Prompt (Admin), Windows PowerShell (Admin), or Windows Terminal (Admin), depending on the version of Windows.


Step 2 – Execute certreq command

Execute the following certreq command via command prompt:

certreq -submit -attrib "CertificateTemplate:CertificateTemplateName" CSRFileName.req CertFileName.cer

CertificateTemplateName: Substitute with an appropriate Certificate Template name. This is the name of the certificate template without any spaces. It can be found on the CA server by launching Certificate Templates MMC snap-in or certtmpl.msc via command prompt or PowerShell. For example, “WebServer”. If unsure, check with a PKI administrator.

CSRFileName: Substitute with the appropriate CSR file name. This is the name of the CSR (or .req) file generated earlier (step 1 of the Quick Steps above).

CertFileName: This is the name of the resulting certificate file created by the certreq command. If this file cannot be located after the certreq command runs, it may be in c:\windows\system32, since that is likely the current working directory.

Final Step – Validate the certificate

Locate the .cer certificate file and verify that it is valid and that it matches the request you submitted. Import it into the certificate store of the machine that generated the CSR, since that is where the matching private key lives.
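The whole procedure (submit, handle a pending request, validate the issued file, then install it) as one PowerShell script. This is an added example, not code from the original post: the CA config string, template name, file paths and the use of a machine-context CSR are all assumptions you must replace with your own values.

```powershell
# Added example (not part of the original post): submit a CSR to a Microsoft CA with
# certreq, retrieve the issued certificate, sanity-check it, and install it on the
# machine that generated the CSR. Every value below is a placeholder/assumption.
#Requires -RunAsAdministrator

$CaConfig     = 'ca01.corp.example\Corp-Issuing-CA'   # assumption: "CAHost\CAName"; drop -config below to be prompted
$TemplateName = 'WebServer'                          # template name without spaces, as described above
$CsrFile      = 'C:\Temp\webserver.req'              # the CSR generated earlier (assumed path)
$CertFile     = 'C:\Temp\webserver.cer'              # full path, so the .cer does not land in System32

# Step 2: submit. -q suppresses dialogs; -config avoids the "select CA" picker.
$output = & certreq.exe -submit -q -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $CsrFile $CertFile 2>&1
$output | Write-Host

# certreq prints the RequestId; keep it so a request that needs CA manager approval can be retrieved later.
$m = $output | Out-String | Select-String -Pattern 'RequestId:\s*"?(\d+)'
$requestId = if ($m) { $m.Matches[0].Groups[1].Value } else { '<unknown>' }

if (-not (Test-Path $CertFile)) {
    if (($output | Out-String) -match 'pending|Taken Under Submission') {
        Write-Warning "Request $requestId is pending CA manager approval. Once approved, retrieve it with:"
        Write-Warning "  certreq -retrieve -config `"$CaConfig`" $requestId `"$CertFile`""
    } else {
        throw "certreq -submit produced no certificate (exit code $LASTEXITCODE). Check the template name and that this account has Enroll permission on it."
    }
    return
}

# Final step, part 1: validate the file before trusting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# The template the CA actually used is recorded in an extension (V1: 1.3.6.1.4.1.311.20.2, V2/V3: 1.3.6.1.4.1.311.21.7).
$tmplExt = $cert.Extensions |
    Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') } |
    Select-Object -First 1
$tmplText = if ($tmplExt) { $tmplExt.Format($false) } else { '<no template extension>' }

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Valid to   : $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"
"Template   : $tmplText"   # confirm this is the template you asked for (V3 templates may show only the OID)

if ($cert.NotAfter -lt (Get-Date)) { throw 'Issued certificate is already expired.' }

# Build the chain to the CA's root, checking revocation, so a mis-issued or untrusted cert is caught here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain did not validate: $status"
}

# Final step, part 2: install on the machine that generated the CSR. certreq -accept binds the
# issued certificate to the private key of the pending request; -machine assumes the CSR was
# created in the computer (Local Machine) store. Drop -machine for a user-context CSR.
& certreq.exe -accept -q -machine $CertFile
if ($LASTEXITCODE -ne 0) {
    throw 'certreq -accept failed. This step must run on the machine (and in the context) that generated the CSR.'
}

$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw 'Certificate was not installed with its private key; the CSR was probably generated elsewhere.'
}
"Installed with private key: Cert:\LocalMachine\My\$($installed.Thumbprint)"
```

The `HasPrivateKey` check at the end is the real test of the final step: a .cer that imports cleanly but shows no private key was installed on the wrong machine or in the wrong context, and the resulting certificate cannot be used by the service that needs it.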
