Creating certificates from the shell.

As always it seems, it’s been ages since I’ve actually blogged anything. Anyhow, having finally completed my first book, Mastering Lync 2010 for Sybex, I’ve got some time back to build some labs…

… As always with modern technology there is a need for certificates. In this case I’m setting up a Hybrid Coexistence system for Exchange 2010 SP2 and Office 365 and need a cert for the ADFS box. Well, one thing I finally figured out whilst writing the Lync book was how to generate a certificate request from the shell.

Here goes.

In this case I need a simple SSL cert with a single name – adfs.msexchangelab.co.uk

I find that the smoothest way of creating certificates these days is through the shell using certreq.exe. There is a lot of information on the subject of using certreq.exe available at the following links:

http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc725793(WS.10).aspx

Essentially, the process is to create a request template file (.inf) for the required certificate and then to use the certreq.exe utility, which is installed by default on Windows Server 2008 R2, to create a certificate request file.

The template file for a simple SSL single name certificate is shown in Code Sample 1.

Code Sample 1: .inf File Text Used to Create Single Name ADFS certificate

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=adfs.msexchangelab.co.uk,OU=ICT,O=MSExchangeLab,L=Croydon,S=Surrey,C=GB"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "ADFS Cert"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

Once you have created the above file and saved it with the file extension .inf you will take the following steps to create the certificate:

From an Administrator CMD.exe prompt, change to the folder where the request template .inf file is stored and run the following command, which will pull settings from the adfscsr.inf file and output to the adfs.req file in the same directory.

certreq -new adfscsr.inf adfs.req

At this point you have created the certificate request for the required certificate. You will now need to copy the contents of the .req file and send it to your third-party CA, such as DigiCert or VeriSign.

 

P.S.

If you were thinking about creating SAN certificates in this way, then of course you can. You just need the correct .inf file. An example is Code Sample 2.

Code Sample 2: .inf File Text Used to Create SAN Cert

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=subject.msexchangelab.co.uk,OU=ICT,O=MSExchangeLab,L=Croydon,S=Surrey,C=GB"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "Example SAN Cert"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=subject.msexchangelab.co.uk&dns=SAN1.msexchangelab.co.uk&dns=SAN2etc.msexchangelab.co.uk"
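As an added example (my own script, not part of the original post), the following PowerShell wraps the whole procedure above for the SAN case: it builds the .inf from a CN and a list of DNS names using the same settings as Code Samples 1 and 2, runs certreq -new, and then dumps the resulting .req with certutil to confirm every SAN name made it into the request before it goes off to the CA. The host names, output folder and file names are assumptions; the OU/O/L/S/C values are copied from the samples.

```powershell
# Added example, not from the original post. Host names, output folder and
# file names below are assumed values; change them for your environment.
param(
    [string]$CommonName = 'adfs.msexchangelab.co.uk',
    [string[]]$SanNames = @('adfs.msexchangelab.co.uk', 'sts.msexchangelab.co.uk'),
    [string]$OutDir = "$env:TEMP\certreq-example"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$infPath = Join-Path $OutDir "$CommonName.inf"
$reqPath = Join-Path $OutDir "$CommonName.req"
# The CN should also be listed in the SAN; modern clients only honour the SAN.
if ($SanNames -notcontains $CommonName) { $SanNames = @($CommonName) + $SanNames }
$sanValue = ($SanNames | ForEach-Object { "dns=$_" }) -join '&'
# Same settings as the post's samples: 2048-bit RSA, non-exportable key in the
# machine store, KeyUsage 0xA0 (digitalSignature + keyEncipherment),
# EKU serverAuth (1.3.6.1.5.5.7.3.1), SAN supplied via extension OID 2.5.29.17.
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$CommonName,OU=ICT,O=MSExchangeLab,L=Croydon,S=Surrey,C=GB"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "$CommonName"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$sanValue"
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII
# certreq -new generates the key pair in the machine store and writes the CSR;
# the private key never leaves this box, so the issued cert must be accepted here.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
# Check the request before sending it: certutil -dump prints each SAN entry
# as "DNS Name=<name>", so every requested name must appear in the output.
$dump = & certutil.exe -dump $reqPath | Out-String
foreach ($n in $SanNames) {
    if ($dump -notmatch [regex]::Escape($n)) { throw "SAN '$n' missing from $reqPath" }
}
Write-Host "Request written to $reqPath; submit it to the CA, then run: certreq -accept <issued.cer>"
```

Run it from an elevated PowerShell prompt, since MachineKeySet = True writes the key into the computer's store; once the CA returns the issued certificate, certreq -accept on the same machine binds it to that key.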
