Server 2012 R2

Creating a SAN Cert from the command line

Let’s face it, using IIS or the computer certificates MMC for generating a CSR is a pain. Well, there is no way around it; creating a CSR is a pain no matter what. But I always have a difficult time remembering how to get everything filled out correctly using the certificate MMC snap-in, so I use the command line and an INF file. Yeah yeah…

For more specifics see: https://technet.microsoft.com/library/cc725793.aspx

But here is the condensed version:

  1. Create a file called request.inf (in reality it can be any file name).
  2. Put the request.inf contents shown below in it. I have added comments describing what should or can be changed.
  3. Once you have the file, generate the CSR: certreq -new -machine c:\source\request.inf c:\source\request.req
  4. Then take that CSR to a 3rd-party provider. Once they have issued the certificate, you need to import it back.

    Now, for those that don’t know, a (Base64-encoded) certificate file is just a text file: rename it to .txt and open it, and it will look just like a CSR.

    Many 3rd-party SSL vendors just give you the text. So simply paste everything from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line into a file and name it .cer.

  5. Then import the certificate back into the computer store: certreq -accept -machine c:\source\cert.cer

Done. See, easy.

So here is the request.inf file example:

[Version]
Signature="$Windows NT$"

[NewRequest]
;For federation the Subject Name should be URL.Domain.Com, for example adfs.mydomain.com. Remember that it cannot be the same name as the federation server, so having a server called ADFS will not work.
;Depending on the provider, you may need more information
;C=2 Letter Country Code
;ST=State, usually spelled out
;L=City
;O=Company
;OU=Department
;CN=Server Name, and you would never actually put a real server name in public DNS would you?

Subject = "C=US, ST=California, L=San Jose, O=family, OU=Spouse, CN=alias.mydomain.com"

KeySpec = 1 ; 1 = key exchange key, usable for both signing and encryption
KeyLength = 2048
Exportable = TRUE ; generally I leave this true. Even if you set it to false, there are ways to get around it. And with a UC cert, you need to easily export it and move it around
MachineKeySet = TRUE ; the private key goes in the computer's key store, not the user's
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; 0x80 Digital Signature + 0x20 Key Encipherment
HashingAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing

[RequestAttributes]
; Here is where you enter the SAN information; if you don't need a SAN entry, just comment it out
; The enterpriseregistration name is specifically for ADFS https://technet.microsoft.com/en-us/library/dn383662.aspx
SAN="DNS=enterpriseregistration.mydomain.com&DNS=somethingelse.mydomain.com&IPaddress=127.0.0.1"
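The five steps above and the request.inf example, driven end to end from PowerShell. This is an added example, not code from the original post; the C:\source paths, the host names, the organization fields and the SAN list are placeholders to replace with your own. Besides writing the INF and running the two certreq commands, it checks the CSR with certutil before it leaves the machine, and after certreq -accept it confirms the certificate landed in the machine store with its private key and the requested SANs.

```powershell
# Added example (not from the original post). Run from an elevated prompt:
# -machine writes to the computer certificate store. Placeholders throughout.
$ErrorActionPreference = 'Stop'
$Work    = 'C:\source'                                   # placeholder folder
$InfPath = Join-Path $Work 'request.inf'
$ReqPath = Join-Path $Work 'request.req'
$CerPath = Join-Path $Work 'cert.cer'                    # what you save from the CA (step 4)

$Cn   = 'alias.mydomain.com'                             # placeholder
$Sans = @('enterpriseregistration.mydomain.com',         # placeholders
          'somethingelse.mydomain.com')

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Steps 1-2: write request.inf. A here-string keeps the quotes straight; the
# curly quotes a word processor inserts make certreq reject the file.
# Back-ticks stop PowerShell expanding $Windows / $ as variables.
$SanValue = ($Sans | ForEach-Object { "DNS=$_" }) -join '&'
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "C=US, ST=California, L=San Jose, O=family, OU=Spouse, CN=$Cn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashingAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
SAN="$SanValue"
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Step 3: generate the key pair in the machine store and the CSR file.
certreq -new -machine $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit $LASTEXITCODE)" }

# Check the CSR before it goes anywhere: every name and the 2048-bit key must be in it.
$Dump = certutil -dump $ReqPath | Out-String
foreach ($Name in ($Sans + $Cn)) {
    if ($Dump -notmatch [regex]::Escape($Name)) { throw "CSR is missing name $Name" }
}
if ($Dump -notmatch '2048') { throw 'CSR key length is not 2048 bits' }
Write-Host "CSR written to $ReqPath - submit it to the CA"

# Step 4 is manual: save the Base64 block the CA returns as cert.cer.
# Step 5: accept it so it is bound to the private key generated in step 3.
if (Test-Path $CerPath) {
    certreq -accept -machine $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }

    # Verify: newest cert for this CN is in LocalMachine\My, has a private key, carries the SANs.
    $Cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$Cn*" } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $Cert) { throw 'certificate not found in LocalMachine\My' }
    if (-not $Cert.HasPrivateKey) {
        throw 'certificate has no private key bound; was the CSR generated on this machine?'
    }
    $Missing = $Sans | Where-Object { $Cert.DnsNameList.Unicode -notcontains $_ }
    if ($Missing) { throw "certificate lacks SAN(s): $($Missing -join ', ')" }
    '{0}  thumbprint {1}  expires {2}' -f $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter
}
```

Run it once to produce request.req, send that to the provider, drop the returned certificate in C:\source\cert.cer, and run it again: the second pass skips nothing harmful (certreq -new would create a second key, so comment that section out on the second run if you prefer) and finishes with the thumbprint of the bound certificate. The HasPrivateKey check is the one that catches the classic mistake of accepting the certificate on a different machine than the one that generated the CSR.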
