Generating a CSR in MS Windows (using certreq)

From SSLplus

On this page we'll explain how to generate a CSR (Certificate Signing Request) using certreq. The CSR will contain the public key and additional details for the certificate, especially the domain name (Common Name) and the contact details of the requestor. After the details in the CSR have been approved by the certificate authority, the certificate can be issued.

Certreq

The following method uses the Windows tool certreq.exe and generates a Certificate Signing Request with SHA2.

Windows Server 2008 | Windows Server 2008 R2 | Windows Vista | Windows 7

Generating the Certificate Signing Request

  1. Log in as an administrator.
  2. Open the command prompt (cmd) window as an administrator.
  3. Enter notepad.
  4. This will open a simple text editor. Here you can enter the parameters for your CSR:
    • CN = Domain name for the certificate, e.g. domain.tld
      • *.domain.tld for wildcard domains
    • C = Your ISO country code (two characters), e.g. GB
    • L = Your locality/city (in full), e.g. London
    • ST = Your state/province (in full), e.g. Middlesex
    • O = Your organisation, e.g. Your company LTD
    • OU = Your department, e.g. IT
      [Version]
      Signature="$Windows NT$"
      [NewRequest]
      Subject = "CN=domain.tld,O=Your company LTD,OU=IT,ST=Middlesex,L=London,C=GB"
      KeyLength =  2048
      KeySpec = 1
      Exportable = True
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      HashAlgorithm = SHA256
      MachineKeySet = True
      SMIME = False
      UseExistingKeySet = False
      RequestType = PKCS10
      KeyUsage = 0xA0
      Silent = True
      FriendlyName = "Certificate SHA-256"
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.1
    • For additional subdomains (Subject Alternative Names - SAN) add the following:
      [Extensions]
      2.5.29.17 = "{text}"
      _continue_ = "dns=mail.domain.tld&"
      _continue_ = "dns=server.domain.tld&"
    • A list of all certreq parameters can be found in Microsoft's certreq documentation on TechNet.
  5. Save your file with an appropriate name and the .inf file extension, e.g. csrdetails.inf
  6. Execute the following command (the .inf file name has to match the one you saved in step 5):
    certreq.exe -new csrdetails.inf csr256.req

Checking the CSR

Checking the text file

  1. You can display your CSR as a text file. Enter the following command (the file name with the .req extension has to match the file name specified above):
    notepad csr256.req
  2. The result should look similar to the following:
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

Checking the CSR with a certutil command

You can display the CSR with additional details in the command terminal, using the following command (csr256.req has to be replaced with your file name):
    certutil csr256.req

Checking the CSR with an online tool

You can also use an online tool such as Symantec's CSR check.

  1. Go to the Symantec CSR Check website.
  2. Paste your CSR here (starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----) and click "Check".
  3. There you can check whether all details are processed correctly.

Installing the certificate

  1. Upload the CSR (the csr256.req file) to your Certificate Authority to generate the certificate.
  2. After receiving your certificate, copy it into the root directory c:\ and execute the following command:
    certreq.exe -accept certificatename.cer
  3. Your certificate is now installed.

Windows Server 2003 | Windows Server 2003 R2 | Windows XP

Generating the Certificate Signing Request

  1. Log in as an administrator.
  2. Open the command prompt (cmd) window as an administrator.
  3. Enter notepad.
  4. This will open a simple text editor. Here you can enter the parameters for your CSR:
    • CN = Domain name for the certificate, e.g. domain.tld
      • *.domain.tld for wildcard domains
    • C = Your ISO country code (two characters), e.g. GB
    • L = Your locality/city (in full), e.g. London
    • ST = Your state/province (in full), e.g. Middlesex
    • O = Your organisation, e.g. Your company LTD
    • OU = Your department, e.g. IT
      [Version]
      Signature="$Windows NT$"
      [NewRequest]
      Subject = "CN=icertificate.eu,O=icertificate GmbH,OU=IT,ST=Nordrhein-Westfalen,L=Bonn,C=DE"
      KeyLength =  2048
      KeySpec = 1
      Exportable = True
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      HashAlgorithm = SHA256
      MachineKeySet = True
      SMIME = False
      UseExistingKeySet = False
      RequestType = PKCS10
      KeyUsage = 0xA0
      Silent = True
      FriendlyName = "Certificate SHA-256"
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.1
    • For additional subdomains (Subject Alternative Names - SAN) add the following:
      [RequestAttributes]
      SAN="dns=mail.domain.tld&dns=server.domain.tld"
    • A list of all certreq parameters can be found in Microsoft's certreq documentation on TechNet.
  5. Save your file with an appropriate name and the .inf file extension, e.g. csrdetails.inf
  6. Execute the following command (the .inf file name has to match the one you saved in step 5):
    certreq.exe -new csrdetails.inf csr256.req
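
The generation and certutil check steps for both Windows generations, combined into one PowerShell function as an added example that is not part of the original page. The function name New-CsrRequest and its parameters are assumptions; -Legacy selects the Windows Server 2003/XP SAN syntax, and the session must be elevated as in step 1.

```powershell
# Added example. New-CsrRequest and its parameters are hypothetical names;
# the INF keys and the certreq/certutil calls are the ones used on this page.
function New-CsrRequest {
    param(
        [Parameter(Mandatory=$true)][string]$Subject,  # "CN=domain.tld,O=...,C=GB"
        [string[]]$SanDns = @(),                       # additional DNS names (SAN)
        [string]$InfPath = 'csrdetails.inf',
        [string]$ReqPath = 'csr256.req',
        [switch]$Legacy                                # Server 2003 / XP SAN syntax
    )
    # Reject values that would break the quoted INF strings or the dns=a&dns=b list.
    if ($Subject -match '"') { throw 'Subject must not contain double quotes.' }
    foreach ($name in $SanDns) {
        if ($name -notmatch '^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$') {
            throw "Not a valid DNS name for a SAN entry: '$name'"
        }
    }
    # Keep a request file from an earlier run instead of writing over it.
    if (Test-Path $ReqPath) { throw "$ReqPath already exists; choose another name." }
    $inf = @(
        '[Version]', 'Signature="$Windows NT$"', '[NewRequest]',
        "Subject = `"$Subject`"", 'KeyLength = 2048', 'KeySpec = 1', 'Exportable = True',
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        'HashAlgorithm = SHA256', 'MachineKeySet = True', 'SMIME = False',
        'UseExistingKeySet = False', 'RequestType = PKCS10', 'KeyUsage = 0xA0',
        'Silent = True', 'FriendlyName = "Certificate SHA-256"',
        '[EnhancedKeyUsageExtension]', 'OID=1.3.6.1.5.5.7.3.1'
    )
    if ($SanDns.Count -gt 0 -and $Legacy) {
        $inf += '[RequestAttributes]'
        $inf += 'SAN="' + (($SanDns | ForEach-Object { "dns=$_" }) -join '&') + '"'
    } elseif ($SanDns.Count -gt 0) {
        $inf += '[Extensions]', '2.5.29.17 = "{text}"'
        $inf += $SanDns | ForEach-Object { "_continue_ = `"dns=$_&`"" }
    }
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    & certreq.exe -new $InfPath $ReqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    # Check the result: 1.2.840.113549.1.1.11 is the OID of sha256WithRSAEncryption.
    $dump = (& certutil.exe $ReqPath) -join "`n"
    if ($dump -notmatch '1\.2\.840\.113549\.1\.1\.11\b') {
        Write-Warning 'The request does not appear to be signed with SHA-256/RSA.'
    }
    $SanDns | Where-Object { $dump -notmatch [regex]::Escape($_) } |
        ForEach-Object { Write-Warning "SAN entry not found in certutil output: $_" }
}
New-CsrRequest -Subject 'CN=domain.tld,O=Your company LTD,OU=IT,ST=Middlesex,L=London,C=GB' `
    -SanDns 'mail.domain.tld', 'server.domain.tld'
```

Exportable = True is kept from the page's template; set it to False if the private key never needs to leave the machine that generated it.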


Checking the CSR

Checking the CSR with a text file

  1. Your CSR can be displayed as a text file. Enter the following command (the file name ending in .req has to match the one specified above):
    notepad csr256.req
  2. The result should look similar to the following:
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

Checking the CSR with a certutil command

You can display the CSR with additional details in the command terminal, using the following command (csr256.req has to be replaced with your file name):
    certutil csr256.req

Checking the CSR with an online tool

You can also use an online tool such as Symantec's CSR check.

  1. Go to the Symantec CSR Check website.
  2. Paste your CSR here (starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----) and click "Check".
  3. There you can check whether all details are processed correctly.

Installing the certificate

  1. Upload the CSR (the csr256.req file) to your Certificate Authority to generate the certificate.
  2. After receiving your certificate, copy it into the root directory c:\ and execute the following command:
    certreq.exe -accept certificatename.cer
  3. Your certificate is now installed.

Links