How to request certificate from third party CA and install it on the machine.
The right way to go about requesting and installing certificate are below:
1. Run certreq –new request.inf request.req
2. Send request.req file to third part CA.
3. Retrieve the certificate blob and save it in certnew.cer. Please make sure that you save the file in the same directory where you have saved request.req file.
4. Accept the issued certificate: Certreq –accept certnew.cer.
5. Once you install the certificate, restart the machine ( if it is computer certificate.)
As explained earlier, .cer file only contains public key. It is certreq –accept certnew.cer command which associates private key with that certificate and installs it in correct store.
Creating Certificate Requests
The –new parameter with certreq.exe is used to construct new certificate requests. Certreq.exe uses an INF file as an input option that defines the certificate request parameters. When the certificate request is constructed based on the INF file, key material is also generated. A certificate request process can be divided into the following elements.
1. Read the INF file.
2. Create the private and public key based on the information in the INF file, and store the private key in the local key store of the user or machine profile as appropriate.
3. Create the certificate request based on the information in the INF file and store the request in a Base64-encoded file or, optionally, in binary form if the –binary option is selected.
MachineKeySet
Syntax |
MachineKeySet = {Boolean} |
Values |
TRUE or FALSE |
Default value |
FALSE |
This key is important when you need to create certificates that are owned by the machine and not a user. The key material that is generated is maintained in the security context of the security principal (user or computer account) that has created the request. When an administrator creates a certificate request on behalf of a computer, the key material must be created in the machine’s security context and not the administrator’s security context. Otherwise, the machine could not access its private key since it would be in the administrator’s security context.
You must set this key to TRUE if you are creating requests for domain controllers, a Web server, or any other service that runs in the machine’s security context.
Have a look at typical .inf file content:
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=ad1.tailspintoys.com,OU=BTG,O=Microsoft,L=Atlanta,S=Georgia,C=US"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderType = 12
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyUsage = 0xf0
RequesterName = Microsoft India.
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
Reference:
1. Certreq.exe syntax. https://technet.microsoft.com/en-us/library/cc736326.aspx
2. 321051 How to enable LDAP over SSL with a third-party certification authority
https://support.microsoft.com/default.aspx?scid=kb;EN-US;321051