SSL Certificates from the command line

Usually, at least for IIS folks, SSL certificates are requested using the IIS Management Console GUI. In cases where IIS is not installed, you can use Certreq instead, which is in fact very easy.

  1. Create a request.inf file:
    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=<FQDN>, E=<Email>, O=<Organization>, OU=<Organization Unit>, L=<City>, S=<State/Province>, C=<Two Letter Country Code>"
    KeySpec = 1 ; AT_KEYEXCHANGE
    KeyLength = 2048
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0 ; Digital Signature + Key Encipherment
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    ;-----------------------------------------------
  2. Run command:
    certreq -new request.inf request.req
  3. Contact your public CA and order a new SSL certificate. You’ll be prompted for the request in the process. Use the contents of the request.req file we generated above.
  4. In return, the CA will provide you with a response. Save this response in a new file; let's call it response.cer.
  5. Run the following command on the same server to accept the new certificate and complete the request:
    certreq -accept -user response.cer

    Note: You may choose “-machine” or “-user” to define which store to import the certificate to.
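
A check to run after step 5, added here as an example and not part of the original post: it looks up the issued certificate in both the user and the machine Personal store and reports whether it is linked to a private key. It assumes response.cer holds a single X.509 certificate; the script parameter and variable names are illustrative.

```powershell
# Added example, not from the original post.
# Assumption: response.cer (step 4) holds a single X.509 certificate.
param([string]$ResponsePath = '.\response.cer')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication OID from request.inf

# Load the CA response only to learn the thumbprint of the issued certificate.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $ResponsePath).Path

# "-user" installs into CurrentUser\My, "-machine" into LocalMachine\My; check both.
$found = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        if ($cert.Thumbprint -ne $issued.Thumbprint) { continue }

        # Collect the EKU OIDs present on the installed certificate.
        $ekuOids = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }

        # Returns $null for non-RSA keys, in which case RsaKeyBits stays empty.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            RsaKeyBits    = $rsa.KeySize
            ServerAuthEku = $ekuOids -contains $serverAuthOid
        }
    }
}

if (-not $found) {
    Write-Warning "Certificate $($issued.Thumbprint) is in neither Personal store; the accept step did not complete."
} else {
    $found | Format-List
    $found | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
        Write-Warning "$($_.Store): no private key linked. Run certreq -accept on the server where certreq -new created the request."
    }
}
```

A result with HasPrivateKey = False means the certificate was imported but cannot be used for TLS on this host until it is paired with the key created in step 2.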
