Prerequisites
- For Austin CA certificates, the computer referenced in the following instructions must have Enroll permissions for the requested certificate template
- Contact the AD team for assistance with certificate template permissions
Define the certificate subject and subject alternative names
Sign in to a computer joined to the Austin Active Directory, then start an administrative (elevated) PowerShell session.
Note: complete all remaining instructions in this PowerShell session unless directed otherwise.
Modify then run the following commands to set the subject and template of the certificate as well as any optional DNS or IP address subject alternative name (SAN) values:
```powershell
$cert_fqdn    = "<FQDN for the certificate>"
# Optional SANs: add or remove entries as needed, or set a list to @() if there are none
$cert_sans    = @("<certificate SAN #1>", "<certificate SAN #2>", ...)
$cert_ipaddrs = @("<certificate IP address #1>", "<certificate IP address #2>", ...)
```
...
Run the following commands to create the temporary files for the certificate policy file and the certificate request file:
```powershell
$cert_file_inf = New-TemporaryFile
$cert_file_req = New-TemporaryFile
```
Run the following commands to create the certificate policy file for certreq.exe (aka the certificate .INF file):
Certreq reference: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1
Quick notes on the policy file contents:
- Exportable = TRUE allows the private key to be exported from the Windows certificate store. Set it to FALSE unless the key genuinely has to be moved to another host; an exportable private key can be copied off the computer by any local administrator
- MachineKeySet = TRUE creates the key and certificate in the computer (local machine) store instead of the store of the user running the commands; this is why an administrative PowerShell session is required
- KeyLength = 2048 is the minimum RSA key length to request; larger values such as 4096 are allowed
- Comments in an .INF file start with ; (not #)
```powershell
$cert_file_content = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="CN=$cert_fqdn"
; the following allows the private key to be exported
Exportable=TRUE
; the following places the key and certificate in the computer store
MachineKeySet=TRUE
KeyLength=2048

[Extensions]
; Subject Alternative Name extension; the FQDN is always included as the first DNS entry
2.5.29.17="{text}"
_continue_="DNS=$cert_fqdn&"
"@
Set-Content -Path $cert_file_inf -Value $cert_file_content
```
Run the following commands to add any optional DNS subject alternative names to the certificate policy file:
```powershell
ForEach ($san in $cert_sans) { Add-Content -Path $cert_file_inf -Value ("_continue_=`"DNS=$san&`"") }
```
Run the following commands to add any optional IP address subject alternative names to the certificate policy file:
```powershell
ForEach ($ipaddr in $cert_ipaddrs) { Add-Content -Path $cert_file_inf -Value ("_continue_=`"IPAddress=$ipaddr&`"") }
```
Run the following command to review the certificate policy file:
```powershell
Get-Content $cert_file_inf
```
Run the following command to create the certificate request file (-f is required because New-TemporaryFile already created the empty output file, and certreq must overwrite it):
```powershell
certreq -new -f $cert_file_inf $cert_file_req
```
Run the following command to review the certificate request:
```powershell
Get-Content $cert_file_req
```
Run the following command to retrieve the certificate request file name; you will need it when submitting the request:
```powershell
Get-Item $cert_file_req
```
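The whole procedure above, wrapped into one reusable function. This is an added example and not part of the original page: the function name `New-MachineCertRequest`, its parameters, the DNS-name validation pattern and the host names and IP address used at the bottom are all constructed for illustration. It goes slightly beyond the page's steps: it rejects malformed names and addresses before they reach the .INF, defaults to a non-exportable private key, and decodes the finished request with `certutil -dump` to confirm every requested SAN is present before it is submitted to a CA.

```powershell
# Added example (not from the original page): build the certreq policy file,
# generate the request, and verify the SANs in the resulting CSR.
# Requires an elevated session because MachineKeySet=TRUE is used.
function New-MachineCertRequest {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [string[]] $DnsSans   = @(),
        [string[]] $IpSans    = @(),
        [int]      $KeyLength = 2048,
        [switch]   $Exportable   # off by default: keep the key non-exportable unless it must move hosts
    )

    # Validate inputs first; certreq does not check SAN contents for you.
    # Pattern is a simple hostname/FQDN check (constructed for this example).
    $dnsPattern = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
    foreach ($name in (@($Fqdn) + $DnsSans)) {
        if ($name -notmatch $dnsPattern) { throw "Invalid DNS name in request: '$name'" }
    }
    $parsed = $null
    foreach ($ip in $IpSans) {
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { throw "Invalid IP address in request: '$ip'" }
    }

    $infFile    = New-TemporaryFile
    $reqFile    = New-TemporaryFile
    $exportFlag = if ($Exportable) { 'TRUE' } else { 'FALSE' }

    # INF comments start with ';'. The SAN extension (OID 2.5.29.17) takes one
    # entry per _continue_ line; the trailing '&' joins the entries together.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="CN=$Fqdn"
Exportable=$exportFlag
MachineKeySet=TRUE
KeyLength=$KeyLength

[Extensions]
2.5.29.17="{text}"
_continue_="DNS=$Fqdn&"
"@
    Set-Content -Path $infFile.FullName -Value $inf
    foreach ($san in $DnsSans) { Add-Content -Path $infFile.FullName -Value "_continue_=`"DNS=$san&`"" }
    foreach ($ip  in $IpSans)  { Add-Content -Path $infFile.FullName -Value "_continue_=`"IPAddress=$ip&`"" }

    # -f overwrites the empty temporary file that New-TemporaryFile created
    & certreq.exe -new -f $infFile.FullName $reqFile.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    # Decode the CSR and confirm each requested name/address appears in it;
    # a missing entry here means the policy file was malformed.
    $dump = (& certutil.exe -dump $reqFile.FullName) | Out-String
    foreach ($expected in (@($Fqdn) + $DnsSans + $IpSans)) {
        if ($dump -notmatch [regex]::Escape($expected)) {
            throw "SAN '$expected' not found in generated request $($reqFile.FullName)"
        }
    }

    [pscustomobject]@{ PolicyFile = $infFile.FullName; RequestFile = $reqFile.FullName }
}

# Constructed example values; replace with the real host before use.
New-MachineCertRequest -Fqdn 'app01.example.test' `
    -DnsSans @('app.example.test') `
    -IpSans  @('10.0.0.25')
```

The returned object carries the two file paths, so the request file can be handed straight to whichever submission route (InCommon via ServiceNow, or the Austin CA) applies. Pass `-Exportable` only when the private key really has to leave the machine.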
...
- To submit the certificate request to the preferred InCommon certificate authority, review and complete the SSL Request form in ServiceNow
- To submit the certificate request to the internal Austin certificate authority, complete the instructions on the following page: Austin Certificates - How-To - Submit custom certificates requests