Versions Compared

Version Old Version 1 New Version 2
Changes made by

Alex Barth

Alex Barth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Create the request

  1. Open an MMC window
  2. Add the Certificates snap-in
    • Note: certain certificates can only be requested by user or computer accounts; set the snap-in account appropriately
  3. Expand Certificates then right click on Personal
  4. Select All Tasks then Advanced Operations then Create custom request then Request New Certificate...
  5. Click Next then select Active Directory Enrollment Policy
  6. Click Next then select the appropriate check the box next to the name of the desired template
    • Utilize VMware SSL 6.5 for any VMware products or interaction
    • Utilize Server (10 Year Duration) for long duration use cases (requires permissions from the AD team)
    • Utilize Web Server with IPSEC for default use cases that require IPSec (such as printers that need IPsec and HTTPS)
    • Utilize Web Server 2048 bit key for all other default cases
  7. Click Next
  8. Click on Details on the desired template to expand the request information and then click Properties
  9. Set the Subject name type drop down to Common name
  10. Set the Subject name value to the FQDN for the certificate then click Add to include the value on the certificate
  11. Set the Alternate name type drop down to DNS name
  12. Set the Alternate name value to the FQDN for the certificate then click Add to include the value on the certificate
  13. Repeat the previous step as necessary to add additional FQDNs to the certificate
  14. Click OK then click Next
  15. Specify a file name for the certificate request and click Finish.
    • The commands below assume a file name of certreq.txt

Submit the request

  1. Determine the appropriate certificate authority for the request.
  2. Identify the short name of the certificate template from certificate request
    • The template short name is the template display name without spaces unless it has the (10 year duration) suffix
    • Ex. the Web Server 2048 bit key certificate template has a short name of WebServer2048bitkey
    • The template short name for 10 year duration certificates is the portion outside of the parentheses with -10year appened
    • Ex. the Server (10 year duration) certificate template has a short name of Server-10year

  3. Open an administrative PowerShell session as the user that has permissions to request the certificate

  4. In the same PowerShell session, set the $cert_template variable to the certificate template short name. 

    Code Block
    $cert_template = "WebServer"

  5. In the same PowerShell session, attempt to submit the certificate request directly:

    Code Block
    certreq -submit -attrib CertificateTemplate:$cert_template certreq.txt
  6. When prompted for a certificate authority, select the CA step identified in step 1
  7. If the process succeeds, continue to the next section
  8. If the process failed, send email to ad-requests@its.utexas.edu with the following information:
    • The request file 
    • The name of the user that attempted to enroll for the certificate
    • The name of the CA 
    • The name of the template

Process the request (certificate administrators only)

  1. Open an MMC window
  2. Add the Certification Authority snap-in
    1. See (AAD) Certificates - CA list and naming conventions for the list of current CAs
    2. Unless otherwise required, select the latest production CA
  3. Expand Certification Authority then right click on the CA
  4. Select All Tasks then Submit new request...
  5. In the Open Request File dialog, select the request file saved in the previous section
  6. In the Save Certificate dialog, specify the file name and location for the certificate

Combine the keys

  1. Open an MMC window
  2. Add the Certificates snap-in
    • Note: certain certificates can only be requested by user or computer accounts; set the snap-in account appropriately
  3. Expand Certificates then right click on Certificate Enrollment Requests
  4. Select All Tasks then Import...
  5. Click Next 
  6. In the File to Import pane, specify the certificate file saved from the CA
  7. Click Next twice then click Finish

...

  1. click Enroll

Export the keypair (optional)

  1. Open an MMC window
  2. Add the Certificates snap-in
    • Note: certain certificates can only be requested by user or computer accounts; set the snap-in account appropriately
  3. Expand Certificates then Certificate Enrollment Requests then Certificates
  4. Right click on the certificate to export and select All tasks... then Export...
  5. Click Next then select Yes, export the private key
  6. Click Next twice
  7. Check the Password box and set a complex password
  8. Click Next 
  9. Specify a file name for the certificate request
  10. Click Next then click Finish