Skip ahead to the Submit the certificate request section if you already have a certificate request file.

Prerequisites

  • For Austin CA certificates, the computer referenced in the following instructions must have Enroll permissions for the requested certificate template
    • Contact the AD team for assistance with certificate template permissions

Define the certificate subject and subject alternative names

  1. Sign in to a computer joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template, then start an administrative PowerShell session

    Info

    Complete any remaining instructions in this PowerShell session unless directed otherwise

  2. Modify then run the following commands to set the subject of the certificate as well as any optional DNS or IP Address subject alternate name values:

    Code Block
    $cert_fqdn = "<FQDN for the certificate>"
    # Optional DNS subject alternate names; add entries as needed, or use @() if none are required
    $cert_sans = @("<certificate SAN #1>","<certificate SAN #2>")
    # Optional IP Address subject alternate names; add entries as needed, or use @() if none are required
    $cert_ipaddrs = @("<certificate IP address #1>","<certificate IP address #2>")


Create the certificate request

  1. In the same administrative PowerShell session, navigate to the location where the certificate request should be created:

    Code Block
    # example location
    Set-Location $env:windir\temp

  2. Run the following commands to define the file names for the certificate policy file and certificate request file; the base name combines the FQDN with a timestamp so repeated requests do not overwrite each other:

    Code Block
    $cert_file = $cert_fqdn + "_" + (Get-Date -Format yyyyMMdd-HHmmss)
    $cert_file_inf = (Get-Location).Path + "\" + $cert_file + ".inf"

  3. Run the following commands to create the certificate policy file (the here-string is expanded, so the backtick-escaped quotes and dollar signs are written literally into the INF file):

    Code Block
    $cert_file_content = @"
    [Version]
    Signature=`"`$Windows NT`$`"
     
    [NewRequest]
    Subject=`"CN=$cert_fqdn`"
    Exportable=TRUE
    MachineKeySet=TRUE
    KeyLength=2048
     
    [Extensions]
    2.5.29.17=`"{text}`"
    _continue_=`"DNS=$cert_fqdn&`"
    "@
     
    New-Item $cert_file_inf -Type File -Force
    Set-Content $cert_file_inf $cert_file_content

  4. Run the following command to add any optional DNS subject alternate names to the certificate policy file:

    Code Block
    ForEach ($san in $cert_sans) {Add-Content $cert_file_inf ("_continue_=`"DNS=$san&`"")}

  5. Run the following command to add any optional IP Address subject alternate names to the certificate policy file:

    Code Block
    ForEach ($ipaddr in $cert_ipaddrs) {Add-Content $cert_file_inf ("_continue_=`"IPAddress=$ipaddr&`"")}

  6. Run the following commands to create the certificate request file:

    Code Block
    $cert_file_req = (Get-Location).Path + "\" + $cert_file + ".req"
    certreq -new $cert_file_inf $cert_file_req

  7. Run the following command to review the certificate request:

    Code Block
    Get-Content $cert_file_req

Submit the certificate request to the Austin CAs

Certificates should only be submitted to the Austin CAs when they require certificate attributes not supported by InCommon, such as:

  • EKUs other than Digital Signature and Key Encipherment
  • Subject Alternate Names that are not in the utexas.edu DNS address space, such as IP Addresses
  • Certificates that must have a lifetime longer than 398 days

Complete the following instructions to submit the certificate request to the Austin CAs:

  1. If submitting a pre-created certificate request, complete the following instructions:
    1. Sign in to a server joined to the Austin Active Directory with permissions to request a certificate from the desired template
    2. Start an administrative PowerShell session and set the $cert_file_req variable to the full path of the certificate request file
  2. In the same administrative PowerShell session, run one of the following to set the certificate template:

    • For VMware SSL certificates, run the following:

      Code Block
      $cert_template = "VMwareSSL6.5"
    • For long-duration server certificates, run the following:

      Code Block
      $cert_template = "Server-10Year"
  3. In the same administrative PowerShell session, run the following to define where the signed certificate file will be created, alongside the certificate request file:

    Code Block
    $cert_file_cer = (Get-Item $cert_file_req).DirectoryName + "\" + (Get-Item $cert_file_req).BaseName + ".cer"
  4. In the same administrative PowerShell session, run the following to submit the request to an Austin certificate authority:

    Code Block
    certreq -submit -attrib ("CertificateTemplate:" + $cert_template) $cert_file_req $cert_file_cer
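
Before accepting and installing the issued certificate, confirm that the CA issued what was requested. The following check is an added example and is not part of the original instructions; it assumes the $cert_fqdn, $cert_sans, $cert_ipaddrs and $cert_file_cer variables from the steps above, and relies on the English-language output of the SAN extension's Format() method (lines of the form "DNS Name=..." and "IP Address=...").

```powershell
# Added example: compare the issued certificate with the requested subject and SANs.
# Assumes $cert_fqdn, $cert_sans, $cert_ipaddrs and $cert_file_cer are set as in the steps above.
function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$Fqdn,
        [string[]]$DnsSans = @(),
        [string[]]$IpSans = @()
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $problems = @()

    # The policy file requested Subject="CN=<FQDN>"; anything else means the template rewrote it
    if ($cert.Subject -ne "CN=$Fqdn") {
        $problems += "Subject is '$($cert.Subject)', expected 'CN=$Fqdn'"
    }

    # Decode the SAN extension (OID 2.5.29.17) into one "DNS Name=..." / "IP Address=..." line per entry
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText  = if ($sanExt) { $sanExt.Format($true) } else { "" }
    $sanLines = $sanText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Every requested name must be present (the FQDN itself is always added as a DNS SAN)
    $expected = @(@($Fqdn) + $DnsSans | ForEach-Object { "DNS Name=$_" }) +
                @($IpSans | ForEach-Object { "IP Address=$_" })
    foreach ($entry in $expected) {
        if ($sanLines -notcontains $entry) { $problems += "Missing SAN: $entry" }
    }
    # ...and nothing should have been added that was not requested
    foreach ($line in $sanLines) {
        if ($expected -notcontains $line) { $problems += "Unexpected SAN: $line" }
    }

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Issuer       = $cert.Issuer
        ValidityDays = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
        Problems     = $problems
        Ok           = ($problems.Count -eq 0)
    }
}

$result = Test-IssuedCertificate -CerPath $cert_file_cer -Fqdn $cert_fqdn -DnsSans $cert_sans -IpSans $cert_ipaddrs
$result | Format-List
```

If Ok is false, resolve the listed problems with the CA team before accepting the certificate; ValidityDays also shows whether the issued lifetime matches the template that was chosen.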


Submit the certificate request to InCommon

  1. Review and complete the SSL Request form in ServiceNow using the certificate request file generated above
    • The email address given on the form will receive the certificate and notices about certificate expiration
    • Do not provide the email address of a distribution list or individual user

Accept the certificate request
