...

Skip ahead to the Submit the certificate request section for an existing certificate request.

...

Define the certificate

...

subjects

  1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template
  2. Start an administrative PowerShell session

  3. In the same administrative PowerShell prompt, navigate to the location where the certificate request should be created: 

    Code Block
    #example
    Set-Location C:\Working

  4. In the same administrative PowerShell session, edit and then run the following commands to set the subject, any optional DNS or IP address subject alternative names, and the template of the certificate:

    Code Block
    $cert_url = "<FQDN for the certificate>"
    $cert_sans = @("<certificate SAN #1>","<certificate SAN #2>",...)
    $cert_ipaddrs = @("<certificate IP address #1>","<certificate IP address #2>",...)

Create the certificate request

  1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template

  2. Start an administrative PowerShell session

  3. In the same administrative PowerShell session, navigate to the location where the certificate request should be created: 

    Code Block
    #example
    Set-Location C:\Working
  4. In the same administrative PowerShell session, run the following to create the INF certificate policy file, then open the INF file to review its contents:

    Code Block
    $cert_file = $cert_url + "_" + (Get-Date -Format yyyyMMdd-HHmmss)
    $cert_file_inf = ((Get-Location).Path + "\" + $cert_file  + ".inf")
    $cert_file_content = @"
    [Version]
    Signature=`"`$Windows NT`$`"
     
    [NewRequest]
    Subject=`"CN=$cert_url`"
    Exportable=TRUE
    MachineKeySet=TRUE
    KeyLength=2048
     
    [Extensions]
    2.5.29.17=`"{text}`"
    _continue_=`"DNS=$cert_url&`"
    "@
     
    New-Item $cert_file_inf -Type File -Force
    Set-Content $cert_file_inf $cert_file_content
  5. In the same administrative PowerShell session, run the following to add any DNS subject alternative names to the INF certificate policy file:

    Code Block
    ForEach ($san in $cert_sans) {Add-Content $cert_file_inf ("_continue_=`"DNS=$san&`"")}
  6. In the same administrative PowerShell session, run the following to add any IP address subject alternative names to the INF certificate policy file:

    Code Block
    ForEach ($ipaddr in $cert_ipaddrs) {Add-Content $cert_file_inf ("_continue_=`"IPAddress=$ipaddr&`"")}
  7. In the same administrative PowerShell prompt, run the following to create the request:

    Code Block
    $cert_file_req = ((Get-Location).Path + "\" + $cert_file  + ".req")
    $cert_file_cer = ((Get-Location).Path + "\" + $cert_file  + ".cer")
    certreq -new $cert_file_inf $cert_file_req
    

...

  1. If submitting a pre-created certificate request, complete the following instructions:
    1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template
    2. Start an administrative PowerShell session
    3. In the same administrative PowerShell session, set the following variables as requested:
      • $cert_file_req  - the full path to the certificate request file
      • $cert_file_cer - the full path to the certificate that will be created
  2. In the same administrative PowerShell session, run one of the following to set the certificate template:

    • For VMware SSL certificates, run the following: 

      Code Block
      $cert_template = "VMwareSSL6.5"
    • For long-duration server certificates, run the following: 

      Code Block
      $cert_template = "Server-10Year"
  3. In the same administrative PowerShell session, run the following to submit the request to a certificate authority and save the issued certificate to the path in $cert_file_cer:

    Code Block
    certreq -submit -attrib ("CertificateTemplate:" + $cert_template) $cert_file_req $cert_file_cer

Accept the certificate request

  1. If accepting a pre-created certificate request, complete the following instructions:
    1. Log into the system that created the original certificate request.
    2. Start an administrative PowerShell session
    3. In the same administrative PowerShell session, set the following variables as requested:
      • $cert_file_cer - the full path to the certificate that will be accepted
  2. In the same administrative PowerShell prompt, run the following to accept the response: 

    Code Block
    certreq -accept $cert_file_cer
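
The whole procedure above, from defining the subject through accepting the response, as an added example that is not part of the original page: it wraps the hand-assembled INF in a function, runs the same certreq sequence with the page's variable names and templates, and then checks the issued certificate before it is put into service. The function names (New-CertReqInf, Test-IssuedCertificate), the FQDN, the SANs and the IP address are constructed for the example.

```powershell
# Added example; not code from the original page. Function names, FQDN, SANs
# and IP address below are constructed sample values.

function New-CertReqInf {
    # Build the certreq INF text the page assembles by hand: subject, key options and
    # a subjectAltName extension (OID 2.5.29.17) carrying DNS and IP address entries.
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$DnsSans = @(),
        [string[]]$IpSans  = @(),
        [int]$KeyLength = 2048
    )
    $lines = @(
        '[Version]',
        'Signature="$Windows NT$"',     # single quotes keep the literal $ signs
        '',
        '[NewRequest]',
        "Subject=`"CN=$Subject`"",
        'Exportable=TRUE',              # as on the page; use FALSE unless the key must leave this host
        'MachineKeySet=TRUE',           # key is generated in the machine store, usable by services
        "KeyLength=$KeyLength",
        '',
        '[Extensions]',
        '2.5.29.17="{text}"',
        "_continue_=`"DNS=$Subject&`""  # the subject FQDN is always the first DNS SAN
    )
    foreach ($san in $DnsSans) { $lines += "_continue_=`"DNS=$san&`"" }
    foreach ($ip  in $IpSans)  { $lines += "_continue_=`"IPAddress=$ip&`"" }
    return ($lines -join "`r`n")
}

function Test-IssuedCertificate {
    # Check the issued certificate against what was requested: subject, every requested
    # DNS name present in the SAN, RSA key size, validity, and (after certreq -accept)
    # that it sits in LocalMachine\My with its private key bound.
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$ExpectedSubject,
        [string[]]$ExpectedDnsSans = @()
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $problems = @()

    if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($ExpectedSubject))) {
        $problems += "subject is '$($cert.Subject)', expected CN=$ExpectedSubject"
    }

    # Format() renders the SAN as text such as "DNS Name=host.example, IP Address=10.0.0.15"
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($name in (@($ExpectedSubject) + $ExpectedDnsSans)) {
        if ($sanText -notmatch [regex]::Escape($name)) { $problems += "SAN entry missing: $name" }
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa -or $rsa.KeySize -lt 2048) { $problems += 'public key is not RSA of at least 2048 bits' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "already expired ($($cert.NotAfter))" }

    $installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $installed) {
        $problems += 'not present in LocalMachine\My (was certreq -accept run on this host?)'
    } elseif (-not $installed.HasPrivateKey) {
        $problems += 'installed without a private key (accept on the host that created the request)'
    }

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# --- Driver: the page's define / create / submit / accept sequence with sample values ---
$cert_url      = 'host01.austin.example'               # constructed sample FQDN
$cert_sans     = @('host01', 'alias.austin.example')   # constructed sample DNS SANs
$cert_ipaddrs  = @('10.0.0.15')                        # constructed sample IP SAN
$cert_template = 'Server-10Year'                       # one of the page's two templates

Set-Location C:\Working
$cwd           = (Get-Location).Path
$cert_file     = $cert_url + '_' + (Get-Date -Format yyyyMMdd-HHmmss)
$cert_file_inf = Join-Path $cwd "$cert_file.inf"
$cert_file_req = Join-Path $cwd "$cert_file.req"
$cert_file_cer = Join-Path $cwd "$cert_file.cer"

Set-Content -Path $cert_file_inf -Value (New-CertReqInf -Subject $cert_url -DnsSans $cert_sans -IpSans $cert_ipaddrs)
certreq -new    $cert_file_inf $cert_file_req
certreq -submit -attrib "CertificateTemplate:$cert_template" $cert_file_req $cert_file_cer
certreq -accept $cert_file_cer

$result = Test-IssuedCertificate -CerPath $cert_file_cer -ExpectedSubject $cert_url -ExpectedDnsSans $cert_sans
if (-not $result.Ok) { $result.Problems | ForEach-Object { Write-Warning $_ } }
else { "Certificate $($result.Thumbprint) verified and bound to its private key" }
```

Run the script on the host that will hold the private key, since certreq -new generates the key in that machine's store and certreq -accept can only bind the response there. When more than one enterprise CA is reachable, certreq -submit prompts for a CA; passing -config "CAHostName\CAName" selects it without the dialog. The Exportable=TRUE line is carried over from the page's INF; it is the setting to question first, because an exportable machine key can be copied off the host by anyone with local administrator rights.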

...