...

  1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template

  2. Open an administrative PowerShell prompt

  3. In the same administrative PowerShell prompt, navigate to the location where the certificate request should be created: 

    Code Block
    #example
    Set-Location C:\Working
  4. In the same administrative PowerShell prompt, run the following command to set the filename, subject, subject alternate names, and template of the certificate (all four values are strings and must be quoted):

    Code Block
    $cert_file = "<certificate request filename without extension>"
    $cert_url = "<FQDN for the certificate>"
    $cert_san = @("<certificate SAN #1>","<certificate SAN #2>")   # add further SANs as needed; use @() if there are none
    $cert_template = "<short name of the certificate template>"
  5. In the same administrative PowerShell prompt, run the following to create the INF file, then open the INF file to review the output. Exportable=TRUE is what later allows the private key to be exported to a PFX (see the export procedure below); set it to FALSE if the key will only ever be used on this server. The subject FQDN is written as the first DNS entry of the subject alternative name extension (OID 2.5.29.17); further SANs are appended in the next step:

    Code Block
    $cert_file_inf = ((Get-Location).Path + "\" + $cert_file + ".inf")
    $cert_txt = @"
    [Version]
    Signature=`"`$Windows NT`$`"

    [NewRequest]
    Subject=`"CN=$cert_url`"
    Exportable=TRUE
    MachineKeySet=TRUE
    KeyLength=2048
    KeySpec=1

    [RequestAttributes]
    CertificateTemplate=$cert_template

    [Extensions]
    2.5.29.17=`"{text}`"
    _continue_=`"DNS=$cert_url&`"
    "@

    New-Item $cert_file_inf -Type File -Force
    Set-Content $cert_file_inf $cert_txt
    notepad $cert_file_inf
  6. In the same administrative PowerShell prompt, run the following to add any subject alternate names to the INF file (one _continue_ line per SAN; the subject FQDN was already added as the first SAN in the previous step, so it does not need to be repeated in $cert_san):

    Code Block
    ForEach ($san in $cert_san) {Add-Content $cert_file_inf ("_continue_=`"DNS=$san&`"")}
  7. In the same administrative PowerShell prompt, run the following to create the request, submit the request to the certificate authority, then accept the response. Check the output of each certreq command before running the next one: if the template requires CA manager approval, certreq -submit reports the request as pending and writes no .cer file until the request has been approved, in which case certreq -accept has nothing to install:

    Code Block
    $cert_file_req = ((Get-Location).Path + "\" + $cert_file + ".req")
    $cert_file_cer = ((Get-Location).Path + "\" + $cert_file + ".cer")
    certreq -new $cert_file_inf $cert_file_req
    certreq -submit -attrib CertificateTemplate:$cert_template $cert_file_req $cert_file_cer
    certreq -accept $cert_file_cer
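The request procedure above, collected into one function with the checks a practitioner would want around it. This is an added example, not code from the original page: it generates the INF from parameters (so the SAN list cannot drift from the subject), stops on any non-zero certreq exit code instead of accepting a response that was never written, and verifies that the certificate that landed in LocalMachine\My has its private key and carries every DNS name that was asked for. It assumes an elevated prompt on a domain-joined server, an enterprise CA that certreq can reach, and a template short name passed in -Template; the optional -CAConfig ("CAHost\CAName") maps to certreq's -config switch so that the interactive CA picker is skipped. All names, hostnames and template names shown are placeholders.

```powershell
# Added example (not from the original page). Assumptions: elevated prompt on a
# domain-joined server, an enterprise CA reachable by certreq, and a template whose
# short name is passed in -Template. All names below are placeholders.
function New-MachineCertRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,       # base filename for .inf/.req/.cer
        [Parameter(Mandatory)][string]$Subject,    # FQDN used as CN and first DNS SAN
        [string[]]$San = @(),                      # additional DNS SANs
        [Parameter(Mandatory)][string]$Template,   # certificate template short name
        [string]$CAConfig,                         # optional "CAHost\CAName" for certreq -config
        [string]$WorkDir = (Get-Location).Path,
        [switch]$Exportable                        # only set when a PFX export is planned
    )

    $inf = Join-Path $WorkDir "$Name.inf"
    $req = Join-Path $WorkDir "$Name.req"
    $cer = Join-Path $WorkDir "$Name.cer"

    # The subject FQDN always goes first; blanks and duplicates are dropped.
    $dnsNames = @($Subject) + @($San | Where-Object { $_ -and $_ -ne $Subject } | Select-Object -Unique)
    $sanLines = ($dnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
    $exportable = if ($Exportable) { 'TRUE' } else { 'FALSE' }

    # Double quotes need no escaping inside a here-string; only the $ in $Windows NT$ does.
    # The template is supplied at submit time with -attrib, so no [RequestAttributes] section is needed.
    $infText = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Subject"
Exportable = $exportable
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
    Set-Content -Path $inf -Value $infText -Encoding ASCII

    # certreq signals failure through its exit code; never -accept a response that was not produced.
    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit $LASTEXITCODE)" }

    $submitArgs = @('-submit', '-attrib', "CertificateTemplate:$Template")
    if ($CAConfig) { $submitArgs += @('-config', $CAConfig) }
    & certreq.exe @submitArgs $req $cer
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        throw "certreq -submit did not return a certificate (exit $LASTEXITCODE); the request may be pending CA manager approval"
    }

    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }

    # Verify what landed in the machine store: same thumbprint, private key attached, SANs as requested.
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cer
    $installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
    if (-not $installed -or -not $installed.HasPrivateKey) {
        throw "Certificate $($issued.Thumbprint) is not in LocalMachine\My with a private key"
    }
    $sanExt = $installed.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $actual = @()
    if ($sanExt) {
        # Format() yields text such as "DNS Name=app01.corp.example, DNS Name=app01"; keep the values only.
        $actual = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $missing = $dnsNames | Where-Object { $actual -notcontains $_ }
    if ($missing) {
        Write-Warning "Issued certificate lacks requested SAN(s): $($missing -join ', ') (the template may build the subject from AD instead of the request)"
    }
    return $installed
}

# Usage (placeholder names):
# New-MachineCertRequest -Name 'app01' -Subject 'app01.corp.example' -San 'app01' -Template 'WebServerV2' -Exportable
```

The SAN comparison is deliberately a warning rather than an error: a template configured to build the subject from Active Directory ignores the names in the request, and the function should still hand back the certificate that was actually issued so the operator can decide whether it is usable. The -Exportable switch defaults to off so that a key that never needs to leave the host is not marked exportable by accident.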

Export the Austin certificate via PowerShell

  1. Log into the Austin Active Directory joined server that holds the certificate as a local administrator (the request was created with MachineKeySet=TRUE, so the private key is in the machine store and exporting it requires administrative rights)

  2. Open an administrative PowerShell prompt

  3. In the same administrative PowerShell prompt, run the following command to set the filename and subject of the certificate (the same values that were used when the certificate was requested):

    Code Block
    $cert_file = "<certificate request filename without extension>"
    $cert_url = "<FQDN for the certificate>"
  4. In the same administrative PowerShell prompt, run the following command to set the password for the exported PFX file:

    Code Block
    $cert_pw = Read-Host -Prompt "Enter password" -AsSecureString
  5. In the same administrative PowerShell prompt, run the following to identify the certificate, then export the PFX (certificate plus private key, protected by the password from step 4) and the issuing CA certificate as a CRT file. The lookup of the CA certificate in the Root store assumes the certificate was issued directly by a root CA; if it was issued by a subordinate CA, its issuer is in cert:\LocalMachine\CA instead. The PFX file contains the private key: restrict access to it and delete it once it has been moved to its destination:

    Code Block
    $cert_file_pfx = ((Get-Location).Path + "\" + $cert_file + ".pfx")
    $cert_file_crt = ((Get-Location).Path + "\" + $cert_file + ".crt")
    # -match takes a regular expression, so escape the FQDN; the issuer DN is compared exactly
    $cert_obj = Get-ChildItem -Path "cert:\LocalMachine\My" | Where-Object {$_.Subject -match [regex]::Escape($cert_url)} | Sort-Object NotBefore -Descending | Select-Object -First 1
    $cert_rca = Get-ChildItem -Path "cert:\LocalMachine\Root" | Where-Object {$_.Subject -eq $cert_obj.Issuer} | Sort-Object NotBefore -Descending | Select-Object -First 1
    $cert_obj | Export-PfxCertificate -FilePath $cert_file_pfx -Password $cert_pw
    $cert_rca | Export-Certificate -FilePath $cert_file_crt
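The export procedure above as one function, added here as an example and not taken from the original page. Beyond what the steps show, it selects the certificate by exact CN and only if it is unexpired and has a private key, walks the chain from the machine's trust stores so the root is found whether or not an intermediate CA sits in between, exports the PFX with its chain, strips inherited permissions from the PFX so only Administrators and SYSTEM can read it, and reloads the PFX to confirm it really contains the certificate that was selected. It assumes an elevated prompt and that the key was requested with Exportable=TRUE; the -CryptoAlgorithmOption AES256_SHA256 parameter of Export-PfxCertificate is only used when the local PKI module offers it (older builds protect the PFX with TripleDES). Hostnames and filenames are placeholders.

```powershell
# Added example (not from the original page). Assumptions: elevated prompt on the
# server holding the certificate, key requested with Exportable=TRUE; names are placeholders.
function Export-MachineCertBundle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Subject,        # FQDN in the certificate CN
        [Parameter(Mandatory)][string]$Name,           # base filename for .pfx/.crt
        [Parameter(Mandatory)][SecureString]$Password, # PFX password, e.g. from Read-Host -AsSecureString
        [string]$OutDir = (Get-Location).Path
    )

    $pfx = Join-Path $OutDir "$Name.pfx"
    $crt = Join-Path $OutDir "$Name.crt"

    # Exact CN match instead of -match on an unescaped FQDN, and only certs that are usable now.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No unexpired certificate with a private key found for CN=$Subject" }

    # Build the chain from the local Root and CA stores; revocation is not the question here,
    # only which CA certificates belong in the bundle.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object Status) -join ', '
        throw "Chain does not build for $($cert.Thumbprint): $status"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Export-Certificate -Cert $root -FilePath $crt -Type CERT -Force | Out-Null

    # Export with the full chain; use AES-256 protection where the cmdlet supports it.
    $exportArgs = @{ Cert = $cert; FilePath = $pfx; Password = $Password; ChainOption = 'BuildChain'; Force = $true }
    if ((Get-Command Export-PfxCertificate).Parameters.ContainsKey('CryptoAlgorithmOption')) {
        $exportArgs.CryptoAlgorithmOption = 'AES256_SHA256'
    }
    Export-PfxCertificate @exportArgs | Out-Null

    # The PFX carries the private key: drop inherited ACEs and allow only Administrators and SYSTEM.
    $acl = Get-Acl $pfx
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $pfx -AclObject $acl

    # Round-trip check: the PFX must open with the password and contain the selected certificate.
    $pfxData = Get-PfxData -FilePath $pfx -Password $Password
    if (-not $pfxData.EndEntityCertificates -or $pfxData.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
        throw "PFX verification failed for $pfx"
    }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Pfx         = $pfx
        RootCrt     = $crt
        ChainLength = $chain.ChainElements.Count
    }
}

# Usage (placeholder names):
# $pw = Read-Host -Prompt 'Enter password' -AsSecureString
# Export-MachineCertBundle -Subject 'app01.corp.example' -Name 'app01' -Password $pw
```

The chain walk replaces the page's lookup of the issuer in the Root store: with a two-tier PKI the issuer is a subordinate CA living in the CA store and the page's Where-Object would return nothing, whereas X509Chain resolves both cases. ChainOption BuildChain puts the intermediate(s) into the PFX as well, which is what most TLS endpoints need alongside the end-entity certificate.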