...

  1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template

  2. Start an administrative PowerShell session

  3. In the same administrative PowerShell session, navigate to the directory where the certificate request files should be created:

    # example working directory; any directory the session can write to works
    Set-Location C:\Working
  4. In the same administrative PowerShell prompt, run the following to create the certificate policy file:

    # assumes $cert_fqdn (the certificate's fully qualified host name) was set in an earlier step
    $cert_file = $cert_fqdn + "_" + (Get-Date -Format yyyyMMdd-HHmmss)
    $cert_file_inf = ((Get-Location).Path + "\" + $cert_file + ".inf")
    # here-string with the certreq policy; the closing "@ must start at the beginning of its line
    $cert_file_content = @"
    [Version]
    Signature=`"`$Windows NT`$`"

    [NewRequest]
    Subject=`"CN=$cert_fqdn`"
    Exportable=TRUE
    MachineKeySet=TRUE
    KeyLength=2048

    [Extensions]
    2.5.29.17=`"{text}`"
    _continue_=`"DNS=$cert_fqdn&`"
    "@

    New-Item $cert_file_inf -Type File -Force
    Set-Content $cert_file_inf $cert_file_content
  5. In the same administrative PowerShell prompt, run the following to add any DNS subject alternate names to the certificate policy file:

    # assumes $cert_sans is an array of additional DNS names (may be empty)
    ForEach ($san in $cert_sans) {Add-Content $cert_file_inf ("_continue_=`"DNS=$san&`"")}
  6. In the same administrative PowerShell prompt, run the following to add any IP address subject alternate names to the certificate policy file:

    # assumes $cert_ipaddrs is an array of IP addresses (may be empty)
    ForEach ($ipaddr in $cert_ipaddrs) {Add-Content $cert_file_inf ("_continue_=`"IPAddress=$ipaddr&`"")}
  7. In the same administrative PowerShell prompt, run the following to create the request:

    $cert_file_req = ((Get-Location).Path + "\" + $cert_file + ".req")
    # generates the key pair in the machine store and writes the PKCS#10 request to $cert_file_req
    certreq -new $cert_file_inf $cert_file_req
  8. In the same administrative PowerShell prompt, run the following to inspect the request before submitting it:

    notepad $cert_file_req
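The request-creation steps above (working directory, policy file, DNS and IP SANs, certreq -new) as a single function. This is an added example, not code from the original page; the function name, parameter names and the input validation are this example's own, and the INF layout is the one the steps above produce.

```powershell
# Added example, not code from the original page: the request-creation steps
# above as one function. The function and parameter names are this example's own.
function New-MachineCertRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Fqdn,          # used for the CN and the first DNS SAN
        [string[]] $DnsSans = @(),                      # additional DNS subject alternate names
        [string[]] $IpSans  = @(),                      # IP address subject alternate names
        [string]   $OutDir  = (Get-Location).Path,      # where the .inf and .req files are written
        [int]      $KeyLength = 2048
    )

    # Reject malformed names and addresses before they can end up in a signed certificate
    foreach ($name in (@($Fqdn) + $DnsSans)) {
        if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9\.\-]*$') { throw "Invalid DNS name: $name" }
    }
    foreach ($ip in $IpSans) {
        if (-not ($ip -as [System.Net.IPAddress])) { throw "Invalid IP address: $ip" }
    }
    if (-not (Test-Path $OutDir)) { New-Item $OutDir -ItemType Directory | Out-Null }

    $base = Join-Path $OutDir ('{0}_{1}' -f $Fqdn, (Get-Date -Format yyyyMMdd-HHmmss))
    $inf  = "$base.inf"
    $req  = "$base.req"

    # Same policy file layout as the steps above: one _continue_ line per SAN inside the
    # 2.5.29.17 (subjectAltName) extension. Exportable=TRUE mirrors the page; set it to
    # FALSE when the private key must never leave this machine.
    $lines = @(
        '[Version]'
        'Signature="$Windows NT$"'
        ''
        '[NewRequest]'
        "Subject=`"CN=$Fqdn`""
        'Exportable=TRUE'
        'MachineKeySet=TRUE'
        "KeyLength=$KeyLength"
        ''
        '[Extensions]'
        '2.5.29.17="{text}"'
        "_continue_=`"DNS=$Fqdn&`""
    )
    foreach ($san in $DnsSans) { $lines += "_continue_=`"DNS=$san&`"" }
    foreach ($ip  in $IpSans)  { $lines += "_continue_=`"IPAddress=$ip&`"" }

    Set-Content -Path $inf -Value $lines -Encoding ASCII

    # certreq writes the key pair to the machine store and the PKCS#10 request to $req
    certreq -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    [pscustomobject]@{ Inf = $inf; Request = $req }
}

# Usage (host names and address are placeholders):
# $r = New-MachineCertRequest -Fqdn 'host.example.utexas.edu' -DnsSans 'alias.example.utexas.edu' -IpSans '10.0.0.5'
# $cert_file_inf = $r.Inf; $cert_file_req = $r.Request   # so the submission steps below apply unchanged
# Get-Content $cert_file_req                              # same visual check as the notepad step
```

The function fails early on a malformed name or address, which is cheaper than discovering the mistake after the CA has issued a certificate for it.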

Submit the certificate request to an Austin CA

Certificates should only be submitted to the Austin CAs when they require certificate attributes not supported by InCommon, such as:

  • EKUs other than Digital Signature and Key Encipherment
  • Subject Alternate Names that are not in the utexas.edu DNS address space, such as IP addresses
  • Certificates that must have a lifetime longer than 398 days

Complete the following instructions to submit the certificate request to the Austin CAs:

  1. If submitting a pre-created certificate request, complete the following instructions:
    1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template
    2. Start an administrative PowerShell session and set the $cert_file_req object to the full path of the certificate request file
  2. In the same administrative PowerShell session, run one of the following to set the certificate template:

    • For VMware SSL certificates, run the following:

      $cert_template = "VMwareSSL6.5"
    • For long-duration server certificates, run the following:

      $cert_template = "Server-10Year"
  3. In the same administrative PowerShell session, run the following to derive the path of the signed certificate file from the certificate request file path:

    # same directory and base name as the request, with a .cer extension
    $cert_file_cer = (Get-Item $cert_file_req).DirectoryName + "\" + (Get-Item $cert_file_req).BaseName + ".cer"
  4. In the same administrative PowerShell session, run the following to submit the request to an Austin certificate authority:

    certreq -submit -attrib ("CertificateTemplate:" + $cert_template) $cert_file_req $cert_file_cer

Submit the certificate request to InCommon

Complete the following instructions to submit the certificate request to InCommon:

  1. Submit the request file or the contents of the request file to the certificate admins with the following information:
    1. Email address of the ServiceNow ticket queue for the team that manages the service or system
      • This address will receive the certificate and notices about certificate expiration
      • Do not provide the email address of a distribution list or individual user
    2. Whether the certificate includes any Subject Alternate Names (SANs)
      • This will instruct the certificate admins in how to process the certificate request
      • Certificates submitted without providing this information may be issued without the required SANs

Accept the certificate request

  1. If accepting a certificate file signed by an external certificate authority such as InCommon, complete the following instructions:
    1. Ensure the certificate is on or accessible by the system that created the original certificate request
    2. Log into the system that created the original certificate request
    3. Start an administrative PowerShell session and set the $cert_file_cer object to the full path of the signed certificate file that will be accepted
  2. In the same administrative PowerShell prompt, run the following to accept the response:

    certreq -accept $cert_file_cer
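The Austin CA submission and the acceptance step above, combined with the check a practitioner wants in between: that the issued certificate actually carries every SAN that was requested (the failure mode the InCommon section warns about) before it is bound to the private key. This is an added example, not code from the original page; the function names are this example's own, and the policy-file parser assumes the _continue_ line format produced in the request-creation steps.

```powershell
# Added example, not code from the original page: submit with the chosen template,
# compare requested and issued SANs, and only then accept. Function names are this
# example's own; the .inf parser assumes the _continue_ layout used above.
function Get-RequestedSans {
    param([Parameter(Mandatory)] [string] $InfPath)
    # Pull the DNS= and IPAddress= values out of the policy file's _continue_ lines
    Get-Content $InfPath |
        ForEach-Object { if ($_ -match '^_continue_="(DNS|IPAddress)=([^&"]+)&"') { $Matches[2] } } |
        Sort-Object -Unique
}

function Get-IssuedSans {
    param([Parameter(Mandatory)] [string] $CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $ext) { return }
    # Format($true) renders one "DNS Name=..." or "IP Address=..." entry per line
    $ext.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^(DNS Name|IP Address)=(.+)$') { $Matches[2].Trim() } } |
        Sort-Object -Unique
}

function Submit-AndAcceptCert {
    param(
        [Parameter(Mandatory)] [string] $RequestPath,   # the .req file written by certreq -new
        [Parameter(Mandatory)] [string] $InfPath,       # the matching .inf policy file
        [Parameter(Mandatory)] [string] $Template       # e.g. VMwareSSL6.5 or Server-10Year
    )
    $item = Get-Item $RequestPath
    $cer  = Join-Path $item.DirectoryName ($item.BaseName + '.cer')

    certreq -submit -attrib ("CertificateTemplate:" + $Template) $RequestPath $cer | Out-Null
    # A template that needs CA-manager approval leaves the request pending and writes no .cer
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        throw "Submission did not produce a certificate (exit code $LASTEXITCODE); check the CA request queue"
    }

    # Refuse to accept a certificate that silently dropped a requested SAN
    $requested = @(Get-RequestedSans $InfPath)
    $issued    = @(Get-IssuedSans $cer)
    $missing   = @($requested | Where-Object { $issued -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Issued certificate lacks requested SANs: $($missing -join ', '). Not accepting it."
    }

    # Binds the issued certificate to the private key created by certreq -new
    certreq -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cer
}

# Usage with the variables from the steps above:
# Submit-AndAcceptCert -RequestPath $cert_file_req -InfPath $cert_file_inf -Template $cert_template
```

For a certificate signed externally by InCommon, the submission part does not apply, but Get-IssuedSans can still be run against the returned file and compared with Get-RequestedSans before the certreq -accept step.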

...