Versions Compared

Version Old Version 31 New Version Current
Changes made by

Alex Barth

Alex Barth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
typeflat

Skip ahead to the Submit the certificate request section for an existing certificate request.

Define the certificate subject and subject alternative names

...

  1. Sign in to a computer then start an administrative PowerShell

...

  1. session 

  2. Modify then run the following

...

  1. commands to set the subject

...

  1. and template of the certificate as well as any optional DNS or IP

...

  1. Address subject alternate

...

  1. name values:  

    Code Block

...

  1. languagepowershell
    $Subject =

...

  1. "<subject for the certificate>"

...

  1. $SubjectAlternateNames = @("<certificate SAN #1>","<certificate SAN #2>",...)

...

  1. $CertificateIPAddresses = @("<certificate IP address #1>","<certificate IP address #2>",...)

Create the certificate request

...

Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template

...

Start an administrative PowerShell session

...

  1. Run the following commands to define the newline string

    Code Block

...

#example
Set-Location $env:windir\temp

In the same administrative PowerShell prompt, run the following to create the certificate policy file

...

  1. languagepowershell
    $NewLine = [System.Environment]::NewLine

  2. Run the following commands to create the temporary files: 

    Code Block
    languagepowershell
    $CertificateTemplateFile = New-TemporaryFile
$CertificateRequestFile = New-TemporaryFile

  3. Run the following commands to define the certificate template:

    Code Block
    languagepowershell
    $CertificateTemplate = @'
[Version]
Signature=

...

  1. "

...

  1. $Windows

...

  1. NT$"
  
[NewRequest]
Subject=

...

  1. "CN=

...

  1. %Subject%"
Exportable=TRUE
MachineKeySet=TRUE
KeyLength=2048
KeySpec=AT_KEYEXCHANGE
  
[Extensions]
2.5.29.17=

...

  1. "{text}

...

  1. "
_continue_=

...

  1. "DNS=

...

  1. %Subject%&

...

  1. "

...

  1. '@

  2. Run the following commands to update the subject in the certificate template: 

    Code Block
    languagepowershell
    $CertificateTemplate = $CertificateTemplate.Replace('%Subject%', $Subject)

  3. Run the following commands to add any optional DNS subject alternate names to the certificate

...

  1. template

    Code Block
    languagepowershell
    ForEach (

...

  1. $SubjectAlternateName in

...

  1. $SubjectAlternateNames) {

...

  1.  $CertificateTemplate = '{0}{1}_continue_=

...

  1. "DNS=

...

  1. {2}&

...

  1. "' -f $CertificateTemplate, $NewLine, $SubjectAlternateName }

  2. Run the following commands to add any optional IP Address subject alternate names to the certificate

...

  1. template

    Code Block
    languagepowershell
    ForEach (

...

  1. $CertificateIPAddress in

...

  1. $CertificateIPAddresses) {

...

  1.  $CertificateTemplate = '{0}{1}_continue_=

...

  1. "IPAddress=

...

  1. {2}&

...

In the same administrative PowerShell prompt, run the following to create the request:

Code Block
$cert_file_req = ((Get-Location).Path + "\" + $cert_file  + ".req")
certreq -new $cert_file_inf $cert_file_req

...

In the same administrative PowerShell prompt, run the following to validate the request: 

Code Block
Get-Content $cert_file_req

Submit the certificate request to an Austin CAs

Certificates should only be submitted to the Austin CAs when they require certificate attributes not supported by InCommon such as:

  • EKUs other than Digital Signature and Key Encipherment 
  • Subject Alternate Names that are not in the utexas.edu DNS address space such as IP Address
  • Certificates that must have a lifetime longer than 398 days

Complete the following instructions to submit the certificate request to the Austin CAs:

  1. If submitting a pre-created certificate request, complete the following instructions:
    1. Log into a server joined to the Austin Active Directory as on a system with permissions to request a certificate from the desired template
    2. Start an administrative PowerShell session and set the $cert_file_req object to the full path of the certificate request file

  2. In the same administrative PowerShell session, run one of the following to set the certificate template:

    • For VMware SSL certificates, run the following: 

      Code Block
      $cert_template = "VMwareSSL6.5"

    • For long-duration server certificates, run the following: 

      Code Block
      $cert_template = "Server-10Year"

  3. In the same administrative PowerShell session, run the following to define where the signed certificate file will be created using the certificate request file

    Code Block
    $cert_file_cer = (Get-Item $cert_file_req).DirectoryName + "\" + (Get-Item $cert_file_req).BaseName + ".cer"

  4. In the same administrative PowerShell session, run the following to submit the request to an Austin certificate authority:

    Code Block
    certreq -submit -attrib ("CertificateTemplate:" + $cert_template) $cert_file_req $cert_file_cer

Submit the certificate request to InCommon

Complete the following instructions to submit the certificate request to InCommon:

  1. Submit the request file or the contents of the request file to the certificate admins with the following information:
    1. Email address of the ServiceNow ticket queue for the team that manages the service or system
      • This address will receive the certificate and notices about certificate expiration
      • Do not provide the email address of a distribution list or individual user
    2. If the certificate includes any Subject Alternate Names (SANs)
      • This will instruct the certificate admins in how to process the certificate request
      • Certificates submitted without providing this information may be issued without the required SANs

Accept the certificate request

...

  1. Ensure the certificate is on or accessible by the system that created the original certificate request
  2. Log into the system that created the original certificate request
  3. Start an administrative PowerShell session and set the $cert_file_cer object to the full path of the signed certificate file that will be accepted

In the same administrative PowerShell prompt, run the following to accept the response: 

...

  1. "' -f $CertificateTemplate, $NewLine, $CertificateIPAddress }

  2. Run the following commands to trim the certificate template:

    Code Block
    languagepowershell
    $CertificateTemplate = $CertificateTemplate -replace '&"\s*$', '"'

  3. Run the following commands to write the certificate template file:

    Code Block
    languagepowershell
    $Content | Out-File -FilePath $CertificateTemplateFile -Force

  4. Run the following commands to review the certificate template file: 

    Code Block
    languagepowershell
    Get-Content -Path $CertificateTemplateFile

  5. Run the following commands to create the certificate request file:

    Code Block
    languagepowershell
    certreq -new -f $CertificateTemplateFile $CertificateRequestFile

  6. Run the following commands to review the certificate request file: 

    Code Block
    languagepowershell
    Get-Content -Path $CertificateRequestFile

  7. Run the following commands to retrieve the certificate request file name: 

    Code Block
    languagepowershell
    Get-Item -Path $CertificateRequestFile

Submit the certificate request to a certificate authority

References