Skip ahead to the Submit the certificate request section for an existing certificate request.

Define the certificate subject and subject alternative names

1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template

2. Start an administrative PowerShell session

3. In the same administrative PowerShell session, modify then run the following command to set the subject, any optional DNS or IP Address subject alternate names, and template of the certificate:  

   $cert_fqdn = <FQDN for the certificate> $cert_sans = @("<certificate SAN #1>","<certificate SAN #2>",...) $cert_ipaddrs = @("<certificate IP address #1>","<certificate IP address #2>",...)

Create the certificate request

1. Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template

2. Start an administrative PowerShell session

3. In the same administrative PowerShell session, navigate to the location where the certificate request should be created: 

   #example Set-Location $env:windir\temp

4. In the same administrative PowerShell prompt, run the following to create the certificate policy file

   $cert_file = $cert_fqdn + "_" + (Get-Date -Format yyyyMMdd-HHmmss) $cert_file_inf = ((Get-Location).Path + "\" + $cert_file + ".inf") $cert_file_content = @" [Version] Signature=`"`$Windows NT`$`" [NewRequest] Subject=`"CN=$cert_fqdn`" Exportable=TRUE MachineKeySet=TRUE KeyLength=2048 [Extensions] 2.5.29.17=`"{text}`" _continue_=`"DNS=$cert_fqdn&`" "@ New-Item $cert_file_inf -Type File -Force Set-Content $cert_file_inf $cert_file_content

5. In the same administrative PowerShell prompt, run the following to add any DNS subject alternate names to the certificate policy file: 

   ForEach ($san in $cert_sans) {Add-Content $cert_file_inf ("_continue_=`"DNS=$san&`"")}

6. In the same administrative PowerShell prompt, run the following to add any IP Address subject alternate names to the certificate policy file: 

   ForEach ($ipaddr in $cert_ipaddrs) {Add-Content $cert_file_inf ("_continue_=`"IPAddress=$ipaddr&`"")}

7. In the same administrative PowerShell prompt, run the following to create the request:

   $cert_file_req = ((Get-Location).Path + "\" + $cert_file + ".req") certreq -new $cert_file_inf $cert_file_req

8. In the same administrative PowerShell prompt, run the following to validate the request: 

   Get-Content $cert_file_req

Submit the certificate request to an Austin CAs

Certificates should only be submitted to the Austin CAs when they require certificate attributes not supported by InCommon such as:

• EKUs other than Digital Signature and Key Encipherment 
• Subject Alternate Names that are not in the utexas.edu DNS address space such as IP Address
• Certificates that must have a lifetime longer than 398 days

Complete the following instructions to submit the certificate request to the Austin CAs:

1. If submitting a pre-created certificate request, complete the following instructions:
   1. Log into a server joined to the Austin Active Directory as on a system with permissions to request a certificate from the desired template
   2. Start an administrative PowerShell session and set the $cert_file_req object to the full path of the certificate request file

2. In the same administrative PowerShell session, run one of the following to set the certificate template:

   • For VMware SSL certificates, run the following: 

     $cert_template = "VMwareSSL6.5"

   • For long-duration server certificates, run the following: 

     $cert_template = "Server-10Year"

3. In the same administrative PowerShell session, run the following to define where the signed certificate file will be created using the certificate request file

   $cert_file_cer = (Get-Item $cert_file_req).DirectoryName + "\" + (Get-Item $cert_file_req).BaseName + ".cer"

4. In the same administrative PowerShell session, run the following to submit the request to an Austin certificate authority:

   certreq -submit -attrib ("CertificateTemplate:" + $cert_template) $cert_file_req $cert_file_cer

Submit the certificate request to InCommon

Complete the following instructions to submit the certificate request to InCommon:

1. Submit the request file or the contents of the request file to the certificate admins with the following information:
   1. Email address of the ServiceNow ticket queue for the team that manages the service or system
      • This address will receive the certificate and notices about certificate expiration
      • Do not provide the email address of a distribution list or individual user
   2. If the certificate includes any Subject Alternate Names (SANs)
      • This will instruct the certificate admins in how to process the certificate request
      • Certificates submitted without providing this information may be issued without the required SANs

Accept the certificate request

1. If accepting a certificate file signed by an external certificate authority such as InCommon, complete the following instructions:
   1. Ensure the certificate is on or accessible by the system that created the original certificate request
   2. Log into the system that created the original certificate request
   3. Start an administrative PowerShell session and set the $cert_file_cer object to the full path of the signed certificate file that will be accepted

2. In the same administrative PowerShell prompt, run the following to accept the response: 

   Import-Certificate -CertStoreLocation Cert:\LocalMachine\My -FilePath $cert_file_cer