Skip ahead to the Submit the certificate request section for an existing certificate request.
Define the certificate subject and subject alternative names
- Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template
Start an administrative PowerShell session
In the same administrative PowerShell session, modify then run the following command to set the subject, any optional DNS or IP Address subject alternate names, and template of the certificate:
$cert_fqdn = <FQDN for the certificate> $cert_sans = @("<certificate SAN #1>","<certificate SAN #2>",...) $cert_ipaddrs = @("<certificate IP address #1>","<certificate IP address #2>",...)
Create the certificate request
Log into a server joined to the Austin Active Directory as a user with permissions to request a certificate from the desired template
Start an administrative PowerShell session
In the same administrative PowerShell session, navigate to the location where the certificate request should be created:
#example Set-Location C:\Working
In the same administrative PowerShell prompt, run the following to create the certificate policy file
$cert_file = $cert_fqdn + "_" + (Get-Date -Format yyyyMMdd-HHmmss) $cert_file_inf = ((Get-Location).Path + "\" + $cert_file + ".inf") $cert_file_content = @" [Version] Signature=`"`$Windows NT`$`" [NewRequest] Subject=`"CN=$cert_fqdn`" Exportable=TRUE MachineKeySet=TRUE KeyLength=2048 [Extensions] 2.5.29.17=`"{text}`" _continue_=`"DNS=$cert_fqdn&`" "@ New-Item $cert_file_inf -Type File -Force Set-Content $cert_file_inf $cert_file_contentIn the same administrative PowerShell prompt, run the following to add any DNS subject alternate names to the certificate policy file:
ForEach ($san in $cert_sans) {Add-Content $cert_file_inf ("_continue_=`"DNS=$san&`"")}In the same administrative PowerShell prompt, run the following to add any IP Address subject alternate names to the certificate policy file:
ForEach ($ipaddr in $cert_ipaddrs) {Add-Content $cert_file_inf ("_continue_=`"IPAddress=$ipaddr&`"")}In the same administrative PowerShell prompt, run the following to create the request:
$cert_file_req = ((Get-Location).Path + "\" + $cert_file + ".req") certreq -new $cert_file_inf $cert_file_req
Submit the certificate request
- If submitting a pre-created certificate request, complete the following instructions:
- Log into a server joined to the Austin Active Directory as on a system with permissions to request a certificate from the desired template
- Start an administrative PowerShell session and set the $cert_file_req object to the full path of the certificate request file
In the same administrative PowerShell session, run one of the following to set the certificate template:
For VMware SSL certificates, run the following:
$cert_template = "VMwareSSL6.5"
For long-duration server certificates, run the following:
$cert_template = "Server-10Year"
In the same administrative PowerShell session, run the following to define where the signed certificate file will be created using the certificate request file
$cert_file_cer = (Get-Item $cert_file_req).DirectoryName + "\" + (Get-Item $cert_file_req).BaseName + ".cer"
In the same administrative PowerShell session, run the following to submit the request to an Austin certificate authority:
certreq -submit -attrib ("CertificateTemplate:" + $cert_template) $cert_file_req $cert_file_cer
Accept the certificate request
- If accepting a certificate file signed by an external certificate authority such as InCommon, complete the following instructions:
- Log into the system that created the original certificate request
- Start an administrative PowerShell session and set the $cert_file_cer object to the full path of the signed certificate file that will be accepted
In the same administrative PowerShell prompt, run the following to accept the response:
certreq -accept $cert_file_cer