June 14 2017

Create certificate from CSR on a Microsoft Certificate Authority using command line

Do you have a Certificate Signing Request (CSR) from a device and need to issue a certificate for it from a Microsoft Windows Certificate Authority?  This is actually pretty straightforward.  On a domain machine, save the CSR into a file (CSR.req in the example below), launch a command prompt in that folder, and use the command:

certreq -submit -attrib "CertificateTemplate:WebServer" CSR.req cert.cer

You’ll get a prompt to select the issuing CA you want to use.  Substitute WebServer for whichever template you need to use.  You then have your certificate – cert.cer.

 

 



April 22 2015

How to find an internal/local Certificate Authority

Many times when I’m new to an organisation I’ll need to do a discovery within the environment to see what technology exists – including local Microsoft Windows Certificate Authorities. A very quick and easy way to do this is to use the certutil command with the following syntax:

certutil -config - -ping

If there is a Certificate Authority published in Active Directory then you will get a popup box with a list of them. If not, you’ll see something like this:

[Screenshot: certutil output]

The command is also useful for testing the responsiveness of a Certificate Authority – if you select an existing Certificate Authority from the popup box, certutil will ping it.

July 11 2014

Free public SSL certificates

I recently needed a valid public SSL certificate for some testing and, since it was only for testing, I preferred that there be no cost for it.
I came across StartCom – https://www.startssl.com/ – who offer FREE Class 1 SSL certificates.

These free certificates are Class 1 – meaning that minimal validation is done when they are requested and issued. This is fine for testing but not really recommended for commercial use. From my testing, it appears that the issuing CA was automatically trusted by Internet Explorer and Chrome. These certs are perfect for testing over SSL.

For more info see the StartCom website – https://www.startssl.com/?app=40

December 9 2011

Microsoft Certificate Expiration Alerting tool

I came across this very useful free tool for alerting when a certificate that has been issued by an internal Microsoft Certificate Authority is going to expire (SCOM can do this too but this is a good alternative). In the words of the developer:

The Certificate Expiration Alerter helps IT departments monitor the expiration status of all their certificates which are issued from an internal Windows Server Certificate Authority (CA). When a certificate is about to expire, the Certificate Expiration Alerter sends a notification email with information about the certificate. This allows IT administrators to be proactive and take action by renewing the certificates before they expire and prevent possible service downtimes.

For more info, see these 2 websites – http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx and http://sourceforge.net/projects/certexpalerter.

October 7 2011

Extend the validity period of a Certificate Authority certificate

During a new deployment of Certificate Services, I needed to increase the validity period of the CA certificate issued from the root (and offline) CA to the issuing CA (online and domain joined). By default this is only valid for 1 year. After unsuccessfully hunting around the GUI options, I realised that this was going to be a registry change:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>
Find ValidityPeriod. Set the value to one of the following – Days, Weeks, Months or Years.
Find ValidityPeriodUnits and set this to the numeric value that you want.
Then restart the Certificate Services NT service.
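
The same steps scripted in PowerShell, as an added example that is not from the original post. It assumes an elevated session on the CA itself and that the Active value under Configuration names the CA's subkey; the 5 Years defaults are sample values.

```powershell
# Added example: set the maximum validity period the CA on this host will
# issue, then restart Certificate Services so the change takes effect.
param(
    [ValidateSet('Days', 'Weeks', 'Months', 'Years')]
    [string]$Period = 'Years',      # sample value
    [ValidateRange(1, 100)]
    [int]$Units = 5                 # sample value
)

$ErrorActionPreference = 'Stop'
$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value under Configuration holds the name of the CA's subkey.
$caName = (Get-ItemProperty -Path $config -Name Active).Active
$caKey  = Join-Path $config $caName

# Record the current setting so the change can be reviewed or rolled back.
$before = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
"{0}: was {1} {2}" -f $caName, $before.ValidityPeriodUnits, $before.ValidityPeriod

Set-ItemProperty -Path $caKey -Name ValidityPeriod      -Value $Period -Type String
Set-ItemProperty -Path $caKey -Name ValidityPeriodUnits -Value $Units  -Type DWord

# The service has to be restarted before the new values are used.
Restart-Service -Name CertSvc

$after = Get-ItemProperty -Path $caKey -Name ValidityPeriod, ValidityPeriodUnits
"{0}: now {1} {2}" -f $caName, $after.ValidityPeriodUnits, $after.ValidityPeriod
```

Run it once on each CA whose issued certificates should get the longer lifetime, and keep the "was" line with your change record.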

I made this change on both the root CA and issuing CA because I wanted to increase the validity period of not just the CA certificate that is issued from the root CA, but also any certificates that are issued from the issuing CA. Be aware that the validity period may also be set in the certificate template, and that templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.

There is a bit more detail here if required – http://support.microsoft.com/kb/254632.