
I recently installed AD cert services. Right now everything in my home network is using certs issued by my firewall. On the firewall, I can sign CSRs, I can simply create certs and define the lifetime, etc.

My question is, is there a way on a Windows CA to just "Make a cert"? I've been googling for a while and everything I'm finding is pointing to CSRs. I can't find anything on how to simply create a cert signed by the Windows CA from scratch, so to speak, like I can on my firewall.

Thanks in advance.

  • CA requires a CSR which contains a signed public key and optional information about the certificate you need. So `make a cert` without CSR is kind of pointless. – Crypt32 Jan 17 '21 at 18:04

1 Answer


One way is to use certreq.exe to create a CSR, and process it on the CA.

certreq.exe -new request.inf somename.contoso.com

Then save the issued certificate and fulfill it on the machine that created the CSR:

certreq.exe -accept <filename>

It's also possible to configure the CA for direct enrollment using certreq.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certreq_1

Request.inf:

[NewRequest]
Subject = "CN=somename.contoso.com, OU=Headquarters, O=Contoso Inc, L=Washington, S=DC, C=US"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1 ; Key Exchange and Digital Signatures
KeyUsage = 0XB0 ; Digital Signature, Key Encipherment, Data Encipherment
MachineKeySet = TRUE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
Greg Askew
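The three certreq steps from the answer (new, submit, accept) scripted end to end, as an added example that is not part of the original answer. It extends the answer's request.inf with a Subject Alternative Name and pins a template on submit; the CA config string, the template name "WebServer" and the contoso.com host are placeholders you must replace.

```powershell
# Added example, not from the original post. Run elevated: MachineKeySet=TRUE
# writes the private key into the machine store. Placeholders to replace:
$CaConfig = 'CAHOST.contoso.com\Contoso-Issuing-CA'  # placeholder; `certutil -dump` shows yours
$Template = 'WebServer'                              # placeholder; a template this machine may enrol for
$Fqdn     = 'somename.contoso.com'                   # placeholder host from the answer
$Work     = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# The answer's INF plus a SAN extension (OID 2.5.29.17): TLS clients match the
# hostname against the SAN, not the CN, so a cert without one is rejected.
$Inf = @"
[NewRequest]
Subject = "CN=$Fqdn, O=Contoso Inc, C=US"
Exportable = FALSE        ; non-exportable key unless you really need to move it
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0           ; Digital Signature + Key Encipherment; TLS needs no Data Encipherment
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication only (no client-auth EKU for a server cert)
"@
$InfPath = Join-Path $Work 'request.inf'; $ReqPath = Join-Path $Work 'request.req'
$CerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA. -config avoids the interactive CA picker; -attrib pins the template,
#    so the CA (not the requester) decides lifetime, EKU and key usage for the issued cert.
certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE): check template permissions or pending approval" }

# 3. Install the issued cert; certreq pairs it with the private key created in step 1.
certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Verify the result: the cert is in LocalMachine\My with its private key and chains to a trusted root.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert -or -not $Cert.HasPrivateKey) { throw "No installed certificate with a private key for $Fqdn" }
certutil.exe -verify -urlfetch $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Chain or revocation check failed for $CerPath" }
$Cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint
```

If the template requires CA manager approval, step 2 leaves the request pending and the script stops; issue it on the CA and run `certreq.exe -retrieve <RequestId> $CerPath` followed by step 3.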