Generating a certificate signing request using certreq

I did some work related to certificates exactly one year ago. Today I had to repeat some of what I did in order to generate a new cert, and I’d forgotten some of the details in the process. I wrote a little about it here last year, but clearly I’d left out one step: How to generate a signing request which you can then submit to a third party for signing. Luckily I was able to recall the details after messing around with the files from last year. The following is a simple guide to save more time next time.

First, you need a request file, saved in ANSI format. (For more details on this and similar stuff, see my previous related posts about certificate signing and retaining SAN fields.) It should look something like the following:

[Version]
Signature="$WindowsNT$"
[NewRequest]
FriendlyName="My SSL Cert"
Subject="CN=my-app-url.northeurope.cloudapp.azure.com"
KeySpec=1
KeyLength=2048
Exportable=TRUE
MachineKeySet=TRUE
SMIME=FALSE
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0
[Extensions]
2.5.29.17 = "{text}"
_continue_="dns=my-app-url.northeurope.cloudapp.azure.com"

Save this file as e.g. MyRequest.inf. Make sure you put in the correct URL for Subject, and also in the _continue_ field at the end (and don’t forget to start the values with CN= and dns=, respectively). If you need more than one URL, you can add multiple lines starting with _continue_ – again, see my previous posts for an example.

Now that you’ve defined what you want in your request, you need to actually create it. Do this with the following simple command in Windows cmd, PowerShell, or Git Bash:
certreq -new MyRequest.inf MyRequest.req

This will generate the file MyRequest.req, which contains a base64-encoded request that you can submit to some registration authority (RA) for signing. If approved, the RA should then provide you with a certificate according to your specifications, signed by their certificate.
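
The whole procedure as one PowerShell script, extended to more than one DNS name and with a check of the finished request before it is submitted. This is an added example, not code from the original post. The second DNS name and the file locations are constructed placeholders, the trailing "&" on each _continue_ line follows Microsoft's certreq documentation, and the "DNS Name=" label assumes English-language certutil output.

```powershell
# Added example (not from the original post). File names and the second DNS name are placeholders.
# Run elevated: MachineKeySet=TRUE creates the key pair in the machine store.
$dnsNames = @(
    'my-app-url.northeurope.cloudapp.azure.com'   # first entry is also used as the CN
    'my-app-alias.example.com'                    # constructed second SAN entry
)
$infPath = Join-Path $PWD 'MyRequest.inf'
$reqPath = Join-Path $PWD 'MyRequest.req'

# Accept plain host names only, so a stray quote or "&" cannot alter the INF structure.
$bad = @($dnsNames -notmatch '^[A-Za-z0-9*.-]+$')
if ($bad.Count) { throw "Not a valid DNS name: $($bad -join ', ')" }

$lines = @(
    '[Version]'
    'Signature="$WindowsNT$"'
    '[NewRequest]'
    'FriendlyName="My SSL Cert"'
    'Subject="CN={0}"' -f $dnsNames[0]
    'KeySpec=1'
    'KeyLength=2048'
    'Exportable=TRUE'
    'MachineKeySet=TRUE'
    'SMIME=FALSE'
    'PrivateKeyArchive=FALSE'
    'UserProtected=FALSE'
    'UseExistingKeySet=FALSE'
    'ProviderName="Microsoft RSA SChannel Cryptographic Provider"'
    'ProviderType=12'
    'RequestType=PKCS10'
    'KeyUsage=0xa0'
    '[Extensions]'
    '2.5.29.17 = "{text}"'
)
# One _continue_ line per name; every entry ends with "&" so certreq can join them.
$lines += $dnsNames | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }
# ASCII is a subset of ANSI, the encoding the request file must be saved in.
[System.IO.File]::WriteAllLines($infPath, [string[]]$lines, [System.Text.Encoding]::ASCII)

certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Inspect the request before submitting it: every name must appear in the SAN extension.
$dump = certutil -dump $reqPath
foreach ($name in $dnsNames) {
    if (-not ($dump | Select-String -SimpleMatch "DNS Name=$name")) {
        throw "SAN entry missing from request: $name"
    }
}
```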

One thought on “Generating a certificate signing request using certreq”

  1. …And voilà – six months later, and a not unsubstantial amount of time was saved! Thank you, previous me! XD
