Pete Hinchley: Create a Web Server Certificate from the Command Line

A quick guide on creating a web server certificate from the command line using an enterprise root certificate authority. This example creates a cert with the subject CN=web.lab.hinchley.net and subject alternative names for web.lab.hinchley.net and code.lab.hinchley.net (the CN is repeated in the SAN because modern browsers ignore the CN and match only against the SAN). The certificate authority is hosted on ca.lab.hinchley.net and is named Lab Enterprise Certificate Authority.

Start by creating a file named cert.inf with the following content:

[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "CN=web.lab.hinchley.net"
Exportable = TRUE ; private key can be exported from the store; set to FALSE unless the key must be moved to another host
KeyLength = 4096
KeySpec = 1 ; AT_KEYEXCHANGE; SChannel requires a key exchange key
KeyUsage = 0xA0 ; digital signature, key encipherment
MachineKeySet = TRUE ; key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[RequestAttributes]
CertificateTemplate = "WebServer"
[Extensions]
2.5.29.17 = "{text}dns=web.lab.hinchley.net&dns=code.lab.hinchley.net" ; each SAN entry needs its own dns= prefix, joined with &
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; server authentication

Next, run the following commands to generate the cert request, submit it to the CA, and install the certificate:

certreq -new cert.inf cert.req
certreq -submit -config "ca.lab.hinchley.net\Lab Enterprise Certificate Authority" cert.req cert.cer
certreq -accept cert.cer
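The same procedure as a PowerShell script, added here as an example rather than taken from the original post: it builds the INF from a subject and a list of SANs (so every entry gets its own dns= prefix), runs the three certreq steps, and then checks what actually landed in the machine store, which the bare commands above never confirm. It assumes it runs elevated on a domain-joined host that can reach the CA; the CA config string, template name and host names default to the lab values used in this post and are placeholders. The -f and -q switches are standard certreq options (overwrite existing files, suppress dialogs).

```powershell
# Added example, not code from the original post. Parameters default to the post's lab values.
param(
    [string]$Subject    = 'web.lab.hinchley.net',
    [string[]]$Sans     = @('web.lab.hinchley.net', 'code.lab.hinchley.net'),
    [string]$CaConfig   = 'ca.lab.hinchley.net\Lab Enterprise Certificate Authority',
    [string]$Template   = 'WebServer',
    [bool]$Exportable   = $false   # keep the private key non-exportable unless it must be moved
)

$ErrorActionPreference = 'Stop'

# Every SAN entry needs its own dns= prefix; entries are joined with '&'.
$sanText = ($Sans | ForEach-Object { "dns=$_" }) -join '&'

$inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$Subject"
Exportable = $($Exportable.ToString().ToUpper())
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[RequestAttributes]
CertificateTemplate = "$Template"
[Extensions]
2.5.29.17 = "{text}$sanText"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@

$workDir = Join-Path $env:TEMP 'certreq-example'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'cert.inf'
$reqPath = Join-Path $workDir 'cert.req'
$cerPath = Join-Path $workDir 'cert.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine key store and write the CMC request.
& certreq.exe -new -f -q $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the enterprise CA. If the template requires CA manager approval,
#    certreq prints a RequestId and writes no cert; fetch it once approved with:
#    certreq -retrieve -config "<CaConfig>" <RequestId> cert.cer
& certreq.exe -submit -f -q -config $CaConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) { throw 'No certificate returned; the request is probably pending approval.' }

# 3. Bind the issued certificate to its private key in Cert:\LocalMachine\My.
& certreq.exe -accept -q $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 4. Verify the newest cert for this subject: SANs, EKU, key usage bits, bound private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Subject" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate for CN=$Subject not found in LocalMachine\My" }

$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = $sanExt.Format($true) -split "`r?`n" |
    Where-Object { $_ -match '^DNS Name=' } |
    ForEach-Object { ($_ -split '=', 2)[1].Trim() }
$missing  = $Sans | Where-Object { $sanNames -notcontains $_ }
if ($missing) { throw "SAN entries missing from issued cert: $($missing -join ', ')" }

$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Server Authentication EKU missing' }

$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$ku = ($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
if (-not $ku.HasFlag($kuFlags::DigitalSignature) -or -not $ku.HasFlag($kuFlags::KeyEncipherment)) {
    throw "Unexpected key usage: $ku"
}

if (-not $cert.HasPrivateKey) { throw 'No private key bound; certreq -accept must run on the host that ran certreq -new' }

"Issued $($cert.Thumbprint) for CN=$Subject; SANs: $($sanNames -join ', '); expires $($cert.NotAfter)"
```

The checks in step 4 are the ones worth keeping even if the rest is typed by hand: a missing SAN entry is the most common reason a certificate that looks fine in the MMC still fails TLS validation, and HasPrivateKey being false means the accept step ran on a different machine (or as a user rather than with MachineKeySet) from the one that generated the key.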