Windows PKI blog - All Comments

re: Certutil and Certreq

Kurt L Hudson MSFT — Fri, 24 May 2013 00:40:24 GMT

Georgios, I will endeavor to improve the documentation. I agree that more examples and explanations could be added.

If you are trying to actually accomplish a particular task, your best option is to post the task and details on the Security Forum (http://aka.ms/adcsforum) and then to use the Email blog author link to send me an alert on the question. We can them work with both the experts on the Forum as well as the internal experts to resolve your issues.

As for the hyperlink issues: That is a software redirection issue with the publishing platform. I have already started to taking steps to resolve this problem, but it will take a couple of publishing iterations. For this one, I removed the links. In the future, they will return, but some workarounds are needed in the background.

As for the certreq -submit question: A simple example of certreq usage from my Test Lab Guide is:

certreq -submit A:\APP1.corp.contoso.com_IssuingCA-APP1.req

That is the submission of a request from a subordinate CA for a CA signing certificate.

The Certreq -submit example you mentioned in the document, I did not create, and I could not interpret without the help of the senior developer in charge of the utility and code. Here is a recap of the example:

certreq -submit certRequest.req certnew.cer certnew.pfx

So, we already know that the first part is a submission of a request to a CA. Then, what are the certnew.cer and certnew.pfx parts of the example command do?

The response from the senior developer is as follows:

=========

• certnew.cer will contain the new certificate

• certnew.pfx will contain an empty Pkcs7, with a bag of certs attached. The bag will contain the new cert and the full chain of CA certificates, including the root CA cert. (The .pfx extension doesn’t tell certreq to do anything differently).

• If an additional filename were to be specified on the command line, it would contain the CMC Full

Response: a non-empty Pkcs7 with CMC content and the same bag of certs attached, and the CMC content will be signed by the CA. The CMC content contains some additional data regarding the request: request processing result, RequestId, issued cert hash, etc.

All of the output files will be base64 encoded (in ansi text format).

Add in the -binary option to write binary data instead (DER encoded ASN.1).

To obtain a PFX, use certreq -accept to install the certificate, and certutil -ExportPFX to export the cert and key into a PFX file (aka Pkcs12). This assumes that certreq -new was used on the same machine to create the request in the first place.

==========

Another warning he added, that I must endeavor to fix is:

This certreq doc also has a link to support.microsoft.com/.../931351

This link describes using certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2, which is a recipe for elevation of privilege [attack] and should not be used in any real deployment.

Instead, the INF file syntax for certreq -new should be used:

[Extensions]

2.5.29.17 = "{text}dns=dns.name&dns=dns.name&…"

re: Certutil and Certreq

Georgios Koutepas — Thu, 23 May 2013 09:37:21 GMT

- In the section Certreq -submit.

The command description is

CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]

There is no exact and specific description on what are CertFileOut CertChainFileOut FullResponseFileOut

Some more info is supplied in the help text from certreq -submit -?

You get (among other things):

RequestFileOut - Base64-encoded output file name

PKCS10FileOut - Base64-encoded PKCS10 output file name

CertFileOut - Base64-encoded X-509 file name

CertChainFileOut - Base64-encoded PKCS7 file name

FullResponseFileOut - Base64-encoded Full Response file name

PolicyFileIn - INF file containing a textual representation

of extensions used to qualify a request

But it's still confusing:

RequestFileOut, PKCS10FileOut, - what are they and how you specify them in the command line?

CertFileOut, CertChainFileOut, FullResponseFileOut

PolicyFileIn - what is this? you're supposed to provide an .inf policy file with certreq -new. Why use one with certreq -submit ? In any case what is the syntax?

The first (and only) example in the section

certreq –submit certRequest.req certnew.cer certnew.pfx

implies that CertFileOut is the .cer file (logical) and CertChainFileOut is the .pfx file. In tests, the produced .pfx file cannot be used as usual (to install the secret key etc.). Instead you get the following message:

"Invalid Public Key Security Object File

This file is invalid for use as the following: Personal Information Exchange."

I apologize if I have missed any basic stuff but still, these documents only provide a partial and confusing picture of certreq, while I still believe that it can prove to be a useful tool.

I'll be glad to provide more info to help improve things if you're interested.

Many thanks,

Georgios

re: Certutil and Certreq

Georgios Koutepas — Thu, 23 May 2013 09:36:56 GMT

Dear Kurt,

Thanks for providing the "curated" version of the documentation. Still, let's work to make the underlying documents better. Here are some comments:

Revisiting the utilities, the process which they imply and the documentation (even the command line help!), and summing up information from a number of different web pages here are some more comments:

First of all, to summarize, the documents found online on certreq:

A. The article on Certreq: technet.microsoft.com/.../cc725793.aspx

B. The article on the Certreq.exe Syntax (mostly covering the .inf file syntax) - Appendix 3: technet.microsoft.com/.../cc736326(d=printer).aspx

C. An additional article on How to Request a Certificate With a Custom Subject Alternative Name (SAN): technet.microsoft.com/.../ff625722(WS.10).aspx

This last one is the only that covers the process of manually issuing certificates from the command line, specifically:

1. certreq.exe -new <RequestPolicy.inf><CertificateRequest.req>

2. certreq -submit -config "<ServerName\CAName>" "<CertificateRequest.req>" "<CertificateResponse.cer>"

3. [only if approval is required] certreq –retrieve -config "<ServerName\CAName>" <RequestID> "<CertificateResponse.cer>"

4. certreq –accept -config "<ServerName\CAName>" "<CertificateResponse.cer>"

Coming specifically to Document A (your link above).

- In the section Verbs.

Hyperlinks to more specific description, e.g. Certreq -submit take you to a page that says "This content has been moved to Certreq (technet.microsoft.com/.../cc725793.aspx)."

[continued below]

re: Certutil and Certreq

Kurt L Hudson MSFT — Wed, 22 May 2013 18:56:58 GMT

A new tool that our General Manager is promoting is in Beta. I thought this question would be a good one to test out the new tool: How Do I Use Certreq

curatedviews.azurewebsites.net/.../how-do-i-use-certreq

re: Certutil and Certreq

Kurt L Hudson MSFT — Tue, 21 May 2013 23:28:56 GMT

Sure, I found a few other examples: technet.microsoft.com/.../ff625722.aspx, which has a section titled using CertReq that explains more. Also, the Two Tier PKI Hierarchy Test Lab Guide has some steps that illustrate the use of Certreq technet.microsoft.com/.../hh831348.aspx. It is lacking a couple of certutil command line equivalents that I intend to add:

certutil -resubmit 2

cerutil -installcert A:\APP1.corp.contoso.com_corp-APP1-CA.crt

start-service certsvc

The above commands assume: The certificate request ID was 2, the removable media drive is A: and that the certificate that the subordinate CA is actually named APP1.corp.contoso.com_corp-APP1-CA.crt

re: Certutil and Certreq

Kurt L Hudson MSFT — Tue, 21 May 2013 00:22:37 GMT

Yes, you and all the users of these articles deserve some updates and more examples. I will work on it. In the meantime, please, check out:

Appendix 3: Certreq.exe Syntax (technet.microsoft.com/.../cc736326.aspx)

blogs.technet.com/.../rsa-key-blocking-is-here.aspx

social.technet.microsoft.com/.../3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx at the end of that article.

Thanks for your feedback!

re: Certutil and Certreq

Georgios Koutepas — Mon, 20 May 2013 09:56:06 GMT

Dear Kurt,

Thank you very much for answering and sending me these useful links. I'll probably be sending you more feedback to improve the documents as I further work on this.

re: Certutil and Certreq

Georgios Koutepas — Thu, 16 May 2013 13:43:43 GMT

Dear Kurt,

Recently I have been a frequent visitor to these pages. I currently manage an MS Certificate Server and I'm looking into ways to make the process of issuing certificates automated (rather than using the web interface) via tools like certreq and certutil.

If you curate these two pages I'd like to point some omissions that IMHO make these tools difficult to understand and use.

1. There is no description of the process that one should follow to manually issue certificates: i.e. certreq -new (using the .inf file), -submit, -retrieve

2. In the certreq page, after describing certreq -submit there are examples mentioned that are never shown

3. In the certreq page, when describing the .inf files there is only mention of "some of the possible sections" that can be added to an .inf file, e.g. the section [RequestAttributes] which is used to set the most useful CertificateTemplate parameter is shown in the examples but never really explained. Is there any reference document for ALL .inf sections available anywhere?

These are just some of the many shortcoming that these pages have in my opinion. So, may I kindly ask you if there is any additional (and complete) documentation on these tools available.

In any case, thank you very much for all your efforts,

Georgios

re: Certutil and Certreq

Glen Grady — Tue, 07 May 2013 05:18:00 GMT

This is gold! ...and is making my life much easier. Thanks very much Kurt.

re: Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

Amerk [MSFT] — Sun, 14 Apr 2013 14:40:38 GMT

Noted and corrected