Windows PKI blog - All Comments

re: Certutil and Certreq

Kurt L Hudson MSFT — Tue, 21 May 2013 23:28:56 GMT

Sure, I found a few other examples: technet.microsoft.com/.../ff625722.aspx, which has a section titled using CertReq that explains more. Also, the Two Tier PKI Hierarchy Test Lab Guide has some steps that illustrate the use of Certreq technet.microsoft.com/.../hh831348.aspx. It is lacking a couple of certutil command line equivalents that I intend to add:

certutil -resubmit 2

cerutil -installcert A:\APP1.corp.contoso.com_corp-APP1-CA.crt

start-service certsvc

The above commands assume: The certificate request ID was 2, the removable media drive is A: and that the certificate that the subordinate CA is actually named APP1.corp.contoso.com_corp-APP1-CA.crt

re: Certutil and Certreq

Kurt L Hudson MSFT — Tue, 21 May 2013 00:22:37 GMT

Yes, you and all the users of these articles deserve some updates and more examples. I will work on it. In the meantime, please, check out:

Appendix 3: Certreq.exe Syntax (technet.microsoft.com/.../cc736326.aspx)

blogs.technet.com/.../rsa-key-blocking-is-here.aspx

social.technet.microsoft.com/.../3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx at the end of that article.

Thanks for your feedback!

re: Certutil and Certreq

Georgios Koutepas — Mon, 20 May 2013 09:56:06 GMT

Dear Kurt,

Thank you very much for answering and sending me these useful links. I'll probably be sending you more feedback to improve the documents as I further work on this.

re: Certutil and Certreq

Georgios Koutepas — Thu, 16 May 2013 13:43:43 GMT

Dear Kurt,

Recently I have been a frequent visitor to these pages. I currently manage an MS Certificate Server and I'm looking into ways to make the process of issuing certificates automated (rather than using the web interface) via tools like certreq and certutil.

If you curate these two pages I'd like to point some omissions that IMHO make these tools difficult to understand and use.

1. There is no description of the process that one should follow to manually issue certificates: i.e. certreq -new (using the .inf file), -submit, -retrieve

2. In the certreq page, after describing certreq -submit there are examples mentioned that are never shown

3. In the certreq page, when describing the .inf files there is only mention of "some of the possible sections" that can be added to an .inf file, e.g. the section [RequestAttributes] which is used to set the most useful CertificateTemplate parameter is shown in the examples but never really explained. Is there any reference document for ALL .inf sections available anywhere?

These are just some of the many shortcoming that these pages have in my opinion. So, may I kindly ask you if there is any additional (and complete) documentation on these tools available.

In any case, thank you very much for all your efforts,

Georgios

re: Certutil and Certreq

Glen Grady — Tue, 07 May 2013 05:18:00 GMT

This is gold! ...and is making my life much easier. Thanks very much Kurt.

re: Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

Amerk [MSFT] — Sun, 14 Apr 2013 14:40:38 GMT

Noted and corrected

re: Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

B.C. — Sun, 14 Apr 2013 14:25:38 GMT

I tried to follow the steps. But failed. Could you please give me more detail instructions?

re: Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

JCSunday — Thu, 28 Mar 2013 19:35:43 GMT

For the certutil -dspublish command, you show an example ("Certutil -f -dspublish RootCA.cer Root") to add a new Root Certification Authority to the Certification Authorities container. That example ends with "Root", but when I use certutil -dspublish /?, the closest option I see is "RootCA", not "Root". Is that a typo? Will either work, or does each one do something different?

re: Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

Amerk [MSFT] — Mon, 25 Mar 2013 22:43:26 GMT

Devices such as iPads behave differently, where they treat all certificates installed as a user certificate, hence when passing the subject name to the NPS server, NPS will look for a user object in AD DS rather than a computer object, causing the authentication request to fail

re: Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

BBWI — Mon, 25 Mar 2013 21:18:18 GMT

Why do I need to duplicate a user certificate and then convert it to a computer certificate? Why not just use a computer certificate?