Creating offline certificate requests through the user-interface on Windows Vista or Windows Server 2008

Windows Vista and Windows Server 2008 have a convenient user interface to create custom certificate requests.

If you want to create a custom certificate request, perform the following steps:

  1. Start the Certificates MMC snap-in and expand the Personal – Certificates container in the left pane.
  2. Right-click the Certificates container and choose Create custom request from the context menu.

Create custom request

  3. Click Next to accept the welcome page of the wizard.
  4. If you have Enterprise CA connectivity in your Active Directory forest, you can choose from a list of available certificate templates and create the request based on a specific certificate template. If you want to be independent of any certificate template, select (No template) CNG key. For more information on Cryptography Next Generation (CNG), see the documentation on MSDN.
  5. Click Next to continue.

Custom request

  6. To customize your certificate request, click the little arrow next to the word Details on the Certificate Enrollment page.
  7. Click the Properties button.

Certificate information

  8. Use the dialog tabs to define the certificate properties.

Certificate properties

  9. After defining all certificate attributes, click OK.
  10. Finally, specify a filename to save the offline certificate request and click Finish.
  11. The pending certificate request appears in the Certificate Enrollment Requests container in the Certificates MMC snap-in until the offline request has been accepted.
  12. To verify the certificate request, double-click the pending request in the MMC snap-in. Alternatively, use certutil [mycert.req] at a command line, where [mycert.req] is the file that you saved in step 10.
  13. To enroll for the certificate request, submit the request with certreq -submit. If no certificate template was selected in the wizard, you must specify one as a command-line parameter. Also don't forget the -config parameter to specify the name of the certification authority you are enrolling from. The certreq command might look like the following example:

certreq -config "myCAserver\myCAname" -submit -attrib "CertificateTemplate:User" mycert.req

  14. To install the certificate once it has been enrolled, accept the certificate. This will also remove the pending certificate request from the Certificate Enrollment Requests container. Use certreq -accept [certificatename.cer] to accept the certificate request.
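
The command-line part of the procedure (verify, submit, accept) can be run as one PowerShell sequence that stops if any stage fails. This is an added example, not part of the original post; the file names, CA config string and template are placeholders, and it assumes the request was created in the current user's store.

```powershell
# Added example: all values below are placeholders, not from a real environment.
$RequestFile = 'mycert.req'            # request file saved by the wizard
$CertFile    = 'mycert.cer'            # where the issued certificate is written
$CAConfig    = 'myCAserver\myCAname'   # CA config string, as in the post
$Template    = 'User'                  # only needed for "(No template)" requests

# A leftover file from an earlier run would mask a failed submission.
if (Test-Path $CertFile) { throw "$CertFile already exists; remove or rename it first" }

# Dump the request so subject, key size and extensions can be reviewed
# before anything is sent to the CA.
certutil $RequestFile
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $RequestFile" }

# Submit; the trailing argument asks certreq to write the issued certificate.
certreq -config $CAConfig -submit -attrib "CertificateTemplate:$Template" $RequestFile $CertFile

# No output file usually means the CA did not issue immediately
# (for example, the request is pending CA manager approval).
if (-not (Test-Path $CertFile)) {
    throw "No certificate issued. If pending, fetch it later with: certreq -config `"$CAConfig`" -retrieve <RequestId> $CertFile"
}

# Bind the issued certificate to the private key of the pending request.
certreq -accept $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed for $CertFile" }

# Confirm the certificate is in the Personal store and has its private key.
$path   = (Resolve-Path $CertFile).Path
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$stored = Get-Item ("Cert:\CurrentUser\My\" + $issued.Thumbprint) -ErrorAction Stop
if (-not $stored.HasPrivateKey) { throw "Certificate installed without a private key" }
"Installed {0} (thumbprint {1})" -f $stored.Subject, $stored.Thumbprint
```

The final check matters because a certificate that lands in the store without its private key cannot be used for signing or authentication, which points to the request having been created on a different machine or profile.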
Published Saturday, October 04, 2008 3:43 PM by MS2065
