June 14 2017

Create certificate from CSR on a Microsoft Certificate Authority using command line

Do you have a Certificate Signing Request (CSR) from a device and need to issue a certificate for it from a Microsoft Windows Certificate Authority? This is actually pretty straightforward. On a domain machine, launch a command prompt and save the CSR into a file on that machine (CSR.req in the example below). Then just use the command:

certreq -submit -attrib "CertificateTemplate:WebServer" CSR.req cert.cer

You’ll get a prompt to select the issuing CA you want to use. Replace WebServer with whichever template you need to use. You then have your certificate – cert.cer.
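The same submission wrapped in a PowerShell function, added here as an example and not part of the original post: it dumps the CSR so you can review what the device is asking for before the CA signs it, names the CA with -config instead of choosing it from the prompt, and reports the issued certificate's subject, issuer, expiry and SANs. The function name Submit-Csr and the CA config string in the usage line are placeholders.

```powershell
# Added example, not from the original post. Submit-Csr is a hypothetical helper name.
function Submit-Csr {
    param(
        [Parameter(Mandatory)] [string] $CsrPath,
        [Parameter(Mandatory)] [string] $CertPath,
        # Format is "CAHostName\CA Common Name"; supply your own CA's config string.
        [Parameter(Mandatory)] [string] $CaConfig,
        [string] $Template = 'WebServer'
    )

    if (-not (Test-Path -LiteralPath $CsrPath)) { throw "CSR not found: $CsrPath" }
    if (Test-Path -LiteralPath $CertPath)       { throw "Refusing to overwrite $CertPath" }

    # Show the request (subject, key size, requested extensions) so it can be
    # reviewed before the CA signs it.
    certutil -dump $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $CsrPath" }
    if ((Read-Host 'Submit this request? (y/n)') -ne 'y') { return }

    # -config names the CA, so certreq does not open the CA selection dialog.
    certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $CertPath)) {
        throw 'No certificate issued (request failed, was denied, or is pending approval)'
    }

    # Load the issued certificate and report the fields worth checking.
    # Resolve-Path is needed because .NET does not follow PowerShell's current location.
    $full = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        SAN        = if ($san) { $san.Format($false) } else { '(none)' }
    }
}

# Usage with placeholder CA config string and the file names from the post:
# Submit-Csr -CsrPath .\CSR.req -CertPath .\cert.cer -CaConfig 'CAHOST01\Example Issuing CA'
```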



April 22 2015

How to find an internal/local Certificate Authority

Many times when I’m new to an organisation I’ll need to do a discovery within the environment to see what technology exists – including local Microsoft Windows Certificate Authorities. A very quick and easy way to do this is to use the certutil command with the following syntax:

certutil -config - -ping

If there is a Certificate Authority published in Active Directory then you will get a popup box with a list of them. If not, you’ll see something like this:


The command is also useful for testing the responsiveness of a Certificate Authority – if you select an existing Certificate Authority from the popup box, certutil will ping it.