Hello all, I need a CA to be able to issue some SSL server certs and SSL client certs - the CA has to be standalone because I have no AD in this environment. I can't understand how I generate different types of certificate requests without using the web enrolment pages (this has been barred). I was hoping to use certreq, but I can't see how I would do the certreq -new commands without having a template to specify, i.e. when I am creating the request, how would I specify whether it's to be a SSL client or SSL server request. If I do temporarily install the web enrollment pages I can see about six or seven type of "template", my understanding is that all the configuration of these is set in stone and cannot be changed and they can't be added to - e.g. their lifetime is limited to that of the "ValidityPeriod" set on the CA, i.e. it covers all certificates issued. Is there any kind of guide to certificate management with a standalone CA, there's lots around to cover enterprise CAs and (surprisingly) I am reasonably competent with that type of CA, but nothing for standalone CAs. Thanks.

Here is example INF file (for example, ssl.inf) for SSL certificates: [NewRequest] Subject="CN=<Target HTTPS address>" KeyLength=2048 KeySpec=1 KeyUsage=0xf0 MachineKeySet=TRUE [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1 and run the command: certreq -new ssl.inf SSLRequest.reqhttp://en-us.sysadmins.lv

On Thu, 4 Nov 2010 13:10:14 +0000, BrianDuck wrote: Is there any kind of guide to certificate management with a standalone CA, there's lots around to cover enterprise CAs and (surprisingly) I am reasonably competent with that type of CA, but nothing for standalone CAs. Thanks. In addition to Vadims' response this is a pretty good guide to using the inf files with certreq.exe: http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca

Thanks Vadims and Paul. Brian