Certificate Requests with a Standalone CA
Hello all,
I need a CA to be able to issue some SSL server certs and SSL client certs - the CA has to be standalone because I have no AD in this environment.
I can't understand how I generate different types of certificate requests without using the web enrolment pages (this has been barred). I was hoping to use certreq, but I can't see how I would do the certreq -new commands without having a template to specify, i.e. when I am creating the request, how would I specify whether it's to be an SSL client or SSL server request.
If I do temporarily install the web enrollment pages I can see about six or seven types of "template", my understanding is that all the configuration of these is set in stone and cannot be changed and they can't be added to - e.g. their lifetime is limited to that of the "ValidityPeriod" set on the CA, i.e. it covers all certificates issued.
Is there any kind of guide to certificate management with a standalone CA? There's lots around to cover enterprise CAs and (surprisingly) I am reasonably competent with that type of CA, but nothing for standalone CAs. Thanks.
November 4th, 2010 9:14am
Here is an example INF file (for example, ssl.inf) for SSL certificates:
[NewRequest]
Subject="CN=<Target HTTPS address>"
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
and run the command:
certreq -new ssl.inf SSLRequest.req
http://en-us.sysadmins.lv
November 4th, 2010 9:45am
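The procedure from the reply above, extended to cover the SSL client case the question asks about, as an added example that is not part of the original thread. The CA config string, subject names, file names and request id are placeholders, and the narrower KeyUsage values are this example's choice, not the poster's.

```powershell
# Added example (not from the thread). Names, paths and the CA config string are placeholders.
function New-SslRequestInf {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Server','Client')][string]$Role,
        [Parameter(Mandatory=$true)][string]$CommonName,
        [Parameter(Mandatory=$true)][string]$Path
    )
    # With no templates, the EKU OID in the request is what makes it a server or client cert.
    $eku = @{ Server = '1.3.6.1.5.5.7.3.1'; Client = '1.3.6.1.5.5.7.3.2' }[$Role]
    # Narrower than the 0xf0 in the reply above: 0x80 = digital signature, 0x20 = key encipherment.
    $keyUsage = @{ Server = '0xa0'; Client = '0x80' }[$Role]
    # Server keys go in the machine store (run elevated); a user's client key stays in the user store.
    $machineKeySet = @{ Server = 'TRUE'; Client = 'FALSE' }[$Role]
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="CN=$CommonName"
KeyLength=2048
KeySpec=1
KeyUsage=$keyUsage
MachineKeySet=$machineKeySet
Exportable=FALSE
RequestType=PKCS10

[EnhancedKeyUsageExtension]
OID=$eku
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

$ca = 'CAHOST\Example Standalone CA'   # placeholder: <CA computer name>\<CA name>

New-SslRequestInf -Role Server -CommonName 'www.example.test' -Path .\ssl-server.inf
certreq -new .\ssl-server.inf .\ssl-server.req

New-SslRequestInf -Role Client -CommonName 'Example User' -Path .\ssl-client.inf
certreq -new .\ssl-client.inf .\ssl-client.req

# A standalone CA normally holds requests as pending; note the RequestId that -submit prints.
certreq -submit -config $ca .\ssl-server.req .\ssl-server.cer

# Run later, after the CA administrator issues the request (on the CA: certutil -resubmit <RequestId>):
$requestId = 2                          # placeholder: use the id printed by -submit
certreq -retrieve -config $ca $requestId .\ssl-server.cer
certreq -accept .\ssl-server.cer
```

The client request is submitted, retrieved and accepted the same way, from the user's own session so the key stays in that user's store.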
On Thu, 4 Nov 2010 13:10:14 +0000, BrianDuck wrote:
Is there any kind of guide to certificate management with a standalone CA? There's lots around to cover enterprise CAs and (surprisingly) I am reasonably competent with that type of CA, but nothing for standalone CAs. Thanks.
In addition to Vadims' response, this is a pretty good guide to using the inf files with certreq.exe:
http://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 4th, 2010 9:48am
Thanks Vadims and Paul.
Brian
November 8th, 2010 3:55am