How to Perform the CertSrv tasks via CLI or the console?
I want to do the following task:
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
But the CA doesn't have the IIS CertSrv installed. Is there a way to submit the request using CLI or something like that?
Thank you in advance (I don't see a way and I'm almost pulling out my hair here)
August 7th, 2010 3:14am
The idea is that the request that you generate needs to get to the CA
somehow, and the web enrollment and autoenrollment are two ways for that
to happen. If neither of these is possible, then you will have to find
a way to copy the request file from the client to the issuing CA.
The standard way to create an advanced certificate request involves
using the Certificates MMC snap-in. Usually you open the certificate
store for the current user or the computer and open
Personal\Certificates. Right click certificates and select All Tasks ->
Advanced Operations -> Create Custom Request (if you select All Tasks ->
Request New Certificate, this will configure the request based off of
templates used by any of the enterprise CAs in your infrastructure).
The documentation for certreq also specifies that a .inf file can be used.
Once you have the request generated, you can copy it to the CA and
submit it with the certreq utility (it also appears from the
documentation that you can submit remotely; however I am not sure what
port needs to be open, possibly DCOM/RPC as it appears to be exposed
with the "CertSrv Request" DCOM component). Note that submitting to the
remote CA is done with the -config <Host>\<CAName> option.
If the user that submits the request does not have permissions to grant
the request, another administrator can use the certutil command line
utility to approve the request and the response/certificate can be
retrieved with the certreq utility or exported from the server through
the Certification Authority snap-in (This is done by right-clicking the
CA and selecting All Tasks -> Submit new request... and selecting the
PKCS 10 file. This shows in the Pending Requests Folder where it can be
approved and the certificate can be exported from the "Issued
Certificates" folder).
Certificate Request INF example
http://blogs.technet.com/b/niraj_kumar/archive/2009/02/11/how-to-request-certificate-from-third-party-ca-and-install-it-on-the-machine.aspx
certreq:
http://technet.microsoft.com/en-us/library/cc725793%28WS.10%29.aspx
certutil:
http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx
-- Mike Burr
August 7th, 2010 5:38am
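The certreq/certutil workflow described in the answer above, end to end, as an added example that is not part of the original posts. The CA host and name (`CA01\Contoso-Issuing-CA`), the subject, the `WebServer` template and the file paths are placeholders, and the `RequestId` parsing assumes English certreq output.

```powershell
# Added example. Placeholder values: CA01\Contoso-Issuing-CA, web01.contoso.example, WebServer.
$ca  = 'CA01\Contoso-Issuing-CA'        # <Host>\<CAName>, the value passed to -config
$dir = Join-Path $env:TEMP 'csr-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# 1. Request policy (.inf). Single-quoted here-string so "$Windows NT$" is not expanded.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.contoso.example"
KeyLength = 2048
KeySpec = 1
; Private key stays non-exportable and in the machine store
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
HashAlgorithm = sha256

[RequestAttributes]
; Only meaningful for an enterprise CA; remove for a standalone CA
CertificateTemplate = WebServer
'@ | Set-Content -Path "$dir\request.inf" -Encoding ASCII

# 2. Generate the key pair and the base-64 PKCS #10 file.
#    Run elevated, because MachineKeySet = TRUE writes to the machine key store.
certreq -new "$dir\request.inf" "$dir\request.req"

# 3. Submit to the CA over DCOM/RPC; no IIS CertSrv site is involved.
$out = certreq -submit -config $ca "$dir\request.req" "$dir\web01.cer"
$out

# 4. If the CA left the request pending, no .cer is written yet.
if (-not (Test-Path "$dir\web01.cer")) {
    $m = $out | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1
    if (-not $m) { throw 'No RequestId in certreq output; check the submit error above.' }
    $id = $m.Matches[0].Groups[1].Value
    Write-Host "Request $id is pending. A CA manager approves it on the CA with: certutil -resubmit $id"
    Read-Host 'Press Enter once the request has been approved'
    certreq -retrieve -config $ca $id "$dir\web01.cer"
}

# 5. Bind the issued certificate to the private key created in step 2.
certreq -accept "$dir\web01.cer"
```

Steps 2 and 5 must run on the same machine, since the private key never leaves it; only `request.req` and the issued `.cer` need to travel between the client and the CA.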
Thanks Mike, I found the certreq command later on the Microsoft TechNet site. I also reinstalled some IIS components that were preventing the CertSrv site from working as usual.
Thanks for the reply and for the well explained info.
August 15th, 2010 6:30pm