Thursday 3 December 2015

Signing certificates requests with certreq.exe

Within a Microsoft PKI infrastructure, you can use certreq.exe on a Microsoft CA server (a server with the Active Directory Certificate Services role installed) to sign certificate signing requests (CSRs). This method is useful when you want to deploy a certificate to a system that is not joined to the AD domain.

The workflow consists of the following steps:
  1. Generate a CSR on the device where the signed certificate needs to be installed (or use OpenSSL to generate a CSR manually);
  2. Sign the CSR on your MS ADCS server using the certreq command;
  3. Install the signed certificate on the target system.
This post is only about the certreq command. More information about how to create a CSR with OpenSSL can be found here.
When you have created the CSR, upload it to the MS ADCS server where the certificate is to be signed. The following syntax can be used in a command prompt on the MS ADCS server:

C:\>certreq -submit -attrib "CertificateTemplate:TemplateName" CertSignRequest.csr
Active Directory Enrollment Policy
..//..
Certificate retrieved(Issued) Issued
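The three-step workflow above is run by hand in the post. The PowerShell script below is an added example (not part of the original post) that wraps the signing step for an out-of-domain CSR: it inspects the request with certutil -dump before submitting it, passes -config so certreq does not open the CA selection dialog, and reads the RequestId back so a pending request can be retrieved later. Because a template used for non-domain requesters has its Subject Name set to "Supply in the request", the requester controls the subject and SAN, so the script refuses names outside a whitelist of DNS suffixes and keys below a minimum size. The CA config string, template name, the allowed suffixes and the regexes over certutil's output are assumptions for this example; adjust them to your environment.

```powershell
# Added example: submit an external CSR to ADCS with certreq after checking its contents.
param(
    [Parameter(Mandatory)] [string]   $CsrPath,                      # e.g. .\CertSignRequest.csr
    [Parameter(Mandatory)] [string]   $Template,                     # template *name* (not display name), e.g. WebServer
    [Parameter(Mandatory)] [string]   $CAConfig,                     # "CAHost\CA Name" - placeholder, use your own CA
    [string[]] $AllowedDnsSuffixes = @('.corp.example'),             # constructed: suffixes we are willing to sign for
    [int]      $MinKeyBits = 2048
)

$ErrorActionPreference = 'Stop'

function Get-CsrSummary {
    param([string] $Path)
    # certutil -dump prints the PKCS#10 contents; pull out the fields worth checking.
    # The regexes assume certutil's usual "CN=", "DNS Name=" and "Public Key Length: N bits" lines.
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    $cn   = [regex]::Match($dump, '(?m)^\s*CN=(.+?)\s*$').Groups[1].Value
    $bits = [regex]::Match($dump, 'Public Key Length:\s*(\d+)\s*bits').Groups[1].Value
    $sans = [regex]::Matches($dump, '(?m)^\s*DNS Name=(.+?)\s*$') | ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{
        CommonName = $cn
        KeyBits    = if ($bits) { [int]$bits } else { 0 }
        DnsNames   = @($sans)
    }
}

function Test-CsrPolicy {
    param($Summary, [string[]] $Suffixes, [int] $MinBits)
    # Every name the requester put in the CSR (CN and SAN entries) must end in an allowed suffix.
    $names = @($Summary.CommonName) + $Summary.DnsNames | Where-Object { $_ }
    foreach ($n in $names) {
        if (-not ($Suffixes | Where-Object { $n.ToLower().EndsWith($_.ToLower()) })) {
            throw "Refusing to sign: name '$n' is outside the allowed suffixes ($($Suffixes -join ', '))."
        }
    }
    if ($Summary.KeyBits -lt $MinBits) {
        throw "Refusing to sign: key is $($Summary.KeyBits) bits, minimum is $MinBits."
    }
}

$summary = Get-CsrSummary -Path $CsrPath
Test-CsrPolicy -Summary $summary -Suffixes $AllowedDnsSuffixes -MinBits $MinKeyBits
Write-Host "CSR for CN=$($summary.CommonName) ($($summary.KeyBits)-bit key, SAN: $($summary.DnsNames -join ', ')) passed policy."

$cerPath   = [IO.Path]::ChangeExtension($CsrPath, '.cer')
$chainPath = [IO.Path]::ChangeExtension($CsrPath, '.p7b')

# -config names the CA explicitly so certreq does not pop up the CA selection dialog.
$out = & certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $CsrPath $cerPath $chainPath 2>&1 | Out-String
Write-Host $out

$reqId = [regex]::Match($out, 'RequestId:\s*(\d+)').Groups[1].Value
if ($out -match 'Certificate retrieved\(Issued\)') {
    # Load the issued certificate and show what was actually signed.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    Write-Host "Issued: $($cert.Subject) by $($cert.Issuer), valid until $($cert.NotAfter), thumbprint $($cert.Thumbprint)"
} elseif ($out -match 'Taken Under Submission') {
    # The template requires CA manager approval; retrieve the certificate once it is issued.
    Write-Warning "Request $reqId is pending approval. After approval run:`n  certreq -retrieve -config `"$CAConfig`" $reqId $cerPath $chainPath"
} else {
    throw "certreq did not report an issued or pending certificate (RequestId: '$reqId')."
}
```

Run it on the CA (or on any domain member that can reach the CA over RPC) as a user with Enroll permission on the template, for example `.\Submit-Csr.ps1 -CsrPath .\CertSignRequest.csr -Template WebServer -CAConfig 'CA01\Corp Issuing CA'`. The policy check is deliberately done on the CA side: once the template says "Supply in the request", nothing in ADCS validates that the names in the CSR belong to the requester, so the operator (or a script like this) is the only control between an arbitrary CSR and a certificate trusted by the whole domain.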
The following output shows the available options for the certreq command (for reference):
C:\>certreq.exe -?
Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user
    -machine

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user
    -machine