
Thursday 3 December 2015

Signing certificates requests with certreq.exe

Within a Microsoft PKI infrastructure, you can use certreq.exe on a Microsoft CA server (a server with the Active Directory Certificate Services role installed) to sign certificate signing requests (CSRs). This method is useful when you want to deploy a certificate to a system that is outside the AD domain.

The workflow consists of the following steps:
  1. Generate a CSR on the device where the signed certificate needs to be installed (or generate the CSR manually with OpenSSL);
  2. Sign the CSR on your MS ADCS server with the certreq command;
  3. Install the signed certificate on the target system.
This post is only about the certreq command. More information about how to create a CSR with OpenSSL can be found here.
When you have created the CSR, upload it to the MS ADCS server where the certificate will be signed. The following syntax can be used in a command prompt (DOS box) on the MS ADCS server:

C:\>certreq -submit -attrib "CertificateTemplate:TemplateName" CertSignRequest.csr
Active Directory Enrollment Policy
..//..
Certificate retrieved(Issued) Issued
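As an added example (not from the original post), the submit step wrapped in PowerShell so that it also handles a request the CA holds for manager approval and inspects the issued certificate before the file is copied to the out-of-domain system. The CA config string, template name and file paths are assumed placeholders; the "RequestId:" and "pending" lines it parses are certreq's usual messages, which this page does not show.

```powershell
param(
    [Parameter(Mandatory)] [string] $CsrPath,        # e.g. .\CertSignRequest.csr
    [Parameter(Mandatory)] [string] $TemplateName,   # value for -attrib "CertificateTemplate:..."
    [string] $CaConfig = 'CAHOST.example.local\Example-CA',   # assumed "Host\CA name" config string
    [string] $CerOut                                 # defaults to the CSR path with a .cer extension
)
if (-not (Test-Path $CsrPath)) { throw "CSR not found: $CsrPath" }
$CsrPath = (Resolve-Path $CsrPath).Path
if (-not $CerOut) { $CerOut = [IO.Path]::ChangeExtension($CsrPath, '.cer') }

# Step 2 of the post: submit the CSR against the chosen template. -config names the
# CA explicitly so certreq does not pop up its interactive CA picker.
$output = & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $CsrPath $CerOut
$text = $output | Out-String

# certreq prints a "RequestId: N" line (assumed format); it is the handle for -retrieve.
$requestId = if ($text -match 'RequestId:\s*(\d+)') { [int] $Matches[1] } else { $null }

if ($text -match 'pending') {
    # The template requires CA manager approval: issue it in the CA console, then retrieve.
    Write-Warning "Request $requestId is pending approval. After approval, run:"
    Write-Warning "certreq -retrieve -config `"$CaConfig`" $requestId `"$CerOut`""
    exit 2
}
if ($LASTEXITCODE -ne 0 -or $text -notmatch 'Issued') {
    throw "certreq did not report an issued certificate:`n$text"
}

# Step 3 starts here: inspect what the CA actually issued before the file leaves the CA.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerOut
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($san) { $san.Format($false) } else { '(none)' }
[pscustomobject]@{
    RequestId  = $requestId
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SAN        = $sanText
}
```

Compare the Subject and SAN it prints with what the requesting device asked for; a template that overrides the subject will show up here rather than after installation.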
For reference, the following output shows the available options for the certreq command:
C:\>certreq.exe -?
Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.

  Options:
    -attrib AttributeString
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine
    -RenewOnBehalfOf

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.

  Options:
    -binary
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -rpc
    -AdminForceMachine

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -config ConfigString
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -user
    -machine
    -xchg ExchangeCertFile

  CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  Options:
    -user
    -machine

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.

  Options:
    -attrib AttributeString
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -noEKU
    -AlternateSignatureAlgorithm
    -HashAlgorithm HashAlgorithm

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a certificate request with an enrollment agent or qualified
    subordination signing certificate.

  Options:
    -binary
    -cert CertId
    -PolicyServer PolicyServer
    -Anonymous
    -Kerberos
    -ClientCertificate ClientCertId
    -UserName UserName
    -p Password
    -crl
    -noEKU
    -HashAlgorithm HashAlgorithm

  CertReq -Enroll [Options] TemplateName
  CertReq -Enroll -cert CertId [Options] Renew [ReuseKeys]
    Enroll for or renew a certificate.

  Options:
    -PolicyServer PolicyServer
    -user
    -machine

Saturday 28 November 2015

Cisco ASA - VPN Config Template

When I want to configure a site-to-site VPN on a Cisco ASA, I use the following script. Maybe it is useful to others, so I decided to share it. The following content is an example, and you need to alter the values to match your own environment.
access-list outside_1_cryptomap remark VPN Description
access-list outside_1_cryptomap extended permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.0.0
!
access-list vpnfilter-name extended permit ip any4 any4
!
crypto ikev1 policy xx
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
group-policy grpol-s2s-xxxx internal
group-policy grpol-s2s-xxxx attributes
 vpn-idle-timeout none
 vpn-filter value vpnfilter-name
 vpn-tunnel-protocol ikev1
!
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p general-attributes
 default-group-policy grpol-s2s-xxxx
tunnel-group p.p.p.p ipsec-attributes
 ikev1 pre-shared-key vpn-secret
!
crypto map outside_map n match address outside_1_cryptomap
crypto map outside_map n set pfs group5
crypto map outside_map n set peer p.p.p.p
crypto map outside_map n set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map n set security-association lifetime seconds xxxxx
crypto map outside_map n set nat-t-disable
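An added example (not part of the original post): a PowerShell cross-reference check for a snippet built from the template above, to run before pasting it into the ASA. It catches the dangling references a filled-in template tends to keep, such as a transform-set that is referenced but never defined, a crypto map sequence still set to a placeholder, or a peer with no matching tunnel-group; the addresses and names in the sample are constructed, and the 20-character key threshold is an assumption.

```powershell
function Test-AsaS2sTemplate {
    param([Parameter(Mandatory)] [string] $Config)
    # Drop blank lines and "!" separators, trim sub-command indentation.
    $lines = $Config -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne '!' }
    # Names the snippet defines, by object type, for the cross-reference checks below.
    $acl = @($lines | ForEach-Object { if ($_ -match '^access-list (\S+) ') { $Matches[1] } })
    $ts  = @($lines | ForEach-Object { if ($_ -match '^crypto ipsec ikev1 transform-set (\S+)') { $Matches[1] } })
    $gp  = @($lines | ForEach-Object { if ($_ -match '^group-policy (\S+) internal') { $Matches[1] } })
    $tg  = @($lines | ForEach-Object { if ($_ -match '^tunnel-group (\S+) type ipsec-l2l') { $Matches[1] } })
    $findings = @()
    foreach ($l in $lines) {
        if ($l -match '^crypto map \S+ (\S+) match address (\S+)$') {
            $seq = $Matches[1]; $name = $Matches[2]   # copy first: the next -notmatch overwrites $Matches
            if ($seq -notmatch '^\d+$') { $findings += "crypto map sequence '$seq' is still a placeholder" }
            if ($acl -notcontains $name) { $findings += "crypto ACL '$name' is not defined" }
        }
        if ($l -match 'set ikev1 transform-set (\S+)$' -and $ts -notcontains $Matches[1]) {
            $findings += "transform-set '$($Matches[1])' is referenced but never defined"
        }
        if ($l -match 'set peer (\S+)$' -and $tg -notcontains $Matches[1]) {
            $findings += "peer $($Matches[1]) has no matching 'tunnel-group ... type ipsec-l2l'"
        }
        if ($l -match '^default-group-policy (\S+)$' -and $gp -notcontains $Matches[1]) {
            $findings += "group-policy '$($Matches[1])' is not defined"
        }
        if ($l -match '^ikev1 pre-shared-key (\S+)$' -and $Matches[1].Length -lt 20) {
            $findings += "pre-shared key '$($Matches[1])' is shorter than 20 characters (assumed threshold)"
        }
    }
    return $findings
}

# Constructed sample (assumed addresses and names): the template above filled in,
# but with the transform-set never defined and the placeholder key left in place.
$sample = @'
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.255.0 192.168.0.0 255.255.0.0
group-policy grpol-s2s-acme internal
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy grpol-s2s-acme
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key vpn-secret
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
'@
$findings = Test-AsaS2sTemplate -Config $sample
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'no cross-reference problems found' }
```

The check only sees what is in the pasted snippet, so a transform-set or ACL that already exists on the ASA will still be reported; paste the relevant existing lines into the input to silence those.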

Monday 19 October 2015

In my job as an IP consultant, I am running into several websites which provide some useful information for my daily work. As I want to share this information with others, I started to collect all these links on a single page. Maybe it is useful for others around the globe... :-).

SWITCHING