
We have a working internal certificate process and instructions on how to use it involving certreq; however on Windows 11 it stopped generating SAN correctly.

Internal certreq template:

    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=<machine-name>.domain-name,O=Cedaron,OU=<machine-name>,ST=California,L=Davis,C=US"
    KeyLength =  2048
    KeySpec = 1
    Exportable = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    HashAlgorithm = SHA256
    MachineKeySet = True
    SMIME = False
    UseExistingKeySet = False
    RequestType = PKCS10
    KeyUsage = 0xA0
    Silent = True
    FriendlyName = "Certificate SHA-256"
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "dns=<machine-name>.domain-name&dns=<machine-name>&dns=localhost"

New template to try to fix the problem (DO NOT USE):

    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "CN=<machine-name>.domain-name,O=Cedaron,OU=<machine-name>,ST=California,L=Davis,C=US"
    KeyLength =  2048
    KeySpec = 1
    Exportable = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    HashAlgorithm = SHA256
    MachineKeySet = True
    SMIME = False
    UseExistingKeySet = False
    RequestType = PKCS10
    KeyUsage = 0xA0
    Silent = True
    FriendlyName = "Certificate SHA-256"
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    [RequestAttributes]
    SAN="dns=<machine-name>.domain-name&dns=<machine-name>&"

I can see the request attribute for SAN in the file either way, but it's corrupted. I'm currently getting `undefined: 0: hostname.domainnamemyusernamecertreq`

Web searches still find the same broken instructions. For example: https://saketupadhyay.medium.com/how-to-create-a-certificate-signing-request-csr-in-2021-windows-11-10-156202d1bf97 This generates everything necessary, except that the SAN is no longer filled.

Please specify if the command needs powershell. I don't mind using powershell but if you don't specify I'm going to key it into cmd.exe and wonder why it doesn't work.

joshudson
  • You need to use the `certreq.exe` tool in conjunction with an INF template for this. – Crypt32 Jul 06 '22 at 15:03
  • @Crypt32: Turned out I was using certreq, sorry about that. Something is wrong with the INF template. – joshudson Jul 06 '22 at 22:02
  • First INF template is the right one. – Crypt32 Jul 06 '22 at 22:05
  • @Crypt32: I figured it out. Bletch. – joshudson Jul 07 '22 at 00:13
  • https://docs.microsoft.com/en-us/powershell/module/pki/get-certificate?view=windowsserver2022-ps – Ace Jul 07 '22 at 16:35
  • This might also be helpful: `openssl req -text -noout -verify -in CSR.csr`. (bash). You can install wsl(Windows subsystem for linux) and use openssl to test the request – Ace Jul 07 '22 at 16:37
  • @Ace: Actually no, it didn't. It wouldn't show the SAN on the request that had it, which is what led me to believe the failure was on the Windows side. I finally debugged it by `sed '1d;$d' CSR.csr | tr -d '\r\n' | base64 -d | strings` – joshudson Jul 07 '22 at 16:40
  • Actually, both INFs are "somehow" correct, but the first one is correct and I do use multiple of those without any problem on different CAs. Are you sure your CA is working correctly? – bjoster Jul 20 '22 at 13:19
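The check the comments reach for (openssl not showing the SAN, then `sed | tr | base64 -d | strings`) can be done properly by parsing the request. What follows is an added example, not the original poster's code or anything from certreq: a dependency-free Python script that strips the PEM armour certreq writes, walks the DER for the extensionRequest attribute carrying 2.5.29.17, and prints the dNSName entries, or reports that the request has no SAN at all. When run without a file argument it checks a constructed, unsigned CSR-shaped structure built inline (not real certreq output); the script name `check_csr_san.py` and the `host.example.test` names are assumptions.

```python
"""Check that a PKCS#10 CSR really carries a subjectAltName (2.5.29.17) extension.

Added example, not the original poster's code. Reads the PEM file that
`certreq -new template.inf request.csr` writes; the demo CSR built below is
a constructed, unsigned stand-in, not real certreq output.
"""
import base64
import sys


def _tlv(tag, content):
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


SAN_OID = _oid("2.5.29.17")                   # id-ce-subjectAltName
EXT_REQ_OID = _oid("1.2.840.113549.1.9.14")   # pkcs-9-at-extensionRequest


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos] -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Direct child TLVs of a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _walk(buf):
    """Every TLV in buf, depth first (constructed tags have bit 0x20 set)."""
    for tag, value in _children(buf):
        yield tag, value
        if tag & 0x20:
            yield from _walk(value)


def find_san(der):
    """Return the dNSName entries of the SAN extension in a DER CSR, or None if absent."""
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
    # It is matched wherever it sits in the tree, so a certificate works too.
    for tag, value in _walk(der):
        if tag != 0x30 or not value.startswith(SAN_OID):
            continue
        _, _, pos = _read_tlv(value, 0)                   # skip extnID
        etag, ext_value, pos = _read_tlv(value, pos)
        if etag == 0x01:                                  # optional 'critical'
            etag, ext_value, pos = _read_tlv(value, pos)
        _, general_names, _ = _read_tlv(ext_value, 0)     # GeneralNames SEQUENCE
        # [2] dNSName is context tag 0x82; other GeneralName types are ignored here
        return [v.decode("ascii") for t, v in _children(general_names) if t == 0x82]
    return None


def pem_to_der(text):
    """Drop the -----BEGIN/END----- lines and base64-decode (the sed|tr|base64 -d pipeline)."""
    body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def san_extension_request(dns_names):
    """The extensionRequest attribute certreq emits for an [Extensions] 2.5.29.17 entry."""
    general_names = b"".join(_tlv(0x82, n.encode("ascii")) for n in dns_names)
    extension = _tlv(0x30, SAN_OID + _tlv(0x04, _tlv(0x30, general_names)))
    return _tlv(0x30, EXT_REQ_OID + _tlv(0x31, _tlv(0x30, extension)))


def demo_csr_der(dns_names):
    """Constructed, unsigned CSR-shaped DER for the offline demo (NOT real certreq output)."""
    rsa = _tlv(0x30, _oid("1.2.840.113549.1.1.1") + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa + _tlv(0x03, b"\x00"))         # placeholder key, not a real one
    attrs = _tlv(0xA0, san_extension_request(dns_names) if dns_names else b"")
    cri = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + spki + attrs)
    sha256_rsa = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))
    return _tlv(0x30, cri + sha256_rsa + _tlv(0x03, b"\x00"))   # empty signature


if __name__ == "__main__":
    if len(sys.argv) > 1:            # python check_csr_san.py request.csr
        der = pem_to_der(open(sys.argv[1]).read())
    else:                            # constructed demo input
        der = demo_csr_der(["host.example.test", "host", "localhost"])
    san = find_san(der)
    print("no subjectAltName in request" if san is None else "dns=" + "&dns=".join(san))
```

certreq.exe is an ordinary executable, so `certreq -new template.inf request.csr` runs the same way from cmd.exe and from PowerShell. The native equivalent of this check is `certutil -dump request.csr`, which lists the request's extensions. Either way, the point is to split the failure in two: if the CSR already carries the SAN and the issued certificate does not, the CA is dropping it; if the CSR lacks it, the INF is at fault. With the second template nothing is found, and that is expected: `[RequestAttributes] SAN=` does not put an extension in the CSR at all, it adds a request attribute that only a CA configured to honor it acts on (on AD CS that is the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which Microsoft discourages because it lets any requester choose arbitrary SANs).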

1 Answer


So this was a case of trying things in the wrong order. The "new" template was from a well-reputed site (I didn't find the actual site, but another site with the same content: https://kb.vmware.com/s/article/2032400 ) but does not work.

The actual problem was that the old root CA software, TinyCA, had been damaged by a security update and no longer worked! On replacing it with xca, the original template started working again.

The reason I've left this question up is that the new template is wrong and still doesn't work even with XCA, but web searches keep finding the new one, not the original one.

The template is fine. TinyCA is busted.

joshudson