Certreq

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Requests certificates from a certification authority (CA).

  • To submit a request to a CA

  • To retrieve a response to a previous request from a CA

  • To create a new request from an .inf file

  • To accept and install a response to a previous new request

  • To construct a cross-certification or qualified subordination request from an existing CA certificate or request

  • To sign a cross-certification or qualified subordination request

To submit a request to a CA

Syntax

certreq [-submit] [-attrib AttributeString] [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]

Parameters
  • -submit
    Submits a request to a CA.
  • -attrib AttributeString
    Specifies the Name and Value string pairs, separated by a colon. Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).
  • -binary
    Formats output files as binary instead of base64-encoded.
  • -config CAMachineName\CAName
  • -crl
    Includes certificate revocation lists (CRLs) in the output to the base64-encoded PKCS #7 file specified by CertChainFileOut or to the base64-encoded file specified by RequestFileOut.
  • -rpc
    Instructs Certificate Services to use a remote procedure call (RPC) server connection instead of Distributed COM.
  • RequestFileIn
    Specifies the base64-encoded or binary input file that you want to use. The file can be a PKCS #10 certificate request, PKCS #7 certificate renewal request, KEYGEN tag format certificate request, or a Certificate Management protocol using Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC).
  • CertFileOut
    Specifies the binary or base64-encoded X.509 v3 file to which you want to send output.
  • CertChainFileOut
    Specifies the binary or base64-encoded PKCS #7 file to which you want to send output.
  • FullResponseFileOut
    Specifies the binary or base64-encoded Full Response file to which you want to send output.
  • -?
    Displays a list of certreq commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

To retrieve a response to a previous request from a CA

Syntax

certreq -retrieve [-binary] [-config CAMachineName\CAName] [-crl] [-rpc] RequestID [CertFileOut [CertChainFileOut [FullResponseFileOut]]]

Parameters
  • -retrieve
    Retrieves a response.
  • -binary
    Formats output files as binary instead of base64-encoded.
  • -config CAMachineName\CAName
    Processes the operation by using the CA specified in the configuration string (that is, CAMachineName\CAName). Without this option, the default CA processes the request.
  • -crl
    Includes certificate revocation lists (CRLs) in the output to the base64-encoded PKCS #7 file specified by CertChainFileOut or to the base64-encoded file specified by RequestFileOut.
  • -rpc
    Instructs Certificate Services to use a remote procedure call (RPC) server connection instead of Distributed COM.
  • RequestID
    Specifies the request or certificate that you want to retrieve.
  • CertFileOut
    Specifies the binary or base64-encoded X.509 v3 file to which you want to send output.
  • CertChainFileOut
    Specifies the binary or base64-encoded PKCS #7 file to which you want to send output.
  • FullResponseFileOut
    Specifies the binary or base64-encoded full response file to which you want to send output.
  • -?
    Displays a list of certreq commands.
Remarks
  • You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.

  • If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.

  • You can use certreq -retrieve RequestID to retrieve the certificate after the CA has actually issued it. You can also use it to retrieve any certificate that has ever been issued by the CA, including revoked or expired certificates, without regard to whether the certificate's request was ever in the pending state.

  • If you submit a request to the CA, the policy module of the CA might leave the request in a pending state and return the RequestID to the Certreq caller for display. Eventually, the CA's administrator will issue the certificate or deny the request.

To create a new request from an .inf file

Syntax

certreq -new [-attrib AttributeString] [-binary] [-cert CertID] [PolicyFileIn [RequestFileOut]]

Parameters
  • -new
    Creates a new request.
  • -attrib AttributeString
    Specifies the Name and Value string pairs, separated by a colon. Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).
  • -binary
    Formats output files as binary instead of base64-encoded.
  • -cert CertID
    Specifies the signing certificate by common name, serial number, Secure Hash Algorithm (SHA-1) key, or certificate hash.
  • PolicyFileIn
    Specifies the .inf input file that contains the extension definitions that you want to use to qualify a request.
  • RequestFileOut
    Specifies the base64-encoded file to which you want to send output.
  • -?
    Displays a list of certreq commands.

To accept and install a response to a previous new request

Syntax

certreq -accept [{CertChainFileIn | FullResponseFileIn | CertFileIn}]

Parameters
  • -accept
    Accepts and installs a response.
  • CertChainFileIn
    Specifies the binary or a base64-encoded input file that you want to use.
  • FullResponseFileIn
    Specifies the binary or a base64-encoded input file that you want to use.
  • CertFileIn
    Specifies the binary or a base64-encoded input file that you want to use.
  • -?
    Displays a list of certreq commands.
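
The create, submit, retrieve and accept steps documented above, chained into one script as an added example that is not part of the original reference. The CA configuration string, subject and file names are placeholders, and the [Version] and [NewRequest] keys in the .inf are certreq policy-file keys that this page does not list.

```powershell
# Added example (not from the original page). CA name, subject and paths are placeholders.
param(
    [string]$CAConfig  = 'ca01.example.test\Example Issuing CA', # CAMachineName\CAName (placeholder)
    [string]$Subject   = 'CN=web01.example.test',                # placeholder subject
    [string]$RequestId = ''                                      # set on a later run for a pending request
)
$ErrorActionPreference = 'Stop'

# Fresh working directory so certreq never has to overwrite an existing output file.
$work = Join-Path $env:TEMP ('certreq-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$inf = Join-Path $work 'policy.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'
$p7b = Join-Path $work 'chain.p7b'

function Invoke-Certreq([string[]]$Arguments) {
    # Run certreq.exe and stop on a non-zero exit code.
    & certreq.exe $Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments -join ' ') exited with $LASTEXITCODE" }
}

if (-not $RequestId) {
    # PolicyFileIn for "certreq -new": the key pair is generated locally and marked non-exportable.
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
RequestType = PKCS10
"@ | Set-Content -Path $inf -Encoding ASCII

    Invoke-Certreq @('-new', $inf, $req)
    # The exit code for a pending request is not assumed; the output file is the check.
    & certreq.exe -submit -config $CAConfig $req $cer $p7b
    if (-not (Test-Path $cer)) {
        Write-Warning 'No certificate was written. If the CA left the request pending, re-run with -RequestId set to the ID displayed above.'
        return
    }
} else {
    # Later run: fetch the response once the CA administrator has issued the certificate.
    Invoke-Certreq @('-retrieve', '-config', $CAConfig, $RequestId, $cer, $p7b)
}

# Bind the issued certificate to the private key created by "certreq -new" in this user context.
Invoke-Certreq @('-accept', $cer)
```

Run the retrieve and accept steps on the same machine and under the same account that ran certreq -new, because the private key stays there and only the request file is sent to the CA.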

To construct a cross-certification or qualified subordination request from an existing CA certificate or request

Syntax

certreq -policy [-attrib AttributeString] [-binary] [-cert CertID] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]

Parameters
  • -policy
    Sets the policy for a request.
  • -attrib AttributeString
    Specifies the Name and Value string pairs, separated by a colon. Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).
  • -binary
    Formats output files as binary instead of base64-encoded.
  • -cert CertID
    Specifies the signing certificate by common name, serial number, Secure Hash Algorithm (SHA-1) key, or certificate hash.
  • RequestFileIn
    Specifies the base64-encoded or binary input file that you want to use. The file can be a PKCS #10 certificate request, PKCS #7 certificate renewal request, KEYGEN tag format certificate request, a Certificate Management protocol using Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC), or a certificate file of the CA that you want to cross-certify.
  • PolicyFileIn
    Specifies the .inf input file that contains the extension definitions that you want to use to qualify a request.
  • RequestFileOut
    Specifies the base64-encoded file to which you want to send output.
  • PKCS10FileOut
    Specifies the base64-encoded PKCS #10 file to which you want to send output.
  • -?
    Displays a list of certreq commands.

To sign a cross-certification or qualified subordination request

Syntax

certreq -sign [-binary] [-cert CertID] [-crl] [RequestFileIn [RequestFileOut]]

Parameters
  • -sign
    Signs a cross-certification or qualified subordination request.
  • -binary
    Formats output files as binary instead of base64-encoded.
  • -cert CertID
    Specifies the signing certificate by common name, serial number, Secure Hash Algorithm (SHA-1) key, or certificate hash.
  • -crl
    Includes certificate revocation lists (CRLs) in the output to the base64-encoded PKCS #7 file specified by CertChainFileOut or to the base64-encoded file specified by RequestFileOut.
  • RequestFileIn
    Specifies the base64-encoded or binary input file that you want to use. The file can be a PKCS #10 certificate request, PKCS #7 certificate renewal request, KEYGEN tag format certificate request, or a Certificate Management protocol using Cryptographic Message Syntax (CMS) request (this protocol is also known as CMC).
  • RequestFileOut
    Specifies the base64-encoded file to which you want to send output.
  • -?
    Displays a list of certreq commands.

Formatting legend

Format and meaning
  • Italic
    Information that the user must supply
  • Bold
    Elements that the user must type exactly as shown
  • Ellipsis (...)
    Parameter that can be repeated several times in a command line
  • Between brackets ([])
    Optional items
  • Between braces ({}); choices separated by pipe (|). Example: {even|odd}
    Set of choices from which the user must choose only one
  • Courier font
    Code or program output

See Also

Concepts

Command-line reference A-Z
Certutil