Export (0) Print
Expand All

Certreq sign

Published: April 17, 2012

Updated: April 17, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Sign a certificate request with an enrollment agent or qualified subordination signing certificate.

certreq -sign [Options] [RequestFileIn [RequestFileOut]]

 

Options Description

-any

Force ICertRequest::Submit to determine encoding type.

-attrib <AttributeString>

Specifies the Name and Value string pairs, separated by a colon.

Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).

-binary

Formats output files as binary instead of base64-encoded.

Cert <CertId>

Specify signing certificate by common name, serial number, or by sha-1 key or certificate hash.

-PolicyServer <PolicyServer>

-config <ConfigString>

Processes the operation by using the CA specified in the configuration string, which is CAHostName\CAName. For an https connection, specify the enrollment server URI. For the local machine CA, use a minus (-) sign.

-Anonymous

-Kerberos

-ClientCertificate <ClientCertId>

-UserName <UserName>

-p <Password>

-pin <PIN>

This option allows for accessing smart cards when the command is using silent mode.

-crl

Includes certificate revocation lists (CRLs) in the output to the base64-encoded PKCS #7 file specified by CertChainFileOut or to the base64-encoded file specified by RequestFileOut.

-rpc

Instructs Active Directory Certificate Services (AD CS) to use a remote procedure call (RPC) server connection instead of Distributed COM.

-f

Force existing files to be overwritten

-q

Use silent mode; suppress all interactive prompts.

-Unicode

Writes Unicode output when standard output is redirected or piped to another command, which helps when invoked from Windows PowerShell® scripts).

-UnicodeText

Sends Unicode output when writing base64 text encoded data blobs to files.

-NoEKU

Do not filter signing certificate selection by Enhanced Key Usage (EKU).

-HashAlgorithm <HashAlgorithm>

Use the specified hash algorithm.

 

Parameters Description

RequestFileIn

Base64-encoded or binary input file name: PKCS #10 certificate request, CMS certificate request, PKCS #7 certificate renewal request, X.509 certificate to be cross-certified, or KeyGen tag format certificate request.

RequestFileOut

Base64-encoded output file name

CertFileOut

Base64-encoded X-509 file name.

PKCS10FileOut

Base64-encoded PKCS10 output file name.

CertChainFileOut

Base64-encoded PKCS #7 file name.

FullResponseFileOut

Base64-encoded full response file name.

PolicyFileIn

INF file containing a textual representation of extensions used to qualify a request.

  • If you type the certreq -sign without any additional parameter it will open a dialog window so you can select the requested fie (req, cmc, txt, der, cer or crt).

  • Signing the qualified subordination request may require Enterprise Administrator credentials. This is a best practice for issuing signing certificates for qualified subordination.

  • The certificate used to sign the qualified subordination request is created using the qualified subordination template. Enterprise Admins will have to sign the request or grant user permissions for the individuals that will sign the certificate.

  • When you sign the CMC request, you may need to have multiple personnel sign this request, depending on the assurance level that is associated with the qualified subordination.

  • If the parent CA of the qualified subordinate CA you are installing is offline, you must obtain the CA certificate for the qualified subordinate CA from the offline parent. If the parent CA is online, specify the CA certificate for the qualified subordinate CA during the Certificate Services Installation Wizard.

The sequence of commands below will show how to create a new certificate request, sign it and submit it:

certreq -new policyfile.inf MyRequest.req
certreq -sign MyRequest.req MyRequest_Sign.req
certreq -submit MyRequest_Sign.req MyRequest_cert.cer 

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft