Create A Windows Certificate Signing Request Without IIS

Before we can install a certificate, a certificate signing request (CSR) must be generated and sent to the certificate authority (CA).  The CSR should be generated from the device that will install the certificate, as the private key will need to match.  Microsoft has simple instructions to create a CSR when IIS is installed, but what if we want to implement SSL over LDAP?  or SQL? IIS is not always available to generate the CSR.

Microsoft has a command line utility called certreq.exe to help us out.  From the technet article:

“Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.”

Certreq is installed by default on: Vista, Windows 7, 8, Server 2008, and Server 2012.  The syntax has changed a little between versions, but it essentially takes an action and an inf file as parameters.  The inf file contains information that will appear in the certificate, so we want to populate it carefully.

We are going to focus on generating a new CSR, using the command:

certreq -new myrequest.inf mycsr.req

If you are exceptionally lazy, you can omit the filenames and certreq will open a file open dialog box and a file save dialog box for your lackadaisical self.

Here is the contents of the myrequest.inf file:

;—————– myrequest.inf —————–


Signature=”$Windows NT$


Subject = “,, O=Sobit potenzpille, L=SLC, S=Utah, C=US” ; replace with your FQDN
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0


OID= ; this is for Server Authentication


Please populate the subject field with your device/server specific information.  Make sure the FQDN matches the hostname that your users are going to use to connect to your encrypted service.  Here is the template:

Subject = “CN=FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name

The output of the tool will be the CSR that you submit to your certificate authority.  Similar to this:


Posted in Operating Systems

Leave a Reply