Create A Windows Certificate Signing Request Without IIS

Before we can install a certificate, a certificate signing request (CSR) must be generated and sent to the certificate authority (CA). The CSR should be generated on the device that will install the certificate, because the private key is created there and the issued certificate must match it. Microsoft has simple instructions to create a CSR when IIS is installed, but what if we want to implement LDAP over SSL, or SQL? IIS is not always available to generate the CSR.

Microsoft has a command line utility called certreq.exe to help us out. From the TechNet article:

“Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.”

Certreq is installed by default on: Vista, Windows 7, 8, Server 2008, and Server 2012.  The syntax has changed a little between versions, but it essentially takes an action and an inf file as parameters.  The inf file contains information that will appear in the certificate, so we want to populate it carefully.

We are going to focus on generating a new CSR, using the command:

certreq -new myrequest.inf mycsr.req

If you are exceptionally lazy, you can omit the filenames and certreq will open a file open dialog box and a file save dialog box for your lackadaisical self.

Here are the contents of the myrequest.inf file:

;----------------- myrequest.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=FQDN, OU=Organizational_Unit_Name, O=Sobit, L=SLC, S=Utah, C=US" ; replace with your FQDN
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication


Please populate the subject field with your device/server specific information.  Make sure the FQDN matches the hostname that your users are going to use to connect to your encrypted service.  Here is the template:

Subject = "CN=FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name"
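A pre-flight check for the .inf file described above, as an added example that is not part of the original post or of certreq itself. The helper name Test-CertReqInf, the 2048-bit threshold, the decision to report Exportable = TRUE, and the sample text are assumptions of this example.

```powershell
# Added example: lint a certreq .inf before running "certreq -new".
# Test-CertReqInf is a hypothetical helper name, not part of certreq.
function Test-CertReqInf {
    param([Parameter(Mandatory)][string]$InfText)
    # Parse "[Section]" headers and "Key = Value" lines; ';' starts a comment.
    $sections = @{}
    $current  = $null
    foreach ($raw in ($InfText -split '\r?\n')) {
        $line = ($raw -replace ';.*$', '').Trim()
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1].Trim()
            $sections[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $req = $sections['NewRequest']
    if (-not $req) { return 'No [NewRequest] section: certreq has nothing to build' }
    # The CN must be the name clients connect to, so a missing CN is a blocker.
    if ($req['Subject'] -notmatch '(^|,)\s*CN=[^,\s]') { 'Subject has no CN= value' }
    if ([int]$req['KeyLength'] -lt 2048) { 'KeyLength is missing or below 2048' }
    # Not an error, but worth a conscious decision for a server key.
    if ($req['Exportable'] -eq 'TRUE') { 'Exportable = TRUE: the private key can be exported from this machine' }
    $eku = $sections['EnhancedKeyUsageExtension']
    if (-not $eku -or $eku['OID'] -ne '1.3.6.1.5.5.7.3.1') { 'Server Authentication OID (1.3.6.1.5.5.7.3.1) is not requested' }
}

# Constructed sample: same layout as myrequest.inf, with no CN and a 1024-bit key.
$sample = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "OU=IT, O=Example Org, L=SLC, S=Utah, C=US"
KeyLength = 1024
Exportable = TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
'@

$findings = @(Test-CertReqInf -InfText $sample)
$findings | ForEach-Object { "FINDING: $_" }
if ($findings.Count -eq 0) { 'Clean: run certreq -new myrequest.inf mycsr.req' }
```

Once certreq -new has produced the request, certutil -dump mycsr.req decodes it so the subject and key size can be confirmed before it goes to the CA.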

The output of the tool will be the CSR that you submit to your certificate authority.  Similar to this:


Posted in Operating Systems

Useful Windows CLI Commands

View NIC configuration

Send Continuous Ping Requests
ping -t [hostname/IP]

Display DNS cache
ipconfig /displaydns

Flush local DNS cache
ipconfig /flushdns

View all active connections

View active connections with process ids
netstat -o

View the routing table
route print

View all environment variables

List all processes currently running

List all processes showing DLLs in use
tasklist /m

Shutdown Windows Immediately:
shutdown /s /t 0

Restart Windows Immediately:
shutdown /r /t 0

Disable Windows Firewall
netsh firewall set opmode disable

Change DNS settings
netsh interface ip set dns local static [ip]

Launch Frequently Used GUI programs

Terminal Services
mstsc /v:[hostname/IP]

Programs and Features

Network Control Panel

Local User Manager

Services Control Panel

Security Policy Manager

Event Viewer
eventvwr.msc

Control Panel

Many of these commands and several others are available in a handy cheat sheet from SANS here:
