Create A Windows Certificate Signing Request Without IIS

Before we can install a certificate, a certificate signing request (CSR) must be generated and sent to the certificate authority (CA).  The CSR should be generated on the device that will install the certificate, because the private key is created alongside the request and the issued certificate only works with that key.  Microsoft has simple instructions for creating a CSR when IIS is installed, but what if we want to enable TLS for LDAP (LDAPS) or SQL Server?  IIS is not always available to generate the CSR.

Microsoft has a command line utility called certreq.exe to help us out.  From the technet article:

“Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.”

Certreq is installed by default on Vista, Windows 7, 8, Server 2008, and Server 2012.  The syntax has changed a little between versions, but it essentially takes an action and an .inf file as parameters.  The .inf file contains the information that will appear in the certificate, so populate it carefully.

We are going to focus on generating a new CSR, using the command:

certreq -new myrequest.inf mycsr.req

If you are exceptionally lazy, you can omit the filenames and certreq will open a file open dialog box and a file save dialog box for your lackadaisical self.

Here are the contents of the myrequest.inf file:

;----------------- myrequest.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=myserver.sobit.org, E=certs@sobit.org, O=Sobit.org, L=SLC, S=Utah, C=US" ; replace with your FQDN and organisation
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance. Use at least 2048;
; public CAs no longer issue certificates for 1024-bit keys.
Exportable = TRUE
; TRUE allows the private key to be exported later (for example
; to move it to another host). Set it to FALSE unless you need that.
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------

Populate the Subject field with your device/server specific information.  Make sure the CN (FQDN) matches the hostname that your users are going to use to connect to your encrypted service; a name mismatch is the most common cause of certificate warnings.  Note that current browsers and many TLS libraries ignore the CN and match only the Subject Alternative Name extension, so either ask your CA to include the FQDN as a SAN or add a SAN extension to the .inf.  Here is the template:

Subject = "CN=FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name"

The output of the tool is the CSR, a Base64-encoded PKCS#10 block between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines, which you submit to your certificate authority.
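Putting the whole procedure together, here is an added PowerShell example (not from the original post) that writes the .inf, adds a Subject Alternative Name extension so modern clients will accept the certificate, generates the request with certreq -new, and decodes the result with certutil -dump so you can check the subject, SANs, key size and EKU before submitting it.  The hostnames, organisation values and file paths are placeholders; it must run from an elevated prompt because the key is created in the machine store, and it sets Exportable = FALSE deliberately so the private key cannot be pulled off the box afterwards.  The HashAlgorithm key and the [Extensions] section use certreq's documented {text} syntax for OID 2.5.29.17.

```powershell
# Added example, not code from the original post. Placeholders: hostnames,
# organisation values and paths are assumptions; replace them for your server.
$Fqdn = 'myserver.sobit.org'                        # the name clients will connect to
$San  = @('myserver.sobit.org', 'ldap.sobit.org')   # every name the certificate must cover
$Inf  = "$env:TEMP\myrequest.inf"
$Csr  = "$env:TEMP\mycsr.req"

# certreq accepts SANs as a 2.5.29.17 extension written in its "{text}" form,
# with entries separated by '&'.
$SanText = ($San | ForEach-Object { "dns=$_" }) -join '&'

@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=Sobit, L=SLC, S=Utah, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}$SanText"
"@ | Set-Content -Path $Inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
# Requires an elevated prompt because MachineKeySet = TRUE.
certreq.exe -new $Inf $Csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request and confirm what you are about to send: the CA will sign
# whatever is in it, so check the subject, SAN list, key length and EKU now.
$dump = certutil.exe -dump $Csr
$dump | Select-String -Pattern 'CN=', 'DNS Name=', 'Public Key Length', 'Server Authentication'

# Once the CA returns the signed certificate (for example mycert.cer), bind it
# to the private key that certreq created on this machine:
#   certreq.exe -accept mycert.cer
```

If certutil -dump does not show every DNS name you expected, fix the .inf and regenerate rather than asking the CA to add names: the SAN list is signed as part of the certificate, and a name that is missing from it will not be trusted by the client no matter what the CN says.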

Posted in Operating Systems

Useful Windows CLI Commands

View NIC configuration
ipconfig

Send Continuous Ping Requests
ping -t [hostname/IP]

Display DNS cache
ipconfig /displaydns

Flush local DNS cache
ipconfig /flushdns

View all active connections
netstat

View active connections with process ids
netstat -o

View the routing table
route print

View all environment variables
set

List all processes currently running
tasklist

List all processes showing DLLs in use
tasklist /m

Shutdown Windows Immediately:
shutdown /s /t 0

Restart Windows Immediately:
shutdown /r /t 0

Disable Windows Firewall (the old "netsh firewall" context is deprecated since Vista; use advfirewall, and remember that this exposes every listening port on every profile)
netsh advfirewall set allprofiles state off

Change DNS settings (replace the interface name with the one shown by "netsh interface show interface")
netsh interface ip set dns "[interface name]" static [ip]
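As an added example (not from the original post), the following PowerShell function does what "netstat -o" and "tasklist" do together: it joins each TCP connection to its owning process so you see the process name and image path rather than only a PID.  It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available; the trailing triage query is only one illustration of a useful filter, and the function name is my own.

```powershell
# Added example, not from the original post. Assumes Get-NetTCPConnection
# (Windows 8 / Server 2012 and later). Function name is made up for this example.
function Get-ConnectionOwner {
    param(
        # Connection states to include; Listen and Established cover most triage.
        [string[]]$State = @('Listen', 'Established')
    )

    # Snapshot running processes once, keyed by PID, so the join is O(1) per connection.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection |
        Where-Object { $_.State.ToString() -in $State } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                # A PID with no process means it exited between the two snapshots.
                Process       = if ($p) { $p.ProcessName } else { '<exited>' }
                # Path is $null for System/protected processes even when elevated.
                Path          = if ($p) { $p.Path } else { $null }
            }
        }
}

# Triage view: listening sockets owned by binaries outside the Windows directory.
# Anything here on a freshly built server deserves a second look.
Get-ConnectionOwner -State Listen |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    Sort-Object LocalPort |
    Format-Table LocalAddress, LocalPort, PID, Process, Path -AutoSize
```

Run it elevated if you want the Path column filled in for services running as SYSTEM; without elevation Get-Process cannot open those handles and the column stays empty.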

Launch Frequently Used GUI programs

Terminal Services
mstsc /v:[hostname/IP]

Programs and Features
appwiz.cpl

Network Control Panel
ncpa.cpl

Local User Manager
lusrmgr.msc

Services Control Panel
services.msc

Security Policy Manager
secpol.msc

Event Viewer
eventvwr.msc

Control Panel
control

Many of these commands and several others are available in a handy cheat sheet from SANS here:
http://pen-testing.sans.org/resources/downloads#command_line

Posted in Operating Systems