
Me, myself & IT

Generate (self-signed) X.509 Certificates with CertReq.exe

Purpose
Reason
Preparation
Operation

Purpose

Use Windows® CertReq.exe to issue (self-signed) X.509 certificates.

Reason

Set up and operate your own PKI, run your own CA, issue X.509 certificates for client authentication, server authentication, code signing, secure email (S/MIME), IP security, time stamping, …

Preparation

Replace the items enclosed in angle quotes ‹…› in the [Strings] section of the following (sample) script with your own data and save it as file ‹filename›.inf:
; Copyright © 2009-2020, Stefan Kanthak <stefan.kanthak@nexgo.de>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
MailAddress  = "‹mailbox›@‹domain›.‹tld›"
CommonName   = "‹firstname› ‹lastname›"
GivenName    = "‹firstname›"
SurName      = "‹lastname›"
Initials     = "‹initials›"
Title        = "‹title›"
OrgUnit      = "‹organisational unit›"     ; or ‹department›
Organisation = "‹organisation›"            ; or ‹company›
Street       = "‹street›"
Locality     = "‹city›"
State        = "‹state›"                   ; or ‹province›
Country      = "‹two-letter country code›" ; DE, GB, US, …

[NewRequest]
;AlternateSignatureAlgorithm = FALSE
;EncipherOnly = FALSE
;EncryptionAlgorithm =
;EncryptionLength =
Exportable = TRUE
;ExportableEncrypted = FALSE
FriendlyName = "%CommonName% <%MailAddress%>"
HashAlgorithm = SHA256
;KeyAlgorithm = RSA
;KeyContainer =
KeyLength = 4096
;KeyProtection = 2
KeySpec = 2
KeyUsage = 0x00FC
KeyUsageProperty = 0xFFFFFF
;MachineKeySet = FALSE
;NotAfter = "mm/dd/yyyy hh:mm AM"
;NotBefore = "mm/dd/yyyy hh:mm PM"
;PrivateKeyArchive = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = CERT
;Silent = FALSE
;SMIME = FALSE
Subject = "E=%MailAddress%, CN=%CommonName%, G=%GivenName%, SN=%SurName%, I=%Initials%, T=%Title%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%"
;UserProtected = FALSE
ValidityPeriod = Years
ValidityPeriodUnits = 3

[Extensions]
; Subject Alternative Name
2.5.29.17 = "{text}EMail=%MailAddress%"
; Basic Constraints
2.5.29.19 = "{text}CA=0&PathLength=0"
; Enhanced Key Usage
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.5,1.3.6.1.5.5.7.3.6,1.3.6.1.5.5.7.3.7,1.3.6.1.5.5.7.3.8,1.3.6.1.5.5.7.3.17,…"
Critical = 2.5.29.19

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1  ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2  ; Client Authentication
OID = 1.3.6.1.5.5.7.3.3  ; Code Signing
OID = 1.3.6.1.5.5.7.3.4  ; Secure E-mail
OID = 1.3.6.1.5.5.7.3.5  ; IP Security End System
OID = 1.3.6.1.5.5.7.3.6  ; IP Security Tunnel Endpoint
OID = 1.3.6.1.5.5.7.3.7  ; IP Security User
OID = 1.3.6.1.5.5.7.3.8  ; Time Stamping
OID = 1.3.6.1.5.5.7.3.17 ; IP Security Key Exchange (IKE)
…
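As an added illustration (my own code, not part of the script above), the following Python snippet parses an INF fragment in the layout shown, performs the %Name% substitution that CertReq does from the [Strings] section, and decodes the KeyUsage mask and the EKU OIDs into their RFC 5280 names; the sample data, the parser and the name tables are assumptions, while the bit values are the CryptoAPI CERT_*_KEY_USAGE constants that CertReq documents for KeyUsage.

```python
import re
# Constructed INF excerpt in the page's layout, with hypothetical sample data.
SAMPLE_INF = """\
[Strings]
MailAddress  = "jane.doe@example.invalid"
CommonName   = "Jane Doe"                  ; display name
[NewRequest]
KeyUsage = 0x00FC
Subject = "E=%MailAddress%, CN=%CommonName%, C=DE"
[Extensions]
2.5.29.19 = "{text}CA=0&PathLength=0"
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.4"
"""
# CryptoAPI CERT_*_KEY_USAGE bits (wincrypt.h) as CertReq reads KeyUsage; RFC 5280 names.
KEY_USAGE_BITS = {
    0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
    0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign",
    0x02: "cRLSign", 0x01: "encipherOnly", 0x8000: "decipherOnly"}
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "Server Authentication",
             "1.3.6.1.5.5.7.3.2": "Client Authentication", "1.3.6.1.5.5.7.3.4": "Secure E-mail"}
LINE_RE = re.compile(r'^([^=;\s][^=]*?)\s*=\s*(?:"([^"]*)"|([^;]*?))\s*(?:;.*)?$')  # key = "quoted" | bare [; comment]

def parse_inf(text):  # -> {section: [(key, value), ...]}; repeated keys (OID = ...) are kept
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or full-line comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
            continue
        m = LINE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"malformed INF line: {raw!r}")
        current.append((m.group(1), m.group(2) if m.group(2) is not None else m.group(3)))
    return sections

def expand(value, strings):  # substitute %Name% from [Strings]; unknown name -> KeyError
    return re.sub(r"%(\w+)%", lambda m: strings[m.group(1)], value)

def summarize(text):
    """Resolve the Subject, decode KeyUsage and EKU, flag keyCertSign without CA=1."""
    inf = parse_inf(text)
    strings, req, ext = (dict(inf.get(s, [])) for s in ("Strings", "NewRequest", "Extensions"))
    mask = int(req["KeyUsage"], 16)                   # "0x00FC" -> 252
    usages = [name for bit, name in KEY_USAGE_BITS.items() if mask & bit]
    oids = ext.get("2.5.29.37", "{text}")[len("{text}"):].split(",")
    return {"subject": expand(req["Subject"], strings), "key_usage": usages,
            "eku": [EKU_NAMES.get(o, o) for o in oids if o],
            "ca_mismatch": "keyCertSign" in usages and "CA=1" not in ext.get("2.5.29.19", "")}
```

The ca_mismatch flag is worth checking before you run the script: 0x00FC includes bit 0x04 (keyCertSign), and RFC 5280 requires the cA flag in Basic Constraints whenever keyCertSign is asserted, so drop that bit (KeyUsage = 0x00F8) for an end-entity certificate with CA=0.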

Operation

Perform the following operations using only tools shipped with Windows.


Copyright © 1995–2020 • Stefan Kanthak • <stefan.kanthak@nexgo.de>