Valid HTML 4.01 Transitional Valid CSS Valid SVG 1.0

Me, myself & IT

Generate (self-issued and self-signed) X.509 Certificates with CertReq.exe

Purpose
Reason
Preparation
Operation
Example

Purpose

Use Windows’® CertReq.exe to generate (self-issued and self-signed) X.509 certificates.

Reason

Setup and operate your own PKI, run your own CA, issue X.509 certificates for client authentication, server authentication, code signing, secure email (S/MIME), IP security, time stamping, …

Preparation

Replace the items enclosed in angle quotes ‹…› in the [Strings] section of the following (sample) script with your own data and save it as text file ‹filename›.inf:
; Copyright © 2009-2020, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
PEN          = "1.3.6.1.4.1.‹private enterprise number›"
URL          = "https://‹host›.‹domain›.‹tld›"
AIA          = "http://‹host›.‹domain›.‹tld›/…/‹filename›.cer"
CDP          = "http://‹host›.‹domain›.‹tld›/…/‹filename›.crl"
CPS          = "http://‹host›.‹domain›.‹tld›/…/‹filename›.html"
FQDN         = "‹host›.‹domain›.‹tld›"
IPv4Address  = "‹octet›.‹octet›.‹octet›.‹octet›"
EMail        = "‹mailbox›@‹domain›.‹tld›"
CommonName   = "‹firstname› ‹lastname›"
GivenName    = "‹firstname›"
SurName      = "‹lastname›"
Initials     = "‹initials›"
Title        = "‹title›"
OrgUnit      = "‹organisational unit›"       ; or ‹department›
Organisation = "‹organisation›"              ; or ‹company›
Street       = "‹street›"
Locality     = "‹city›"
State        = "‹state›"                     ; or ‹province›
Country      = "‹two-letter country code›"   ; DE, GB, US, …
PostalCode   = "‹postal code›"

[PolicyStatementExtension]
;Critical = FALSE
Policies  = Policy, …

[PolicyMappingsExtension]
;Critical = FALSE

[PolicyConstraintsExtension]
;Critical = FALSE

[Policy]
Notice = "Certificate Practice Statement"
OID    = %PEN%.1
URL    = "%CPS%"

[NewRequest]
;AlternateSignatureAlgorithm = FALSE
;EncipherOnly                = FALSE
;EncryptionAlgorithm         = …
;EncryptionLength            = …
Exportable                   = TRUE
;ExportableEncrypted         = FALSE
FriendlyName                 = "%CommonName% <%EMail%>"
HashAlgorithm                = SHA256
;KeyAlgorithm                = RSA
;KeyContainer                = …
KeyLength                    = 4096
;KeyProtection               = 2
;                            = 0 ; AT_NONE
;                            = 1 ; AT_KEYEXCHANGE
KeySpec                      = 2 ; AT_SIGNATURE
KeyUsage                     = 0x00FE
;                            = 0x0080 ; Digital Signature
;                            = 0x0040 ; Non Repudiation
;                            = 0x0020 ; Key Encipherment
;                            = 0x0010 ; Data Encipherment
;                            = 0x0008 ; Key Agreement
;                            = 0x0004 ; Key Certificate Signing
;                            = 0x0002 ; (Offline) CRL Signing
;                            = 0x0001 ; Encipher Only
;                            = 0x8000 ; Decipher Only
KeyUsageProperty             = 0xFFFFFF
MachineKeySet                = FALSE
;NotAfter                    = "mm/dd/yyyy hh:mm:ss AM"
;NotBefore                   = "mm/dd/yyyy hh:mm:ss PM"
;PrivateKeyArchive           = FALSE
ProviderName                 = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType                 = 24
RequestType                  = CERT
;Silent                      = FALSE
;SMIME                       = FALSE
Subject                      = "CN=%CommonName%, G=%GivenName%, SN=%SurName%, I=%Initials%, T=%Title%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%, PC=%PostalCode%, E=%EMail%"
;SubjectNameFlags            = …
;UserProtected               = FALSE
ValidityPeriod               = Years
ValidityPeriodUnits          = 5
;X500NameFlags               = …

[NameConstraintsExtension]
;Critical = FALSE
;Exclude  = Exclude
;Include  = Include

[Include]
;DNS       = …
;EMail     = …
;IPAddress = …
;URL       = …

[Exclude]
;DNS       = …
;EMail     = …
;IPAddress = …
;URL       = …

[Extensions]
Critical = 2.5.29.19
; Subject Directory Attributes
;2.5.29.9 = "…"
; Subject Key Identifier
;2.5.29.14 = "{hex}…"
; Private Key Usage Period
;2.5.29.16 = "…"
; Subject Alternative Name
2.5.29.17 = "{text}DNS=%FQDN%&EMail=%EMail%&IPAddress=%IPv4Address%&RegisteredId=%PEN%&URL=%URL%"
; Basic Constraints
2.5.29.19 = "{text}CA=0&PathLength=0"
; Name Constraints
;2.5.29.30 = "{text}…"
; CRL Distribution Points
;2.5.29.31 = "…"
; Certificate Policies
;2.5.29.32 = "{text}…"
; Policy Mappings
;2.5.29.33 = "{text}…"
; Authority Key Identifier
;2.5.29.35 = "{hex}…"
; Policy Constraints
;2.5.29.36 = "{text}…"
; Extended Key Usage
;2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.5,1.3.6.1.5.5.7.3.6,1.3.6.1.5.5.7.3.7,1.3.6.1.5.5.7.3.8,1.3.6.1.5.5.7.3.17,…"
; Freshest CRL
;2.5.29.46 = "…"

[EnhancedKeyUsageExtension]
;Critical = FALSE
OID = 1.3.6.1.4.1.311.10.3.4 ; Encrypting File System
OID = 1.3.6.1.4.1.311.54.1.2 ; Remote Desktop
OID = 1.3.6.1.4.1.311.80.1   ; Document Encryption
OID = …
OID = 1.3.6.1.5.5.7.3.1  ; Client Authentication
OID = 1.3.6.1.5.5.7.3.2  ; Server Authentication
OID = 1.3.6.1.5.5.7.3.3  ; Code Signing
OID = 1.3.6.1.5.5.7.3.4  ; Secure E-mail (S/MIME)
OID = 1.3.6.1.5.5.7.3.5  ; IP Security End System
OID = 1.3.6.1.5.5.7.3.6  ; IP Security Tunnel Endpoint
OID = 1.3.6.1.5.5.7.3.7  ; IP Security User
OID = 1.3.6.1.5.5.7.3.8  ; Time Stamping
OID = 1.3.6.1.5.5.7.3.9  ; OCSP Signing
OID = …
OID = 1.3.6.1.5.5.7.3.17 ; IP Security Key Exchange (IKE)
OID = …
OID = 1.3.6.1.5.5.7.3.21 ; Secure Shell Client Authentication
OID = 1.3.6.1.5.5.7.3.22 ; Secure Shell Server Authentication
OID = …
OID = 2.5.29.37.0 ; Any Extended Key Usage

[CrossCertificateDistributionPointsExtension]
;Critical      = FALSE
;SyncDeltaTime = …
;URL           = "…"

[CRLDistributionPoint]
URL = "%CDP%"

[BasicConstraintsExtension]
;Critical     = TRUE
;PathLength   = 0
;Subject Type = CA

[AuthorityInformationAccess]
URL = "%AIA%"

[ApplicationPolicyStatementExtension]
;Critical = FALSE
;Policies = ApplicationPolicy, …

[ApplicationPolicyMappingsExtension]
;Critical = FALSE

[ApplicationPolicyConstraintsExtension]
;Critical = FALSE
Note: request your PEN from IANA via their application form.

Note: NotAfter and NotBefore expect localised date (and time) values!

Note: SMIME defaults to TRUE for KeySpec=1, and FALSE otherwise.

Operation

Perform the following operations using only tools shipped with Windows.

Example

The following example generates a self-signed X.509 (root) certificate for the Root CA of a (fictitious) newspaper Daily Planet, located in the (fictitious) town Metropolis in the (fictitious) state East Coast, then generates a self-issued second X.509 (leaf) certificate for its (fictitious) reporter Clark Kent, suitable for client authentication, e-mail encryption and e-mail signing, and signs it using the X.509 root certificate.
  1. Save the following text file as Sample-RootCA.inf in an arbitrary, preferable empty directory:

    ; Copyright © 2009-2020, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>
    
    [Version]
    Provider  = "Stefan Kanthak"
    Signature = "$Windows NT$"
    
    [Strings]
    CPS          = "https://ca.daily-planet.tld/cps.html"
    URL          = "https://ca.daily-planet.tld/index.html"
    EMail        = "ca@daily-planet.tld"
    Domain       = "daily-planet"
    TopLevel     = "tld"
    CommonName   = "Daily Planet Certification Authority"
    OrgUnit      = "Trust Center"
    Organisation = "Daily Planet"
    Street       = "Planet Square"
    Locality     = "Metropolis"
    State        = "East Coast"
    Country      = "CC"
    PostalCode   = "EC-0815"
    
    [PolicyStatementExtension]
    ;Critical = FALSE
    Policies  = Policy
    
    [Policy]
    Notice = "Certificate Practice Statement"
    OID    = 2.5.29.32
    URL    = "%CPS%"
    
    [NewRequest]
    Exportable       = TRUE
    FriendlyName     = "%CommonName% <%EMail%>"
    HashAlgorithm    = SHA256
    KeyLength        = 4096
    ;KeyProtection   = 2
    KeySpec          = 2 ; AT_SIGNATURE
    KeyUsage         = 0x00FE
    KeyUsageProperty = 0xFFFFFF
    MachineKeySet    = FALSE
    ProviderName     = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    ProviderType     = 24
    RequestType      = CERT
    ;SMIME           = FALSE
    Subject          = "CN=%CommonName%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%, PC=%PostalCode%, E=%EMail%, DC=%Domain%, DC=%TopLevel%"
    
    [Extensions]
    Critical = 2.5.29.19
    ; Subject Alternative Name
    2.5.29.17 = "{text}EMail=%EMail%&URL=%URL%"
    ; Basic Constraints
    2.5.29.19 = "{text}CA=1&PathLength=0"
  2. Run the following command line to generate the root certificate from the file Sample-RootCA.inf created in step 1. and save it in the output file Sample-RootCA.cer:

    CertReq.exe /V /User /New Sample-RootCA.inf Sample-RootCA.cer
    0: 2.5.29.17(Subject Alternative Name) not critical cb=3f
    0000	30 3d 81 13 63 61 40 64  61 69 6c 79 2d 70 6c 61   0=..ca@daily-pla
    0010	6e 65 74 2e 74 6c 64 86  26 68 74 74 70 73 3a 2f   net.tld.&https:/
    0020	2f 63 61 2e 64 61 69 6c  79 2d 70 6c 61 6e 65 74   /ca.daily-planet
    0030	2e 74 6c 64 2f 69 6e 64  65 78 2e 68 74 6d 6c      .tld/index.html
    1: 2.5.29.19(Basic Constraints) critical cb=8
    0000	30 06 01 01 ff 02 01 00                            0.......
    Cert: 4 -> 4
  3. Save the following text file as Sample-ClarkKent.inf in the directory choosen in step 1.:

    ; Copyright © 2009-2020, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>
    
    [Version]
    Provider  = "Stefan Kanthak"
    Signature = "$Windows NT$"
    
    [Strings]
    URL          = "https://staff.daily-planet.tld/clark.kent/index.html"
    EMail        = "clark.kent@daily-planet.tld"
    Domain       = "daily-planet"
    TopLevel     = "tld"
    CommonName   = "Clark Kent"
    GivenName    = "Clark"
    SurName      = "Kent"
    Title        = "Reporter"
    OrgUnit      = "Staff"
    Organisation = "Daily Planet"
    Street       = "Planet Square"
    Locality     = "Metropolis"
    State        = "East Coast"
    Country      = "CC"
    PostalCode   = "EC-0815"
    
    [NewRequest]
    Exportable       = TRUE
    FriendlyName     = "%CommonName% <%EMail%>"
    HashAlgorithm    = SHA256
    KeyLength        = 4096
    ;KeyProtection   = 2
    KeySpec          = 1 ; AT_KEYEXCHANGE
    KeyUsage         = 0x00F0
    KeyUsageProperty = 0xFFFFFF
    MachineKeySet    = FALSE
    ProviderName     = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    ProviderType     = 24
    RequestType      = CERT
    ;SMIME           = TRUE
    Subject          = "CN=%CommonName%, G=%GivenName%, SN=%SurName%, T=%Title%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%, PC=%PostalCode%, E=%EMail%, DC=%Domain%, DC=%TopLevel%"
    
    [Extensions]
    Critical = 2.5.29.37
    ; Subject Alternative Name
    2.5.29.17 = "{text}EMail=%EMail%&URL=%URL%"
    ; Extended Key Usage
    2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.21"
  4. Run the following command line to generate the certificate for Clark Kent from the file Sample-ClarkKent.inf created in step 3., sign it using the root certificate generated in step 2. and save it in the output file Sample-ClarkKent.cer:

    CertReq.exe /V /User /New /Cert "Daily Planet Certification Authority" Sample-ClarkKent.inf Sample-ClarkKent.cer
    0: 2.5.29.17(Subject Alternative Name) not critical cb=55
    0000	30 53 81 1b 63 6c 61 72  6b 2e 6b 65 6e 74 40 64   0S..clark.kent@d
    0010	61 69 6c 79 2d 70 6c 61  6e 65 74 2e 74 6c 64 86   aily-planet.tld.
    0020	34 68 74 74 70 73 3a 2f  2f 73 74 61 66 66 2e 64   4https://staff.d
    0030	61 69 6c 79 2d 70 6c 61  6e 65 74 2e 74 6c 64 2f   aily-planet.tld/
    0040	63 6c 61 72 6b 2e 6b 65  6e 74 2f 69 6e 64 65 78   clark.kent/index
    0050	2e 68 74 6d 6c                                     .html
    1: 2.5.29.37(Extended Key Usage) critical cb=20
    0000	30 1e 06 08 2b 06 01 05  05 07 03 01 06 08 2b 06   0...+.........+.
    0010	01 05 05 07 03 04 06 08  2b 06 01 05 05 07 03 15   ........+.......
    Cert: 4 -> 4

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):


Copyright © 1995–2020 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>