Me, myself & IT

Generate (Self-Issued and Self-Signed) X.509 Certificates with `CertReq.exe`

Purpose
Reason
Background Information
Preparation
Operation
Example

Purpose

Use Windows’^™ CertReq.exe CertReq.exe to generate (self-issued and self-signed) X.509 certificates.

Reason

Setup and operate your own PKI, run your own CA, issue X.509 certificates for client authentication, server authentication, code signing, secure email (S/MIME), IP security, time stamping, …

Background Information

The TechNet article Introduction to Code Signing provides an introduction.

Preparation

Replace the items enclosed in angle quotes ‹…› in the [Strings] section of the following (sample) script with your own data and save it as text file ‹filename›.inf:

; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
PEN          = "1.3.6.1.4.1.‹private enterprise number›"
URL          = "https://‹host›.‹domain›.‹tld›"
AIA          = "http://‹host›.‹domain›.‹tld›/…/‹filename›.cer"
CDP          = "http://‹host›.‹domain›.‹tld›/…/‹filename›.crl"
CPS          = "http://‹host›.‹domain›.‹tld›/…/‹filename›.html"
FQDN         = "‹host›.‹domain›.‹tld›"
IPv4Address  = "‹octet›.‹octet›.‹octet›.‹octet›"
EMail        = "‹mailbox›@‹domain›.‹tld›"
CommonName   = "‹firstname› ‹lastname›"
GivenName    = "‹firstname›"
SurName      = "‹lastname›"
Initials     = "‹initials›"
Title        = "‹title›"
OrgUnit      = "‹organisational unit›"       ; or ‹department›
Organisation = "‹organisation›"              ; or ‹company›
Street       = "‹street›"
Locality     = "‹city›"
State        = "‹state›"                     ; or ‹province›
Country      = "‹two-letter country code›"   ; DE, GB, US, …
PostalCode   = "‹postal code›"

[PolicyStatementExtension]
;Critical = FALSE
Policies  = Policy, …

[PolicyMappingsExtension]
;Critical = FALSE

[PolicyConstraintsExtension]
;Critical = FALSE

[Policy]
Notice = "Certificate Practice Statement"
OID    = %PEN%.1
URL    = "%CPS%"

[NewRequest]
;AlternateSignatureAlgorithm = FALSE
;EncipherOnly                = FALSE
;EncryptionAlgorithm         = …
;EncryptionLength            = …
Exportable                   = TRUE
;ExportableEncrypted         = FALSE
FriendlyName                 = "%CommonName% <%EMail%>"
HashAlgorithm                = SHA256
;KeyAlgorithm                = RSA
;KeyContainer                = …
KeyLength                    = 4096
;KeyProtection               = 2
;                            = 0 ; AT_NONE
;                            = 1 ; AT_KEYEXCHANGE
KeySpec                      = 2 ; AT_SIGNATURE
KeyUsage                     = 0x00FE
;                            = 0x0080 ; Digital Signature
;                            = 0x0040 ; Non Repudiation
;                            = 0x0020 ; Key Encipherment
;                            = 0x0010 ; Data Encipherment
;                            = 0x0008 ; Key Agreement
;                            = 0x0004 ; Key Certificate Signing
;                            = 0x0002 ; (Offline) CRL Signing
;                            = 0x0001 ; Encipher Only
;                            = 0x8000 ; Decipher Only
KeyUsageProperty             = 0xFFFFFF
MachineKeySet                = FALSE
;NotAfter                    = "mm/dd/yyyy hh:mm:ss AM"
;NotBefore                   = "mm/dd/yyyy hh:mm:ss PM"
;PrivateKeyArchive           = FALSE
ProviderName                 = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType                 = 24
RequestType                  = CERT
;Silent                      = FALSE
;SMIME                       = FALSE
Subject                      = "CN=%CommonName%, G=%GivenName%, SN=%SurName%, I=%Initials%, T=%Title%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%, PC=%PostalCode%, E=%EMail%"
;SubjectNameFlags            = …
;UserProtected               = FALSE
ValidityPeriod               = Years
ValidityPeriodUnits          = 5
;X500NameFlags               = …

[NameConstraintsExtension]
;Critical = FALSE
;Exclude  = Exclude
;Include  = Include

[Include]
;DNS       = …
;EMail     = …
;IPAddress = …
;URL       = …

[Exclude]
;DNS       = …
;EMail     = …
;IPAddress = …
;URL       = …

[Extensions]
Critical = 2.5.29.19
; Subject Directory Attributes
;2.5.29.9 = "…"
; Subject Key Identifier
;2.5.29.14 = "{hex}…"
; Private Key Usage Period
;2.5.29.16 = "…"
; Subject Alternative Name
2.5.29.17 = "{text}DNS=%FQDN%&EMail=%EMail%&IPAddress=%IPv4Address%&RegisteredId=%PEN%&URL=%URL%"
; Basic Constraints
2.5.29.19 = "{text}CA=0&PathLength=0"
; Name Constraints
;2.5.29.30 = "{text}…"
; CRL Distribution Points
;2.5.29.31 = "…"
; Certificate Policies
;2.5.29.32 = "{text}…"
; Policy Mappings
;2.5.29.33 = "{text}…"
; Authority Key Identifier
;2.5.29.35 = "{hex}…"
; Policy Constraints
;2.5.29.36 = "{text}…"
; Extended Key Usage
;2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.5,1.3.6.1.5.5.7.3.6,1.3.6.1.5.5.7.3.7,1.3.6.1.5.5.7.3.8,1.3.6.1.5.5.7.3.17,…"
; Freshest CRL
;2.5.29.46 = "…"

[EnhancedKeyUsageExtension]
;Critical = FALSE
OID = 1.3.6.1.4.1.311.10.3.4 ; Encrypting File System
OID = 1.3.6.1.4.1.311.54.1.2 ; Remote Desktop
OID = 1.3.6.1.4.1.311.80.1   ; Document Encryption
OID = …
OID = 1.3.6.1.5.5.7.3.1  ; Client Authentication
OID = 1.3.6.1.5.5.7.3.2  ; Server Authentication
OID = 1.3.6.1.5.5.7.3.3  ; Code Signing
OID = 1.3.6.1.5.5.7.3.4  ; Secure E-mail (S/MIME)
OID = 1.3.6.1.5.5.7.3.5  ; IP Security End System
OID = 1.3.6.1.5.5.7.3.6  ; IP Security Tunnel Endpoint
OID = 1.3.6.1.5.5.7.3.7  ; IP Security User
OID = 1.3.6.1.5.5.7.3.8  ; Time Stamping
OID = 1.3.6.1.5.5.7.3.9  ; OCSP Signing
OID = …
OID = 1.3.6.1.5.5.7.3.17 ; IP Security Key Exchange (IKE)
OID = …
OID = 1.3.6.1.5.5.7.3.21 ; Secure Shell Client Authentication
OID = 1.3.6.1.5.5.7.3.22 ; Secure Shell Server Authentication
OID = …
OID = 2.5.29.37.0 ; Any Extended Key Usage

[CrossCertificateDistributionPointsExtension]
;Critical      = FALSE
;SyncDeltaTime = …
;URL           = "…"

[CRLDistributionPoint]
URL = "%CDP%"

[BasicConstraintsExtension]
;Critical     = TRUE
;PathLength   = 0
;Subject Type = CA

[AuthorityInformationAccess]
URL = "%AIA%"

[ApplicationPolicyStatementExtension]
;Critical = FALSE
;Policies = ApplicationPolicy, …

[ApplicationPolicyMappingsExtension]
;Critical = FALSE

[ApplicationPolicyConstraintsExtension]
;Critical = FALSE

Note: request your PEN from IANA via their application form.

Note: NotAfter and NotBefore expect localised date (and time) values!

Note: SMIME defaults to TRUE for KeySpec=1, and FALSE otherwise.

Operation

Perform the following operations using only tools shipped with Windows.

To create a self-signed X.509 certificate from the script file ‹filename›.inf, add it to the Personal container of your user account’s system certificate store, and write it either X.690 CER (base-64) encoded to the output file ‹filename›.cer or X.690 DER (binary) encoded to the output file ‹filename›.der, run one of the following command lines:
```
"%SystemRoot%\System32\CertReq.exe" /V /New "‹filename›.inf" "‹filename›.cer"
"%SystemRoot%\System32\CertReq.exe" /V /New /Binary "‹filename›.inf" "‹filename›.der"
```
Note: base-64 encoded files are always created with wrong, non-conformant header and footer line!
```
-----BEGIN NEW CERTIFICATE REQUEST-----
MII…
-----END NEW CERTIFICATE REQUEST-----
```
Note: to establish trust in the self-signed X.509 certificate, copy or move it from the Personal container of the system certificate store to the Root container.
To view and manage Windows’ system certificate store, run the following command line:
```
"%SystemRoot%\System32\MMC.exe" "%SystemRoot%\System32\CertMgr.msc"
```
Note: the Personal container of your user account’s system certificate store is located in the (hidden) directory %APPDATA%\Microsoft\SystemCertificates\My\ alias %USERPROFILE%\AppData\Roaming\Microsoft\SystemCertificates\My\.
To create an X.509 certificate from the script file ‹filename›.inf, digitally sign it using another X.509 certificate present in Windows’ system certificate store, identified via its common name, its serial number, its finger print or the SHA-1 hash of its key identification, add it to the Personal container of your user account’s system certificate store, and write it either X.690 CER (base-64) encoded to the output file ‹filename›.cer or X.690 DER (binary) encoded to the output file ‹filename›.der, run one of the following command lines:
```
"%SystemRoot%\System32\CertReq.exe" /V /New /Cert "‹certificate identifier›" "‹filename›.inf" "‹filename›.cer"
"%SystemRoot%\System32\CertReq.exe" /V /New /Cert "‹certificate identifier›" /Binary "‹filename›.inf" "‹filename›.der"
```
To read an arbitrary X.509 certificate stored X.690 CER (base-64) encoded in the input file ‹filename›.cer and write it X.690 DER (binary) encoded to the output file ‹filename›.der, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /Decode "‹filename›.cer" "‹filename›.der"
```
To read an arbitrary X.509 certificate stored X.690 DER (binary) encoded in the input file ‹filename›.der and write it X.690 CER (base-64) encoded to the output file ‹filename›.cer, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /Encode "‹filename›.der" "‹filename›.cer"
```
To read an arbitrary X.509 certificate stored X.690 CER (base-64) encoded or X.690 DER (binary) encoded in the input file ‹filename›.‹extension› and print it in readable form, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /Seconds /GMT /Dump "‹filename›.‹extension›"
```
To show all X.509 certificates stored in your (machine’s and user account’s) system certificate stores, select one and print it in readable form, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /Seconds /GMT /GetCert
```
To print all X.509 certificates stored in the Personal container of your user account’s system certificate store in readable form, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /Seconds /GMT /Store My
```
To print the names of all system certificate stores, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /EnumStore
```
To show all X.509 certificates stored in an arbitrary container of your (machine’s and user account’s) system certificate store, run the following command line:
```
"%SystemRoot%\System32\CertUtil.exe" /V /ViewStore "‹container›"
```
To print all X.509 certificates stored in an arbitrary container of your (machine’s and user account’s) system certificate stores, run the following command line:
```
"%SystemRoot%\System32\CertMgr.exe" /All /S "‹container›"
```
Note: predefined container names are AddressBook, AuthRoot, CA, Disallowed, FVE, My, Remote Desktop, Root, SmartCardRoot, Trust, TrustedDevices, TrustedPeople and TrustedPublisher.

Example

The following example generates a self-signed X.509 (root) certificate for the Root CA of a (fictitious) newspaper Daily Planet, located in the (fictitious) town Metropolis in the (fictitious) state East Coast, then generates a self-issued second X.509 (leaf) certificate for its (fictitious) reporter Clark Kent, suitable for client authentication, e-mail encryption and e-mail signing, and signs it using the X.509 root certificate.

Save the following text file as Sample-RootCA.inf in an arbitrary, preferable empty directory:

; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
CPS          = "https://ca.daily-planet.tld/cps.html"
URL          = "https://ca.daily-planet.tld/index.html"
EMail        = "ca@daily-planet.tld"
Domain       = "daily-planet"
TopLevel     = "tld"
CommonName   = "Daily Planet Certification Authority"
OrgUnit      = "Trust Center"
Organisation = "Daily Planet"
Street       = "Planet Square"
Locality     = "Metropolis"
State        = "East Coast"
Country      = "CC"
PostalCode   = "EC-0815"

[PolicyStatementExtension]
;Critical = FALSE
Policies  = Policy

[Policy]
Notice = "Certificate Practice Statement"
OID    = 2.5.29.32
URL    = "%CPS%"

[NewRequest]
Exportable       = TRUE
FriendlyName     = "%CommonName% <%EMail%>"
HashAlgorithm    = SHA256
KeyLength        = 4096
;KeyProtection   = 2
KeySpec          = 2 ; AT_SIGNATURE
KeyUsage         = 0x00FE
KeyUsageProperty = 0xFFFFFF
MachineKeySet    = FALSE
ProviderName     = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType     = 24
RequestType      = CERT
;SMIME           = FALSE
Subject          = "CN=%CommonName%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%, PC=%PostalCode%, E=%EMail%, DC=%Domain%, DC=%TopLevel%"

[Extensions]
Critical = 2.5.29.19
; Subject Alternative Name
2.5.29.17 = "{text}EMail=%EMail%&URL=%URL%"
; Basic Constraints
2.5.29.19 = "{text}CA=1&PathLength=0"

Run the following command line to generate the root certificate from the file Sample-RootCA.inf created in step 1. and save it in the output file Sample-RootCA.cer:

"%SystemRoot%\System32\CertReq.exe" /V /User /New Sample-RootCA.inf Sample-RootCA.cer

0: 2.5.29.17(Subject Alternative Name) not critical cb=3f
0000	30 3d 81 13 63 61 40 64  61 69 6c 79 2d 70 6c 61   0=..ca@daily-pla
0010	6e 65 74 2e 74 6c 64 86  26 68 74 74 70 73 3a 2f   net.tld.&https:/
0020	2f 63 61 2e 64 61 69 6c  79 2d 70 6c 61 6e 65 74   /ca.daily-planet
0030	2e 74 6c 64 2f 69 6e 64  65 78 2e 68 74 6d 6c      .tld/index.html
1: 2.5.29.19(Basic Constraints) critical cb=8
0000	30 06 01 01 ff 02 01 00                            0.......
Cert: 4 -> 4

Save the following text file as Sample-ClarkKent.inf in the directory chosen in step 1.:

; Copyright © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Windows NT$"

[Strings]
URL          = "https://staff.daily-planet.tld/clark.kent/index.html"
EMail        = "clark.kent@daily-planet.tld"
Domain       = "daily-planet"
TopLevel     = "tld"
CommonName   = "Clark Kent"
GivenName    = "Clark"
SurName      = "Kent"
Title        = "Reporter"
OrgUnit      = "Staff"
Organisation = "Daily Planet"
Street       = "Planet Square"
Locality     = "Metropolis"
State        = "East Coast"
Country      = "CC"
PostalCode   = "EC-0815"

[NewRequest]
Exportable       = TRUE
FriendlyName     = "%CommonName% <%EMail%>"
HashAlgorithm    = SHA256
KeyLength        = 4096
;KeyProtection   = 2
KeySpec          = 1 ; AT_KEYEXCHANGE
KeyUsage         = 0x00F0
KeyUsageProperty = 0xFFFFFF
MachineKeySet    = FALSE
ProviderName     = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType     = 24
RequestType      = CERT
;SMIME           = TRUE
Subject          = "CN=%CommonName%, G=%GivenName%, SN=%SurName%, T=%Title%, OU=%OrgUnit%, O=%Organisation%, STREET=%Street%, L=%Locality%, S=%State%, C=%Country%, PC=%PostalCode%, E=%EMail%, DC=%Domain%, DC=%TopLevel%"

[Extensions]
Critical = 2.5.29.37
; Subject Alternative Name
2.5.29.17 = "{text}EMail=%EMail%&URL=%URL%"
; Extended Key Usage
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.21"

Run the following command line to generate the certificate for Clark Kent from the file Sample-ClarkKent.inf created in step 3., sign it using the root certificate generated in step 2. and save it in the output file Sample-ClarkKent.cer:

"%SystemRoot%\System32\CertReq.exe" /V /User /New /Cert "Daily Planet Certification Authority" Sample-ClarkKent.inf Sample-ClarkKent.cer

0: 2.5.29.17(Subject Alternative Name) not critical cb=55
0000	30 53 81 1b 63 6c 61 72  6b 2e 6b 65 6e 74 40 64   0S..clark.kent@d
0010	61 69 6c 79 2d 70 6c 61  6e 65 74 2e 74 6c 64 86   aily-planet.tld.
0020	34 68 74 74 70 73 3a 2f  2f 73 74 61 66 66 2e 64   4https://staff.d
0030	61 69 6c 79 2d 70 6c 61  6e 65 74 2e 74 6c 64 2f   aily-planet.tld/
0040	63 6c 61 72 6b 2e 6b 65  6e 74 2f 69 6e 64 65 78   clark.kent/index
0050	2e 68 74 6d 6c                                     .html
1: 2.5.29.37(Extended Key Usage) critical cb=20
0000	30 1e 06 08 2b 06 01 05  05 07 03 01 06 08 2b 06   0...+.........+.
0010	01 05 05 07 03 04 06 08  2b 06 01 05 05 07 03 15   ........+.......
Cert: 4 -> 4

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.