Create a (SAN) CSR using Certreq.exe

If you want to create a Certificate Signing Request (CSR) for a normal or Subject Alternative Names (SAN) certificate, for example, for a website, you can use Certreq.exe to create such a request.

Open Notepad or any other text editor and copy the following information to it.

[NewRequest]
Subject = "CN=<Main FQDN>, OU=<Organizational Unit>, O=<Organization>, L=<Location>, S=<State>, C=<Country>"
Exportable = <TRUE/FALSE>
KeySpec = 1
KeyLength = <2048/4096>
HashAlgorithm = SHA384
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "<friendly description of the certificate>"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate = WebServer
;Use the section below if Subject Alternative Names (SANs) are needed, otherwise delete this line and everything below.
;Each name is its own _continue_ line (note the underscores); the trailing & separates the entries.
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=<Main FQDN>&"
_continue_ = "dns=<1st Subject Alternative Name FQDN>&"

Replace all the <> blocks with the required values so that you end up with a text file like the one below. The example could be used for an Exchange server that needs the FQDNs ‘mail.onkelx.nl’ and ‘autodiscover.onkelx.nl’ and a key length of 2048 bits. The certificate that will be created from this CSR will be exportable because the ‘Exportable’ option is set to TRUE.

If several FQDNs are needed, also include the common name (CN=mail.onkelx.nl) in the SAN section (dns=mail.onkelx.nl&). This is required because when a certificate carries a Subject Alternative Name (SAN) extension, SSL/TLS clients are supposed to ignore the Common Name and match the host name against the SAN list only; a CN that is missing from the SAN list will therefore not be trusted for that name.

[NewRequest]
Subject = "CN=mail.onkelx.nl, OU=IT Department, O=OnkelX, L=Vleuten, S=Utrecht, C=NL"
Exportable = TRUE
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA384
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "<friendly description of the certificate>"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate = WebServer
;Use the section below if Subject Alternative Names (SANs) are needed, otherwise delete this line and everything below.
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.onkelx.nl&"
_continue_ = "dns=autodiscover.onkelx.nl&"

Save this text to a file named ‘template.inf’. Open a Command Prompt as an Administrator and go to the folder where you saved the template file.

Use the following command to create a CSR file named ‘mail_onkelx_nl.csr’ based on the information from the template file. The file is saved in the current folder.

certreq -new template.inf mail_onkelx_nl.csr

When the CSR file has been created and saved, you can open it with a text editor. The first line should be ‘-----BEGIN NEW CERTIFICATE REQUEST-----’ and the last line should be ‘-----END NEW CERTIFICATE REQUEST-----’.

To verify the CSR file, you can use a CSR checker on the Internet.

https://www.digicert.com/ssltools/view-csr/

Open the CSR file, copy the content to the webpage and click the ‘Check CSR’ button.

Check if all values are correct.
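The whole procedure above (building the INF with the common name repeated in the SAN list, running certreq, and checking the result) as an added PowerShell example that is not part of the original post. It verifies the CSR offline with certutil -dump instead of a web checker; the names, paths and subject fields are constructed sample values, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post): build the certreq INF from a
# list of DNS names, create the CSR and verify its SAN list offline.
# Assumptions: elevated PowerShell; $Names[0] is the common name (constructed).
$Names   = @('mail.onkelx.nl', 'autodiscover.onkelx.nl')
$InfPath = 'template.inf'
$CsrPath = 'mail_onkelx_nl.csr'

# The CN must also appear in the SAN list, because clients that see a SAN
# extension ignore the CN. Deduplicate so a repeated name is emitted once.
$SanNames = @($Names | Select-Object -Unique)

$inf = @"
[NewRequest]
Subject = "CN=$($Names[0]), OU=IT Department, O=OnkelX, L=Vleuten, S=Utrecht, C=NL"
Exportable = FALSE
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA384
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "$($Names[0])"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
"@
# One _continue_ line per SAN entry; the trailing & separates the entries.
foreach ($n in $SanNames) { $inf += "`n_continue_ = `"dns=$n&`"" }
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Exportable = FALSE keeps the private key bound to this machine; set it to
# TRUE only when the key really has to be moved to other servers.
certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Offline check: certutil -dump decodes the request and lists every
# 'DNS Name=' entry of the SAN extension; fail if an expected name is missing.
$dump    = certutil -dump $CsrPath | Out-String
$missing = $SanNames | Where-Object { $dump -notmatch [regex]::Escape("DNS Name=$_") }
if ($missing) { throw "CSR is missing SAN entries: $($missing -join ', ')" }
"CSR $CsrPath contains all $($SanNames.Count) expected SAN entries."
```

A CSR holds only the public key and the requested subject data, so checking it offline or with a web tool discloses nothing secret; the private key stays in the machine key store.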

Now you can use the CSR to request an SSL SAN certificate. You can use your own (Microsoft) CA, or a commercial CA.

If you want to create a (SAN) CSR using the Microsoft Management Console (MMC), check the following article.

2 thoughts on “Create a (SAN) CSR using Certreq.exe”

  1. When I am trying to generate the CSR with multiple DNS names using the config data below

    [Version]
    Signature= "$Windows NT$"
    [NewRequest]
    Subject = "CN=server.com, C=BE, ST=Brussels, L=Brussels, OU=company, O=company, E=xyz@gmail.com"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    FriendlyName = "friendlyname.com"
    HashAlgorithm = "SHA256"
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    OID=1.3.6.1.5.5.7.3.2
    [Extensions]
    2.5.29.17 = "{text}"
    continue = "DNS=dns1.com"
    continue = "DNS=dns2.com"

    I am getting the error saying
    The parameter is incorrect [Extensions] 2.5.29.17 ={text}

    Can you please help me to fix the issue?

    1. In the Extensions part, you need to use underscores:
      _continue_ = "dns=dns1.com"
      _continue_ = "dns=dns2.com"
