CertReq.exe is a Windows command-line tool for interacting with the Microsoft certificate subsystem. It is especially useful for creating a certificate request with a key pair generated on the card, so that an external Certificate Authority can sign the certificate while the private key never leaves the PIVKey.
The following tutorial goes through the process of generating a certificate request with Certreq.exe and importing the signed certificate onto the card.
Certreq uses an .inf file to configure the certificate request; an example is included at the end of this page. To use it with PIVKey, make sure the file sets ProviderName = "Microsoft Base Smart Card Crypto Provider". This routes key generation to the smart card CSP, so the key pair is created on the card rather than in a software key container on the host.
Prerequisites
The root certificate of the signing CA must be imported into the computer's Trusted Root Certification Authorities store; certreq -accept builds the chain before it installs the certificate and fails if the root is not trusted.
The PIVKey Minidriver must be installed so that the Microsoft Base Smart Card Crypto Provider can talk to the card.
Generating the Certificate Request
As an example, the inf file is located in a directory called "tst" on the C drive, and this directory is used to store the certificate request and certificate as well.
Run the following as administrator
certreq -new request.inf certreq.txt
c:\tst>certreq -new request.inf certreq.txt
CertReq: Request Created
You will be prompted for the PIN twice.
The certificate request will be written to the certreq.txt file in the tst directory.
The certificate request file can now be used to get a signed certificate from the external Certificate Authority.
Importing the Certificate into the PIVKey
Save the signed certificate returned by the CA as "signed.cer" in the tst directory.
Run the following as administrator:
certreq -accept signed.cer
c:\tst>certreq -accept signed.cer
Serial Number: 053f
Subject: CN=Name Of The Subject, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country
NotBefore: 2/21/2016 1:58 PM
NotAfter: 4/22/2022 1:58 PM
You will be prompted for the PIN to import the certificate.
The certificate is now stored on the PIVKey, paired with the private key that was generated there. certutil -scinfo lists the key containers and certificates on the inserted card if you want to confirm.
The following is an example of the INF file needed for Certreq.exe. Customize the Subject as needed. The request parameters go under the [NewRequest] section and the extended key usage OIDs under their own [EnhancedKeyUsageExtension] section; certreq rejects an INF without these section headers. Microsoft has additional documentation on the certificate request parameters here: Certreq Documentation.
;----------------- request.inf -----------------
[NewRequest]
Subject = "CN=Name Of The Subject, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
KeySpec = 1                  ; AT_KEYEXCHANGE
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE           ; the private key must stay on the card
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 1             ; must match the type certutil -csplist reports for this CSP (1 = PROV_RSA_FULL)
RequestType = PKCS10
KeyUsage = 0xa0              ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
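The whole procedure, driven from an elevated PowerShell prompt, as an added example that is not part of the PIVKey tutorial. It writes the INF with the provider type read from certutil -csplist so the value cannot be mismatched, creates the request, and after the CA has signed it imports the certificate and checks that the installed certificate is linked to a key in a hardware CSP. The working directory, subject, the LocalMachine\My store location and the layout of the certutil -csplist output are assumptions.

```powershell
# Added example (not from the PIVKey tutorial): runs the certreq workflow end to end from an
# elevated PowerShell prompt with the PIVKey inserted. The directory, subject and store
# location are assumptions; adjust them for your environment.

$WorkDir = 'C:\tst'      # assumption: same working directory the tutorial uses
$Subject = 'CN=Name Of The Subject, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country'
$CspName = 'Microsoft Base Smart Card Crypto Provider'
$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'certreq.txt'
$CerPath = Join-Path $WorkDir 'signed.cer'

function Get-CspProviderType {
    # Reads the registered provider type from 'certutil -csplist' so the INF cannot carry a
    # mismatched ProviderType. Assumption about the output layout: each CSP is printed as
    # "Provider Name: <name>" followed by "Provider Type: <n> - <symbol>".
    param([string]$ProviderName)
    $lines = @(& certutil.exe -csplist)
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match ('^Provider Name:\s*' + [regex]::Escape($ProviderName) + '\s*$') -and
            $lines[$i + 1] -match '^Provider Type:\s*(\d+)') {
            return [int]$Matches[1]
        }
    }
    return $null
}

function New-PivKeyRequestInf {
    param([string]$Path, [string]$Subject, [string]$ProviderName, [int]$ProviderType)
    # ProviderName forces key generation on the card; Exportable = FALSE keeps it there.
    $inf = @"
[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "$ProviderName"
ProviderType = $ProviderType
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

function New-PivKeyRequest {
    param([string]$InfPath, [string]$ReqPath)
    # The key pair is generated on the card here; expect the PIN prompts.
    & certreq.exe -new $InfPath $ReqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    # Inspect the CSR before sending it to the CA: subject, key size and requested EKU.
    & certutil.exe -dump $ReqPath
}

function Import-PivKeyCertificate {
    param([string]$CerPath)
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # Assumption: with MachineKeySet = TRUE the certificate is installed into LocalMachine\My.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cer.Thumbprint }
    if (-not $cert) { throw "certificate $($cer.Thumbprint) not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'certificate is installed but not linked to a private key' }
    # The legacy PrivateKey accessor returns the CAPI key object for a CSP-backed key; its
    # container info names the provider and reports whether it is a hardware device.
    $rsa = $cert.PrivateKey
    if (-not $rsa) { throw 'private key is not reachable through the CAPI provider' }
    $info = $rsa.CspKeyContainerInfo
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Provider       = $info.ProviderName
        HardwareDevice = $info.HardwareDevice
        Exportable     = $info.Exportable
    }
}

# Step 1: build the INF and create the request (on-card key generation).
$type = Get-CspProviderType -ProviderName $CspName
if ($null -eq $type) { throw "CSP '$CspName' is not registered; is the PIVKey minidriver installed?" }
New-PivKeyRequestInf -Path $InfPath -Subject $Subject -ProviderName $CspName -ProviderType $type
New-PivKeyRequest -InfPath $InfPath -ReqPath $ReqPath
# Step 2: have the external CA sign certreq.txt, save the result as signed.cer, then run:
# Import-PivKeyCertificate -CerPath $CerPath
```

Import-PivKeyCertificate returns an object whose Provider should name the smart card CSP, HardwareDevice should be True and Exportable should be False; anything else means the key was created in a software container on the host and the request should be redone. Touching the private key may raise a PIN prompt, as the certreq steps do.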