PIVKey and CertReq.exe

CertReq.exe is a Windows tool for interacting with the Microsoft certificate subsystem. It is especially useful for creating a certificate request with a key generated on the card, so that an external Certificate Authority can sign the certificate.

The following tutorial goes through the process of generating a certificate request using Certreq.exe, and importing a signed certificate to the card.

Certreq INF

Certreq uses an .inf file to configure the certificate request. An example of such an .inf file is included below. To use it with PIVKey, make sure that ProviderName = "Microsoft Base Smart Card Crypto Provider". This setting forces the key pair to be generated on the smart card.

Additional Requirements

The root certificate of the CA must be imported into the computer's Trusted Root Certification Authorities store.
The PIVKey Minidriver must be installed.

Generating the Certificate Request

In this example, the .inf file is located in a directory called "tst" on the C drive, and the same directory is used to store the certificate request and the signed certificate.

Run the following as administrator:

cd c:\tst
certreq -new request.inf certreq.txt

Result:
c:\tst>certreq -new request.inf certreq.txt
CertReq: Request Created

Notes:
You will be prompted for the PIN twice.
The certificate request will be written to the certreq.txt file in the tst directory.
The certificate request file can now be used to get a signed certificate from the external Certificate Authority.

Importing the Certificate into the PIVKey

Save the signed certificate returned by the CA as "signed.cer" in the tst directory.

Run the following as administrator:

cd c:\tst
certreq -accept signed.cer

Example result:
c:\tst>certreq -accept signed.cer
Installed Certificate:
  Serial Number: 053f
  Subject: CN=Name Of The Subject, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country
  NotBefore: 2/21/2016 1:58 PM
  NotAfter: 4/22/2022 1:58 PM
  Thumbprint: c69896f6ae2bbafd5e2f563339d8220b7c6cc589

c:\tst>

Note:
You will be prompted for the PIN to import the certificate.

The Certificate is now stored on the PIVKey.

INF File

The following is an example of the INF file needed for Certreq.exe. Customize the Subject as needed. Microsoft has additional documentation on the certificate request parameters here: Certreq Documentation

;----------------- request.inf -----------------
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=Name Of The Subject, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------
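A pre-flight check for the .inf file above, written as an added example for this article (not code from the article or from the PIVKey product): it parses the INF sections, decodes the KeyUsage mask (0xa0 = digitalSignature + keyEncipherment) and confirms the two settings that keep the key on the card before `certreq -new` is run. The embedded INF is a trimmed copy of the article's request.inf, constructed so the script runs offline.

```python
# Constructed sample: the article's request.inf trimmed to the settings this check looks at.
SAMPLE_INF = """[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=Name Of The Subject, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
Exportable = FALSE
ProviderName = "Microsoft Base Smart Card Crypto Provider"
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
"""

# RFC 5280 KeyUsage bits in the byte layout certreq's KeyUsage value uses (bit 0 = 0x80).
KEY_USAGE_BITS = {0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
                  0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign"}

def _strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted value (e.g. in Subject)."""
    in_quotes = False
    for i, ch in enumerate(line):
        in_quotes ^= ch == '"'
        if ch == ";" and not in_quotes:
            return line[:i]
    return line

def parse_inf(text):
    """Parse INF text into {section: {key: value}}; quotes around values are removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')
    return sections

def decode_key_usage(value):
    """Expand a KeyUsage mask such as 0xa0 into RFC 5280 bit names."""
    return [name for bit, name in KEY_USAGE_BITS.items() if int(value, 0) & bit]

def check_pivkey_request(text):
    """Return the problems that would keep the key off the card; an empty list means the INF is usable."""
    req = parse_inf(text).get("NewRequest", {})
    problems = []
    if req.get("ProviderName") != "Microsoft Base Smart Card Crypto Provider":
        problems.append("ProviderName must be the Base Smart Card CSP so the key is generated on the card")
    if req.get("Exportable", "").upper() != "FALSE":
        problems.append("Exportable must be FALSE for a card-resident key")
    return problems
```

Run `check_pivkey_request(open("request.inf").read())` against your own file; any string it returns points at a setting to fix before generating the request.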
