PKI Procedure –
Submitting a “Bring Your Own CSR” Style Cert Request via CMD Line

Overview
Often you may need a certificate for a web app, network appliance, etc. where you are starting from a CSR (Certificate Signing Request) generated from within that app, or provided to you by the maintainer of that app.
In these scenarios, the process is different than a regular “Manual Request”, because the CSR (the request) has already been generated and provided to you. From here, you just need to submit this existing request to a CA and retrieve the generated certificate.
You may be familiar with another method of accomplishing the above by using the ADCS “Web Enrollment” web pages. We strongly recommend AGAINST using or installing Web Enrollment at all, and generally do not install or configure the ADCS Web Enrollment role in new PKI builds.
This procedure details how to accomplish the above via “certreq” command line, and DOES NOT require Web Enrollment to be installed in the environment.
When Manager Approval is not required
Manager Approval can be enforced at a template level on the “Issuance Requirements” tab of the particular Certificate Template. In the screenshot below, certificate manager approval is not required.

If you do not have certificate manager approval enabled at the template level as shown above, then you can use the following method.
Generate your 3rd party CSR
This will depend on what you need to generate a certificate for, so please refer to the manufacturer’s documentation for your specific use case.
In some cases, this CSR might be provided to you by someone else. For example, the admin of your network firewall may generate the CSR from within the firewall’s Admin UI, and then provide a CSR file to you.
The CSR file can have any number of different file extensions, but the most common are “.csr” and “.req”. In these examples, we have a CSR file ending in “.csr”.
Transfer the CSR to your Issuing CA

Submit the Cert Request
Open an administrative cmd prompt and navigate to the directory that contains your CSR file.
certreq -submit -attrib "CertificateTemplate:TemplateName" Fortigate_CSR_Test_1.csr



Copy your .crt file and bring it over to your 3rd party device that requires the certificate
This will depend on what you need to generate a certificate for, so please refer to the manufacturer’s documentation for your specific use case.
When Manager Approval is Required
Manager Approval can be enforced at a template level on the “Issuance Requirements” tab of the particular Certificate Template. In the screenshot below, certificate manager approval is required. This must be enabled per EACH template that you wish to enforce certificate manager approval on.

Optionally, you can restrict which certificate managers have permission to approve pending certificate requests at the CA level under Properties > Certificate Managers. Defining certificate managers is not required, but it is highly recommended for security purposes.

Restricting certificate managers adds an extra layer of security; however, it also adds an extra layer of management, in that someone must manually approve every CSR that gets submitted.
If you have certificate manager approval enabled at the template level as shown above, then you can use the following method.
Generate your 3rd party CSR
This will depend on what you need to generate a certificate for, so please refer to the manufacturer’s documentation for your specific use case.
Transfer the CSR to your Issuing CA

Submit the Cert Request
Open an administrative cmd prompt and navigate to the directory that contains your CSR file.
certreq -submit -attrib "CertificateTemplate:TemplateName" Fortigate_CSR_Test_1.csr

Note: Pay attention to the RequestID number that is displayed after you submit the request. You will use this number when retrieving the certificate.
Open the Certification Authority console on CA01 and look under Pending Requests:


Right click the pending request > All Tasks > Issue

Return to the administrative command prompt to retrieve the issued certificate by running the following command. Ensure that you substitute the appropriate output path as well as the correct RequestID:
certreq -retrieve 19 Cert_Output2.crt

Your .crt file will then appear in your working directory.
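The certreq steps from both procedures above (auto-issue and manager approval), combined into one PowerShell script. This is an added example, not part of the original procedure: it assumes a CA config string of the form "CAHost\CA common name" (placeholder below) and a template name, uses certreq's -config switch so no CA selection dialog appears, and shows what the third-party CSR actually asks for before it is submitted.

```powershell
# Added example, not part of the original procedure: wraps the certreq steps
# above so the RequestID is captured automatically and both outcomes (issued
# immediately, or pending certificate manager approval) are handled.
# Assumptions/placeholders: $CaConfig is "CAHost\CA common name" for your
# issuing CA; $Template is the template's name (not its display name).
param(
    [string]$CsrPath  = ".\Fortigate_CSR_Test_1.csr",
    [string]$CertPath = ".\Cert_Output2.crt",
    [string]$CaConfig = "CA01\PLACEHOLDER-ISSUING-CA-NAME",
    [string]$Template = "TemplateName"
)

if (-not (Test-Path $CsrPath)) { throw "CSR not found: $CsrPath" }

# Before submitting someone else's CSR, show what it actually asks for
# (subject and any DNS SANs) so it can be checked against the request ticket.
& certutil.exe -dump $CsrPath | Select-String -Pattern 'Subject:', 'DNS Name=' -Context 0,1

# -config names the CA explicitly so certreq does not open the CA picker dialog.
# When the template auto-issues, certreq writes the certificate to $CertPath.
$submitOutput = & certreq.exe -submit -config $CaConfig `
    -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
$submitOutput | Write-Host

# certreq prints 'RequestId: 19' (and a quoted copy); keep the first number.
$idMatch = $submitOutput | Select-String -Pattern '^RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $idMatch) { throw "Could not find a RequestID in certreq output" }
$requestId = $idMatch.Matches[0].Groups[1].Value

if ($submitOutput -match 'Certificate retrieved') {
    Write-Host "RequestID $requestId issued immediately -> $CertPath"
}
elseif ($submitOutput -match 'pending') {
    # Manager approval required: a certificate manager issues it in the
    # Certification Authority console (Pending Requests > All Tasks > Issue).
    Write-Host "RequestID $requestId is pending approval. Once issued, run:"
    Write-Host "  certreq -retrieve -config `"$CaConfig`" $requestId $CertPath"
}
else {
    throw "Unexpected certreq result for RequestID $requestId (exit code $LASTEXITCODE)"
}

# Sanity check before handing the .crt to the device owner: confirm the issued
# subject and validity period match what was requested.
if (Test-Path $CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Get-Item $CertPath).FullName
    Write-Host "Issued to: $($cert.Subject)  Valid until: $($cert.NotAfter)"
}
```

Run it from the directory that holds the CSR; the pending branch prints the exact certreq -retrieve command to run after the request has been issued.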

Copy your .crt file and bring it over to your 3rd party device that requires the certificate
This will depend on what you need to generate a certificate for, so please refer to the manufacturer’s documentation for your specific use case.