There is a good chance you won't need this to install a certificate. Windows Server has a set of GUI tools that generate a certificate request and install the result for you. My problem was that SBS 2003 doesn't have an up-to-date list of country codes while our CA does, so I had to do it manually, which isn't hard at all.
In my case I needed a certificate for the OWA listener on an ISA 2004 SP3 server, which bridges the outside world with an external certificate and the inside with an internal one.
Create a folder such as C:\certs and create a file named certreq.inf in it:
[NewRequest]
Subject = "O=MyCompany,OU=MyWebmail,C=CC,S=MyCountry,L=MyCity,CN=corp.mydomain.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
Silent = FALSE
Replace MyCompany with your organisation name, put something descriptive such as Webmail in OU, then fill in your state/country and the two-letter ISO country code in C. CN is the domain name you are protecting with the SSL certificate. Our CA (Comodo) issues 2048-bit certificates; put whatever key length your CA requires in KeyLength (2048 bits is the minimum public CAs accept). Everything you enter under Subject must match what you submit to your CA through its online application. The remaining keys are worth understanding: KeySpec = 1 (AT_KEYEXCHANGE) makes the key usable for both signing and key exchange, which SSL needs; KeyUsage = 0xA0 is digitalSignature (0x80) plus keyEncipherment (0x20); Exportable = FALSE keeps the private key on this machine so it cannot be copied off it; MachineKeySet = TRUE puts the key under the computer account, where the ISA and IIS services can use it.
Next, open a command prompt in that folder and run:
certreq -new certreq.inf certreq.req
We now have our certificate request. Open certreq.req with a text editor such as Notepad++ and paste its contents into your CA's online interface, or upload the file to their system. The .req file contains only the subject and the public key; the private key stays in the machine's pending-request store, so the issued certificate must be installed on the same machine that generated the request. Usually you'll have to wait a couple of hours before your new certificate is created.
When you receive the certificate, put it in the proper store using MMC. Open MMC, use Add/Remove Snap-in to add Certificates for "Computer account > Local computer", and import the certificate into the Personal store. If your CA also supplied its root and intermediate certificates, import those into Trusted Root Certification Authorities and Intermediate Certification Authorities respectively so the chain can be built; the server certificate itself does not belong in Trusted Root. You can also add the certificate to the ISA Server store by adding a second Certificates snap-in for "Service account > Local computer" and selecting the ISA firewall service.
After that you should be able to choose your new certificate in the OWA listener.
If you don't see the certificate listed in the OWA listener, it was probably imported without being linked to the private key that certreq -new created. Don't worry, you can fix that in two easy steps.
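As an added example (this is not code from the original post), the request-generation steps above as one PowerShell script: it builds certreq.inf from parameters, sanity-checks the subject values before certreq sees them, runs certreq -new, and then confirms that the pending request, and with it the private key, actually landed in the machine store before the CSR is sent off. All default values and the C:\certs path are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Defaults are assumptions.
param(
    [string]$CommonName = "corp.mydomain.com",
    [string]$Org        = "MyCompany",
    [string]$OrgUnit    = "MyWebmail",
    [string]$Country    = "CC",
    [string]$State      = "MyCountry",
    [string]$City       = "MyCity",
    [int]   $KeyLength  = 2048,
    [string]$WorkDir    = "C:\certs"
)
$ErrorActionPreference = "Stop"

# Catch the mistakes the CA would otherwise reject hours later.
if ($Country.Length -ne 2) { throw "C= must be the two-letter ISO country code" }
if ($KeyLength -lt 2048)   { throw "public CAs do not issue for keys shorter than 2048 bits" }
foreach ($v in $CommonName, $Org, $OrgUnit, $State, $City) {
    # A comma inside a value would be read by certreq as an RDN separator.
    if ($v -match ",") { throw "subject value '$v' must not contain a comma" }
}

if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
$infPath = Join-Path $WorkDir "certreq.inf"
$reqPath = Join-Path $WorkDir "certreq.req"

# Same attributes and order as the post's INF. The CA compares these with what
# you type into its web form, so they must match exactly.
$subject = "O=$Org,OU=$OrgUnit,C=$Country,S=$State,L=$City,CN=$CommonName"

$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = $KeyLength
; AT_KEYEXCHANGE: usable for both signing and key exchange, which SSL needs.
KeySpec = 1
; 0x80 digitalSignature + 0x20 keyEncipherment
KeyUsage = 0xA0
; Keep the private key on this machine; it cannot be exported or copied elsewhere.
Exportable = FALSE
; Store the key under the computer account so the ISA and IIS services can use it.
MachineKeySet = TRUE
; FALSE, as in the post, lets the CSP show its dialogs; TRUE suppresses them.
Silent = FALSE
; The default request format, stated explicitly.
RequestType = PKCS10
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# certreq.req holds only the subject and the public key. The private key sits in
# the machine's Certificate Enrollment Requests (REQUEST) store; if it is not
# listed here, the signed certificate will later import without a private key.
& certutil.exe -store REQUEST

# This is what gets pasted into the CA's online form.
Get-Content $reqPath
```

Run it from an administrator prompt, since writing to the machine key store requires it. The validation at the top is deliberately strict: a comma or a wrong country code in the subject is exactly the kind of thing the CA's form rejects and that the GUI wizard on SBS 2003 cannot work around.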
First, copy your certificate (for example corp_mydomain_com.cer) to C:\certs, open a command prompt in that folder and enter:
certutil -addstore my corp_mydomain_com.cer
You should see something like "CertUtil: -addstore command completed successfully." Leave the command prompt open.
Second, open MMC and find the imported certificate in the Personal store. Right-click it and choose Open (or All Tasks > Open), switch to the Details tab and set the Show drop-down to All. Select Thumbprint in the field list, then select all of the hex characters in the lower pane and press Ctrl+C (that pane has no right-click copy). Return to the command prompt and run:
certutil -repairstore my "thumbprint"
where "thumbprint" is the value you just copied from the opened certificate (the spaces between the byte pairs are fine as long as the value is quoted).
You should see a message like "Encryption test passed CertUtil: -repairstore command completed successfully."
You can now bind the certificate to your web server, for example IIS, if you wish.
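As an added example (again, not code from the original post), the install-and-repair steps as a PowerShell script. It first tries certreq -accept, which installs an issued certificate and binds it to the pending request's private key in one step, and only falls back to the certutil -addstore route above if that fails. The thumbprint is read straight from the store instead of being copied from the MMC Details tab, and the script refuses to finish until HasPrivateKey is true. The .cer path and common name are assumptions.

```powershell
# Added example, not from the original post. Path and CN are assumptions.
param(
    [string]$CerPath    = "C:\certs\corp_mydomain_com.cer",
    [string]$CommonName = "corp.mydomain.com"
)
$ErrorActionPreference = "Stop"
if (-not (Test-Path $CerPath)) { throw "certificate file not found: $CerPath" }

# Preferred route: certreq -accept installs the certificate and pairs it with the
# key that certreq -new left in the pending-request store.
& certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certreq -accept failed ($LASTEXITCODE); falling back to certutil -addstore"
    & certutil.exe -addstore my $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed ($LASTEXITCODE)" }
}

# Find the newest certificate for this CN in LocalMachine\My. Escape the CN so
# the dots in the host name are matched literally.
$pattern = "CN=" + [regex]::Escape($CommonName) + "(,|$)"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($cert -eq $null) { throw "no certificate for $CommonName in LocalMachine\My" }

# HasPrivateKey is the same fact the MMC General tab reports as
# "You have a private key that corresponds to this certificate".
if (-not $cert.HasPrivateKey) {
    # Re-link the certificate to the private key created by certreq -new.
    & certutil.exe -repairstore my $cert.Thumbprint
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed ($LASTEXITCODE)" }
    # Re-read the store entry; the object fetched before the repair is stale.
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $cert.Thumbprint)
}

"Subject:         " + $cert.Subject
"Thumbprint:      " + $cert.Thumbprint
"Has private key: " + $cert.HasPrivateKey
"Expires:         " + $cert.NotAfter

if (-not $cert.HasPrivateKey) {
    throw "still no private key: the pending request was deleted, or the CSR was made on another machine"
}
```

Run it from an administrator prompt. If the final check still fails, no amount of repairstore will help: the key that certreq -new generated is gone or lives on a different machine, and the only fix is a new request and a reissued certificate.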
There is one more way to check that the certificate is usable and that the pending request wasn't deleted before the install. We usually use it when IIS already has a certificate for a website and we want to test a new one without removing the old one. Right-click Default Web Site and create a new website, call it testsite and point it at an empty folder such as C:\testsite. Then right-click testsite, go to Properties > Directory Security and assign the new certificate. After that try "View Certificate": if the export wizard greys out the option to export the private key, the certificate is probably not linked to one, and without a private key ISA Server won't list the certificate at all. Bear in mind that with Exportable = FALSE in the INF the private-key export option is greyed out as well, so for such keys the conclusive checks are the "You have a private key that corresponds to this certificate" line on the certificate's General tab or the "Encryption test passed" message from certutil -repairstore.
This concludes the quick certificate generation from the command line.