The certreq command in Windows

Certreq can be used to request a certificate from a certification authority (CA), retrieve a response to a previous request from a CA, create a new request from an .inf file, accept and install a response to a request, construct a cross-certification or qualified subordination request from an existing CA certificate or request, and sign a cross-certification or qualified subordination request.


Earlier versions of certreq may not provide all of the options described in this document. You can see all the options that a specific version of certreq provides by running the commands shown in the Syntax notation section below.

Verbs used with the certreq command

The following table describes the verbs that can be used with the certreq command:

  -submit: Submits a request to a CA. For more information, see Certreq -submit.
  -retrieve RequestID: Retrieves a response to a previous request from a CA. For more information, see Certreq -retrieve.
  -new: Creates a new request from an .inf file. For more information, see Certreq -new.
  -accept: Accepts and installs a response to a certificate request. For more information, see Certreq -accept.
  -policy: Sets the policy for a request. For more information, see Certreq -policy.
  -sign: Signs a cross-certification or qualified subordination request. For more information, see Certreq -sign.
  -enroll: Enrolls for or renews a certificate. For more information, see Certreq -enroll.
  -?: Displays the list of certreq syntax, options and descriptions.
  <verb> -?: Displays help for the specified verb.
  -v -?: Displays a verbose list of certreq syntax, options and descriptions.

Syntax notation

For the basic command line syntax, run:

 certreq -? 

For the syntax of certreq with a specific verb, run:

 certreq <verb> -? 

To send all certreq syntax to a text file, run the following commands:

 certreq -v -? > certreqhelp.txt 
 notepad certreqhelp.txt 

The following table describes the symbols used to indicate the command line syntax.

  Text without square brackets or braces: Items you must type as shown.
  <Text inside angle brackets>: Placeholder for which you must supply a value.
  [Text inside square brackets]: Optional items.
  {Text inside braces}: Set of required items; choose one.
  Vertical bar (|): Separator for mutually exclusive items; choose one of them.
  Ellipsis (...): Items that can be repeated.

Certreq -submit

-submit is the default certreq.exe verb: if no verb is specified at the command prompt, certreq.exe tries to submit a certificate request to a CA.

 CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]] 

You must specify the certificate request file when using the -submit option. If this parameter is omitted, a File Open window is displayed, in which you can select the certificate request file.

You can use these examples as a starting point for your own certificate requests. To submit a simple certificate request, use the example below:

 certreq -submit certRequest.req certnew.cer certnew.pfx 

Certreq -retrieve

 certreq -retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]] 
  1. If you do not specify a CAComputerName or CAName in -config CAComputerName\CAName, a dialog box appears and displays a list of all available CAs.
  2. If you use -config - instead of -config CAComputerName\CAName, the operation is processed by the default CA.
  3. You can use certreq -retrieve RequestID to retrieve the certificate once the CA has actually issued it. RequestID can be a decimal value, a hexadecimal value with the 0x prefix, or a certificate serial number without a 0x prefix. You can also use it to retrieve any certificate the CA has ever issued, including revoked or expired certificates, regardless of whether the certificate's request was ever in a pending state.
  4. If you submit a request to the CA, the CA policy module can leave the request in a pending state and return the RequestID to the certreq caller. Eventually, the CA administrator issues the certificate or denies the request.

The following command retrieves the id 20 certificate and creates a certificate file (.cer):

 certreq -retrieve 20 MyCertificate.cer 

Certreq -new

 certreq -new [Options] [PolicyFileIn [RequestFileOut]] 

Because INF files allow a rich set of parameters and options, it is difficult to define a default template that administrators should use for all purposes. Therefore, this section describes all the options so that you can create an INF file that fits your specific needs. The following keywords are used to describe the INF file structure.

  1. A section is an area in the INF file that groups a logical set of keys. The section name always appears in square brackets in the INF file.
  2. A key is the parameter to the left of the equals sign.
  3. A value is the parameter to the right of the equals sign.

For example, a minimal INF file will look like this:

 [NewRequest]
 ; At least one value must be set in this section
 Subject = ""

The following sections can be added to the INF file. The [NewRequest] section is required: the INF file acts as a template for the new certificate request, and this section needs at least one key with a value:

Subject
  Several applications rely on the subject information in a certificate, so you should specify a value for this key. If the subject is not set here, include the subject name in the subject alternative name extension so that it can stand in for the certificate subject.
  Value: "CN=<name>"
  Example: Subject = "CN=John Smith,CN=Users,DC=Contoso,DC=com"

Exportable
  If this attribute is set to TRUE, the private key can be exported together with the certificate. For a high level of security, private keys should not be exportable; however, in some cases it may be required, for example when several computers or users have to share the same private key. CNG keys can distinguish between this and plain-text exportable; CAPI1 keys cannot.
  Value: true, false
  Example: Exportable = TRUE

ExportableEncrypted
  Specifies whether the private key should be set to be exportable.
  Value: true, false
  Example: ExportableEncrypted = true

HashAlgorithm
  The hash algorithm used for this request.
  Value: sha256, sha384, sha512, sha1, md5, md4, md2
  Example: HashAlgorithm = sha1
  Tip: Not all public key sizes and algorithms work with all hash algorithms, and the specified CSP must also support the specified hash algorithm. To see a list of supported hash algorithms, run:
   certutil -oid 1 | findstr pwszCNGAlgid | findstr /v CryptOIDInfo

KeyAlgorithm
  The algorithm that the provider uses to generate the public and private key pair.
  Value: RSA, DH, DSA, ECDH_P256, ECDH_P521, ECDSA_P256, ECDSA_P384, ECDSA_P521
  Example: KeyAlgorithm = RSA

KeyContainer
  Do not set this parameter for new requests, where new key material is generated; the key container is created and maintained automatically by the system. For requests that use existing key material, set this value to the key container name of the existing key. Use certutil -key to display the list of available key containers in the machine context, and certutil -key -user for the context of the current user.
  Value: random string value
  Example: KeyContainer = {C347BD28-7F69-4090-AA16-BC58CF4D749C}
  Tip: Put quotation marks around any INF key value that contains spaces or special characters to avoid INF parsing problems.

KeyLength
  Defines the length of the public and private key. The key length affects the security level of the certificate: larger key lengths generally provide a higher level of security, but some applications may have limitations on the key length.
  Value: any key length supported by the cryptographic service provider
  Example: KeyLength = 2048

KeySpec
  Specifies whether the key can be used for signatures, for exchange (encryption), or for both.
  Value: AT_NONE, AT_SIGNATURE, AT_KEYEXCHANGE
  Example: KeySpec = AT_KEYEXCHANGE

KeyUsage
  Defines what the certificate key should be used for.
  Value: CERT_DIGITAL_SIGNATURE_KEY_USAGE - 80 (128)
  Tip: The values shown are hexadecimal (decimal) for each bit. The older syntax can also be used: a single hexadecimal value with multiple bits set, instead of the symbolic names. For example, KeyUsage = 0xa0.
  Tip: If there are multiple values, separate them with the (|) sign, and put them in quotation marks to avoid INF parsing problems.

KeyUsageProperty
  Retrieves a value that identifies the specific purposes for which the private key can be used.
  Value: NCRYPT_ALLOW_DECRYPT_FLAG - 1
         NCRYPT_ALLOW_ALL_USAGES - ffffff (16777215)
  Example: KeyUsageProperty = "NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"

MachineKeySet
  This key is important when you need to create a certificate that is owned by the machine rather than a user. The generated key material is kept in the security context of the security principal (user or computer account) that created the request. When an administrator creates a certificate request on behalf of a computer, the key material must be created in the machine's security context, not the administrator's; otherwise the machine cannot access the private key, because it would be in the administrator's security context.
  Value: true, false
  Example: MachineKeySet = true
  Tip: The default value is false.

NotBefore
  Specifies a date, or date and time, before which the request cannot be issued. NotBefore can be used with ValidityPeriod and ValidityPeriodUnits.
  Value: date, or date and time
  Example: NotBefore = "7/24/2012 10:31 AM"

NotAfter
  Specifies a date, or date and time, after which the request cannot be issued. NotAfter cannot be used with ValidityPeriod or ValidityPeriodUnits.
  Value: date, or date and time
  Example: NotAfter = "9/23/2014 10:31 AM"
  Tip: NotBefore and NotAfter apply only to RequestType = cert. Date parsing attempts to be locale-sensitive; using the month name disambiguates the date and should work in every locale.

PrivateKeyArchive
  The PrivateKeyArchive setting works only if the corresponding RequestType is set to CMC, because only the Certificate Management Messages over CMS (CMC) request format allows the requester's private key to be transferred securely to the CA for archival.
  Value: true, false
  Example: PrivateKeyArchive = True

EncryptionAlgorithm
  The encryption algorithm to use. The options may vary depending on the operating system version and the set of cryptographic providers installed. The specified CSP must also support the algorithm and the corresponding encryption length. To see a list of available algorithms, run:
   certutil -oid 2 | findstr pwszCNGAlgid
  Example: EncryptionAlgorithm = 3des

EncryptionLength
  The length of the encryption algorithm to use.
  Value: any length allowed by the specified encryption algorithm
  Example: EncryptionLength = 128

ProviderName
  The provider name is the display name of the CSP. If you do not know the provider name of the CSP you are using, run certutil -csplist from a command line; the command displays the names of all CSPs available on the local system.
  Example: ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType
  The provider type is used to select specific providers based on specific algorithm capabilities, such as "RSA Full". If you do not know the provider type of the CSP you are using, run certutil -csplist from a command line; the command displays the provider type of all CSPs available on the local system.
  Example: ProviderType = 1

RenewalCert
  If you need to renew a certificate that exists on the system where the certificate request is generated, specify its hash value as the value for this key. The hash value of any certificate is available on the computer where the certificate is stored. If you do not know the hash value, use the Certificates MMC snap-in, open the properties of the certificate to be renewed and look at its "Thumbprint" attribute. Certificate renewal requires the PKCS #7 or CMC request format.
  Value: certificate hash
  Example: RenewalCert = 4EDF274BD2919C6E9EC6A522F0F3B153E9B1582D

RequesterName
  The requester name can be specified for certificate requests if RequestType is set to PKCS #7 or CMC. If RequestType is set to PKCS #10, this key is ignored. RequesterName can only be set as part of the request; you cannot change it in a pending request.
  Value: Domain\User
  Example: RequesterName = "Contoso\BSmith"
  Note: This is for enrolling on behalf of another user. The request must also be signed with an Enrollment Agent certificate, otherwise the CA will reject the request. Use the -cert option to specify the Enrollment Agent certificate.

RequestType
  Specifies the standard used to generate and send the certificate request.
  Value: PKCS10 - 1
         PKCS7 - 2
         CMC - 3
         Cert - 4
  Example: RequestType = CMC
  Tip: The Cert option indicates a self-signed or self-issued certificate. It does not generate a request, but a new certificate, and then installs that certificate. Self-signed is the default. Specify a signing certificate by using the -cert option to create a self-issued certificate that is not self-signed.

SecurityDescriptor
  Contains the security information associated with securable objects. For most securable objects, you can specify the object's security descriptor in the function call that creates the object. The string uses Security Descriptor Definition Language (SDDL) syntax.
  Example: SecurityDescriptor = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
  Tip: This applies only to non-smart-card keys in the machine context.

AlternateSignatureAlgorithm
  Specifies and retrieves a Boolean value that indicates whether the signature algorithm object identifier (OID) for a PKCS #10 request or certificate signature is discrete or combined.
  Value: true, false
  Example: AlternateSignatureAlgorithm = false
  Tip: For RSA signatures, false indicates a PKCS #1 v1.5 signature; true indicates a v2.1 signature.

Silent
  By default, this option allows the CSP to access the interactive user's desktop and request information such as a smart card PIN from the user. If this key is set to TRUE, the CSP must not interact with the desktop and is blocked from displaying any user interface.
  Value: true, false
  Example: Silent = true

SMIME
  If this parameter is set to TRUE, an extension with the OID value 1.2.840.113549.1.9.15 is added to the request. The number of OIDs depends on the installed operating system version and CSP capability; they refer to the symmetric encryption algorithms that Secure Multipurpose Internet Mail Extensions (S/MIME) applications such as Outlook can use.
  Value: true, false
  Example: SMIME = true

UseExistingKeySet
  Specifies that an existing key pair is to be used when building the certificate request. If this key is set to TRUE, you must also specify a value for the RenewalCert key or the KeyContainer key. Do not set the Exportable key, because you cannot change the properties of an existing key. In this case, no key material is generated when the certificate request is built.
  Value: true, false
  Example: UseExistingKeySet = true

KeyProtection
  Specifies a value that indicates how the private key is protected before use.
  Value: XCN_NCRYPT_UI_NO_PROTECTION_FLAG - 0
         XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG - 2
  Example: KeyProtection = NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG

SuppressDefaults
  Specifies a Boolean value that indicates whether the default extensions and attributes are included in the request. The defaults are represented by their object identifiers (OIDs).
  Value: true, false
  Example: SuppressDefaults = true

FriendlyName
  A friendly name for the new certificate.
  Value: text
  Example: FriendlyName = "Server1"

ValidityPeriodUnits
  Specifies the number of units to be used with ValidityPeriod.
  Value: number
  Example: ValidityPeriodUnits = 3
  Note: Used only when RequestType = cert.

ValidityPeriod
  ValidityPeriod must be a US English plural.
  Value: Years, Months, Weeks, Days, Hours, Minutes, Seconds
  Example: ValidityPeriod = Years
  Note: Used only when RequestType = cert.

The [Extensions] section is optional. Each extension is written as OID = value; a long value can be continued on following _continue_ lines, which are concatenated to the previous value. Items in angle brackets are placeholders for your own values. The subject alternative name extension (2.5.29.17) in {text} form, an extension given as a comma-separated OID list, a basic-constraints style {text} value, and the Critical key look like this:

 2.5.29.17 = "{text}"
 _continue_ = "DNS=<host>&"
 _continue_ = "DirectoryName=CN=Name,DC=Domain,DC=com&"
 _continue_ = "URL=http://<host>/&"
 _continue_ = "IPAddress=10.0.0.1&"
 _continue_ = "RegisteredId=<OID>&"
 _continue_ = "<OID>={utf8}String&"
 _continue_ = "<OID>={octet}AAECAwQFBgc=&"
 _continue_ = "<OID>={octet}{hex}00 01 02 03 04 05 06 07&"
 _continue_ = "<OID>={asn}BAgAAQIDBAUGBw==&"
 _continue_ = "<OID>={hex}04 08 00 01 02 03 04 05 06 07"

 <OID> = "{text}"
 _continue_ = "<OID>,"
 _continue_ = "<OID>"

 <OID> = "{text}ca=0&pathlength=3"

 Critical = <OID>

Critical lists the OIDs of the extensions that are to be marked critical.

The following numeric values apply to the keys named:

KeySpec
  AT_NONE - 0
  AT_KEYEXCHANGE - 1

RequestType
  PKCS10 - 1
  PKCS7 - 2
  CMC - 3

SubjectNameFlags
  CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN - 10000000 (268435456)
  CT_FLAG_SUBJECT_REQUIRE_EMAIL - 20000000 (536870912)
  CT_FLAG_SUBJECT_ALT_REQUIRE_DNS - 8000000 (134217728)
  CT_FLAG_SUBJECT_ALT_REQUIRE_UPN - 2000000 (33554432)

X500NameFlags
  CERT_NAME_STR_NONE - 0
  CERT_NAME_STR_SEMICOLON_FLAG - 40000000 (1073741824)
  CERT_NAME_STR_NO_PLUS_FLAG - 20000000 (536870912)
  CERT_NAME_STR_NO_QUOTING_FLAG - 10000000 (268435456)
  CERT_NAME_STR_CRLF_FLAG - 8000000 (134217728)
  CERT_NAME_STR_COMMA_FLAG - 4000000 (67108864)
  CERT_NAME_STR_REVERSE_FLAG - 2000000 (33554432)
  CERT_NAME_STR_FORWARD_FLAG - 1000000 (16777216)


SubjectNameFlags lets the INF file specify which Subject and SubjectAltName extension fields certreq fills in automatically from the properties of the current user or machine: DNS name, UPN and so on. Using the keyword "template" means that the flags of the certificate template are used instead. This allows a single INF file to be used in several contexts to generate requests that match each specific context.

X500NameFlags specifies flags that are passed directly to the CertStrToName API when the Subject INF key is converted to an ASN.1-encoded Distinguished Name.

To request a certificate using certreq, follow the steps in the example below.


The content in this section is based on the default settings for Windows Server 2008 AD CS: for example, the key length is set to 2048, Microsoft Software Key Storage Provider is selected as the CSP, and Secure Hash Algorithm 1 (SHA1) is used. Evaluate these options against the requirements of your company's security policy.

Create a policy file (.inf) by saving the example below in Notepad as RequestConfig.inf (items in angle brackets are placeholders for your own values):

 [NewRequest]
 Subject = "CN=<server FQDN>"
 Exportable = TRUE
 KeyLength = 2048
 KeySpec = 1
 KeyUsage = 0xf0
 MachineKeySet = TRUE
 [RequestAttributes]
 CertificateTemplate="WebServer"
 [Extensions]
 OID = <OID>
 OID = <OID>

On the computer for which you are requesting the certificate, enter the following command:

 CertReq -New RequestConfig.inf CertRequest.req 

The following example illustrates the use of [Strings] section syntax for OIDs and other interpreted data. For example, the new {text} syntax for the EKU extension uses a comma-separated list of OIDs:

 [Version]
 Signature="$Windows NT$"

 [Strings]
 szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
 szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
 szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

 [NewRequest]
 Subject = "CN=TestSelfSignedCert"
 Requesttype = Cert

 [Extensions]
 %szOID_ENHANCED_KEY_USAGE%="{text}%szOID_PKIX_KP_SERVER_AUTH%,"
 _continue_ = "%szOID_PKIX_KP_CLIENT_AUTH%"
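As an added example that is not part of the certreq documentation, the small checker below parses a policy INF the way the [NewRequest] keys are described above (including _continue_ lines and ';' comments) and flags the settings this page says to review against policy: a weak hash, a short RSA key, an exportable private key, and keys that are ignored or invalid for the request type. The two INF samples, the hostnames and the assumed PKCS10 default for RequestType are constructed for the example.

```python
# Constructed weak INF (not from the page): SHA1, exportable 1024-bit key,
# plus keys that need RequestType = cert (NotBefore) or CMC (PrivateKeyArchive).
WEAK_INF = """\
[NewRequest]
Subject = "CN=web01.contoso.example"
Exportable = TRUE
KeyLength = 1024
HashAlgorithm = sha1
MachineKeySet = TRUE
NotBefore = "7/24/2012 10:31 AM"
PrivateKeyArchive = TRUE
[RequestAttributes]
CertificateTemplate = "WebServer"
"""

# Constructed hardened counterpart: non-exportable 2048-bit key, SHA-256, and
# the SAN carried in a 2.5.29.17 {text} extension split over _continue_ lines.
HARDENED_INF = """\
[NewRequest]
Subject = "CN=web01.contoso.example"
Exportable = FALSE
KeyLength = 2048
HashAlgorithm = sha256
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate = "WebServer"
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=web01.contoso.example&"
_continue_ = "DNS=www.contoso.example"
"""

WEAK_HASHES = {"sha1", "md5", "md4", "md2"}
CERT_ONLY = ("notbefore", "notafter", "validityperiod", "validityperiodunits")


def parse_inf(text):
    """Return {section: {key: value}}: keys lower-cased, quotes stripped,
    ';' comment lines skipped, _continue_ values appended to the last key."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, last = line[1:-1].lower(), None
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key == "_continue_" and last is not None:
            sections[current][last] += value
        else:
            sections[current][key] = value
            last = key
    return sections


def lint_inf(text):
    """Return 'Key: problem' strings for the INF text; [] means no findings."""
    inf = parse_inf(text)
    nr, ext = inf.get("newrequest", {}), inf.get("extensions", {})
    true_keys = {k for k, v in nr.items() if v.lower() == "true"}
    reqtype = nr.get("requesttype", "pkcs10").lower()  # PKCS10 assumed as default
    out = []
    if nr.get("hashalgorithm", "").lower() in WEAK_HASHES:
        out.append("HashAlgorithm: %s is weak; use sha256 or stronger" % nr["hashalgorithm"])
    if nr.get("keyalgorithm", "rsa").lower() == "rsa" and int(nr.get("keylength", 2048)) < 2048:
        out.append("KeyLength: RSA keys shorter than 2048 bits are too weak")
    if true_keys & {"exportable", "exportableencrypted"}:
        out.append("Exportable: private key can be exported; use FALSE unless it must be shared")
    if reqtype != "cert" and any(k in nr for k in CERT_ONLY):
        out.append("NotBefore/NotAfter/ValidityPeriod: only honoured when RequestType = cert")
    if "privatekeyarchive" in true_keys and reqtype != "cmc":
        out.append("PrivateKeyArchive: key archival only works when RequestType = CMC")
    if "useexistingkeyset" in true_keys and not any(k in nr for k in ("renewalcert", "keycontainer")):
        out.append("UseExistingKeySet: requires RenewalCert or KeyContainer")
    if not nr.get("subject") and "2.5.29.17" not in ext:
        out.append("Subject: empty and no SAN (2.5.29.17) extension; most applications need one")
    return out
```

An unset KeyLength is left to the provider and is not flagged; run the checker on a policy file before passing it to certreq -new.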

Certreq -accept

 CertReq -accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn] 

The -accept parameter links the private key created earlier with the issued certificate and removes the pending certificate request from the request store (if a matching request exists).

You can use this example to accept a certificate manually:

 certreq -accept certnew.cer 


With the -accept parameter, the -user and -machine options indicate whether the certificate is installed in the user or the machine context. If there is an outstanding request in either context that matches the public key being installed, these options are not needed. If there is no outstanding request, one of them must be specified.

Certreq -policy

 certreq -policy [-attrib AttributeString] [-binary] [-cert CertID] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]] 
  1. The policy file (for example Policy.inf) defines the constraints that are applied to a CA certificate when qualified subordination is defined.
  2. If you type certreq -policy without any additional parameters, a dialog window opens so that you can select the request file (req, cmc, txt, der, cer or crt). Once you have selected the request file and pressed the Open button, another dialog window opens for selecting the INF file.

You can use this example to create a cross-certification request:

 certreq -policy Certsrv.req Policy.inf newcertsrv.req 

Certreq -sign

 certreq -sign [Options] [RequestFileIn [RequestFileOut]] 
  1. If you type certreq -sign without any additional parameters, a dialog window opens so that you can select the request file (req, cmc, txt, der, cer or crt).
  2. Signing a qualified subordination request may require Enterprise Administrator credentials. This is the recommended way to obtain a qualified subordinate certificate.
  3. The certificate used to sign a qualified subordination request is generated from the Qualified Subordination template. Enterprise administrators must either sign the request themselves or grant the user right to the individuals who will sign it.
  4. When you sign a CMC request, several people may have to sign it, depending on the level of assurance associated with the qualified subordination request.
  5. If the qualified subordinate CA you are installing is offline, you must obtain a CA certificate for the qualified subordinate CA from the offline root CA. If the root CA is online, specify the CA certificate for the qualified subordinate CA in the Certificate Services Installation Wizard.

The following command sequence shows how to create a new certificate request, sign it and submit it:

 certreq -new policyfile.inf MyRequest.req 
 certreq -sign MyRequest.req MyRequest_Sign.req 
 certreq -submit MyRequest_Sign.req MyRequest_cert.cer 

Certreq -enroll

To enroll for a certificate:

 certreq -enroll [Options] TemplateName 

To renew an existing certificate:

 certreq -enroll -cert CertId [Options] Renew [ReuseKeys] 

You can only renew a certificate that is still within its validity period. Expired certificates cannot be renewed and must be replaced with a new certificate.

Here is an example of renewing a certificate identified by its serial number:

 certreq -enroll -machine -cert "61 2d 3c fe 00 00 00 00 00 05" Renew 

Below is an example of enrolling for a certificate template called WebServer, using an asterisk (*) to select the policy server through the UI:

 certreq -enroll -machine -policyserver * "WebServer" 


Options

The following table describes the options that can be used with the certreq verbs:

  -any: Forces ICertRequest::Submit to determine the encoding type.
  -attrib AttributeString: Specifies Name and Value string pairs, separated by a colon. Separate Name and Value string pairs with \n (for example, Name1:Value1\nName2:Value2).
  -binary: Formats the output files as binary instead of base64-encoded.
  -PolicyServer "ldap:": Specifies a unique URI or ID for the computer running the Certificate Enrollment Policy Web Service. To select the required file by browsing instead, use a minus sign (-).
  -config ConfigString: Processes the operation by using the CA specified in the configuration string, which is CAHostName\CAName. For an https connection, specify the enrollment server URI. For the local machine CA, use a minus sign (-).
  -Anonymous: Uses anonymous credentials for Certificate Enrollment Web Services.
  -Kerberos: Uses Kerberos (domain) credentials for Certificate Enrollment Web Services.
  -ClientCertificate ClientCertId: ClientCertId can be a certificate thumbprint, CN, EKU, template, email, UPN or the new name=value syntax.
  -UserName UserName: Used with Certificate Enrollment Web Services. UserName can be a SAM name or a domain\user name. This option is used with the -p parameter.
  -p Password: Used with Certificate Enrollment Web Services. Password is the actual user's password. This option is used with the -UserName option.
  -user: Configures the user context for a new certificate request, or specifies the certificate acceptance context. This is the default context if none is specified in the INF file or template.
  -machine: Configures the machine context for a new certificate request, or specifies the certificate acceptance context. For new requests, it must match the MachineKeySet INF key and the template context. If this option is not specified and the template does not set a context, the default is the user context.
  -crl: Includes certificate revocation lists (CRLs) in the output to the PKCS #7 file specified by CertChainFileOut, or to the base64-encoded file specified by RequestFileOut.
  -rpc: Instructs Active Directory Certificate Services (AD CS) to use a remote procedure call (RPC) server connection instead of Distributed COM.
  -AdminForceMachine: Uses the Key Service or impersonation to submit the request from the local system context. The caller must be a local administrator.
  -RenewOnBehalfOf: Submits the renewal on behalf of the subject identified in the certificate. This option sets CR_IN_ROBO when calling ICertRequest::Submit.
  -f: Forces existing files to be overwritten. This also bypasses the template and policy cache.
  -q: Uses quiet mode; suppresses all interactive prompts.
  -Unicode: Writes Unicode output when standard output is redirected or piped to another command, which is useful when certreq is called from Windows PowerShell scripts.
  -UnicodeText: Sends Unicode output when writing base64-encoded data blocks to files.


Formats

The following table describes the file name parameters used in the syntax above:

  RequestFileIn: Base64-encoded or binary input file name: a PKCS #10 certificate request, a CMS certificate request, a PKCS #7 certificate renewal request, an X.509 certificate to be cross-certified, or a KeyGen tag format certificate request.
  RequestFileOut: Base64-encoded output file name.
  CertFileOut: Base64-encoded X.509 file name.
  PKCS10FileOut: For use with certreq -policy only. Base64-encoded PKCS10 output file name.
  CertChainFileOut: Base64-encoded PKCS #7 file name.
  FullResponseFileOut: Base64-encoded full response file name.
  PolicyFileIn: For use with certreq -policy only. The INF file that contains a textual representation of the extensions used to qualify the request.
