certreq
This page is from Microsoft
Updated: January 21, 2005
Requests certificates from a certification authority (CA).
- To submit a request to a CA
- To retrieve a response to a previous request from a CA
- To create a new request from an .inf file
- To accept and install a response to a previous new request
- To construct a cross-certification or qualified subordination request from an existing
- To sign a cross=certification or qualified subordination request
To submit a request to a CA
Syntax
certreq[-submit] [-attrib
AttributeString] [-binary] [-config
CAMachineName\CAName] [-crl] [-rpc]
[RequestFileIn [CertFileOut[CertChainFileOut
[FullResponseFileOut]]]]
Parameters
-submit
Submits a request to a CA.
-attrib AttributeString
Specifies the Name and Value string
pairs, separated by a colon. Separate Name
and Value string pairs with \n (for
example, Name1:Value1\nName2:Value2).
-binary
Formats output files as binary instead of
base64-encoded.
-configCAMachineName\CAName
processes the operation by using the CA specified in
the configuration string (that is, CAMachineName\CAName).
-crl
Includes certificate revocation lists (CRLs) in the
output to the base64-encoded PKCS #7 file specified
by CertChainFileOut or to the base64-encoded
file specified by RequestFileOut.
-rpc
Instructs Certificate Services to use a remote
procedure call (RPC) server connection instead of
Distributed COM.
RequestFileIn
Specifies the base64-encoded or binary input file
that you want to use. The file can be a PKCS #10
certificate request, PKCS #7 certificate renewal
request, KEYGEN tag format certificate request, or a
Certificate Management protocol using Cryptographic
Message Syntax (CMS) request (this protocol is also
known as CMC).
CertFileOut
Specifies the binary or base64-encoded X.509 v3 file
to which you want to send output.
CertChainFileOut
Specifies the binary or base64-encoded PKCS #7 file
to which you want to send output.
FullResponseFileOut
Specifies the binary or base64-encoded Full Response
file to which you want to send output.
-?
Displays a list of certreq commands.
Remarks
- You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
- If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
To retrieve a response to a previous request from a CA
Syntax
certreq-retrieve[-binary] [-config
CAMachineName\CAName] [-crl] [-rpc]
RequestID[CertFileOut[CertChainFileOut [FullResponseFileOut]]]
Parameters
-retrieve
Retrieves a response.
-binary
Formats output files as binary instead of
base64-encoded.
-configCAMachineName\CAName
processes the operation by using the CA specified in
the configuration string (that is, CAMachineName\CAName).
Without this option, the default CA processes the
request.
-crl
Includes certificate revocation lists (CRLs) in the
output to the base64-encoded PKCS #7 file specified
by CertChainFileOut or to the base64-encoded
file specified by RequestFileOut.
-rpc
Instructs Certificate Services to use a remote
procedure call (RPC) server connection instead of
Distributed COM.
RequestID
Specifies the request or certificate that you want
to retrieve.
CertFileOut
Specifies the binary or base64-encoded X.509 v3 file
to which you want to send output.
CertChainFileOut
Specifies the binary or base64-encoded PKCS #7 file
to which you want to send output.
FullResponseFileOut
Specifies the binary or base64-encoded full response
file to which you want to send output.
-?
Displays a list of certreq commands.
Remarks
- You must specify the CAComputerName or CAName in -config CAComputerName\CAName. Otherwise, the Select Certificate Authority dialog box appears and displays a list of all CAs that are available.
- If you use -config - instead of -config CAComputerName\CAName, the operation is processed using the default CA.
- You can use certreq -retrieve RequestID to retrieve the certificate after the CA has actually issued it. You can also use it to retrieve any certificate that has ever been issued by the CA, including revoked or expired certificates, without regard to whether the certificate's request was ever in the pending state.
- If you submit a request to the CA, the policy module of the CA might leave the request in a pending state and return the RequestID to the Certreq caller for display. Eventually, the CA's administrator will issue the certificate or deny the request.
To create a new request from an .inf file
Syntax
certreq-new[-attrib AttributeString] [-binary]
[-cert CertID] [PolicyFileIn [RequestFileOut]]
Parameters
-new
Creates a new request.
-attribAttributeString
Specifies the Name and Value string pairs, separated
by a colon. Separate Name and Value
string pairs with \n (for example, Name1:Value1\nName2:Value2).
-binary
Formats output files as binary instead of
base64-encoded.
-certCertID
Specifies the signing certificate by common name,
serial number, Secure Hash Algorithm (SHA-1) key, or
certificate hash.
PolicyFileIn
Specifies the .inf input file that contains the
extension definitions that you want to use to
qualify a request.
RequestFileOut
Specifies the base64-encoded file to which you want
to send output.
-?
Displays a list of certreq commands.
To accept and install a response to a previous new request
Syntax
certreq-accept [{CertChainFileIn |
FullResponseFileIn | CertFileIn}]
Parameters
-accept
Accepts and installs a response.
CertChainFileIn
Specifies the binary or a base64-encoded input file
that you want to use.
FullResponseFileIn
Specifies the binary or a base64-encoded input file
that you want to use.
CertFileIn
Specifies the binary or a base64-encoded input file
that you want to use.
-?
Displays a list of certreq commands.
To construct a cross-certification or qualified subordination request from an existingCA certificate or request
Syntax
certreq-policy [-attrib AttributeString] [-binary]
[-cert CertID] [RequestFileIn [PolicyFileIn[RequestFileOut
[PKCS10FileOut]]]]
Parameters
-policy
Sets the policy for a request.
-attribAttributeString
Specifies the Name and Value string pairs, separated
by a colon. Separate Name and Value
string pairs with \n (for example, Name1:Value1\nName2:Value2).
-binary
Formats output files as binary instead of
base64-encoded.
-certCertID
Specifies the signing certificate by common name,
serial number, Secure Hash Algorithm (SHA-1) key, or
certificate hash.
RequestFileIn
Specifies the base64-encoded or binary input file
that you want to use. The file can be a PKCS #10
certificate request, PKCS #7 certificate renewal
request, KEYGEN tag format certificate request, a
Certificate Management protocol using Cryptographic
Message Syntax (CMS) request (this protocol is also
known as CMC), or a certificate file of the CA that
you want to cross-certify.
PolicyFileIn
Specifies the .inf input file that contains the
extension definitions that you want to use to
qualify a request.
RequestFileOut
Specifies the base64-encoded file to which you want
to send output.
PKCS10FileOut
Specifies the base64-encoded PKCS #10 file to which
you want to send output.
-?
Displays a list of certreq commands.
To sign a cross-certification or qualified subordination request
Syntax
certreq-sign [-binary] [-certCertID]
[-crl] [RequestFileIn[RequestFileOut]]
Parameters
-sign
Signs a cross-certification or qualified
subordination request.
-binary
Formats output files as binary instead of
base64-encoded.
-certCertID
Specifies the signing certificate by common name,
serial number, Secure Hash Algorithm (SHA-1) key, or
certificate hash.
-crl
Includes certificate revocation lists (CRLs) in the
output to the base64-encoded PKCS #7 file specified
by CertChainFileOut or to the base64-encoded
file specified by RequestFileOut.
RequestFileIn
Specifies the base64-encoded or binary input file
that you want to use. The file can be a PKCS #10
certificate request, PKCS #7 certificate renewal
request, KEYGEN tag format certificate request, a
Certificate Management protocol using Cryptographic
Message Syntax (CMS) request (this protocol is also
known as CMC).
RequestFileOut
Specifies the base64-encoded file to which you want
to send output.
-?
Displays a list of certreq commands.
Formatting legend
| Format | Meaning |
| Italic | Information that the user must supply |
| Bold | Elements that the user must type exactly as shown |
| Ellipsis (...) | Parameter that can be repeated several times in a command line |
| Between brackets ([]) | Optional items |
| Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one |
| Courier font | Code or program output |