Request an IU workstation authentication (offline request) certificate
Notes:
- This process needs to be completed on a domain-joined computer with a domain user account.
- Subject name (
CN=) and alternate subject name (dns=) must follow UITS required workstation naming conventions for certificate submission; see Recommended naming conventions for IU Windows computers and groups.
- Prepare a certificate request file:
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=XX-UNIT-EXAMPLE.ads.iu.edu" ; ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions ; KeySpec = 1 KeyLength = 2048 Exportable = TRUE FriendlyName = "IUWorkstation Authentication (Offline request)" ; ;friendly name for request ; MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.2 ; this is for Client Authentication [Extensions] 2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.ads.iu.edu" ; ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions ; ;----------------------------------------------- - Create the CSR. Following is an example
certreq.execommand:certreq -new request.inf offline-workstation.csr - Select the correct CA config for your site:
- At IU Bloomington, IU Southeast, or IUPUC, select either of the following:
IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CABL-CCI-ECA.ads.iu.edu\Indiana University BL Issuing CA 2
- At IUPUI, IU East, IU Kokomo, IU Northwest, or IU South Bend, select either of the following:
IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CAIN-CCI-ECA.ads.iu.edu\Indiana University IN Issuing CA 2
- At IU Bloomington, IU Southeast, or IUPUC, select either of the following:
- Submit the CSR.
- Example
certreq.execommands:-
certreq.exe -submit -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr -
certreq.exe -submit -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
-
- Example output:
RequestId: 50 RequestId: "50" Certificate request is pending: Taken Under Submission (0)
- Example
- Approve/deny request: The request will be processed within two business days.
- Retrieve certificate: The approval email message will include the
certreqcommand with the CA config and RequestId to retrieve the offline workstation certificate. Examples:-
certreq -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -retrieve 50 offline-workstation.cer certreq -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -retrieve 50 offline-workstation.cer
-
- Import certificate: Import the
offline-workstation.certo theLocal Computer - Personalstore. - Export certificate with key: Export certificate from
Local Computer - Personalstore with private key (PFX).
Related documents
This is document beef in the Knowledge Base.
Last modified on 2023-07-17 12:00:18.