How do I request an IU workstation authentication (offline request) certificate?

Notes:

  1. Prepare a certificate request file:
      ;----------------- request.inf -----------------
      [Version]
      
      Signature="$Windows NT$"
      
      [NewRequest]
      
      Subject = "CN=XX-UNIT-EXAMPLE.ads.iu.edu" 
      ; 
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
      ;
      KeySpec = 1
      KeyLength = 2048
      Exportable = TRUE
      FriendlyName = "IUWorkstation Authentication (Offline request)" 
      ;
      ;friendly name for request
      ;
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0
    
      [EnhancedKeyUsageExtension]
    
      OID=1.3.6.1.5.5.7.3.2 ; this is for Client Authentication
    
      [Extensions]
    
      2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.ads.iu.edu" 
      ;
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
      ;
      ;-----------------------------------------------
  2. Create the CSR. Following is an example certreq.exe command:
      certreq -new request.inf offline-workstation.csr
  3. Select the correct CA config for your site:
    • IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA
      • IU Bloomington
      • IU Southeast
      • IUPUC Columbus
    • IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA
      • IUPUI Indianapolis
      • IU East
      • IU Kokomo
      • IU Northwest
      • IU South Bend
  4. Submit the CSR.
    • Example certreq.exe commands:
      • certreq.exe -submit -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
      • certreq.exe -submit -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
    • Example output:
        RequestId: 50
        RequestId: "50"
        Certificate request is pending: Taken Under Submission (0)
  5. Approve/deny request: The request will be processed within 1-2 business days.
  6. Retrieve certificate: The approval email message will include the certreq command with the CA config and RequestId to retrieve the offline workstation certificate. Examples:
    •   certreq -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -retrieve 50 offline-workstation.cer
    •   certreq -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -retrieve 50 offline-workstation.cer
  7. Import certificate: Import the offline-workstation.cer to the Local Computer - Personal store.
  8. Export certificate with key: Export certificate from Local Computer - Personal store with private key (PFX).
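
One way to carry out steps 7 and 8 from PowerShell, with checks before the private key leaves the machine. This is an added example, not part of the original Knowledge Base document. It assumes an elevated prompt on the same machine where certreq -new was run, uses certreq -accept for the import, and the .pfx file name is an assumed choice.

```powershell
# Added example (not from the original document): steps 7-8 in PowerShell.
# Assumptions: elevated prompt, same machine that ran "certreq -new",
# and offline-workstation.cer is the file written by "certreq -retrieve".
$ErrorActionPreference = 'Stop'

$fqdn    = 'XX-UNIT-EXAMPLE.ads.iu.edu'   # same name used in request.inf
$cerFile = 'offline-workstation.cer'
$pfxFile = 'offline-workstation.pfx'      # assumed output name

# Step 7: install into Local Computer - Personal and bind the certificate
# to the private key that the pending request left in the machine key store.
certreq.exe -accept -machine $cerFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Find the installed certificate by the thumbprint of the retrieved file,
# so an older certificate with the same name is never exported by mistake.
$cerPath = (Resolve-Path $cerFile).ProviderPath
$issued  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$cert    = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)"

# Check that the CA issued what request.inf asked for.
if (-not $cert.HasPrivateKey) {
    throw 'No private key is bound to this certificate; was the CSR created on this machine?'
}
$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication, as in request.inf
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $clientAuthOid) {
    throw 'Issued certificate is missing the Client Authentication EKU.'
}
if ($cert.DnsNameList.Unicode -notcontains $fqdn) {
    throw "Issued certificate does not carry the DNS name $fqdn."
}

# Step 8: export certificate and private key as a password-protected PFX.
# The password is read interactively so it is not stored in the script
# or in the console history.
$password = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxFile -Password $password | Out-Null

Write-Output "Exported $($cert.Subject) [$($cert.Thumbprint)] to $pfxFile"
```

The PFX holds the workstation's private key, so move it over a protected channel and delete the copy once it is installed on the target workstation.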

This is document beef in the Knowledge Base.
Last modified on 2015-03-04 00:00:00.
