Request an IU workstation authentication (offline request) certificate
Notes:
- This process needs to be completed on a domain-joined computer with a domain user account.
- Subject name (CN=) and alternate subject name (dns=) must follow UITS required workstation naming conventions for certificate submission; see Recommended naming conventions for IU Windows computers and groups.
- Prepare a certificate request file:
    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=XX-UNIT-EXAMPLE.ads.iu.edu"
    ;
    ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
    ;
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    FriendlyName = "IUWorkstation Authentication (Offline request)"
    ;
    ;friendly name for request
    ;
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.2 ; this is for Client Authentication

    [Extensions]
    2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.ads.iu.edu"
    ;
    ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
    ;
    ;-----------------------------------------------
- Create the CSR. Following is an example certreq.exe command:
    certreq -new request.inf offline-workstation.csr
- Select the correct CA config for your site:
  - At IU Bloomington, IU Southeast, or IUPUC, select either of the following:
    - IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA
    - BL-CCI-ECA.ads.iu.edu\Indiana University BL Issuing CA 2
  - At IUPUI, IU East, IU Kokomo, IU Northwest, or IU South Bend, select either of the following:
    - IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA
    - IN-CCI-ECA.ads.iu.edu\Indiana University IN Issuing CA 2
- Submit the CSR.
  - Example certreq.exe commands:
      certreq.exe -submit -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
      certreq.exe -submit -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
  - Example output:
      RequestId: 50
      RequestId: "50"
      Certificate request is pending: Taken Under Submission (0)
- Approve/deny request: The request will be processed within two business days.
- Retrieve certificate: The approval email message will include the certreq command with the CA config and RequestId to retrieve the offline workstation certificate. Examples:
    certreq -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -retrieve 50 offline-workstation.cer
    certreq -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -retrieve 50 offline-workstation.cer
- Import certificate: Import the offline-workstation.cer to the Local Computer - Personal store.
- Export certificate with key: Export certificate from Local Computer - Personal store with private key (PFX).
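
A pre-submission check for the request file prepared in the first step, added here as an example and not part of IU's procedure or tooling: it reads the text of request.inf and reports a name left as the placeholder, a CN and SAN dns value that differ, and settings that no longer match the template above. The function name Test-RequestInf and the workstation name XX-UNIT-WS01 are assumptions made for the example.

```powershell
# Added example, not IU's tooling. Test-RequestInf is a hypothetical helper that
# returns a list of problems found in the text of request.inf.
function Test-RequestInf {
    param([Parameter(Mandatory)][string]$InfText)
    $pairs = @{}                                   # key -> value, case-insensitive
    foreach ($line in $InfText -split "`r?`n") {
        $code = ($line -split ';', 2)[0].Trim()    # drop INF comments
        if ($code -match '^([^=\[]+?)\s*=\s*(.+)$') {
            $pairs[$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    $cn  = "$($pairs['Subject'])"   -replace '^CN=', ''
    $san = "$($pairs['2.5.29.17'])" -replace '^\{text\}dns=', ''
    $problems = @()
    if (-not $cn)                              { $problems += 'Subject CN is missing' }
    if ($cn -ne $san)                          { $problems += "CN '$cn' and SAN dns '$san' differ" }
    if ("$cn $san" -match 'XX-UNIT-EXAMPLE')   { $problems += 'Placeholder name not replaced' }
    if ([int]$pairs['KeyLength'] -lt 2048)     { $problems += 'KeyLength is below 2048' }
    if ($pairs['MachineKeySet'] -ne 'TRUE')    { $problems += 'MachineKeySet is not TRUE' }
    if ($pairs['RequestType'] -ne 'PKCS10')    { $problems += 'RequestType is not PKCS10' }
    if ($pairs['OID'] -ne '1.3.6.1.5.5.7.3.2') { $problems += 'EKU is not Client Authentication' }
    return $problems
}

# Constructed sample: the CN was edited but the SAN line still has the placeholder.
$sample = @'
[NewRequest]
Subject = "CN=XX-UNIT-WS01.ads.iu.edu"
KeyLength = 2048
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; this is for Client Authentication
[Extensions]
2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.ads.iu.edu"
'@
Test-RequestInf -InfText $sample
```

To check the real file, pass `(Get-Content .\request.inf -Raw)` as `-InfText` before running `certreq -new`; a request that passes returns nothing.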
This is document beef in the Knowledge Base.
Last modified on 2023-07-17 12:00:18.