How do I request an IU workstation authentication (offline request) certificate?


  1. Prepare a certificate request file:
      ;----------------- request.inf -----------------
      [Version]
      Signature="$Windows NT$"
      [NewRequest]
      Subject = "" 
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
      KeySpec = 1
      KeyLength = 2048
      Exportable = TRUE
      FriendlyName = "IUWorkstation Authentication (Offline request)" 
      ;friendly name for request
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0
      [EnhancedKeyUsageExtension]
      OID= ; this is for Client Authentication
      = "{text}" 
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
  2. Create the CSR. The following is an example certreq.exe command:
      certreq -new request.inf offline-workstation.csr
  3. Select the correct CA config for your site:
    •\Indiana University BL Issuing CA
      • IU Bloomington
      • IU Southeast
      • IUPUC Columbus
    •\Indiana University IN Issuing CA
      • IUPUI Indianapolis
      • IU East
      • IU Kokomo
      • IU Northwest
      • IU South Bend
  4. Submit the CSR.
    • Example certreq.exe commands:
      • certreq.exe -submit -config "\Indiana University BL Issuing CA" -attrib
        "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
      • certreq.exe -submit -config "\Indiana University IN Issuing CA" -attrib
        "CertificateTemplate:IUWorkstationAuthentication(Offlinerequest)" offline-workstation.csr
    • Example output:
        RequestId: 50
        RequestId: "50"
        Certificate request is pending: Taken Under Submission (0)
  5. Approve/deny request: The request will be processed within 1-2 business days.
  6. Retrieve certificate: The approval email message will include the certreq command with the CA config and RequestId to retrieve the offline workstation certificate. Examples:
    •   certreq -config "\Indiana University BL Issuing CA" -retrieve 50 offline-workstation.cer
    •   certreq -config "\Indiana University IN Issuing CA" -retrieve 50 offline-workstation.cer
  7. Import certificate: Import offline-workstation.cer into the Local Computer - Personal store.
  8. Export certificate with key: Export the certificate from the Local Computer - Personal store with its private key (PFX).
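
Steps 7 and 8 can also be scripted, with checks that the imported certificate is bound to the private key created in step 2 and carries the Client Authentication usage before it is exported. This is an added example, not part of the original procedure; the PFX file name and the password prompt are assumptions.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the computer where "certreq -new" created the key (step 2).
$cerPath       = '.\offline-workstation.cer'   # file retrieved in step 6
$pfxPath       = '.\offline-workstation.pfx'   # assumed output name
$clientAuthOid = '1.3.6.1.5.5.7.3.2'           # Client Authentication EKU

# Step 7: import into Local Computer - Personal (Cert:\LocalMachine\My).
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\My'

# Re-read the certificate from the store so key binding is reflected.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)"

# MachineKeySet = TRUE in request.inf put the private key in the machine key
# store of the requesting computer. Without it, a PFX export cannot work.
# ("certreq -accept" is the certreq command that installs a response and
# binds it to the pending request.)
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this computer. " +
          "Import it on the machine that generated offline-workstation.csr."
}

# Confirm the issued certificate is usable for client authentication.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $clientAuthOid) {
    throw "Certificate $($cert.Thumbprint) lacks the Client Authentication EKU."
}

# Refuse to export a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Step 8: export certificate and private key to a password-protected PFX.
# Exportable = TRUE in request.inf is what permits this export.
$password = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

"Exported {0} ({1}) to {2}" -f $cert.Subject, $cert.Thumbprint, $pfxPath
```

The PFX contains the workstation's private key, so store and transfer it accordingly, and delete any working copies once it is installed on the target workstation.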

Last modified on 2015-03-04 00:00:00.

