Request an IU IPsec (offline request) certificate

  1. Prepare a certificate request file:
      ;----------------- request.inf -----------------
      Signature="$Windows NT$"
      Subject = "" 
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
      KeySpec = 1
      KeyLength = 2048
      Exportable = TRUE
      FriendlyName = "IUIPSec (Offline request)" 
      ;friendly name for request
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0
      OID=; this is for IP security IKE intermediate
  = "{text}" 
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
  2. Create the CSR. The following is an example certreq.exe command:
      certreq.exe -new request.inf offline-ipsec.csr
  3. Select the correct CA config for your site:
    • \Indiana University BL Issuing CA
      • IU Bloomington
      • IU Southeast
      • IUPUC Columbus
    • \Indiana University IN Issuing CA
      • IUPUI Indianapolis
      • IU East
      • IU Kokomo
      • IU Northwest
      • IU South Bend
  4. Submit the CSR.
    • Example certreq.exe commands:
      • certreq.exe -submit -config "\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUIPSec(Offlinerequest)" offline-ipsec.csr
      • certreq.exe -submit -config "\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUIPSec(Offlinerequest)" offline-ipsec.csr
    • Example output:
        RequestId: 50
        RequestId: "50"
        Certificate request is pending: Taken Under Submission (0)
  5. Approve/deny request: The request will be processed within 1-2 business days.
  6. Retrieve certificate: The approval email message will include the certreq command with the CA config and RequestId to retrieve the offline certificate. Examples:
    • certreq -config "\Indiana University BL Issuing CA" -retrieve 50 offline-ipsec.cer
    • certreq -config "\Indiana University IN Issuing CA" -retrieve 50 offline-ipsec.cer
  7. Import certificate: Import the offline-ipsec.cer certificate to the Local Computer - Personal store.
  8. Export certificate with key: Export the certificate from the Local Computer - Personal store with its private key (PFX).
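
Steps 7 and 8 can be scripted with checks before the private key leaves the machine store. The following is an added example, not part of the original Knowledge Base document; it assumes an elevated PowerShell session on the machine that created the CSR, and the output name offline-ipsec.pfx is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example for steps 7-8; not from the original document.
$cerPath = '.\offline-ipsec.cer'   # file written by "certreq -retrieve" (name from the page)
$pfxPath = '.\offline-ipsec.pfx'   # assumed output name, not from the page

# Step 7: import into Local Computer - Personal (Cert:\LocalMachine\My).
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\My
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($imported.Thumbprint)"

# The key pair was generated by "certreq -new" in the machine key set
# (MachineKeySet = TRUE). Without a linked key there is nothing to export.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no linked private key; complete the import on the machine that generated the CSR before exporting."
}

# Confirm the issued certificate matches request.inf (KeyLength = 2048).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa.KeySize -ne 2048) {
    throw "Unexpected RSA key size $($rsa.KeySize); request.inf asked for 2048."
}

# Refuse to package a certificate that is not currently valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Show what is about to be exported so it can be compared with the request.
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter

# Step 8: export certificate and private key as a password-protected PFX.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption EndEntityCertOnly | Out-Null

# Record the hash so the file can be verified after transfer.
Get-FileHash -Path $pfxPath -Algorithm SHA256
```

The PFX contains the private key, so keep it only as long as needed to move it to the target device, then delete the file.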

This is document beeg in the Knowledge Base.
Last modified on 2020-01-23 12:54:22.