At IU, how do I request a Client Server Authentication (offline request) certificate?

Following are instructions for requesting a Client Server Authentication (offline request) certificate at Indiana University.

Note: This process must be completed on a domain-joined computer with a domain user account. The subject name (CN=) and alternate subject name (DNS=) entries must follow UITS-required workstation naming conventions for certificate submission; see "At IU, what naming conventions does UITS recommend for Windows computers and groups?"

  1. Prepare a certificate request file (e.g., request.inf):
      ;----------------- request.inf -----------------
      [Version]
      
      Signature="$Windows NT$"
    
      [NewRequest]
       
      Subject = "CN=XX-UNIT-EXAMPLE.csa.offline" 
      ;
      ;replace XX-UNIT-EXAMPLE in the Subject line above with the workstation name, following UITS naming conventions
      ;
      KeySpec = 1
      KeyLength = 2048
      Exportable = TRUE
      FriendlyName = "IU Client Server Authentication (Offline request)" 
      ;
      ;friendly name for request
      ;
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0
     
      [EnhancedKeyUsageExtension]
      
      OID=1.3.6.1.5.5.7.3.2; Client authentication
      OID=1.3.6.1.5.5.7.3.1; Server authentication
    
      [Extensions]
      
      2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.csa.offline" 
      ;
      ;replace XX-UNIT-EXAMPLE in the dns= line above with the workstation name, following UITS naming conventions
      ;
      ;-----------------------------------------------
  2. Use the certreq.exe command to create the certificate signing request (e.g., offline-csa.csr) from your .inf file (e.g., request.inf); for example:
      certreq.exe -new request.inf offline-csa.csr
  3. Submit the CSR (e.g., offline-csa.csr) to the correct certificate authority (CA) for your site:
    • At IU Bloomington, IU Southeast, and IUPU Columbus, submit to IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA; for example:
        certreq.exe -submit -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUClientServerAuthentication(Offlinerequest)" offline-csa.csr
    • At IUPUI, IU East, IU Kokomo, IU Northwest, or IU South Bend, submit to IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA; for example:
        certreq.exe -submit -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUClientServerAuthentication(Offlinerequest)" offline-csa.csr
  4. The command output should include your request ID (e.g., RequestId: 50); it should look similar to this:
      RequestId: 50
      RequestId: "50"
      Certificate request is pending: Taken Under Submission (0)

    The request will be processed within one to two business days.

  5. You will receive an approval email message that includes the certreq command (including the issuing CA and your request ID) for retrieving the offline certificate (e.g., offline-csa.cer). For example:
    • To retrieve an offline certificate for a computer at IUB, IUS, or IUPUC:
        certreq -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -retrieve <RequestId> offline-csa.cer
    • To retrieve an offline certificate for a computer at IUPUI, IUE, IUK, IUN, or IUSB:
        certreq -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -retrieve <RequestId> offline-csa.cer
  6. Import the offline certificate (e.g., offline-csa.cer) to the Local Computer - Personal store.
  7. Export the certificate from the Local Computer - Personal store with the private key (PFX).
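
Steps 6 and 7 can also be done from the command line. The following is an added example, not part of the original instructions: it assumes `certreq -accept -machine` as the import method and a hypothetical output file name `offline-csa.pfx`, and it checks that the private key and both requested EKUs are present before exporting.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# prompt on the computer that created the request (it holds the private key).
$cerPath = '.\offline-csa.cer'   # file retrieved in step 5
$pfxPath = '.\offline-csa.pfx'   # assumption: output name chosen for this example

# Step 6: bind the issued certificate to the pending request's private key and
# install it in the Local Computer - Personal store (LocalMachine\My).
certreq.exe -accept -machine $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# Look the certificate up by the thumbprint of the retrieved file, so a stale
# certificate with the same subject is never exported by mistake.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $cerPath).Path
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction Stop

# A PFX is only useful if the private key generated by certreq -new is attached.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key here; accept it on the requesting computer.'
}

# Confirm the issuing CA kept both EKUs requested in request.inf.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { throw "Issued certificate is missing EKU $oid" }
}

# Step 7: export the certificate with its private key, protected by a password
# that is prompted for rather than stored in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Subject) [$($cert.Thumbprint)] to $pfxPath"
```

Because request.inf sets Exportable = TRUE, the resulting PFX carries the private key; store the file and its password accordingly.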

This is document beyk in the Knowledge Base.
Last modified on 2014-08-19 00:00:00.
