Request a Client Server Authentication (offline request) certificate at IU
To request a Client Server Authentication (offline request) certificate at Indiana University:
Note: This process must be completed on a domain-joined computer with a domain user account. The subject name (CN=) and alternate subject name (DNS=) entries must follow UITS-required workstation naming conventions for certificate submission; see Recommended naming conventions for IU Windows computers and groups.
- Prepare a certificate request file (for example, request.inf):

      ;----------------- request.inf -----------------
      [Version]
      Signature="$Windows NT$"

      [NewRequest]
      Subject = "CN=XX-UNIT-EXAMPLE.ads.iu.edu"
      ;
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
      ;
      KeySpec = 1
      KeyLength = 2048
      Exportable = TRUE
      FriendlyName = "IU Client Server Authentication (Offline request)"
      ;
      ;friendly name for request
      ;
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0

      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.2; Client authentication
      OID=1.3.6.1.5.5.7.3.1; Server authentication

      [Extensions]
      2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.ads.iu.edu"
      ;
      ;replace XX-UNIT-EXAMPLE in this line with workstation name, follow UITS naming conventions
      ;
      ;-----------------------------------------------
- Use the certreq.exe command to create the certificate signing request (for example, offline-csa.csr) from your .inf file (for example, request.inf); for example:

      certreq.exe -new request.inf offline-csa.csr
- Submit the CSR (for example, offline-csa.csr) to the correct certificate authority (CA) for your site:
  - At IU Bloomington, IU Southeast, and IUPUC, submit to IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA; for example:

        certreq.exe -submit -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUClientServerAuthentication(Offlinerequest)" offline-csa.csr

  - At IUPUI, IU East, IU Kokomo, IU Northwest, or IU South Bend, submit to IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA; for example:

        certreq.exe -submit -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUClientServerAuthentication(Offlinerequest)" offline-csa.csr
- As a result, you should see output that includes your request ID (for example, RequestId: 50); it should look similar to this:

      RequestId: 50
      RequestId: "50"
      Certificate request is pending: Taken Under Submission (0)

  The request will be processed within one to two business days.
- You will receive an approval email message that includes the certreq command (including the issuing CA and your request ID) for retrieving the offline certificate (for example, offline-csa.cer). For example:
  - To retrieve an offline certificate for a computer at IU Bloomington, IU Southeast, or IUPUC:

        certreq -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -retrieve <RequestId> offline-csa.cer

  - To retrieve an offline certificate for a computer at IUPUI, IU East, IU Kokomo, IU Northwest, IU South Bend, or IU Fort Wayne:

        certreq -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -retrieve <RequestId> offline-csa.cer
- Import the offline certificate (for example, offline-csa.cer) to the store.
- Export the certificate from the store with the private key (PFX).
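
The import and export steps above give no commands. One way to carry them out from an elevated PowerShell session, as an added example that is not part of the IU procedure; the output file name offline-csa.pfx is an assumption, and the checks compare the issued certificate against what request.inf asked for:

```powershell
# Added example, not from the IU Knowledge Base. Run elevated on the computer that ran
# "certreq.exe -new", from the folder that holds offline-csa.cer.
$cerPath = (Resolve-Path '.\offline-csa.cer').Path     # file written by certreq -retrieve
$pfxPath = Join-Path (Get-Location) 'offline-csa.pfx'  # assumed output name

# Read the thumbprint from the file so the right store entry is selected afterwards.
$issued = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)

# Import into the machine store and bind to the pending key (MachineKeySet = TRUE in request.inf).
certreq.exe -accept -machine $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

$cert = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction Stop

# Without a bound private key the PFX export cannot succeed.
if (-not $cert.HasPrivateKey) {
    throw 'No private key is bound to this certificate; accept it on the requesting computer.'
}

# Confirm the issued certificate carries both EKUs that request.inf asked for.
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
foreach ($oid in '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1') {
    if ($ekus -notcontains $oid) { throw "Issued certificate is missing EKU $oid" }
}

# Show subject and DNS names for comparison with the CN= and dns= values in request.inf.
$cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint

# Export certificate plus private key; this works because request.inf set Exportable = TRUE.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
Write-Output "Exported $pfxPath"
```

The PFX contains the private key, so keep the file and its password in separate, access-controlled locations and delete working copies once the certificate is deployed.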
This is document beyk in the Knowledge Base.
Last modified on 2023-07-18 09:16:17.