Request a Client Server Authentication (offline request) certificate at IU

To request a Client Server Authentication (offline request) certificate at Indiana University:

Note:
This process must be completed on a domain-joined computer with a domain user account. The subject name (CN=) and alternate subject name (DNS=) entries must follow UITS-required workstation naming conventions for certificate submission; see Recommended naming conventions for IU Windows computers and groups.
  1. Prepare a certificate request file (for example, request.inf):
    ;----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=XX-UNIT-EXAMPLE.ads.iu.edu"
    ;
    ;replace XX-UNIT-EXAMPLE in this line with the workstation name; follow UITS naming conventions
    ;
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    FriendlyName = "IU Client Server Authentication (Offline request)"
    ;
    ;friendly name for the request
    ;
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.2 ; Client authentication
    OID=1.3.6.1.5.5.7.3.1 ; Server authentication

    [Extensions]
    2.5.29.17 = "{text}dns=XX-UNIT-EXAMPLE.ads.iu.edu"
    ;
    ;replace XX-UNIT-EXAMPLE in this line with the workstation name; follow UITS naming conventions
    ;
    ;-----------------------------------------------
  2. Use the certreq.exe command to create the certificate signing request (for example, offline-csa.csr) from your .inf file (for example, request.inf):
    certreq.exe -new request.inf offline-csa.csr
  3. Submit the CSR (for example, offline-csa.csr) to the correct certificate authority (CA) for your site:
    • At IU Bloomington, IU Southeast, and IUPUC, submit to IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA; for example:
      certreq.exe -submit -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -attrib "CertificateTemplate:IUClientServerAuthentication(Offlinerequest)" offline-csa.csr
    • At IUPUI, IU East, IU Kokomo, IU Northwest, or IU South Bend, submit to IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA; for example:
      certreq.exe -submit -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -attrib "CertificateTemplate:IUClientServerAuthentication(Offlinerequest)" offline-csa.csr
  4. As a result, you should see output that includes your request ID (for example, RequestId: 50); it should look similar to this:
    RequestId: 50
    RequestId: "50"
    Certificate request is pending: Taken Under Submission (0)

    The request will be processed within one to two business days.

  5. You will receive an approval email message that includes the certreq command (including the issuing CA and your request ID) for retrieving the offline certificate (for example, offline-csa.cer). For example:
    • To retrieve an offline certificate for a computer at IU Bloomington, IU Southeast, or IUPUC:
      certreq -config "IU-MSSG-BLCA.ads.iu.edu\Indiana University BL Issuing CA" -retrieve <RequestId> offline-csa.cer
    • To retrieve an offline certificate for a computer at IUPUI, IU East, IU Kokomo, IU Northwest, IU South Bend, or IU Fort Wayne:
      certreq -config "IU-MSSG-INCA.ads.iu.edu\Indiana University IN Issuing CA" -retrieve <RequestId> offline-csa.cer
  6. Import the offline certificate (for example, offline-csa.cer) to the Local Computer - Personal store.
  7. Export the certificate from the Local Computer - Personal store with the private key (PFX).
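
To confirm that the certificate imported in step 6 is the one requested from this computer before exporting it in step 7, the following PowerShell script is an added example (not part of the IU KB article); it assumes the workstation's own FQDN is the name that was placed in request.inf and uses the article's file name offline-csa.cer.

```powershell
# Added example, not from the IU KB article. Run after step 6 to confirm the
# imported certificate matches what request.inf asked for, then export it as
# in step 7. Assumes this workstation's own FQDN is the name that was put in
# request.inf (CN= and dns=), and uses the article's file name offline-csa.cer.
param(
    [string]$CerPath = 'offline-csa.cer',
    [string]$PfxPath = 'offline-csa.pfx'
)
$cs   = Get-CimInstance Win32_ComputerSystem
$fqdn = "$($cs.Name).$($cs.Domain)"

# Locate the store copy by thumbprint; only the copy in Local Computer\Personal
# is paired with the machine key that certreq -new generated (MachineKeySet=TRUE).
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CerPath).Path
$cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert)               { throw 'Certificate not found in Local Computer\Personal; repeat step 6' }
if (-not $cert.HasPrivateKey) { throw 'No private key is bound; the CSR was not created on this computer' }

# Subject and SAN must both carry the workstation name from request.inf.
if ($cert.Subject -ne "CN=$fqdn")                 { throw "Subject is '$($cert.Subject)', expected 'CN=$fqdn'" }
if ($cert.DnsNameList.Unicode -notcontains $fqdn) { throw "SAN does not list $fqdn" }

# EKUs from [EnhancedKeyUsageExtension]: client (...3.2) and server (...3.1) authentication.
foreach ($oid in '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1') {
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $oid) { throw "Missing EKU $oid" }
}

# KeyUsage = 0xa0 in request.inf is DigitalSignature (0x80) plus KeyEncipherment (0x20).
$ku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$want = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'
if (-not $ku -or ($ku.KeyUsages -band $want) -ne $want) { throw "Key usage is '$($ku.KeyUsages)', expected $want" }

# Step 7: export with the private key; Exportable = TRUE in request.inf is what permits this.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
"OK: $($cert.Subject) ($($cert.Thumbprint)) verified and exported to $PfxPath"
```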

This is document beyk in the Knowledge Base.
Last modified on 2023-07-18 09:16:17.