Marc Davis
asked on
Powershell and Create CA Sign Cert Request
What is the best way to create a CA Sign Cert Request with multiple SANs in PowerShell?
I need to request a cert with about 120 SANs in it. Obviously, I know that can be done in the GUI but I'd rather not go through the pain of that.
I know PowerShell has the cmdlet: New-SelfSignedCertificate. I am not creating or attempting to create a self-assigned. I need to create a CA signed request so that I can send it to the CA.
Any information on this would be greatly appreciated. If possible, an example with SAN creations would be great.
Thanks!
ASKER
Michael B. Smith, what you provided is based off VBS technology and older Windows Server systems. That will not work. Really need the PowerShell.
Michael Pfister, what you provided *may* work. I might need to tweak a few things, especially for the SANs, because it's not going to be a cert per SAN as it indicates with the import-csv. But I will look into that more as well.
I will let you know how that works.
The script info shows:
It also possible to request a SAN certificate by using the "SAN" parameter.
ASKER
Right, I am looking at that. I need to create 1 cert with almost 100 SANs. I know they state it is "," delimited, so I am going to be looking at that. I know it's using certreq.exe, but if that's what we have then we have to work with that.
VBS works just as well today as it did a decade ago - and it isn't going anywhere.
You can create the same certreq.exe input file with PowerShell as with VBS. But it's still going to call certreq.exe.
Vadim Podan's PKI PowerShell module wraps certreq (and other cert* commands and .NET Framework entry points) with PowerShell. If you've got to have PowerShell, it's the way to go. I've not used it, but he works for one of the few companies that specialize in Windows PKI: https://www.pkisolutions.com/tools/pspki/
ASKER
Thanks for the info and appreciated.
You need to create an INF file that gets passed to certreq.exe. See here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v=ws.10)#to-create-a-requestpolicyinf-file
I think the above is pretty clear. If you have questions, let me know.
Thanks.
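The approach the thread converges on (a PowerShell-generated INF policy file passed to certreq.exe, with every SAN in a single request), as an added example that is not from any poster or from the linked Microsoft page. The input file `san-names.txt`, the output paths, the choice of subject CN and the key settings are assumptions to adjust.

```powershell
# Added example (not from the thread): one certreq.exe request with many DNS SANs.
# Assumed: san-names.txt has one DNS name per line; file names, subject and key
# settings are placeholders. MachineKeySet = TRUE needs an elevated prompt.
$sanFile = '.\san-names.txt'
$infFile = '.\request.inf'
$csrFile = '.\request.csr'

# Normalise the list: trim, lower-case, drop blanks and duplicates (order kept).
$names = @(Get-Content -Path $sanFile |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ } |
    Select-Object -Unique)
if ($names.Count -eq 0) { throw "No SAN names found in $sanFile" }

# Accept only plain (optionally wildcard) DNS names so a stray quote, '&' or '='
# in the input cannot alter the structure of the INF file.
$label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
$dnsPattern = '^(\*\.)?(' + $label + '\.)*' + $label + '$'
$bad = @($names | Where-Object { $_.Length -gt 253 -or $_ -notmatch $dnsPattern })
if ($bad.Count -gt 0) { throw "Invalid DNS name(s): $($bad -join ', ')" }

$inf = @(
    '[Version]'
    'Signature = "$Windows NT$"'
    '[NewRequest]'
    ('Subject = "CN={0}"' -f $names[0])   # first name doubles as the CN (assumption)
    'KeyLength = 2048'
    'KeySpec = 1'
    'Exportable = FALSE'                   # keep the private key non-exportable
    'MachineKeySet = TRUE'
    'HashAlgorithm = SHA256'
    'RequestType = PKCS10'
    'KeyUsage = 0xa0'                      # digital signature + key encipherment
    '[EnhancedKeyUsageExtension]'
    'OID = 1.3.6.1.5.5.7.3.1'              # server authentication (assumed TLS use)
    '[Extensions]'
    '2.5.29.17 = "{text}"'                 # subjectAltName, continued line by line
)
$inf += $names | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }
Set-Content -Path $infFile -Value $inf -Encoding ASCII

# Generate the key pair and PKCS#10 request, then dump it to review the SAN list
# before sending the .csr to the CA.
certreq.exe -new $infFile $csrFile
if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }
certutil.exe -dump $csrFile
```

The private key stays on the machine that ran `certreq.exe -new`, so the issued certificate has to be installed there with `certreq.exe -accept`.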