How to create a web server SSL certificate manually

The Internet Information Server (IIS) and Microsoft Internet Security and Acceleration (ISA) provide wizards in the administration user interface to request and install SSL certificates. With this blog post I want to explain how to request a SSL server certificate manually. The manual steps are required if the Certification Authority (CA) is not available in the same forest as the IIS or ISA is a member of.

1. Creating an INF file to set the certificate properties

Use Notepad to modify the following sample INF file according to your needs. Safe the file as ssl.inf for example

Signature="$Windows NT$"

Subject = "CN=SERVER.CONTOSO.COM"   ; For a wildcard use "CN=*.CONTOSO.COM" for example
; For an empty subject use the following line instead or remove the Subject line entierely
; Subject =

Exportable = FALSE                  ; Private key is not exportable
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below


%szOID_SUBJECT_ALT_NAME2% = "{text}"

CertificateTemplate= WebServer


  • leave off the Subject= line if you want the subject to be empty
  • if you don’t need the template to be specified, remove the RequestAttributes section
  • the specification of the enhanced key usage OID is not explicitly required since the EKU is defined in the certificate template. The OID in the INF file above is for explanatory purposes
  • you can click on “OK” for the template not found UI from certreq if the client has no access to templates
  • you can ignore the unreferenced “[Strings]” section dialog when it appears

2. Compiling the INF file into a REQ file

The following command-line command will generate key material and turn the INF file into a certificate request.

certreq –new ssl.inf ssl.req

Once the certificate request was created you can verify the request with the following command:

certutil ssl.req

3. Submitting the REQ file to the CA

If the CA is reachable via RPC over the network, use the following command to submit the certificate request to the CA:

certreq –submit ssl.req

You will get a selection dialog to select the CA from. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately.

If RPC traffic is not allowed between the computer where the certificate request was created and the CA, transfer the certificate request to the CA and perform the above command locally at the CA.

If the certificate template name was not specified in the certificate request above, you can specify it as part of the submission command:

certreq -attrib "CertificateTemplate:webserver" –submit ssl.req

4. Installing the certificate at the IIS or ISA computer

Once the certificate was issued and is available as a file on the target computer, use the following command to install it.

certreq –accept ssl.cer

The installation actually puts the certificate into the computer’s personal store, links it with the key material created in step #1 and builds the certificate property. The certificate property stores information such as the friendly name which is not part of a certificate.

After performing steps 1 to 4 the certificate will show up in the IIS or ISA management interface and can be bound to a web site or a SSL listener.

Comments (25)

  1. Anonymous says:

    This work brilliantly, thanks for taking the time to publish. I managed to create a batch file to automate the whole process via Task Scheduler every 2 years, works a treat. I would like to know how to add a friendly name to the certificate within the ssl.inf file if possible.

  2. Anonymous says:

    I am trying to use what you have here to automate the enrollment of certificates for IIS 7.0 under Windows 2008 Server from our AD Certificate Server.  When I use the WebServer template, I am denied permission to submit the certificate.

    When I use the template name ‘Computer’ (which matched the template name I see when I create a certificate via the MMC certificate console), I get a ‘Template not found’ error.  How do I get the template name that is used when I enroll via MMC?

  3. Anonymous says:

    This worked for me, except that I needed to add a SAN name equal to the subject name to avoid an error where the browser warns that the name of the site does not match the certificate when browsing using https.




    %szOID_SUBJECT_ALT_NAME2% = “{text},”

  4. Could you please share the INF file that you have used. You only have to change the Subject attribute from the above sample.

  5. Anonymous says:

    Hi, I can’t finish second step. Got an error on certreq –new ssl.inf ssl.req command:

    Active Directory Enrollment Policy



    Certificate Request Processor: The string contains an invalid X500 name attribut

    e key, oid, value or delimiter. 0x80092023 (-2146885597)

    cert.inf([NewRequest] Subject = “MySub”)

    Could you please list mandatory parameters and those I have to change for my server?

  6. Rafael, what OS version is the CA running on?

  7. Anonymous says:

    One more question. When I’m creating certificate using Windows Server 2008, could be possible that it is not compatible with windows XP?

  8. To issue a certificate to your TMG box, see…/cc302625.aspx.

    Withouth seeing the actual certificate request, it's impossible to say why the CA is ignoring it. What does the eventlog say?

  9. The "permission denied" problem can be corrected by changing the template permissions with certtempl.msc

    The "Computer" template is not found if the machine is not connected to the forest where the CA is installed. In this case the error can be ignored unless the name of the template is provided in the certutil -submit command (as explained in step #3

  10. From Windows Server 2008 and on you cannot request computer certificates through the web enrollment pages anymore. See also…/cc732517(WS.10).aspx
    and search for "computer certificate"

  11. The [Strings] and [Extensions] sections are NOT understood by the certreq version shipping with Windows XP.

  12. Rafael Monteiro says:

    I'm having trouble requesting a new certificating using web enrollment page, with the error THAT NOT CERTIFICATE TEMPLATES COULD BE FOUND, and already followed all the solutions saying i should set the permissions on the certificates templates, and checking adsiedit config dnshostname with the file on windowssystem32certsrv and nothing worked….I tried requesting the certificate using command line, and I'm receiving the message Certificate not issued (Incomplete)… nothing else….. any ideias?

  13. Rafael Monteiro says:

    I'm running Windows Server 2008 R2 fully updated…. Any ideias? I can request certificates from mmc console -> certificates >request a new certificate…. Recently I installed Lync Server, and had no problem requesting certificates….The problem is only with the web enrollment interface….

    I don't know where to look anymore… I'm almost installing a now CA on my environment just to request this certificate…. Any ideias??? Tks for your help…

  14. Rafael Monteiro says:

    I know it's a different topic, but the issue is related….Let me explain what I'm trying to do.

    I'm trying to create a certificate for exchange server 2010 outlook anywhere.

    I create de .req file on EMC and try to submit it using the certification authority on administrative tools, submit new request, i select the .req file created using exchange emc, but nothing happens. Nothing appears on "Pending requests"  or "failed requests"….

    When I go to MMC, Certificates, Computer certificates, and request a certificate from there, It works, I add a service for the certificate, in this case, iis since i'm trying to get outlook anywhere to work, and the certificate to my computer account on my tmg….add the certificate to my web listener…it recognizes my certificate as a valid one, but when i test it, i show the message that my target principal name is incorrect….since i never issued a certificate like this, possibly, there's something wrong with the information i'm adding…. requesting the certificate using the .reg file would make everything easy…..maybe i don't know where to look, but i don't see anything related to this matter in event viewer….

    Do you have any ideas why the certificates I'm trying do submit using MMC Certification Authority using the .req file are not been issued?

    Thanks for your help, and, I'm sorry for my english….It's not my first language, and I not really good at it…

  15. Anonymous says:

    I will confess to not being a security expert. So this article is not about how the process works, instead

  16. krger says:

    Anonymous, would you mind sharing that batch file on pastebin?


  17. LMS says:

    The link was very useful and we imported the certificate with private key on local server store. But we failed to export the certificate with private key from store to a file. Also we removed the certificate from store and tried to import it again using
    command certreq –accept and that also failed. Expect your comment on this

  18. populardesign says:

    all information is really useful.

  19. Joe says:

    My organization name "O=" has a comma in it. I receive an error when using certreq that the data is invalid. How can I get around this? I need to have the comma in the name.

  20. m0dest0 says:

    I know that validity period is handled in the CA Template so I wonder if using certutil or programatically (powershell, c#, etc..) I could update the validity attribute of an existing CA Template. Thanks,

  21. Phil says:

    How do your request it without putting a SAN in it, does that line have to go in?

  22. Roberto says:

    If I want to send a cert request to a public CA, for a certificate that will be used by two different computers, can I use certreq then, with this .inf file?

    ;—————– request.inf —————–


    Signature=”$Windows NT$”


    Subject = “C=US, S=StateName, L=LocalityName, O=OrganizationName,”
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0


    OID= ; this is for Server Authentication
    OID= ; this is for Client Authentication


    Or will the MachineKeySet = TRUE value mean that I can only use the cert on a single computer?

  23. Rich says:

    step 3 was helpful thank you kindly.
    Las Vegas

  24. PKIFan says:

    To automate life, is there options to add email address into certification? So that later when the certification is coming to be expired, we know whom to contact?

Skip to main content