Certificate Generator & Request Tool / Script

This tool was born out of my frustration at having to pre-create certificate requests on servers without IIS or the Skype for Business management tools. A while back I posted an article showing how to do this with certreq.exe on any Windows workstation or server: https://skype4b.uk/2015/05/05/generating-csr-using-certreq-exe/

However, I am tired of writing an INF file by hand every time, and there are days when I forget the syntax and lose unaffordable minutes to Google. So this script does all the heavy lifting for me: it asks a few simple questions and then goes off and does its thing.

This is not a Skype-only script; it can be used for almost any certificate request you will ever need to make. If you have unusual requirements, build the request manually rather than being constrained by a scripted process, but for the most common applications this script will suffice.

So what does it do?

  • Enter all the details you need to generate a CSR, such as the Common Name and location information
  • Choose your hashing algorithm
  • Choose your key algorithm
  • Choose your key length
  • Choose the certificate template to use
  • Choose whether the private key should be exportable
  • Choose whether the certificate is a user or a machine certificate
  • Add Subject Alternative Names if you need them (DNS SANs only)
  • Send the request directly to your CA for issuance and install the issued certificate
  • Create a request file to send to a trusted (public) SSL provider
  • Create self-signed certificates
  • Install trusted SSL provider root and intermediate certificates

Download

certificatemaker-v2

Input Options

  • Organisation Name = your organisation name, entered in quotes, e.g. “Myfluffy Cloud Ltd”
  • Country = the two-letter ISO country code, e.g. GB, US, ES
  • Common Name = the FQDN of the server or service you are requesting the certificate for, e.g. sts.myfluffy.cloud
  • Friendly Name = a label used only to identify the certificate in the store, e.g. “ADFS certificate” (in quotes); if left empty the Common Name is used
  • Hash Algorithm = one of SHA256, SHA384, SHA512, SHA1, MD5, MD4 or MD2 (default SHA256 if nothing is entered). Stick with the SHA-2 options: SHA-1 and the MD* family are broken and public CAs no longer sign requests with them
  • Key Algorithm = one of RSA, DH, DSA, ECDH_P256, ECDH_P521, ECDSA_P256, ECDSA_P384 or ECDSA_P521 (default RSA if nothing is entered). For TLS server certificates choose RSA or one of the ECDSA curves
  • Key Length = one of 1024, 2048, 4096, 8192 or 16384 (default 2048 if nothing is entered). 1024-bit RSA is below the 2048-bit minimum public CAs enforce; the length is ignored for ECDSA keys, whose size is fixed by the curve
  • Exportable Private Key = whether the private key can be exported from the store later; default is NO if nothing is entered
  • Machine Key = store the key in the local machine store rather than the current user's store; default is NO if nothing is entered. Service certificates (IIS, ADFS, Skype) need YES
  • Request Type = default is PKCS10 if nothing is entered; other options are CMC, or SELF for a self-signed certificate

Additional Inputs

  • Choose whether to authenticate to the CA with credentials other than the ones you are logged in with
  • Choose whether to target a specific issuing CA rather than the default one published in AD (or leave it blank and pick one from the pop-up box)
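
The inputs above map almost one-to-one onto the certreq.exe INF file the script builds behind the scenes, so here is the flow written out as a small PowerShell example. This is an added example, not the certificatemaker script from this post: the function names, the sample hostnames, the template name and the CA config string are placeholders chosen for illustration. It restricts the hash, key algorithm and key length choices to the values that are still safe to use, always copies the Common Name into the SAN list (browsers ignore the CN), and then runs the three certreq steps (new, submit, accept) with exit-code checks.

```powershell
# Added example, not the certificatemaker script. Builds a certreq.exe .inf from the
# inputs listed in the post, then runs certreq -new / -submit / -accept.
# Function names, hostnames, template and CA config string are placeholders.

function New-CsrInf {
    param(
        [Parameter(Mandatory)] [string] $CommonName,      # FQDN, e.g. sts.myfluffy.cloud
        [Parameter(Mandatory)] [string] $Organisation,
        [Parameter(Mandatory)] [ValidatePattern('^[A-Z]{2}$')] [string] $Country,
        [string] $FriendlyName = $CommonName,
        # SHA-1 and the MD* hashes are broken; public CAs refuse them
        [ValidateSet('SHA256','SHA384','SHA512')] [string] $HashAlgorithm = 'SHA256',
        # RSA or ECDSA for TLS; DH/DSA/ECDH keys cannot sign a TLS handshake
        [ValidateSet('RSA','ECDSA_P256','ECDSA_P384','ECDSA_P521')] [string] $KeyAlgorithm = 'RSA',
        # 1024-bit RSA is below the 2048-bit minimum public CAs enforce
        [ValidateSet(2048, 3072, 4096)] [int] $KeyLength = 2048,
        [switch] $Exportable,
        [switch] $MachineKey,                               # LocalMachine store, not CurrentUser
        [ValidateSet('PKCS10','CMC','Cert')] [string] $RequestType = 'PKCS10',  # Cert = self-signed
        [string] $Template,                                 # AD CS template name, e.g. WebServer
        [string[]] $DnsSans
    )
    # Browsers ignore the CN, so it always goes into the SAN list as well
    $sans = @(@($CommonName) + @($DnsSans | Where-Object { $_ }) | Select-Object -Unique)
    $inf = New-Object System.Collections.Generic.List[string]
    $inf.Add('[Version]')
    $inf.Add('Signature = "$Windows NT$"')   # single quotes: no variable expansion
    $inf.Add('[NewRequest]')
    $inf.Add(('Subject = "CN={0}, O={1}, C={2}"' -f $CommonName, $Organisation, $Country.ToUpper()))
    $inf.Add(('FriendlyName = "{0}"' -f $FriendlyName))
    $inf.Add(('HashAlgorithm = {0}' -f $HashAlgorithm))
    $inf.Add(('KeyAlgorithm = {0}' -f $KeyAlgorithm))
    if ($KeyAlgorithm -eq 'RSA') {
        $inf.Add(('KeyLength = {0}' -f $KeyLength))
        $inf.Add('ProviderName = "Microsoft RSA SChannel Cryptographic Provider"')
        $inf.Add('KeySpec = 1')          # AT_KEYEXCHANGE
        $inf.Add('KeyUsage = 0xa0')      # digitalSignature | keyEncipherment
    } else {
        # ECDSA keys need a KSP; the curve fixes the size, so KeyLength is omitted
        $inf.Add('ProviderName = "Microsoft Software Key Storage Provider"')
        $inf.Add('KeyUsage = 0x80')      # digitalSignature only
    }
    $inf.Add('Exportable = ' + $(if ($Exportable) { 'TRUE' } else { 'FALSE' }))
    $inf.Add('MachineKeySet = ' + $(if ($MachineKey) { 'TRUE' } else { 'FALSE' }))
    $inf.Add(('RequestType = {0}' -f $RequestType))
    $inf.Add('[EnhancedKeyUsageExtension]')
    $inf.Add('OID = 1.3.6.1.5.5.7.3.1')  # serverAuth
    if ($Template) {
        $inf.Add('[RequestAttributes]')
        $inf.Add(('CertificateTemplate = {0}' -f $Template))
    }
    # SAN extension: the _continue_ lines are concatenated, entries separated by '&'
    $inf.Add('[Extensions]')
    $inf.Add('2.5.29.17 = "{text}"')
    for ($i = 0; $i -lt $sans.Count; $i++) {
        $sep = if ($i -lt $sans.Count - 1) { '&' } else { '' }
        $inf.Add(('_continue_ = "dns={0}{1}"' -f $sans[$i], $sep))
    }
    return ($inf -join "`r`n")
}

function Invoke-CertRequest {
    param(
        [Parameter(Mandatory)] [string] $InfText,
        [Parameter(Mandatory)] [string] $WorkDir,
        [string] $CAConfig,        # 'CAHostFQDN\CA Name'; omit to get certreq's CA picker
        [switch] $SubmitToCA       # off: return the .req for a public CA (or the self-signed cert)
    )
    $inf = Join-Path $WorkDir 'request.inf'
    $req = Join-Path $WorkDir 'request.req'
    $cer = Join-Path $WorkDir 'issued.cer'
    Set-Content -Path $inf -Value $InfText -Encoding ASCII
    # -new generates the key pair in the chosen store and writes the request
    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    if (-not $SubmitToCA) { return $req }
    $submit = @('-submit'); if ($CAConfig) { $submit += '-config', $CAConfig }
    & certreq.exe @submit $req $cer
    # a request left pending for manager approval produces no .cer yet; use certreq -retrieve later
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) { throw "certreq -submit returned no certificate ($LASTEXITCODE)" }
    # -accept pairs the issued certificate with the private key created by -new
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
    return $cer
}

# Usage (placeholder names): machine cert from an internal AD CS issuing CA
$infText = New-CsrInf -CommonName 'sts.myfluffy.cloud' -Organisation 'Myfluffy Cloud Ltd' -Country 'GB' `
    -FriendlyName 'ADFS certificate' -MachineKey -Template 'WebServer' -DnsSans 'enterpriseregistration.myfluffy.cloud'
Invoke-CertRequest -InfText $infText -WorkDir 'C:\certs' -CAConfig 'ca01.myfluffy.cloud\Myfluffy Issuing CA' -SubmitToCA
```

Run it from an elevated prompt when -MachineKey is set, since the key is created in the local machine store. Leave -SubmitToCA off to get a .req file you can paste into a public provider's portal; with -RequestType Cert, certreq -new writes a self-signed certificate straight into the store and there is nothing to submit.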

Root Certificate Import

At the moment the script imports only a limited set of trusted root and intermediate certificates, covering the most commonly used providers. When asked:

“Please enter the name of your Certificate Issuer (Supports: GoDaddy, Digicert, Comodo, GeoTrust, GlobalSign)”

enter the command input for the chain you need from the table below:

Command Input   Root Certificate Chain
GoDaddy1        GoDaddy Certificate Chain
GoDaddy2        GoDaddy Certificate Chain G2
GoDaddy3        GoDaddy Certificate Chain G3
GoDaddy4        GoDaddy Certificate Chain G4
Digicert1       Digicert Certificate Chain
Digicert2       Digicert Certificate Chain – G2
Digicert3       Digicert Certificate Chain – G3
Digicert4       Digicert Certificate Chain – G4
Comodo          Comodo Certificate Chain
GlobalSign1     GlobalSign Certificate Chain
GlobalSign2     GlobalSign Certificate Chain – R2
GlobalSign3     GlobalSign Certificate Chain – R3
GeoTrust1       GeoTrust Root Certificate
GeoTrust2       GeoTrust Root Certificate – G2
GeoTrust3       GeoTrust Root Certificate – G3
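
Because this step downloads a certificate and puts it into the machine's trusted root store, it is the one place in the flow where a practitioner should insist on a check: anything written to the Root store is trusted by every TLS client on the box, so the downloaded file must match a thumbprint you recorded out of band (from the provider's own repository page, compared on a separate machine). The function below is an added example and not the post's script; the URL and thumbprint in the usage line are placeholders, not real values. It downloads the file, refuses to install it on a thumbprint mismatch, refuses to put a non-self-signed (intermediate) certificate into Root, and then calls certutil -addstore, the same tool the script uses.

```powershell
# Added example, not the certificatemaker script. Installs a provider root or intermediate
# only if its SHA-1 thumbprint matches a value recorded out of band.
# The URL and thumbprint used in the usage line are placeholders.

function Install-PinnedCaCert {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{40}$')] [string] $ExpectedThumbprint,
        [ValidateSet('Root','CA')] [string] $Store = 'Root'   # Root = trusted roots, CA = intermediates
    )
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.cer')
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
    try {
        # X509Certificate2 reads both DER and Base64 (PEM) .cer files
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
        if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
            throw "Thumbprint mismatch for $Url : got $($cert.Thumbprint), expected $ExpectedThumbprint. Not installed."
        }
        # A root is self-signed; anything else belongs in the intermediate (CA) store
        if ($Store -eq 'Root' -and $cert.Subject -ne $cert.Issuer) {
            throw "$($cert.Subject) is issued by $($cert.Issuer); install it with -Store CA instead."
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            throw "$($cert.Subject) expired on $($cert.NotAfter); refusing to install."
        }
        # -f overwrites an existing copy; machine stores need an elevated prompt
        & certutil.exe -addstore -f $Store $tmp
        if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed ($LASTEXITCODE)" }
        return $cert.Thumbprint
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder URL and thumbprint): take both from the provider's repository page
Install-PinnedCaCert -Url 'https://example.invalid/provider-root-g2.crt' `
    -ExpectedThumbprint '0000000000000000000000000000000000000000' -Store Root
```

Thumbprint here is the SHA-1 fingerprint that Windows displays in the certificate's Details tab; most provider repository pages publish the same value, so it is convenient to pin even though SHA-1 itself is no longer used for signatures. If the provider only publishes a SHA-256 fingerprint, compute it from the raw bytes ($cert.GetRawCertData()) with Get-FileHash or a SHA256 instance and compare that instead.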


Requirements

The script uses the certutil and certreq executables, which ship with every Windows operating system, so it should run on Windows Server 2003 through 2016. The only requirements are:

  • Internet access to download the trusted root certificates (needed only for the root import option)
  • The CA must be discoverable automatically through AD or via DNS if you want the request submitted to the CA for issuance
  • On hardened servers, choose the option to specify a CA and enter it in certreq's -config form, FQDN\CANAME
