PowerShell Cryptography

Generate a CSR

  1. Create a file named request.inf in ~/Downloads.

  2. Paste the following into request.inf. Replace {Username} with the user's information.

    [Version] 
    Signature = "$Windows NT$" 
    [NewRequest] 
    Subject = "C=US,S=UT,L=Salt Lake City,O=Xenter,CN={Username}"
    Exportable = True 
    KeyAlgorithm = ECDSA_P256 
    KeyLength = 256 
    KeySpec = AT_KEYEXCHANGE 
    KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE|CERT_DATA_ENCIPHERMENT_KEY_USAGE"
    MachineKeySet = False
    ProviderName = "Microsoft Software Key Storage Provider" 
    ProviderType = 12 
    Silent = True 
    SMIME = True 
    RequestType = PKCS10
  3. In PowerShell, create the CSR:

    certreq -new request.inf request.csr
  4. After submitting the CSR to get a new certificate, you can import the cert with this command:

    Import-Certificate -FilePath cert.crt -CertStoreLocation Cert:\CurrentUser\My
  5. Confirm the certificate was installed:

    Get-ChildItem -Path cert: -Recurse | select Subject, FriendlyName, SerialNumber | where {$_.Subject -like '*username*'}
  6. If needed, the certificate can be installed on a second computer or another system by exporting a PFX copy and importing it on the other devices. (Reissuing again will revoke the certificate you just installed.) The PFX contains the private key, so protect it with a strong password and delete the file once it has been imported. To export a PFX copy of the certificate, run this PowerShell command with admin privileges (replace serial_number with the serial number of the certificate you want to export):

    certutil -exportpfx -user my serial_number test.pfx
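
A fuller check for step 5, as an added example that is not part of the original page: it confirms that the imported certificate in Cert:\CurrentUser\My is bound to the private key certreq generated, that the key is the expected ECDSA size, and that the key can actually sign. `$CommonName` is a placeholder for the CN used in request.inf, and the message string is a constructed test value.

```powershell
# Added example: verify the newly imported certificate in CurrentUser\My.
# Assumption: $CommonName is a placeholder for the CN set in request.inf.
$CommonName = 'username'

$ext    = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256

$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$CommonName*" }
if (-not $certs) { throw "No certificate with CN=$CommonName in Cert:\CurrentUser\My" }

foreach ($cert in $certs) {
    # Returns $null when the certificate does not carry an ECDSA public key.
    $pub = $ext::GetECDsaPublicKey($cert)
    $keyUsage = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    # Sign and verify a throwaway message to prove the private key is
    # present, matches the certificate's public key, and is usable.
    $roundTrip = $false
    if ($cert.HasPrivateKey -and $pub) {
        try {
            $priv = $ext::GetECDsaPrivateKey($cert)
            $msg  = [System.Text.Encoding]::UTF8.GetBytes('csr-import-check')  # constructed test value
            $sig  = $priv.SignData($msg, $sha256)
            $roundTrip = $pub.VerifyData($msg, $sig, $sha256)
            $priv.Dispose()
        } catch {
            Write-Warning "Private key for $($cert.Thumbprint) is not usable: $_"
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        SerialNumber  = $cert.SerialNumber
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        EcdsaKeySize  = if ($pub) { $pub.KeySize } else { $null }
        KeyUsage      = if ($keyUsage) { $keyUsage.KeyUsages } else { $null }
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        SignVerifyOk  = $roundTrip
    }
}
```

A certificate that shows `HasPrivateKey = False` was imported on a machine or profile other than the one that ran certreq, and cannot be exported as a PFX in step 6.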