Completing certificate request via command line in Windows Server

2

I administrate a number of Windows Servers (mostly 2008 R2 or 2012 R2) and I have to process a lot of SSL certificate renewals. When we renew from our vendor, Globalsign, they automatically generate a certificate request used for the renewal. When I install the completed certificate through the Server Certificates section in IIS, it accepts the certificate with no fuss. However, when I try and use certreq -accept "C:\certpath.cer" to install the completed certificate, it returns an error like the following:

Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

Is there any way to get around this without generating a certificate request on the server beforehand, or is there another command that would work better? The aforementioned command does work if the request has been generated on the server manually, but the fact that I can still get the certificate installed with private key via the GUI means that it should be possible through command line somehow too.

windows-server-2008-r2
ssl-certificate
asked on Server Fault Jan 18, 2016 by bluegrey

1 Answer

2

You wrote:
...they automatically generate a certificate request used for the...
But then you ask:
Is there any way to get around this without generating a certificate request on the server...

  1. Are you trying to install the same cert on multiple servers?
  2. Are you taking steps locally on your server to initiate the cert req?
  3. Or are you initiating the req through the vendor's web portal?
  4. Are you looking for a method to generate the local request?
  5. Or a method to install the completed cert they send you?

If you're looking for #3 and #5 (possibly #1)...

Use CERTUTIL.EXE
https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_addstore

CertUtil -addstore CertificateStoreName InFile
CertUtil -addstore My C:\certpath.cer
certutil -addstore -?

Certutil -addstore My defaults to the Computer Personal store. Add "-user" to install the cert to the current User's Personal store.

Or use the Import-Certificate cmdlet, for servers with an OS that has a new enough version of PowerShell where that cmdlet is available.
https://technet.microsoft.com/en-us/%5Clibrary/hh848630%28v=wps.630%29.aspx

answered on Server Fault Jan 25, 2016 by Clayton • edited Jan 26, 2016 by Clayton
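
The two install methods from the answer above, combined into one script that also checks whether the installed certificate is linked to a private key, which IIS needs for an HTTPS binding. This is an added example, not code from the original answer. It assumes an elevated session and the Computer Personal store; the certutil -repairstore step is an addition that the answer does not mention.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
param([string]$CertPath = 'C:\certpath.cer')   # path taken from the question
$ErrorActionPreference = 'Stop'

# Load the file first so the thumbprint is known before the store is touched.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$thumb = $cert.Thumbprint
Write-Host "Installing $($cert.Subject) [$thumb], expires $($cert.NotAfter)"

if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
    # Newer servers: PKI module cmdlet.
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\My | Out-Null
} else {
    # Older servers such as 2008 R2: fall back to certutil.
    certutil -addstore My $CertPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
}

# A certificate without a linked private key cannot be used for an IIS binding.
$installed = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $installed.HasPrivateKey) {
    # Ask certutil to search the machine's key containers for the matching key.
    certutil -repairstore My $thumb | Out-Null
    $installed = Get-Item "Cert:\LocalMachine\My\$thumb"
}

if ($installed.HasPrivateKey) {
    Write-Host "OK: certificate $thumb is installed with its private key."
} else {
    Write-Warning "Certificate $thumb is installed but no matching private key was found on this machine."
}
```

If the warning is shown, the private key was created on a different machine (wherever the request was generated) and the certificate has to be brought over together with its key rather than as a bare .cer file.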

User contributions licensed under CC BY-SA 3.0