Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/
Post name: Defining the friendly name certificate property
Original author: MS2065 [MSFT]
Posting date: 2008-12-12T07:18:23+00:00


The friendly name of a certificate can be helpful if multiple certificates with a similar subject exist in a certificate store.

One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following way:

  1. Open Notepad and paste the following text into the editor

    [Version]
    Signature = "$Windows NT$"
    [Properties]
    11 = "{text}My Friendly Name"

  2. Save the file as friendlyname.inf
  3. Determine the serial number of the certificate whose friendly name should be changed.
  4. If the certificate exists in the user’s certificate store, run the following command at a command-line

certutil -repairstore -user my {SerialNumber} FriendlyName.inf
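The same INF and certutil -repairstore technique, wrapped in a PowerShell function that first checks that the serial number matches exactly one certificate and then reads the property back from the store. This is an added example, not code from the original post; it assumes certutil.exe is available and uses a constructed serial number.

```powershell
function Set-CertFriendlyName {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $FriendlyName,
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Scope = 'CurrentUser'
    )
    # Refuse to continue unless exactly one certificate matches: the point of a
    # friendly name is telling apart certificates with similar subjects.
    $storePath = "Cert:\$Scope\My"
    $serial = ($SerialNumber -replace '\s', '').ToUpperInvariant()
    $match  = @(Get-ChildItem $storePath | Where-Object { $_.SerialNumber -eq $serial })
    if ($match.Count -ne 1) {
        throw "Expected one certificate with serial $serial in $storePath, found $($match.Count)"
    }

    # Property 11 is the friendly name; the {text} prefix marks the value as a string.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"
[Properties]
11 = "{text}$FriendlyName"
"@
    $infPath = Join-Path $env:TEMP 'friendlyname.inf'
    Set-Content -Path $infPath -Value $inf -Encoding Unicode

    # -user selects the current user's store; omit it for the machine store.
    $cuArgs = @()
    if ($Scope -eq 'CurrentUser') { $cuArgs += '-user' }
    $cuArgs += '-repairstore', 'my', $serial, $infPath
    & certutil.exe @cuArgs | Out-Null
    Remove-Item $infPath -ErrorAction SilentlyContinue
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit $LASTEXITCODE)" }

    # Re-read from the store so the output shows the persisted property.
    Get-ChildItem $storePath | Where-Object { $_.SerialNumber -eq $serial } |
        Select-Object Subject, SerialNumber, FriendlyName
}

# Constructed serial number; take a real one from 'Get-ChildItem Cert:\CurrentUser\My'.
Set-CertFriendlyName -SerialNumber '1a2b3c4d5e6f' -FriendlyName 'My Friendly Name'
```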

Original URL: https://blogs.technet.microsoft.com/pki/2008/10/05/suppressing-certificate-attributes-in-a-ca-certificate-request/
Post name: Suppressing certificate attributes in a CA certificate request
Original author: MS2065 [MSFT]
Posting date: 2008-10-05T06:10:18+00:00


When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default.

Imagine that you are setting up a new subordinate CA where the parent CA is a non-Windows CA. The parent CA may not support or accept certificate attributes like the certificate template name. To exclude an attribute from the CA certificate request you must create a capolicy.inf file in the %WINDIR% directory before creating or renewing a CA certificate. The capolicy.inf file lists the OIDs of the certificate extensions to be excluded in the Extensions section. See the Microsoft Knowledgebase for a list of Object IDs associated with Microsoft cryptography.

The following sample capolicy.inf file would exclude the CA version and the certificate template name from the CA certificate request.

[Version]
Signature= "$Windows NT$"

[Extensions]
1.3.6.1.4.1.311.21.1 =
1.3.6.1.4.1.311.21.7 =

Note: Certificate attributes should only be removed from a certificate request if there is real demand for it. Never do it just for cosmetics!

When working with a capolicy.inf file you should be aware of the behavior described in the Microsoft Knowledgebase article Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certificate by using a new key. The article applies for Root and Subordinate CAs running on Windows Server 2003 SP1 or Windows Server 2003 SP2.
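Because of the renewal behavior just mentioned, it is worth confirming that the excluded extensions are actually absent from the generated request before sending it to the parent CA. The following check is an added example, not code from the original post; it assumes certutil.exe and relies on certutil -dump listing each extension on a line that starts with its OID followed by a colon.

```powershell
# Collect the extension OIDs that certutil -dump reports for a request file.
function Get-RequestExtensionOids {
    param([Parameter(Mandatory)] [string] $RequestPath)
    $dump = & certutil.exe -dump $RequestPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $RequestPath (exit $LASTEXITCODE)" }
    # Assumed layout: extension lines look like "    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3".
    $dump | ForEach-Object {
        if ($_ -match '^\s+(\d+(?:\.\d+)+):') { $Matches[1] }
    } | Sort-Object -Unique
}

# Return $true when none of the excluded OIDs made it into the request.
function Test-RequestExcludesExtensions {
    param(
        [Parameter(Mandatory)] [string] $RequestPath,
        # Defaults are the two OIDs removed by the sample capolicy.inf above
        # (CA version and certificate template name).
        [string[]] $ExcludedOids = @('1.3.6.1.4.1.311.21.1', '1.3.6.1.4.1.311.21.7')
    )
    $present = @(Get-RequestExtensionOids -RequestPath $RequestPath)
    $leaked  = @($ExcludedOids | Where-Object { $present -contains $_ })
    if ($leaked.Count -gt 0) {
        Write-Warning "Request still carries excluded extensions: $($leaked -join ', ')"
        return $false
    }
    return $true
}

# Hypothetical request file name; use the .req written during CA setup or renewal.
Test-RequestExcludesExtensions -RequestPath 'C:\CAReq\SubCA.req'
```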

Original URL: https://blogs.technet.microsoft.com/pki/2008/10/04/creating-offline-certificate-requests-through-the-user-interface-on-windows-vista-or-windows-server-2008/
Post name: Creating offline certificate requests through the user-interface on Windows Vista or Windows Server 2008
Original author: MS2065 [MSFT]
Posting date: 2008-10-04T07:43:04+00:00


Windows Vista and Windows Server 2008 have a convenient user interface to create custom certificate requests. This is especially helpful since computer certificate enrollment through the web enrollment pages was discontinued from Windows Server 2008 and on.

If you want to create a custom certificate request, perform the following steps:

1. Start the Certificates MMC snap-in and expand the Personal – Certificates container in the left pane.

2. Right-click the Certificates container and choose Create custom request from the context menu.

3. Click Next to accept the welcome page of the wizard.

4. If you have Enterprise CA connectivity in your Active Directory forest, you can choose from a list of available certificate templates and create the request based on a specific certificate template. If you want to be independent of any certificate template, select (No template) CNG key if the application can handle CNG keys; otherwise select (No Template) Legacy Key instead. For more information on Cryptography Next Generation (CNG), see the documentation on MSDN. Click Next to continue.

5. To customize your certificate request click the little arrow next to the word Details in the Certificate Enrollment page.

6. Click the Properties button.

7. Use the dialog tabs to define the certificate properties.

8. After defining all certificate attributes, click OK.

9. Finally, specify a filename to save the offline certificate request and click Finish.

10. The pending certificate request appears in the Certificate Enrollment Requests container in the Certificates MMC snap-in until the offline request has been accepted.

11. To verify the certificate request, double-click the pending request in the MMC snap-in. Alternatively use certutil [mycert.req] at a command-line where [mycert.req] is equal to the file that you saved in step 9.

12. To enroll for the certificate request, submit the request with certreq -submit. If no certificate template was selected in the wizard, it is required to specify one as a command-line parameter. Also don't forget the -config parameter to specify the name of the certification authority where you are enrolling from. The certreq command might look like the following example if the CA is accessible via DCOM:

certreq -config "myCAserver\myCAname" -submit -attrib "CertificateTemplate:User" mycert.req

If certreq is executed on a computer running Windows 7 or Windows Server 2008 R2, the following command leverages the new web enrollment protocol on a Windows Server 2008 R2 CA, where DCOM access to the CA is not mandatory. The URL provided with the -config parameter is configured at the CA and can be found with the certutil -dump command:

certreq -config https://www.contoso.com/My-CES/service.svc/CEP -submit -attrib "CertificateTemplate:User" mycert.req

If the CA is only accessible via the web enrollment pages, you have to open the mycert.req file with Notepad and copy/paste it into the web enrollment pages.

13. To install the certificate once it has been enrolled, accept the certificate. This will also remove the pending certificate request from the Certificate Enrollment Requests container. Use certreq -accept [certificatename.cer] to accept the certificate request.
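The same offline enrollment flow (steps 9 through 13) can be scripted with certreq.exe instead of the MMC wizard, which is useful when many clients need the same request settings. This is an added example, not code from the original post; it assumes certreq.exe on the client, a CA reachable via DCOM or CES, and uses constructed placeholder values for the CA config string and subject.

```powershell
function New-OfflineUserRequest {
    param(
        [Parameter(Mandatory)] [string] $Subject,   # e.g. 'CN=user1,DC=contoso,DC=com'
        [Parameter(Mandatory)] [string] $CaConfig,  # 'myCAserver\myCAname' or the CES URL
        [string] $Template = 'User',
        [string] $WorkDir  = (Join-Path $env:TEMP 'enroll')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'mycert.inf'
    $req = Join-Path $WorkDir 'mycert.req'
    $cer = Join-Path $WorkDir 'mycert.cer'

    # Equivalent of the wizard's "(No template) CNG key": a non-exportable RSA key
    # in the user's key store, held by the software key storage provider.
    @"
[NewRequest]
Subject = "$Subject"
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    # Steps 9/10: create the PKCS#10 file; the pending request sits in the
    # Certificate Enrollment Requests store until the certificate is accepted.
    & certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit $LASTEXITCODE)" }

    # Step 12: submit to the CA. The -attrib repeats the template from the INF,
    # which is what the wizard requires when no template was chosen there.
    & certreq.exe -config $CaConfig -submit -attrib "CertificateTemplate:$Template" $req $cer
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        throw "certreq -submit did not return a certificate (exit $LASTEXITCODE); it may be pending"
    }

    # Step 13: accept the issued certificate, which binds it to the private key
    # and removes the pending request from the enrollment requests store.
    & certreq.exe -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $Subject }
}

# Constructed values; replace with your CA's config string and a real subject.
New-OfflineUserRequest -Subject 'CN=user1,DC=contoso,DC=com' -CaConfig 'myCAserver\myCAname'
```

If the CA is configured to hold requests for manager approval, certreq -submit reports the request as pending and no .cer is written; retrieve it later with certreq -retrieve using the request ID that certreq prints.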

Original URL: https://blogs.technet.microsoft.com/pki/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples/
Post name: Disposition values for certutil –view –restrict (and some creative samples)
Original author: MS2065 [MSFT]
Posting date: 2008-10-03T07:30:05+00:00


A while ago I explained how to determine all certificates that will expire within a given period. Now I'd like to explain how to query the CA database based on certificate or request disposition. The disposition IDs are defined in the certsrv.h include file in the Windows SDK.

The following two tables show the disposition IDs for the request queue and the log.

Disposition values for requests in the queue:

Disposition  Description
8            request is being processed
9            request is taken under submission
12           certificate is an archived foreign certificate
15           certificate is a CA certificate
16           parent CA certificates of the CA certificate
17           certificate is a key recovery agent certificate

Disposition values for requests in the log:

Disposition  Description
20           certificate was issued
21           certificate is revoked
30           certificate request failed
31           certificate request is denied

Show the SerialNumber of all issued and revoked certificates:

certutil -view -restrict "Disposition>=20,Disposition<=21" -out SerialNumber

Show the most recently issued certificate that is not revoked. To view the certificate, copy everything between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" into a file with the file extension CER and open the file. The expression RequestID=$ instructs certutil to sort the database query from high to low and stop after the first entry is displayed.

certutil -view -restrict "RequestId=$,Disposition=20" -out RawCertificate

Show all certificate requests that failed for the certificate template with the common name "EnrollmentAgent" after September 24th 2008:

certutil -view -restrict "Disposition=30,notbefore>=9/24/2008,certificate template=EnrollmentAgent" -out RawCertificate

Show the SerialNumber and the Request Status Code for all certificate requests that have been submitted by CONTOSO\user1:

certutil -view -restrict "RequesterName=CONTOSO\user1" -out SerialNumber,StatusCode

Show all CRL attributes for the CRL that was published before the current CRL:

certutil -restrict "CRLRowID=$-1" -view CRL

Note: If you don't know how to restrict the query by a certain attribute, dump all certificate or request attributes by not specifying the -out parameter. Then take the output as a sample to build the query with the attributes that you are looking for.
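The queries above return certutil's text output, which is awkward to filter or export further. The following wrapper, an added example rather than code from the original post, turns the "Row N:" blocks that certutil -view prints into PowerShell objects; it assumes certutil's layout of one "  Name: value" line per column and parses a constructed sample so it can be tried without a CA.

```powershell
# Parse certutil -view output into one object per "Row N:" block.
function ConvertFrom-CertutilView {
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Lines)
    begin { $row = $null }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^Row \d+:') {
                if ($row) { [pscustomobject]$row }
                $row = [ordered]@{}
            } elseif ($row -and $line -match '^\s{2}([^:]+):\s*(.*)$') {
                $name  = $Matches[1].Trim() -replace '\s', ''   # "Serial Number" -> SerialNumber
                $value = $Matches[2].Trim(' "')
                # Numeric columns print as "0x14 (20) -- Issued"; keep the decimal value.
                if ($value -match '^0x[0-9a-fA-F]+ \((\d+)\)') { $value = [int]$Matches[1] }
                $row[$name] = $value
            }
        }
    }
    end { if ($row) { [pscustomobject]$row } }
}

# Run a restricted view against the CA database (optionally a remote CA via -config).
function Get-CaDbRows {
    param([Parameter(Mandatory)] [string] $Restrict, [string[]] $Out, [string] $Config)
    $cuArgs = @('-view')
    if ($Config) { $cuArgs += '-config', $Config }
    $cuArgs += '-restrict', $Restrict
    if ($Out) { $cuArgs += '-out', ($Out -join ',') }
    & certutil.exe @cuArgs | ConvertFrom-CertutilView
}

# Live use, e.g. issued and revoked certificates as objects:
#   Get-CaDbRows -Restrict 'Disposition>=20,Disposition<=21' -Out SerialNumber,Disposition,RequesterName

# Constructed sample of certutil's output shape, parsed offline:
$sample = @'
Row 1:
  Serial Number: "1a000000020c6d7e8f"
  Request Disposition: 0x14 (20) -- Issued
  Requester Name: "CONTOSO\user1"
Row 2:
  Serial Number: "1a000000031b4c5d6e"
  Request Disposition: 0x15 (21) -- Revoked
  Requester Name: "CONTOSO\user2"
Maximum Row Index: 2
'@ -split "`r?`n"
$sample | ConvertFrom-CertutilView | Where-Object RequestDisposition -eq 21
```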

Original URL: https://blogs.technet.microsoft.com/pki/2008/09/03/technet-presents-mcs-talks-enterprise-architecture-session-4-security-and-pki/
Post name: TechNet Presents: MCS Talks Enterprise Architecture session 4 – Security and PKI
Original author: MS2065 [MSFT]
Posting date: 2008-09-03T09:01:24+00:00


You may be interested in one of our upcoming sessions that is focused on PKI design and is available for registration here: http://blogs.technet.com/mcstalks/archive/2008/09/02/session-4-details-security-and-pki-registration-now-available.aspx