Home / server / Questions / 1089058
Accepted
Daniel
Asked: 2022-01-06 05:17:08 +0800 CST

How to import a CSR on a root CA into the Pending Requests queue and viewing the applied policy on the command line?

  • 772

I have a standalone root CA base on Windows Server 2019 Core.

I know that with certutil.exe -dump certificate.req I can inspect the CSR, but the root CA's policies may override the requested extension attributes.

On the Desktop edition, after importing the CSR into the root CA, I can inspect the pending request and see where root CA policies may override requested extension attributes, add additional extensions or remove them.

For example, the CSR requests the Key Usage extension to be critical, but the root CA policy overrides the Key Usage requests and removes the critical flag, as you can see in the picture below.

enter image description here

My questions are:

  1. How do I import a CSR file to the Pending Requests queue on the command line or in PowerShell?
  2. How can I see how the CA would actually issue the certificate, on the command line or in PowerShell?
pki

0 Answers

  1. Best Answer

    To import a CSR to the queue, use:

    certreq.exe -submit <csr file>

    To view request extensions, you'll need to know the RequestId, which the above command would have returned. Use (for RequestId of 123):

    certutil.exe -view -restrict "ExtensionRequestId=123" Ext

    To view request attributes:

    certutil.exe -view -restrict "AttributeRequestId=123" Attrib

    While you're at it, you can view the request itself with:

    certutil.exe -view -restrict "RequestId=123" Queue

    Or, for previously issued certs:

    certutil.exe -view -restrict "RequestId=123" Log

    You can add -v after the -view for more verbose information and you can add csv at the end for CSV output.

    • 2