PKI – Script the Request, Submit, and Import Cert


This is the client-side process for creating a certificate request, submitting the request, and importing the returned certificate on workgroup computers. The steps must be done in order. It assumes CEP and CES are working properly in your DMZ and that you have set up the enrollment policy locally. If you are going to automate this, the recommendation is to create a script and then compile it. The account used in the enrollment process should have no access to do anything else on your domain.


Step 1 of 5 – Using an INF (which you’ve already saved), create request

certreq -new SCCM_WORKGROUP.INF SCCM_WORKGROUP.req


Step 2 of 5 – Submit request (this is dependent on a working CES and CEP)

certreq -submit -username DOMAIN\USERNAME -p PASSWORD -PolicyServer "https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -config "https://server.external.com/DOMAIN-CA_CES_UsernamePassword/service.svc/CES" -attrib "CertificateTemplate:WorkgroupCertificateNameHere" SCCM_WORKGROUP.req SCCM_WORKGROUP.cer


Step 3 of 5 – Accepting the Certificate

certreq -accept SCCM_Workgroup.cer


Step 4 of 5 – Exporting the Certificate

certutil -p PASSWORD -exportPFX %computername% SCCM_WORKGROUP.pfx


Step 5 of 5 – Import certificate returned from request

certutil -f -addstore "ROOT" SCCM_WORKGROUP.cer
certutil -p PASSWORD -importPFX SCCM_WORKGROUP.pfx NoExport
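The five steps above chained into one script with error checking, as an added example that is not from the original post. The INF name, template name, CEP/CES URLs and enrollment account are the same placeholders used in the steps; the enrollment password is prompted for rather than stored in the script, and the PFX password is generated per run so the exportable PFX and request files can be deleted once the non-exportable copy is in the store.

```powershell
# Added example, not from the original post. Placeholders (INF, template,
# CEP/CES URLs, enrollment account) are the same ones used in Steps 1-5.
param(
    [string]$Inf        = 'SCCM_WORKGROUP.INF',
    [string]$Template   = 'WorkgroupCertificateNameHere',
    [string]$CepUrl     = 'https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP',
    [string]$CesUrl     = 'https://server.external.com/DOMAIN-CA_CES_UsernamePassword/service.svc/CES',
    [string]$EnrollUser = 'DOMAIN\USERNAME'
)
$ErrorActionPreference = 'Stop'
$base = 'SCCM_WORKGROUP'

# Prompt for the low-privilege enrollment account rather than hard-coding
# its password in the script (it still appears on the certreq command line).
$cred     = Get-Credential -UserName $EnrollUser -Message 'Enrollment account'
$enrollPw = $cred.GetNetworkCredential().Password

# One-time random password for the intermediate PFX, which is deleted below.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPw = [Convert]::ToBase64String($bytes)

function Invoke-Step([string]$Name, [string]$Exe, [string[]]$ArgList) {
    Write-Host "== $Name"
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Name failed: $Exe exited with $LASTEXITCODE" }
}

try {
    # Step 1: build the request from the INF
    Invoke-Step 'Step 1 create request' certreq @('-new', $Inf, "$base.req")
    # Step 2: submit through CEP/CES with username/password authentication
    Invoke-Step 'Step 2 submit request' certreq @('-submit', '-username', $EnrollUser, '-p', $enrollPw,
        '-PolicyServer', $CepUrl, '-config', $CesUrl,
        '-attrib', "CertificateTemplate:$Template", "$base.req", "$base.cer")
    # Step 3: bind the issued certificate to the pending private key
    Invoke-Step 'Step 3 accept' certreq @('-accept', "$base.cer")
    # Step 4: export to PFX, then Step 5: re-import with the key marked non-exportable
    Invoke-Step 'Step 4 export PFX' certutil @('-p', $pfxPw, '-exportPFX', $env:COMPUTERNAME, "$base.pfx")
    Invoke-Step 'Step 5a add store' certutil @('-f', '-addstore', 'ROOT', "$base.cer")
    Invoke-Step 'Step 5b import PFX' certutil @('-p', $pfxPw, '-importPFX', "$base.pfx", 'NoExport')
}
finally {
    # Remove the exportable PFX and the request so no key material is left on
    # disk; only the non-exportable copy in the machine store remains.
    Remove-Item -Force -ErrorAction SilentlyContinue "$base.pfx", "$base.req"
    $enrollPw = $null; $pfxPw = $null
}
```

Run it from an elevated prompt on the workgroup machine; any failing step stops the run before the later steps touch the certificate store.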


Notes

Submit request

certreq -submit -f -config "10.1.0.11\DOMAIN-CA" SCCM_Workgroup.req SCCM_Workgroup.cer


Delete cert url cache:

certutil -urlcache * delete


Delete cert user cache:

C:\Users\%username%\AppData\LocalLow\Microsoft\CryptnetUrlCache


Delete cert computer cache:

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache