Off-line certificate enrolment on Windows 2000/XP
Last update: Feb 12, 2006
1.1 Introduction
There are several procedures that you can use to obtain a
certificate on Windows 2000 and Windows XP clients. A number of
procedures have been discussed on my webpage "Using a Linux L2TP/IPsec VPN
server with Windows 2000/XP".
The following procedure was forwarded to me by Brian Candler. It is
based on a procedure
published by Microsoft. This procedure was intended to be used for
Windows 2000/2003 Servers where the CA is off-line (not connected to a
network for security reasons) and running Microsoft Windows Certificate
Services.
Brian's procedure described below is for Windows 2000/XP clients instead,
and the CA runs Open Source CA software such as OpenSSL or TinyCA, so you
don't have to buy a licence for a Windows Server with Certificate Services.
One advantage of this procedure is that you don't have to distribute
certificates and private keys in PKCS#12 files, whose security is under
discussion. The private key is generated by the client itself and should
never leave that client; only the certificate signing request (which
carries the public key) and the signed certificate travel between client
and CA.
2. The procedure
2.1 Procedure overview
- (Parts of) the Windows Server 2003 Service Pack 1 Administration
Tools Pack are installed on the Windows 2000/XP client.
- The Windows 2000/XP client uses these tools to generate a private
key and a certificate signing request (CSR).
- This CSR is transferred to the CA.
- The CA signs the CSR.
- The resulting certificate is transferred to the Windows 2000/XP
client and installed.
2.2 Procedure details
- Download the Windows
Server 2003 Service Pack 1 Administration Tools Pack (Adminpak).
See also Knowledge Base article KB304718.
- Install this Adminpak on a supported operating system (despite
the name it can be installed on Windows XP Professional as well as
Windows Server 2003). I don't know about XP Home.
- If you are using Windows 2000 Professional (or XP Home?), copy
the files certreq.exe, certutil.exe, certcli.dll and certadm.dll from the
Windows XP/2003 box to a new directory on the Windows 2000 Professional
client. Do not overwrite any existing files with these names on the
Windows 2000 box: the existing version of certreq cannot be used for this
procedure because it does not have the "-new" flag.
- Once you have the necessary tools, create a file called newreq.inf
with these contents:
[NewRequest]
Subject="CN=foo.example.com,C=GB"
KeyLength=2048
MachineKeySet=TRUE
Silent=TRUE
MachineKeySet=TRUE stores the key pair in the Local Computer store (where
IPsec looks for machine certificates) rather than in the current user's
profile, and Silent=TRUE suppresses the CSP dialogs. Leave Exportable
unset (or set it to FALSE) so that the private key cannot be exported
from the client later.
- Generate a new public/private key pair and CSR with:
certreq -new newreq.inf newreq.pem
Note that by default this always creates a fresh key pair. If you want
to use an existing key pair, add to the .INF file:
UseExistingKeySet=TRUE
KeyContainer=...GUID...
where ...GUID... is the key container ID as shown by "certutil -store my".
You can examine the contents of the PEM file with "certutil -dump newreq.pem".
- Transfer newreq.pem to your OpenSSL machine and run "CA.sh -sign" to
generate the certificate. (OpenSSL reads the Base64-encoded PKCS#10
request that certreq writes; CA.sh -sign expects it as newreq.pem and
writes the signed certificate to newcert.pem.)
- Transfer newcert.pem back to the Windows machine.
- Import the certificate with: certreq -accept newcert.pem
This pairs the certificate with the private key generated in the earlier
step, so the certificate must contain exactly the public key from the
request.
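The CA side of the steps above, as an added example that is not part of the original page or of Brian's procedure. It uses plain openssl commands in a POSIX shell instead of CA.sh and, because no real Windows-generated request is included here, it constructs a stand-in for newreq.pem with openssl and relabels it the way certreq -new does (NEW CERTIFICATE REQUEST headers; OpenSSL reads both forms). The CA name, the file names, the minimal openssl.cnf and the working directory are assumptions. What it adds to the prose are the checks worth doing at the CA before and after signing: verifying the request's self-signature (proof that the client holds the private key), inspecting subject and key length, and confirming that the certificate to be sent back carries exactly the requested public key and chains to the CA, so that certreq -accept will find the key to pair it with.

```shell
#!/bin/sh
# Added example (not from the original page): CA-side handling of a
# PKCS#10 request as written by "certreq -new", with plain openssl
# commands instead of CA.sh. Directory, CA and file names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal config so "openssl req" does not depend on the system openssl.cnf
# and so the CA certificate gets proper CA extensions.
write_config() {
    cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Stand-in for the off-line CA (constructed for this example).
make_ca() {
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Offline CA/C=GB" -sha256 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for newreq.pem from the Windows client (constructed): the same
# Base64 PKCS#10 that "certreq -new newreq.inf newreq.pem" produces, with
# the NEW CERTIFICATE REQUEST labels certreq uses. The private key is
# deleted straight away, as the CA never sees it in the real procedure.
make_client_csr() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/CN=foo.example.com/C=GB" -sha256 \
        -keyout "$WORK/client.key" -out "$WORK/newreq.tmp" 2>/dev/null
    rm -f "$WORK/client.key"
    sed -e 's/^-----BEGIN CERTIFICATE REQUEST-----$/-----BEGIN NEW CERTIFICATE REQUEST-----/' \
        -e 's/^-----END CERTIFICATE REQUEST-----$/-----END NEW CERTIFICATE REQUEST-----/' \
        "$WORK/newreq.tmp" > "$WORK/newreq.pem"
    rm -f "$WORK/newreq.tmp"
}

# Checks before signing: the self-signature proves the requester holds the
# private key; subject and key length must be what the CA expects.
# Prints "<subject>|<bits>" and fails if the signature does not verify.
check_csr() {
    csr="$1"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    bits=$(openssl req -in "$csr" -noout -text | grep -o '([0-9]* bit)' | tr -dc '0-9')
    printf '%s|%s\n' "$subj" "$bits"
}

# Sign the request with the CA key. This is what "CA.sh -sign" does, minus
# the index/serial bookkeeping of "openssl ca". Usage: sign_csr CSR OUTCERT
sign_csr() {
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$2" 2>/dev/null
}

# Before sending newcert.pem back: the certificate must carry exactly the
# public key from the request (otherwise "certreq -accept" has no private
# key to pair it with) and must chain to the CA. Returns 0 only if both hold.
cert_matches_csr() {
    req_key=$(openssl req -in "$1" -noout -pubkey)
    cert_key=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$req_key" = "$cert_key" ] || return 1
    openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the CA and the request, then do the CA's work.
write_config
make_ca
make_client_csr
info=$(check_csr "$WORK/newreq.pem")
echo "request verified: $info"
sign_csr "$WORK/newreq.pem" "$WORK/newcert.pem"
if cert_matches_csr "$WORK/newreq.pem" "$WORK/newcert.pem"; then
    echo "$WORK/newcert.pem matches newreq.pem; transfer it to the client for certreq -accept"
else
    echo "issued certificate does not match the request, do not install it" >&2
    exit 1
fi
```

For a real enrolment, copy the newreq.pem produced by certreq from the client into the working directory instead of calling make_client_csr, run check_csr and sign_csr on it, and only transfer newcert.pem back once cert_matches_csr succeeds.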
2.3 Procedure tips
Here are some useful admin commands:
certutil -store my              # show all certificates on stdout
certutil -viewstore my          # show all certificates in a GUI window
certutil -viewdelstore my       # delete a certificate using a GUI window
certutil -delstore my <certid>  # delete the certificate matching <certid>
For <certid> you can use the certificate subject Common Name, the
certificate serial number, a public key hash, or the numeric certificate
index as shown by 'certutil -store my'. More information can be obtained
using:
certreq -v -? | more
certutil -v -? | more
certutil -store -? | more
2.4 Acknowledgements
This procedure was forwarded to me by Brian Candler. Note: read the
Adminpak's EULA carefully. It is not clear to me if you are allowed to
copy files from an installed Adminpak to another Windows box. This is
your own responsibility.
Jacco de Leeuw