Certreq sign

Updated: April 17, 2012

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Sign a certificate request with an enrollment agent or qualified subordination signing certificate.


certreq -sign [Options] [RequestFileIn [RequestFileOut]]


Options          Description

-any             Force ICertRequest::Submit to determine the encoding type.

-attrib <AttributeString>
                 Specifies Name and Value string pairs, separated by a colon. Separate multiple pairs with \n (for example, Name1:Value1\nName2:Value2).

-binary          Formats output files as binary instead of base64-encoded.

-cert <CertId>   Specifies the signing certificate by common name, serial number, or by SHA-1 key or certificate hash.

-PolicyServer <PolicyServer>

-config <ConfigString>
                 Processes the operation by using the CA specified in the configuration string, which is CAHostName\CAName. For an HTTPS connection, specify the enrollment server URI. For the local machine CA, use a minus sign (-).

-ClientCertificate <ClientCertId>

-UserName <UserName>

-p <Password>

-pin <PIN>       Allows access to smart cards when the command runs in silent mode.

-crl             Includes certificate revocation lists (CRLs) in the output, either in the base64-encoded PKCS #7 file specified by CertChainFileOut or in the base64-encoded file specified by RequestFileOut.

-rpc             Instructs Active Directory Certificate Services (AD CS) to use a remote procedure call (RPC) server connection instead of Distributed COM.

-f               Forces existing files to be overwritten.

-q               Uses silent mode; suppresses all interactive prompts.

-Unicode         Writes Unicode output when standard output is redirected or piped to another command, which helps when certreq is invoked from Windows PowerShell scripts.

-UnicodeText     Sends Unicode output when writing base64 text-encoded data blobs to files.

-NoEKU           Does not filter signing certificate selection by Enhanced Key Usage (EKU).

-HashAlgorithm <HashAlgorithm>
                 Uses the specified hash algorithm.


Parameters           Description

RequestFileIn        Base64-encoded or binary input file name: PKCS #10 certificate request, CMS certificate request, PKCS #7 certificate renewal request, X.509 certificate to be cross-certified, or KeyGen tag format certificate request.

RequestFileOut       Base64-encoded output file name.

CertFileOut          Base64-encoded X.509 file name.

PKCS10FileOut        Base64-encoded PKCS #10 output file name.

CertChainFileOut     Base64-encoded PKCS #7 file name.

FullResponseFileOut  Base64-encoded full response file name.

PolicyFileIn         INF file containing a textual representation of the extensions used to qualify a request.


  • If you type certreq -sign without any additional parameters, a dialog window opens so you can select the request file (.req, .cmc, .txt, .der, .cer, or .crt).

  • Signing the qualified subordination request may require Enterprise Administrator credentials. This is a best practice for issuing signing certificates for qualified subordination.

  • The certificate used to sign the qualified subordination request is created using the qualified subordination template. Enterprise Admins will have to sign the request or grant user permissions for the individuals that will sign the certificate.

  • When you sign the CMC request, you may need to have multiple personnel sign this request, depending on the assurance level that is associated with the qualified subordination.

  • If the parent CA of the qualified subordinate CA you are installing is offline, you must obtain the CA certificate for the qualified subordinate CA from the offline parent. If the parent CA is online, specify the CA certificate for the qualified subordinate CA during the Certificate Services Installation Wizard.


The sequence of commands below shows how to create a new certificate request, sign it, and submit it:

certreq -new policyfile.inf MyRequest.req
certreq -sign MyRequest.req MyRequest_Sign.req
certreq -submit MyRequest_Sign.req MyRequest_cert.cer
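The same three-step sequence as an added PowerShell example (not from the original page). It assumes an enrollment agent certificate with a private key is present in Cert:\CurrentUser\My, that policyfile.inf already exists, and that $CaConfig is replaced with the real CAHostName\CAName string; it selects the signing certificate by SHA-1 thumbprint so that -cert cannot silently pick the wrong certificate, and it stops on the first non-zero exit code.

```powershell
# Added example, not part of the original page. Assumptions: policyfile.inf is
# prepared, an enrollment agent certificate is in the user store, and $CaConfig
# is a placeholder for the real "CAHostName\CAName" configuration string.
$CaConfig = 'CAHOST\CAName'   # placeholder; replace with the real config string

# Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1). certreq -sign
# filters the signing certificate by this EKU unless -NoEKU is given, so the
# script selects by the same rule and fails loudly if nothing matches.
$AgentEku = '1.3.6.1.4.1.311.20.2.1'
$signer = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $AgentEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $signer) {
    throw 'No enrollment agent certificate with a private key was found in Cert:\CurrentUser\My.'
}
Write-Host "Signing with $($signer.Subject) (thumbprint $($signer.Thumbprint))"

function Invoke-CertReq {
    param([string]$Verb, [string[]]$Arguments)
    # -q suppresses interactive prompts, -f overwrites existing output files
    & certreq.exe $Verb -q -f @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certreq $Verb failed with exit code $LASTEXITCODE"
    }
}

# 1. Build the request from the INF policy file.
Invoke-CertReq -Verb '-new' -Arguments @('policyfile.inf', 'MyRequest.req')

# 2. Countersign it. -cert takes a SHA-1 certificate hash, so the thumbprint
#    pins the exact agent certificate instead of relying on a common-name match.
Invoke-CertReq -Verb '-sign' -Arguments @('-cert', $signer.Thumbprint,
                                          'MyRequest.req', 'MyRequest_Sign.req')

# 3. Submit the signed request to the CA named in the configuration string.
Invoke-CertReq -Verb '-submit' -Arguments @('-config', $CaConfig,
                                            'MyRequest_Sign.req', 'MyRequest_cert.cer')

# Sanity check on the issued certificate: subject and validity window.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path 'MyRequest_cert.cer').Path
Write-Host "Issued: $($issued.Subject), valid until $($issued.NotAfter)"
```

If the CA returns a pending status instead of a certificate, certreq -submit exits without writing MyRequest_cert.cer and the final check will fail; retrieve the certificate later with certreq -retrieve once it has been issued.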