HowTo: Use certreq.exe with a smartcard enrollment agent


I know this is my second post and it's still related to smartcards, but I swear this isn't the only thing I work on. I also know this may be an edge topic to many, and as you read this you may ask: what is certreq.exe, and what is an enrollment agent? If so, I encourage the use of Google (ok, ok... use MSN Search, or at least try it before Google and give it a chance).


I was looking through some newsgroup posts and found this:

The basic problem as described in the post is:



I am trying to issue a smart card certificate (Ver 2 template on Win2003) on behalf of another user using certreq and an .inf file. The command is being run on an RA, i.e. the machine has an enrollment agent certificate installed. Firstly, should this work?


I am getting this error. Below is the .inf file used.





C:\>certreq test.inf
certreq.exe: 5.2.3790.0 retail (srv03_rtm.030324-2048)
1401.1715.0: 0x8009310b (ASN: 267)
1401.2150.0: 0x8009310b (ASN: 267)
1401.2647.0: 0x8009310b (ASN: 267)
1401.6903.0: 0x8009310b (ASN: 267)
1401.7080.0: 0x8009310b (ASN: 267)
Certificate Request Processor: ASN1 bad tag value met.
0x8009310b (ASN:
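The error in that post is certreq DER-decoding something that is not a request: certreq with no verb means -submit, so "certreq test.inf" hands the INF text to the request parser, which fails on the very first byte. The following PowerShell is an added example, not code from the original post or the newsgroup thread. It classifies a file by its ASN.1 tags and PEM/INF headers before you submit it, and also catches the case a later comment mentions (a private key submitted in place of the CSR). The sample inputs at the bottom are constructed, not real keys or requests, and the function names are mine.

```powershell
# Added example (not from the original post): decide what a file really is before
# "certreq -submit" sees it. Only ASN.1 tags and text headers are inspected; no CA needed.

function Skip-DerLength {
    # Offset of the first content byte after a DER length field that starts at $Offset.
    param([byte[]]$Bytes, [int]$Offset)
    $first = $Bytes[$Offset]
    if ($first -band 0x80) { return $Offset + 1 + ($first -band 0x7F) }   # long form
    return $Offset + 1                                                     # short form
}

function Get-CertReqFileKind {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 4) { return 'empty or too short: certreq reports ASN1 bad tag' }

    if ($Bytes[0] -eq 0x30) {                             # outer SEQUENCE: binary DER
        $i = Skip-DerLength $Bytes 1
        if ($i -ge $Bytes.Length) { return 'DER: truncated after outer SEQUENCE' }
        switch ($Bytes[$i]) {
            0x02 { return 'DER private key (PKCS#1/PKCS#8 start SEQUENCE{INTEGER version}): not a request' }
            0x06 { return 'DER CMS/CMC (SEQUENCE{OID contentType}): a signed request or a CA response' }
            0x30 {
                $j = Skip-DerLength $Bytes ($i + 1)
                if ($j -ge $Bytes.Length) { return 'DER: truncated inside inner SEQUENCE' }
                if ($Bytes[$j] -eq 0x02) { return 'DER PKCS#10 request (CertificationRequestInfo{INTEGER 0}): submit as-is' }
                if ($Bytes[$j] -eq 0xA0) { return 'DER X.509 certificate (tbsCertificate{[0] version}): already issued, nothing to submit' }
                return ('DER: unrecognised tag 0x{0:X2} inside inner SEQUENCE' -f $Bytes[$j])
            }
            default { return ('DER: unrecognised tag 0x{0:X2} after outer SEQUENCE' -f $Bytes[$i]) }
        }
    }

    # Not DER: look at it as text (PEM armour or certreq INF).
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, [Math]::Min($Bytes.Length, 512))
    if ($text -match '-----BEGIN ([A-Z0-9 ]+)-----') {
        $label = $Matches[1]
        if ($label -match 'PRIVATE KEY')         { return "PEM '$label': a private key, not a request (certreq: ASN1 bad tag)" }
        if ($label -match 'CERTIFICATE REQUEST') { return "PEM '$label': submit as-is" }
        return "PEM '$label': not something to submit"
    }
    if ($text -match '(?im)^\s*\[(Version|NewRequest|RequestAttributes)\]') {
        return 'certreq INF: run "certreq -new <inf> <req>" first; submitting it directly gives ASN1 bad tag'
    }
    return 'unknown text: certreq will fail with 0x8009310b'
}

function Test-CertReqFile {
    # Path-based wrapper for use on the enrollment station.
    param([Parameter(Mandatory)][string]$Path)
    Get-CertReqFileKind -Bytes ([System.IO.File]::ReadAllBytes($Path))
}

# Constructed samples (not real keys or requests): an INF like the one in the
# thread, a PEM private key header, and the leading bytes of a DER PKCS#10 request.
$infText = @'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="CN=sctest"
'@
$samples = [ordered]@{
    'test.inf'    = [System.Text.Encoding]::ASCII.GetBytes($infText)
    'key.pem'     = [System.Text.Encoding]::ASCII.GetBytes("-----BEGIN RSA PRIVATE KEY-----`nMIIE...`n")
    'request.der' = [byte[]](0x30,0x82,0x02,0x5C, 0x30,0x82,0x01,0x44, 0x02,0x01,0x00)
}
foreach ($name in $samples.Keys) { '{0,-12} {1}' -f $name, (Get-CertReqFileKind -Bytes $samples[$name]) }
```

The three constructed samples come back as "certreq INF", "PEM 'RSA PRIVATE KEY'" and "DER PKCS#10 request"; anything the function does not label "submit as-is" is exactly what certreq would reject with 0x8009310b. Run Test-CertReqFile against inf_signed.req in the walkthrough below before -submit if you want the check in a script.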



Before we begin, a few notes:

1. Some have noted my grammar is horrid – yes, I know. So Is My Speeling at Ttimes, and my typing skills are horrid (I use 6 fingers total). I was kicked out of typing class back in high school and didn't care, since I would *NEVER* use it……

2. I thought I would post some HOW TO items. I'll preface the titles with "HowTo:".






Here is how one would do this – or at least how I would do it ;oP

First, why the command in the post fails: certreq with no verb means -submit, so "certreq test.inf" sends the INF text to the CA as if it were a finished request, and the DER decoder trips on the first byte with 0x8009310b (ASN1 bad tag value met). An INF only ever goes through "certreq -new"; -submit gets the request file that -new (and, for an enrollment agent, -sign) produces.

  1. By default, a Windows Server 2003 CA ignores a subject alternative name passed as a request attribute (certreq -attrib "SAN:upn=...") and will not insert it in the issued certificate. This applies to both stand-alone and enterprise CAs. To change that, run this from a command line on the CA:

            CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

     Then restart Certificate Services (certsvc) so the policy module picks up the new flag.

     A caveat before you do: the flag is CA-wide, not per template. With it set, anyone who can enroll for any template on that CA can pass -attrib "SAN:upn=someone@domain" and receive a certificate carrying another user's UPN; if the template's EKU allows logon, that certificate logs on as that user. Microsoft's own guidance discourages enabling it on an enterprise CA. The flag only matters for SANs passed with -attrib; a subject (UPN included) carried inside the request itself is governed by the template setting in step 3, not by this flag. If you do turn it on, keep the set of people who can enroll and who hold enrollment agent certificates small, and clear it afterwards with the same command using "-" in place of "+".

  2. Create an INF file which looks like this (straight quotes only; the curly quotes a blog editor inserts break certreq):

            [Version]
            Signature = "$Windows NT$"

            [NewRequest]
            KeySpec = 1
            KeyUsage = 0x30
            ProviderType = 1
            RequesterName = Crisco0\Administrator
            RequestType = CMC
            ProviderName = "Gemplus GemSAFE Card CSP"
            Subject = "CN=sctest,ou=SAFER,DC=crisco,DC=com"
            KeyContainer = "SCTEST"
            KeyLength = 512

            [RequestAttributes]
            CertificateTemplate = SpatsSmartCard

     CertificateTemplate == name of the custom V2 template
     ProviderName == the smart card CSP the key pair must be generated in (this is what puts the key on the card)
     RequesterName == domain\user the certificate is being requested for; it travels in the CMC request as the requester name and is what the CA records for the request. The enrollment agent is identified by the certificate chosen in the -sign step below, not by this field.
     RequestType == CMC is required; RequesterName and the agent signature are CMC features, a bare PKCS#10 has nowhere to carry them.
     KeyLength == 512 is a 2004 value for the card in use; use the largest size the card's CSP supports (2048 on anything current).
     KeyUsage == on an enterprise CA the template's Key Usage extension overrides whatever the request asks for, so this value is advisory.

     For more info on the INF syntax, see the certreq.exe documentation.

  3. Modify the V2 template: on the Subject Name tab choose "Supply in the request", so the Subject (and any SAN) comes from the INF instead of being built from Active Directory. If the template's Issuance Requirements tab requires an authorized signature with the Certificate Request Agent application policy, the -sign step below is what satisfies it.

  4. Publish the template to your Enterprise CA.

  5. From your enrollment station, with the card in the reader, do the following:

            C:\certutil>certreq -new inf.txt inf.req

            C:\certutil>certreq -sign inf.req inf_signed.req

            C:\certutil>certreq -attrib "" -submit inf_signed.req inf_cert.cer
            RequestId: 57
            Certificate retrieved(Issued) Issued

            C:\certutil>certreq -accept inf_cert.cer

     -new generates the key pair on the card through the CSP named in the INF and writes the request; -sign prompts for the enrollment agent certificate and wraps the request in a CMC message signed with it; -submit sends it to the CA and saves the issued certificate; -accept installs the certificate on the card next to its private key.

Now log on with the smart card; you should be logged on as the user whose UPN you provided in the request.
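The five steps above as one script, added here as an example; it is not the original post's code and not a Microsoft sample. It runs on the enrollment station, as the enrollment agent, with the card in the reader, and it audits EDITF_ATTRIBUTESUBJECTALTNAME2 rather than setting it. Everything named in it is an assumption to replace: the CA config string ca01.crisco.com\crisco-CA, the target user CRISCO\sctest (RequesterName is the user the card is for), KeyUsage 0xa0 and KeyLength 2048 in place of the post's 0x30 and 512, and the Invoke-CertReq helper, which is mine. The template name and CSP are the post's. certreq -sign still shows its certificate picker when it runs.

```powershell
# Added example (not the original post's code): enrollment-agent smart card
# enrollment with certreq, with exit-code checks and an EditFlags audit.
# Assumed names: $CaConfig, $Target, KeyUsage 0xa0, KeyLength 2048.

$CaConfig = 'ca01.crisco.com\crisco-CA'   # assumed "host\CA name"
$Template = 'SpatsSmartCard'              # the custom V2 template from the post
$Target   = 'CRISCO\sctest'               # assumed: the user the card is for
$Work     = Join-Path $env:TEMP 'sc-enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf    = Join-Path $Work 'sctest.inf'
$Req    = Join-Path $Work 'sctest.req'
$Signed = Join-Path $Work 'sctest_signed.req'
$Cer    = Join-Path $Work 'sctest.cer'

function Invoke-CertReq {
    # Run certreq.exe and stop on a non-zero exit instead of feeding a bad
    # request into the next step. Returns certreq's stdout as one string.
    param([string[]]$Arguments)
    $out = & certreq.exe @Arguments | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments -join ' ') failed ($LASTEXITCODE):`n$out" }
    return $out
}

# Audit, do not set: EDITF_ATTRIBUTESUBJECTALTNAME2 is CA-wide and lets any
# enrollee pass -attrib "SAN:upn=..." on any template. certutil prints the
# symbolic names of the flags that are set.
$flags = & certutil.exe -config $CaConfig -getreg policy\EditFlags | Out-String
if ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning "$CaConfig has EDITF_ATTRIBUTESUBJECTALTNAME2 set; any enroller can request arbitrary SANs."
}

# The INF with straight quotes and the section headers certreq expects.
# The subject is supplied here because the template's Subject Name tab says so.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=sctest,OU=SAFER,DC=crisco,DC=com"
KeySpec = 1
KeyUsage = 0xa0
KeyLength = 2048
ProviderType = 1
ProviderName = "Gemplus GemSAFE Card CSP"
KeyContainer = "SCTEST"
RequestType = CMC
RequesterName = $Target

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding Ascii

Invoke-CertReq -Arguments @('-new', $Inf, $Req) | Out-Null       # key pair generated on the card (PIN prompt)
Invoke-CertReq -Arguments @('-sign', $Req, $Signed) | Out-Null   # CMC signed with the agent cert (picker dialog)

# Never submit anything that is not a PEM request; that is the 0x8009310b case.
if (-not ((Get-Content -Path $Signed -Raw) -match '-----BEGIN')) {
    throw "$Signed is not a PEM request; submitting it would fail with 0x8009310b (ASN1 bad tag)."
}

# The post's -attrib "" is a no-op, so it is omitted here.
$submit = Invoke-CertReq -Arguments @('-submit', '-config', $CaConfig, $Signed, $Cer)
if ($submit -notmatch 'Certificate retrieved\(Issued\)') {
    throw "CA did not issue immediately (pending or denied):`n$submit"
}
$requestId = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value

Invoke-CertReq -Arguments @('-accept', $Cer) | Out-Null          # writes the certificate onto the card
Write-Host "Issued RequestId $requestId for $Target on template $Template; the card is ready for logon."
```

The script fails closed: a bad INF stops at -new, a refused signature stops at -sign, and a pending or denied request is reported rather than accepted. The EditFlags read uses -config so it works from the enrollment station; it needs read access to the CA's registry, which an agent account will not always have, in which case certutil's error is printed and the warning simply does not fire.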




Have fun!





Comments (6)

  1. I was lurking on a mailing list and saw a question that caught my attention. The guy wanted to be able to use LDAPS when querying the DC by its alias and was being rejected, as the DC's cert did not include the alias either in the certificate’

  2. SPM says:

    This same error "0x8009310b (ASN: 267)" happens if someone submits an encrypted private key, instead of the CSR, when requesting an SSL certificate.

  3. Brian Flynn says:

    I had to quickly learn how to use certreq.exe and found this one of the few helpful posts on the web.  I would have killed to have had an example INF & instructions walking through the process that fit my needs… since I figured it out, here’s just that!

    I created a file called router.inf. It’s contents looked like this :



    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Exportable = TRUE
    KeySpec = 2
    KeyUsage = 0xa0
    MachineKeySet = FALSE
    RequesterName = DOMAIN\VpnUserName
    Subject = "CN=VpnUserName"

    [EnhancedKeyUsageExtension]
    OID =

    [RequestAttributes]
    CertificateTemplate = "OfflineRouter"


    I then walked through 3 commands at a command prompt :

    certreq -new router.inf router.req

    certreq -submit router.req

    certreq -accept router.cer

    Since having the INF install it directly into the machine store produced a cert there that claimed to have the private key but did not work, I had it install into the user store instead, then exported the certificate including the private key and imported it into the machine store.

    VOILA!  My RRAS box could connect to the remote network using EAP-TLS auth for a PPTP VPN tunnel.

  4. SpatDSG says:

    Cool – sorry for the lack of documentation

    Check this paper out:


  5. ClubColby says:

    This was very helpful!