Generate Certificates and Keys Using Windows Server PKI

  • I've been looking all over the place and all I see is information for using easy-rsa on Windows. We have a Windows Server 2008 Active Directory Certificate Services server running PKI in the environment already and I was wondering if I could just use it for all my certificates.

    Now, I'm pretty sure I can figure out the ca.crt, server.crt, server.key and client information. What I don't have any clue to do is how would I generate the dh1024.pem using a Windows PKI? I am a novice with certificates but I am learning so maybe there is something simple I am overlooking. I'm really not even sure what the DH key does.

    Thank you,

  • Just use the script "build-dh".
    If you need more specifics what to do when: read the howtos on

  • @GruensFroeschli:

    Just use the script "build-dh".
    If you need more specifics what to do when: read the howtos on

    Ok, can you explain how the script "build-dh" uses the windows server PKI to build the DH key? I was under the impression that script was only a part of the easy-rsa package. I have the pfsense book and understand how to create all the certs and keys with the easy-rsa but the point of my question was how to do it with just the windows tools.

  • Which windows tools are you talking about?
    If you install openVPN on windows you automatically install easy-rsa as well.

    Edit: ah, now I get it. ^^;
    You're trying to use the AD certificate service to generate them.
    Sorry, I don't know anything about that.

  • Ok, thanks. Your reply did get me thinking though. Possibly the DH key is not related to the other certificates and I can just generate that once with easy RSA then still manage all the other certificates with the AD Certificate Services... maybe I'll give that a shot.

  • Rebel Alliance Developer Netgate

    Yes, the DH parameters are not directly related to the key, they are just used during the key exchange. You can use easyrsa to generate this one file as needed.

    In 2.0 it is generated automatically, all you do is pick the DH parameter length.
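
Jim's point above, that the DH parameter file is independent of the CA and is only used in the key exchange, can be seen from what the file contains. The following added example (not easy-rsa's, OpenVPN's or the page's own code) builds a toy safe-prime group, writes it in the same PEM/DER layout as dh1024.pem, reads it back and applies the kind of sanity check openssl dhparam -check does; the 128-bit size and generator 2 are constructed choices for speed, not production values.

```python
import base64
import random

def is_probable_prime(n, rounds=32, rng=random):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        for j in range(r):  # pass if x == 1 initially or hits n - 1 while squaring
            if x == n - 1 or (j == 0 and x == 1):
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def generate_safe_prime(bits, rng=random):  # constructed toy: p = 2q + 1, q prime, as build-dh searches for
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            return 2 * q + 1

def _der(tag, body):  # DER TLV; long-form length once the body reaches 128 bytes
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _tlv(buf, i):  # read one DER element at buf[i] -> (tag, value, next index)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long-form length, which a real 1024-bit p needs
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n

def dhparam_pem(p, g):  # same PEM/DER layout that build-dh (openssl dhparam) writes
    body = b"".join(_der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big")) for v in (p, g))
    b64 = base64.b64encode(_der(0x30, body)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % lines

def parse_dhparam(pem):  # reads a real dh1024.pem as well as the toy one
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    tag, seq, _ = _tlv(der, 0)
    tag_p, p, i = _tlv(seq, 0)
    tag_g, g, _ = _tlv(seq, i)
    assert (tag, tag_p, tag_g) == (0x30, 0x02, 0x02), "not a DHParameter structure"
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def check_dhparam(p, g, rng=random):  # in the spirit of openssl dhparam -check: safe prime p, usable g
    return 1 < g < p - 1 and is_probable_prime(p, rng=rng) and is_probable_prime((p - 1) // 2, rng=rng)
```

Nothing in the file is secret or tied to a CA, so a group made this way (or by build-dh) can sit beside certificates issued from AD CS.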

  • Thanks Jim,

    I had some tunnel vision when reading the instructions and thought the DH key was specific to your CA and everything else. I'll give it a shot just generating that one file and doing the rest from Windows. It's nice to know it's generated in 2.0 automatically. 2.0 might come before I have this in production anyways.

  • Well, I was hoping it would be easier to manage the certificates using the windows interface. If not for me, for the others maybe not so familiar with the command line. I couldn't find a way to get at the text version of the private key though without using some 3rd party tool so I scrapped the idea.

    For anyone who is curious, I just decided to go with the easy-rsa scripts that come with OpenVPN. It really is quite easy and once set up I think I'll just put together a small set of instructions for anyone else in my organization who might need to create the certs in the future.

  • Rebel Alliance Developer Netgate

    There are already some EasyRSA instructions for pfSense:

  • I realize that and I also have the pfSense book which I was following as well. The small set of instructions for my own organization that I was referring to will probably be taken from those with a little side commentary is all. I did not mean to infer that mine would somehow fill a need for the community at large; just my workplace.
