Issuing certificates from the command line is rarely something you get right on the first attempt.
So, to understand how it all works, you will probably run some additional tests and import certificates several times in different ways.
However, some undocumented behaviors are very misleading, and you will certainly draw the wrong conclusions.
Here is why:
- Although the certreq -submit command creates a .cer file, this file contains the private key if you follow the right procedure.
- As soon as you have imported the certificate once, the operating system removes the private key from the .cer file (which is not the case for a .pfx file). Therefore, all subsequent attempts with the same .cer file will inevitably leave you with a certificate without the private key in your store.
- The Certificate Authority remembers the creation date of the request file you use with the certreq -submit command, and only exports the private key once for the same file. As a result, if you want to issue the certificate several times for test purposes, you must create a new request file with the certreq -new command each time.
- Combining the last two points: once you have imported a .cer certificate containing a private key (whether or not the private key was imported successfully), you must go through the whole process again (the certreq -new command followed by the certreq -submit command) before you can import it again with the private key.
- You can only import the certificate with the private key into a store of the computer on which the certreq -submit command was run. If you copy your .cer certificate to another computer, you will not be able to import the private key. You may want to save the certificate directly to the target computer, instead of first saving it locally, but this doesn’t work either.
- As a consequence of the previous point, it is better to run the certreq -submit command directly from the computer where you want to import the certificate with the private key. However, that’s not possible if the final computer cannot communicate with the Certification Authority or is not a member of the same forest. In this case, you have to go through a slightly longer but well-known process:
  - Import the certificate locally on the computer where you made the request.
  - Export the certificate to a PFX file.
  - Copy the file to the target computer.
  - Import the certificate into the target computer’s store.
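
The four steps above as PowerShell, added here as an example and not taken from the original page. The file names, CA config string, subject and PFX path are assumptions, and the request INF is assumed to set MachineKeySet = TRUE and Exportable = TRUE.

```powershell
# Assumed values (not from the original page); replace with your own.
$caConfig = 'CA-HOST\CA-Name'           # placeholder: <CA server>\<CA name>
$subject  = 'CN=app01.example.test'     # constructed sample subject
$pfxPath  = 'C:\Temp\app01.pfx'         # constructed sample path
$store    = 'Cert:\LocalMachine\My'

# --- On the computer that makes the request (elevated prompt) ---
certreq -new request.inf request.req    # create a new request file for every attempt
certreq -submit -config $caConfig request.req issued.cer
certreq -accept -machine issued.cer     # step 1: import the certificate locally

# Check that the imported certificate has its private key before exporting.
$cert = Get-ChildItem $store |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject $subject in $store" }
if (-not $cert.HasPrivateKey) { throw "Certificate imported without its private key" }

# Step 2: export to a password-protected PFX file.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 3: copy $pfxPath to the target computer over a channel you trust.

# --- On the target computer (elevated prompt) ---
# Step 4: import into the target computer's store and verify the result.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation $store -Password $pfxPassword
if (-not $imported.HasPrivateKey) { throw "PFX import did not bring the private key" }

# The PFX holds the private key: delete every copy once the import is verified.
Remove-Item $pfxPath
```

The HasPrivateKey check after each import catches a certificate that landed in the store without its key before you lose time troubleshooting further down the line.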