
Certdog Free Installation and Setup


  • An internet connection (as additional components may be downloaded)
  • .NET v4.8 runtime
  • Administrator privileges
  • Windows Server 2016/2019
  • Windows 10

If installing on Windows 10 and you require access to a Microsoft ADCS Certificate Authority, the RSAT (Remote Server Administration Tools) for Windows 10 are also required


  1. Download from here

    File Hashes:

    • SHA1: 70f513df4f526c9582f8623bb5e178af81218452

    • SHA256: a1d9475c84baca8679fc3883fd1dbc5280951dace3a92d844555b04e01d9449e

  2. Right click the zip file (e.g., choose Properties and tick the Unblock check box (if present). Depending on your security settings, this will prevent several prompts when running the scripts

  3. Unzip to a location on your drive e.g. if you unzip to C:\ you will end up with a directory C:\certdogfree (but you can place this anywhere on your system)
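The download steps above can be scripted so that the archive is only unblocked and extracted once its SHA256 matches the value published on this page. This is an added example, not part of the Certdog documentation; the zip file name and download folder in `$ZipPath` are assumptions, so point them at your own download.

```powershell
# Added example: verify the download, then unblock and extract it.
# $ZipPath is a hypothetical file name and location; $Destination follows the
# page's own example of unzipping to C:\ (giving C:\certdogfree).
$ZipPath        = "$env:USERPROFILE\Downloads\certdogfree.zip"
$Destination    = 'C:\'
$ExpectedSha256 = 'a1d9475c84baca8679fc3883fd1dbc5280951dace3a92d844555b04e01d9449e'  # from this page

if (-not (Test-Path -LiteralPath $ZipPath -PathType Leaf)) {
    throw "Download not found: $ZipPath"
}

# Get-FileHash returns upper-case hex; PowerShell's -ne is case-insensitive
# for strings, so the lower-case published value compares correctly.
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "SHA256 mismatch. Expected $ExpectedSha256 but got $actual. Do not run the installer."
}
Write-Host 'SHA256 matches the published value.'

# Step 2: clear the downloaded-from-internet mark
# (same effect as ticking Unblock in the file's Properties dialog).
Unblock-File -LiteralPath $ZipPath

# Step 3: extract. Expand-Archive stops with an error if the target files
# already exist, which avoids silently overwriting an earlier install.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination
```

A hash published next to the download link detects corruption or a swapped file on a mirror; it does not help if the page itself has been altered.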


  1. Open a PowerShell as Administrator, navigate to the certdogfree\install directory and run:


    Note: if you do not have a component installed (VC++ runtime or the correct .NET version) the installer will halt at this point and prompt you to install these components

  2. Accept the license agreement

  3. In the Database User Admin Account Setup section, at the prompt Please enter the password for this account: enter a password

  4. In the First Admin User Account Setup section enter a username, email (this email will be used to send certificate renewal reminders - if configured) and password e.g.

    Enter the username: admin
    Enter the email address:
    Please enter the password: password

This is the account you will first log on to the app with

  1. In the Available interfaces section, choose (Listen on all) (or if you want to limit to local machine access only) and accept the default port of 443 (but change this if required)

  2. In the Installing Application Service section, enter a password e.g.:

    Please enter the master password: password

  3. At the prompt Do you wish to install the ADCS agent on this machine (y/n)? Enter y

    Note: This is required if you wish to interface to Microsoft ADCS instances

If installation was a success and no errors were observed, a browser should open at If local restrictions disallow this, manually navigate to that address from your chosen browser

Log in with the username and password entered in step 5 above

Note that a default TLS certificate is configured for You can issue a new TLS certificate to replace this or temporarily install the root from here: .\certdogfree\config\sslcerts\dbssl_root.cer
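For the default root certificate mentioned above, the sketch below inspects the file before trusting it and shows how to remove it again once a certificate from your own CA is in place. This is an added example, not part of the Certdog documentation; `$RootCer` assumes the zip was extracted to C:\, and the session must be elevated.

```powershell
# Added example: inspect, temporarily trust, and later remove the default root.
# $RootCer assumes an install under C:\certdogfree; adjust to your location.
$RootCer = 'C:\certdogfree\config\sslcerts\dbssl_root.cer'

# Load the certificate and review what is about to be trusted machine-wide.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# A root certificate is self-signed: subject and issuer should be identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root: $($cert.Subject) was issued by $($cert.Issuer)"
}

# Add it to the machine's Trusted Root store and record the thumbprint
# so the same entry can be found and removed later.
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Write-Host "Trusted root added, thumbprint $($cert.Thumbprint)"

# Run this part later, after replacing the default TLS certificate:
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Remove-Item
```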

If you hit any issues, see the troubleshooting guide here


1. Create a Local CA

  1. From the menu, select Local CA > Key Stores and click Add New Key Store. Choose a name (e.g. Software Key Store), for the Type choose Software and enter a password

  2. Select Local CA > CA Configuration and click Add New CA

  3. Enter the details for a new Root CA - provide a name, Subject DN (e.g. CN=Test Root CA) and lifetime, everything else can be left at the defaults. Note: CRL Distribution Points, AIA extensions and CRL generation options can be edited later, other settings (key size etc.) cannot (though you can generate new Root CAs with different settings)

  4. Click Create

You can now Create more CAs (including Subordinate CAs) as required

2. Create a Certificate Profile

  1. From the menu, select Local CA > Profiles and click Add New Profile

  2. Give the Profile a name (e.g. TLS Profile), and select TLS (Server Auth) from the Common Profiles, you can leave the remaining settings at the default for now

  3. Click Add

3. Create a Certificate Issuer

  1. From the menu, select Certificate Issuers and click Add New Issuer

  2. Select Local CA from the drop down and click Next

  3. Provide a Name for this issuer e.g. TLS Issuer (this is the name you will reference when requesting certificates)

  4. Select the Local CA Configuration and the Profile created above

  5. Select the Admin Team and click Add

4. Create a CSR Generator

  1. From the menu, select CSR Generators and click New CSR Generator

  2. Give the generator a Name (e.g. RSA) and click Add

5. Issue a Certificate

  1. Now select Request > DN Request from the menu
  2. Enter a Subject DN (e.g. CN=First Cert) and a P12 Password and click Request Certificate

Your certificate will be issued from the CA you just created. It will include the details you configured in the profile

  1. Download the PKCS#12 if required

  2. For further details, click More

You can now also issue certificates via the REST API, or by using the .NET client or the Java client. Use the IIS Script to automate IIS cert issuance and renewal or use the scripts to manage Windows machine certificates

Further Options

To allow the download of the PKCS#12 files (or JKS, PKCS#8) at a later time, from the menu, select Settings > Settings

Set Private Key Retention Period to a value greater than zero and click Update

If you now issue a certificate its key will be retained for this period and can be downloaded with the certificate in PKCS#12, JKS or PKCS#8 formats

If you installed the ADCS Agent, select Agents from the menu and you should see an agent entry for the host machine name, set as Not Approved. Select it and click Approve. You will now be able to configure a Microsoft CA as a Certificate Issuer

Full Documentation: