windowspowershellpkicsrcertificate-authority

PowerShell PKI Module (PSPKI) Submit-CertificateRequest without storing CSR in file


I am using the PowerShell PKI Module to manage my certificates on Enterprise ADCS. I have created a simple tool that is using PS scripts for better convenience and to save some time.

When issuing certificates, I am using the Submit-CertificateRequest command, which takes as an input CSR stored in the file through -Path parameter:

Submit-CertificateRequest -Path $csrFileName -CertificationAuthority $cca -Attribute "CertificateTemplate:$certificateTemplate"

This means that whenever I provide the CSR in the script, I need to store it first in the file, than use the command to issue certificate, and after that delete the file with the CSR. This is a complexity I would like to remove.

Is there any way how I can provide the CSR as input to the command without storing it in the file? The -Path parameter is required and I need somehow reference file that will be used as CSR to issue certificate. Can I avoid that? Is there a better way how I can submit requests without storing them in the file?

My primary interface is PowerShell, if this would be feasible with the current PSPKI commands, it would be great.


Solution

  • You could emulate what Submit-CertificateRequest does, but it's probably longer than wrapping it in a function:

    $req = "
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICZzCCAdACAQAwETEPMA0GA1UEAwwGVGVzdFBTMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQCoSlRfphyVgWrwEPipstSe1pr4+mDOhBDP2ZJPsAevoTTQqt9x
    iOnJnfPMLBWEiqYmPklf9WKBkzLKeC2RfE3a8FGNhRBZb3Vzj8PvBoCMc63hvy+i
    q5hwVWDnWm96mpk+F3ykB60JWAAzL9vY+w2U6kAUQYo8/RPMZ1bLLCV0XQIDAQAB
    oIIBFDAcBgorBgEEAYI3DQIDMQ4WDDEwLjAuMTc3NjMuMjBABgkrBgEEAYI3FRQx
    MzAxAgEFDA5jYTIudzJrMTkudGVzdAwTVzJLMTlcYWRtaW5pc3RyYXRvcgwHTU1D
    LkVYRTBKBgkqhkiG9w0BCQ4xPTA7MBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLm9y
    ZzAdBgNVHQ4EFgQUsDOyEAUoOyC7dIdbbKZDNiSMXI8wZgYKKwYBBAGCNw0CAjFY
    MFYCAQAeTgBNAGkAYwByAG8AcwBvAGYAdAAgAFMAbwBmAHQAdwBhAHIAZQAgAEsA
    ZQB5ACAAUwB0AG8AcgBhAGcAZQAgAFAAcgBvAHYAaQBkAGUAcgMBADANBgkqhkiG
    9w0BAQsFAAOBgQArPgWJ77GxhDlVLXQT2yB2XZh+SVCewDYjoBuqjnSQWFjpS5uB
    ZK1XTNIYCCfb1uPgLxlB17cEd8/gZrLrOr9zwGEsOcqSL9LaaetEbkq5qPhfAvi0
    e3DXpZ0BDkneYHGNKR5GPBuKMcKHgMkDPqj/kMgl7LFIfkR4St3ffoeF3Q==
    -----END NEW CERTIFICATE REQUEST-----
    "
    
    $CertConfig = New-Object -ComObject CertificateAuthority.Config
    $ConfigString = $CertConfig.GetConfig(1)
    $CertRequest = New-Object -ComObject CertificateAuthority.Request
    $Status = $CertRequest.Submit(0,$req,"CertificateTemplate:WebServer",$ConfigString)
    

    Note that the above was blatantly plagiarised from the author of Submit-CertificateRequest's web page (which was offline when I wrote this, so here is a cached version).

    The GetConfig() method takes a single argument:

    Value Meaning
    CC_DEFAULTCONFIG 0x00000000 Retrieves the default certification authority.
    CC_UIPICKCONFIG 0x00000001 Displays a user interface that allows the user to select a certification authority.
    CC_FIRSTCONFIG 0x00000002 Returns the first certification authority.
    CC_LOCALACTIVECONFIG 0x00000004 Retrieves the local certification authority if it is running.
    CC_LOCALCONFIG 0x00000003 Retrieves the local certification authority.
    CC_UIPICKCONFIGSKIPLOCALCA 0x00000005 Displays a user interface that allows the user to select a certification authority. The UI excludes any local certification authority. This exclusion is useful during subordinate certification authority certificate renewal when the subordinate certification authority certificate request is submitted to a certification authority other than the current certification authority.

    If you know your CA Config string beforehand, then you can simplify this into two lines:

    $CertRequest = New-Object -ComObject CertificateAuthority.Request
    $Status = $CertRequest.Submit(0,$req,"CertificateTemplate:WebServer","ca1.example.org\Example CA1")