I am using the PowerShell PKI Module to manage my certificates on Enterprise ADCS. I have created a simple tool that is using PS scripts for better convenience and to save some time.
When issuing certificates, I am using the `Submit-CertificateRequest` command, which takes as input a CSR stored in a file, referenced through the `-Path` parameter:

```powershell
Submit-CertificateRequest -Path $csrFileName -CertificationAuthority $cca -Attribute "CertificateTemplate:$certificateTemplate"
```
This means that whenever I provide the CSR in the script, I need to store it in a file first, then use the command to issue the certificate, and after that delete the file with the CSR. This is a complexity I would like to remove.
Is there any way I can provide the CSR as input to the command without storing it in a file? The `-Path` parameter is required, and I somehow need to reference a file that will be used as the CSR to issue the certificate. Can I avoid that? Is there a better way to submit requests without storing them in a file?
My primary interface is PowerShell, so if this is feasible with the current PSPKI commands, that would be great.
You could emulate what `Submit-CertificateRequest` does, but it's probably longer than wrapping it in a function:

```powershell
$req = @"
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
"@
$CertConfig = New-Object -ComObject CertificateAuthority.Config
$ConfigString = $CertConfig.GetConfig(1)
$CertRequest = New-Object -ComObject CertificateAuthority.Request
$Status = $CertRequest.Submit(0,$req,"CertificateTemplate:WebServer",$ConfigString)
```
Note that the above was blatantly plagiarised from the web page of the author of `Submit-CertificateRequest` (which was offline when I wrote this, so here is a cached version).
The `GetConfig()` method takes a single argument:

| Value | Meaning |
|---|---|
| CC_DEFAULTCONFIG 0x00000000 | Retrieves the default certification authority. |
| CC_UIPICKCONFIG 0x00000001 | Displays a user interface that allows the user to select a certification authority. |
| CC_FIRSTCONFIG 0x00000002 | Returns the first certification authority. |
| CC_LOCALACTIVECONFIG 0x00000004 | Retrieves the local certification authority if it is running. |
| CC_LOCALCONFIG 0x00000003 | Retrieves the local certification authority. |
| CC_UIPICKCONFIGSKIPLOCALCA 0x00000005 | Displays a user interface that allows the user to select a certification authority. The UI excludes any local certification authority. This exclusion is useful during subordinate certification authority certificate renewal when the subordinate certification authority certificate request is submitted to a certification authority other than the current certification authority. |
If you know your CA config string beforehand, then you can simplify this into two lines:

```powershell
$CertRequest = New-Object -ComObject CertificateAuthority.Request
$Status = $CertRequest.Submit(0,$req,"CertificateTemplate:WebServer","ca1.example.org\Example CA1")
```
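The answer above stops at the `Submit()` call. The following is an added example (not the answer's code, and not part of PSPKI) that wraps the same `CertificateAuthority.Request` COM object in a function taking the CSR as a string from the pipeline, so nothing is written to disk, and that checks the disposition code before reading the certificate back. The function name `Submit-CsrText`, the parameter names and the sample CA/template values are assumptions; the flag and disposition constants are the documented `ICertRequest` values.

```powershell
# Added example: submit a PEM-encoded CSR held in memory to an ADCS CA via the
# ICertRequest COM interface, without a temporary file. Hypothetical wrapper,
# not part of PSPKI.
function Submit-CsrText {
    [CmdletBinding()]
    param(
        # PEM text including the BEGIN/END NEW CERTIFICATE REQUEST lines
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Csr,

        # CA config string "<host>\<CA name>", e.g. "ca1.example.org\Example CA1"
        [Parameter(Mandatory)]
        [string]$ConfigString,

        # Template common name, e.g. "WebServer"
        [Parameter(Mandatory)]
        [string]$Template
    )
    process {
        # ICertRequest::Submit input flag: 0 = CR_IN_BASE64HEADER (PEM with header lines)
        $CR_IN_BASE64HEADER  = 0
        # ICertRequest::GetCertificate output flag: 0 = CR_OUT_BASE64HEADER (PEM)
        $CR_OUT_BASE64HEADER = 0

        # Disposition codes returned by Submit (ICertRequest documentation)
        $dispositionNames = @{
            0 = 'Incomplete'; 1 = 'Error'; 2 = 'Denied'; 3 = 'Issued'
            4 = 'IssuedOutOfBand'; 5 = 'UnderSubmission'; 6 = 'Revoked'
        }

        $request = New-Object -ComObject CertificateAuthority.Request
        $status  = $request.Submit($CR_IN_BASE64HEADER, $Csr, "CertificateTemplate:$Template", $ConfigString)

        $result = [pscustomobject]@{
            RequestId   = $request.GetRequestId()
            Disposition = $dispositionNames[[int]$status]
            Message     = $request.GetDispositionMessage()
            Certificate = $null
        }

        # Only fetch the certificate when the CA actually issued it (3). A request
        # that is pending (5) needs CA-manager approval first; denied (2) or error (1)
        # results carry the reason in the disposition message.
        if ($status -eq 3) {
            $result.Certificate = $request.GetCertificate($CR_OUT_BASE64HEADER)
        }
        $result
    }
}

# Usage with constructed values: $pem holds the PEM string produced by whatever
# generated the request, so it never touches the filesystem.
# $pem | Submit-CsrText -ConfigString "ca1.example.org\Example CA1" -Template WebServer
```

Keeping the disposition check in the wrapper is what makes it safe to drop `Submit-CertificateRequest`: a pending or denied request returns without a certificate and with the CA's message, instead of silently yielding an empty string.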