PS: Request/Receive Third Party CA Certs

1 minute read

Description:

Needed to find a way to automate certificate issuing and retrieval, here is a rought first draft based on https://spaces.at.internet2.edu/display/ICCS/InCommon+CM+RESTful+API

###

To Resolve:

1a. To see the types of certs to request

curl 'https://cert-manager.com/api/ssl/v1/types/' -i \
-H 'Content-Type: application/json' \
-H 'login: email@yourdomain.com' \
-H 'password: Psswd' \
-H 'customerUri: InCommon'

Example response:

{"id":224,"name":"InCommon SSL (SHA-2)","terms":[365,730]},
  1. To Request a cert:
curl 'https://cert-manager.com/api/ssl/v1/enroll?' -i -X POST -H 'Content-Type: application/json' -H 'login: email@yourdomain.com' -H 'password: Psswd' -H 'customerUri: InCommon' -d '{"orgId":001,"csr":"-----BEGIN NEW CERTIFICATE REQUEST----- MIIEJDCCAwwCAQAwgacxHDAaBgNVBAMME29pdC1qeHE5cnEyLnV0YS5lZHUxLTAr BgNVBAsMJFRoZSBVbml2ZXJzaXR5IE9mIFRleGFzIEF0IEFybGluZ3RvbjEnMCUG A1UECgweVGhlIFVuaXZlcnNpdHkgT2YgVGV4YXMgU3lzdGVtMRIwEAYDVQQHDAlB cmxpbmd0b24xDjAMBgNVBAgMBVRleGFzMQswCQYDVQQGEwJVUzCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMMNDnhJBf+F10EmNxfR2F2WOMjq6Fh00ceM EJptn0dObBtg8BW+YF3yhqNRG94mbOjGNljAQNdtGsIqZm9s78GR5csH8YYKoqGB HNORToTaFVSvP5LXkxFpoGuJUvVsx5v59raF9WPTs+VAbYfY+yk3kzWaNksGByvu xo+LeSj6DUFDrCne44L4tIJ56STpq9YgPc3oH8Oeb8lSiRDegszD72rvjlio1RaP aokslX1tMyA+crvnBslQI6LrRIotY19DgX1jaSo43vFo3vJKUYYUCbZThMdL9Lc4 X4Xi6gS8uItcSMGtm7O1ruQWWjZaQYX++MA2MqETYDpR+JVzWs0CAwEAAaCCATUw HAYKKwYBBAGCNw0CAzEOFgwxMC4wLjE3MTM0LjIwTAYJKwYBBAGCNxUUMT8wPQIB CQwTT0lULUpYUTlSUTIudXRhLmVkdQwWT0lULUpYUTlSUTJcZ3dpbGxhZG1pbgwL Y2VydHJlcS5leGUwUwYJKoZIhvcNAQkOMUYwRDAOBgNVHQ8BAf8EBAMCBaAwEwYD VR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFNYt8ml/x4q2q8iRiRr5Bsr4ewpv MHIGCisGAQQBgjcNAgIxZDBiAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMA QQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMA IABQAHIAbwB2AGkAZABlAHIDAQAwDQYJKoZIhvcNAQEFBQADggEBADd+vPez4HpO LFmFQUp4/gQJXCG6MgxnloBWKpDVI019OUKxr2mba27kd3+1/seF5xqVhleQxi3G 2rzfWIwiJrU= -----END NEW CERTIFICATE REQUEST-----","subjAltNames":"","certType":224,"numberServers":1,"serverType":14,"term":730,"comments":"SSL Cert Request"}'

Response:

{"renewId":"cM8m8zbDqepsdfsdfsdfm0PjtqyZG","sslId":123546549245461}
  1. To download a cert
curl 'https://cert-manager.com/api/ssl/v1/collect/123546549245461/base64' -i -H 'Content-Type: application/json' -H 'login: email@yourdomain.com' -H 'password: Psswd' -H 'customerUri: InCommon'

Response:

It should allow it. In my case, we have them set to manual approval so I was hit with:

{"code":-23,"description":"The certificate hasn't been approved yet!"}

But I will get that corrected in the Admin portal.

The Powershell version of this is:

# see available
[Net.ServicePointManager]::SecurityProtocol = "Tls12, Tls11, Tls, Ssl3"
$URI = 'https://cert-manager.com/api/ssl/v1/types/'
$request = Invoke-WebRequest -URI $uri -Method GET -Headers @{
"Content-Type" = "application/json"
"login" = "email@yourdomain.com"
"password" = "Psswd"
"customerUri" = "InCommon"
}

# request
[Net.ServicePointManager]::SecurityProtocol = "Tls12, Tls11, Tls, Ssl3"
$URI = 'https://cert-manager.com/api/ssl/v1/enroll'
$cert = '-----BEGIN NEW CERTIFICATE REQUEST----- MIIEJDCCAwwCAQAwgacxHDAaBgNVBAMME29pdC1qeHE5cnEyLnV0YS5lZHUxLTAr BgNVBAsMJFRoZSBVbml2ZXJzaXR5IE9mIFRleGFzIEF0IEFybGluZ3RvbjEnMCUG aokslX1tMyA+crvnBslQI6LrRIotY19DgX1jaSo43vFo3vJKUYYUCbZThMdL9Lc4 X4Xi6gS8uItcSMGtm7O1ruQWWjZaQYX++MA2MqETYDpR+JVzWs0CAwEAAaCCATUw HAYKKwYBBAGCNw0CAzEOFgwxMC4wLjE3MTM0LjIwTAYJKwYBBAGCNxUUMT8wPQIB CQwTT0lULUpYUTlSUTIudXRhLmVkdQwWT0lULUpYUTlSUTJcZ3dpbGxhZG1pbgwL Y2VydHJlcS5leGUwUwYJKoZIhvcNAQkOMUYwRDAOBgNVHQ8BAf8EBAMCBaAwEwYD VR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFNYt8ml/x4q2q8iRiRr5Bsr4ewpv MHIGCisGAQQBgjcNAgIxZDBiAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMA QQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMA IABQAHIAbwB2AGkAZABlAHIDAQAwDQYJKoZIhvcNAQEFBQADggEBADd+vPez4HpO LFmFQUp4/gQJXCG6MgxnloBWKpDVI019OUKxr2mba27kd3+1/seF5xqVhleQxi3G vvc4ATywT1GmeYa4GCJLfc7LnhziPAUOhxBkF/muGblG2vT0w2tLb59k/cTnJdcy K4alTV6Cb0Npcj/nmx86nmHdQIhNirkrXFiPlyXlSFx049n6kcQhzVJyiMu5Oh2+ UGEHtGDhEVfu3bgQf21hD7DDICs1EoC8zhIZPpx4z/zCC/niWBFPufVsYTTbVPYt nq6sdToEs1hiojnVEx7N0vMU/4vcbsRt2PmzpvDMhaqQajDjM6KtnU9qSNlUq6dU 2rzfWIwiJrU= -----END NEW CERTIFICATE REQUEST-----'
$json = @"
{
  "orgId":001,
  "csr":"$cert",
  "subjAltNames":"",
  "certType":224,
  "numberServers":1,
  "serverType":14,
  "term":730,
  "comments":"SSL Cert Request"
}
"@
$request = Invoke-RestMethod -URI $uri -Method Post -Body $json -Headers @{
"Content-Type" = "application/json"
"login" = "email@yourdomain.com"
"password" = "Psswd"
"customerUri" = "InCommon"
}

# Download
[Net.ServicePointManager]::SecurityProtocol = "Tls12, Tls11, Tls, Ssl3"
$SSL_ID = '1239564561261'
$URI = "https://cert-manager.com/api/ssl/v1/collect/$SSL_ID/base64"
$request = Invoke-WebRequest -URI $uri -Method GET -Headers @{
"Content-Type" = "application/json"
"login" = "email@yourdomain.com"
"password" = "Psswd"
"customerUri" = "InCommon"
}
$content = $request.RawContent
$begin_index = $content.indexof("-----BEGI", 1600)
$key = $content.substring($begin_index, (($content.Length -1) - $begin_index))
$servername = $env:computername + 'mydomain.com'
If (-not (Test-Path "c:\scripts"))
{
    New-Item -ItemType Directory -Path "c:\scripts" | Out-Null
}
If (-not (Test-Path "c:\scripts\$servername.crt"))
{
    New-Item -ItemType File -Path "c:\scripts\$servername.crt" -Value $key | Out-Null
}