
I have a lot of CSRs that I need to have signed/issued and exported in windows. I was hoping I could batch process them somehow (certutil sounds like it can do some of the work) but I'm not quite sure how I can go about doing this. Is it feasible?

Any help would be greatly appreciated.

Ryan Ries
user183178
  • I think you could use PowerShell to do this (I've never done it on Windows). There are quite a few articles to be had: http://rrustean.blogspot.co.uk/2010/11/automating-ssl-using-powershell.html It really is worth the effort of scripting this in some form even if you have to learn about PowerShell to do it. It makes everything much more precise. – gm3dmo Jul 26 '13 at 15:50

2 Answers

Check the Public Key Infrastructure PowerShell module. The Approve-CertificateRequest and Receive-Certificate cmdlets can help you.

I can say that yes, it is feasible. But this is going to be a good deal of work, and I doubt anyone on a free Q&A site on the internet is going to volunteer to do all this free sysadmin work for you... that said, I can at least get you started.

There are two primary ways to attack this. One, as you've already identified, is with certutil. You will likely be using PowerShell to write a "wrapper" around certutil.exe that feeds it inputs and parses its outputs.

Second, there are the Certificate Services COM components CERTENROLLib, CERTCLIENTLib, etc. These allow you to script any and all work that would otherwise be manual, as long as you're willing to put in the gruesome effort of scripting it.

Look, this guy is using C# and the aforementioned COM interfaces to create a CSR, submit the CSR to the Certificate Authority, and get the response and install the cert. C# is easily ported to PowerShell.

Secondly, certutil... you can do most things with certutil, but it's not object-oriented, it's all text parsing like old-world Unix stuff. As an example, I will share with you a short PowerShell script that I wrote that uses certutil to scan for pending certificate requests on a Certificate Authority, and alerts the admins if there are any pending CSRs that need approval.

# CA to query (CAMachine\CAName) and mail settings for the alert.
[String]$CAName     = 'SERVER01\MY-ISSUING-CA'
[String]$MailFrom   = 'noreply@mydomain.com'
[String[]]$MailTo   = 'CA-Team@domain.com'
[String]$SMTPServer = 'smtp.domain.com'
# Request Disposition 9 = pending (taken under submission). certutil returns the rows
# as lines of text; the last line is the status, the second-to-last is "<N> Rows".
$Output = certutil -view -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name" -Restrict "Request Disposition=9"
If ($Output[-1] -NotLike '*successfully.')
{
    # certutil did not complete cleanly: mail the raw output to the admins and stop.
    Write-Error $Output
    $Body = "<p>An error occurred on $CAName while checking for pending certificate requests.</p><pre>"
    Foreach ($Line In $Output)
    {
        $Body += "$Line" + [Environment]::NewLine
    }
    $Body += "</pre>"
    Send-MailMessage -SmtpServer $SMTPServer -From $MailFrom -To $MailTo -Subject "$CAName Encountered An Error!" -Body $Body -BodyAsHtml
    Return
}

[Int]$NumberOfRequests = 0

# Parse the row count from the "<N> Rows" line; anything else is treated as an error.
If ([Int]::TryParse($Output[-2].Trim().Split(' ')[0], [ref] $NumberOfRequests))
{
    If ($NumberOfRequests -GT 0)
    {
        $Body = "<p>There are pending certificate requests on $CAName.</p><pre>"
        Foreach ($Line In $Output)
        {
            $Body += "$Line" + [Environment]::NewLine
        }
        $Body += "</pre>"
        Send-MailMessage -SmtpServer $SMTPServer -From $MailFrom -To $MailTo -Subject "$CAName Has Pending Requests" -Body $Body -BodyAsHtml
    }
    Else
    {
        Write-Host "No pending certificate requests found."
    }
}
Else
{
    $Body = "<p>An error occurred on $CAName while checking for pending certificate requests.</p><pre>"
    Foreach ($Line In $Output)
    {
        $Body += "$Line" + [Environment]::NewLine
    }
    $Body += "</pre>"
    Send-MailMessage -SmtpServer $SMTPServer -From $MailFrom -To $MailTo -Subject "$CAName Encountered An Error!" -Body $Body -BodyAsHtml
}
Ryan Ries
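The "wrapper" approach both answers point at, written out as an added example (not code from either answerer or from the PSPKI module): it batch-submits every CSR in a folder, approves only the request IDs this run created, and retrieves the issued certificates as .cer files. It uses certreq for submit/retrieve and certutil -resubmit for approval, since those verbs print parseable text; the CA config string, folder paths, template name and the account's rights are assumptions labelled in the code.

```powershell
# Added example, not from the original question or answers.
# Assumed values: CA config string, folders and template below.
# Assumed privileges: the running account can submit requests to the CA and,
# for the approval step only, holds "Issue and Manage Certificates" on it.

[String]$CAConfig  = 'SERVER01\MY-ISSUING-CA'  # assumed: CAMachine\CAName
[String]$CsrFolder = 'C:\CSRs'                  # assumed: input *.req / *.csr files
[String]$OutFolder = 'C:\IssuedCerts'           # assumed: output *.cer files
[String]$Template  = 'WebServer'                # assumed: template the CA lets us request

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

function Submit-Csr {
    param([String]$CsrPath, [String]$CerPath)
    # certreq -submit prints "RequestId: <n>" followed by either
    # "Certificate retrieved(Issued)" (auto-issued by template policy) or
    # "Certificate request is pending: Taken Under Submission (0)" (needs approval).
    $text = (certreq -q -f -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $CsrPath $CerPath 2>&1) | Out-String
    $m = [regex]::Match($text, 'RequestId:\s*(\d+)')
    if (-not $m.Success) { throw "No RequestId in certreq output for ${CsrPath}:`n$text" }
    [PSCustomObject]@{
        Csr       = $CsrPath
        Cer       = $CerPath
        RequestId = [int]$m.Groups[1].Value
        Issued    = ($text -match 'Certificate retrieved\(Issued\)')
    }
}

function Approve-Request {
    param([Int]$RequestId)
    # certutil -resubmit asks the CA to re-evaluate one pending request; with
    # officer rights on the CA this issues it. Each issuance lands in the CA's audit log.
    $text = (certutil -config $CAConfig -resubmit $RequestId 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit $RequestId failed:`n$text" }
}

function Receive-IssuedCert {
    param([Int]$RequestId, [String]$CerPath)
    # Pull the certificate for a request ID into a file; returns $true only if it is issued.
    $text = (certreq -q -f -retrieve -config $CAConfig $RequestId $CerPath 2>&1) | Out-String
    return ($text -match 'Certificate retrieved\(Issued\)')
}

$results = @()
foreach ($csr in (Get-ChildItem -Path $CsrFolder -File | Where-Object { $_.Extension -in '.req', '.csr' })) {
    $cer = Join-Path $OutFolder ($csr.BaseName + '.cer')
    try {
        $r = Submit-Csr -CsrPath $csr.FullName -CerPath $cer
        if (-not $r.Issued) {
            # Approve only the request ID we just created, never the whole pending
            # queue: a blanket approval would also issue anything anyone else submitted.
            Approve-Request -RequestId $r.RequestId
            $r.Issued = Receive-IssuedCert -RequestId $r.RequestId -CerPath $cer
        }
        $results += $r
    } catch {
        Write-Warning "$($csr.Name): $_"
    }
}

# Anything still not Issued (e.g. denied by policy) shows up here for manual follow-up.
$results | Format-Table Csr, RequestId, Issued, Cer -AutoSize
```

The approval step is the part to be careful with: it is scoped to request IDs the script itself produced, so it cannot rubber-stamp foreign requests sitting in the pending queue, and it only works when the account running the batch holds officer rights on the CA. If the template is configured to auto-issue, the -resubmit branch is never reached and the account needs nothing beyond enrollment rights.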