YuriG-5303 asked Certdog-3167 answered

API allowing to import a CSR to Microsoft CA and receive a certificate

Hi,

I need to find a way to import/submit a CSR and receive a certificate from Microsoft CA via some endpoint. The best option is REST, but if there is another API (SOAP or other protocol) allowing a request from our server to Microsoft CA, that will be good enough.

Let's say that the CA runs on Windows Server 2012 or later.

I found that there are a few options here:
1. Terminal utils like certreq
2. AFAIK, .Net platform allowing to send/import CSR
3. CA Web Enrollment
4. CA Web Services

Terminal utils will not work for me, I need to do a call programmatically.

Our server is an on-prem solution written in Java. It may run on Windows and Unix-based platforms, and we have customers that run it on Unix... It means that the first option is not really an option...

The second option allows uploading a CSR to Microsoft CA via a browser, i.e. I can try to submit an HTML form and parse the response... extract the link for the cert, but it feels like it is not the best option.

I found that Windows Server contains a component called CA Web Services that theoretically allows what I want, but the problem is that I can't find how to use it. I followed the guidance here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831625(v=ws.11) and the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service are enabled on the server.
This topic is new to me, so it would be nice if someone could tell me whether I'm looking in the right direction and send me a link to the documentation. And if it's not the right direction, maybe someone knows a better option.

Thanks in advance


windows-server
DaisyZhou-MSFT answered

Hello anonymous userG-5303,

Thank you for posting here.

Based on the description above, are you looking for the similar case below?

Unable to sign CSR with Microsoft Windows CA
https://docs.microsoft.com/en-us/answers/questions/89382/unable-to-sign-csr-with-microsoft-windows-ca.html

If no, please describe your request in details so that we can help you better.

If anything is unclear, please feel free to let us know.


Best Regards,
Daisy Zhou

YuriG-5303 answered

Hello @DaisyZhou-MSFT,

Not really,
I know about the web page (.../certsrv/certrqxt.asp). In general, I may send a request to this endpoint with content-type=application/x-www-form-urlencoded, receive an HTML page, extract the request id from the page, construct the URL, and receive the certificate.
But this method is problematic because it's not an "official" API (the result of the request is an HTML page); the web page could be changed, or maybe there are differences between different versions of Windows Server, etc.
What I'm looking for is an API that I can use to send a CSR from my server to Windows Server CA.
Is there any REST API or SOAP API or something that allows us to do it?

I've read that Windows Server has Web Services (CEP and CES) allowing me to do what I need, but I couldn't find the documentation about it.
This topic is new to me, so I may not be clear enough.

Thanks in advance,
Yuri.
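The web-enrollment flow described above (POST a form-encoded CSR to certsrv, pull the request id out of the returned HTML, then fetch certnew.cer) as an added Python example; this is not code from the thread or from Microsoft. It assumes the form field names used by the certsrv submission page, and the HTML samples are constructed, not captured from a real CA, which is exactly why the parsing is kept defensive.

```python
import re
from urllib.parse import urlencode, urljoin

# Field names mirror the certsrv "Submit a Certificate Request" form, whose
# target is certfnsh.asp (assumed here; verify against your CA's page source).
def build_enrollment_form(csr_pem: str, template: str = "WebServer") -> str:
    """Return the application/x-www-form-urlencoded body for certfnsh.asp."""
    csr_pem = csr_pem.strip()
    if not (csr_pem.startswith("-----BEGIN") and csr_pem.endswith("REQUEST-----")):
        raise ValueError("CSR must be a PEM-encoded PKCS#10 request")
    return urlencode({
        "Mode": "newreq",
        "CertRequest": csr_pem,
        "CertAttrib": f"CertificateTemplate:{template}",
        "FriendlyType": "Saved-Request Certificate",
        "ThumbPrint": "",
        "TargetStoreFlags": "0",
        "SaveCert": "yes",
    })

# The HTML is not a stable contract (the concern raised in the thread), so look
# for the download link first and fall back to the "Request Id" text a pending
# request shows; anything else is treated as an error, never as success.
_REQ_LINK = re.compile(r"certnew\.cer\?ReqID=(\d+)", re.IGNORECASE)
_REQ_TEXT = re.compile(r"Request\s*Id\s*(?:is|:)?\s*(\d+)", re.IGNORECASE)

def parse_request_id(html: str) -> tuple:
    """Return (status, req_id) with status 'issued', 'pending' or 'error'."""
    m = _REQ_LINK.search(html)
    if m:
        return "issued", int(m.group(1))
    m = _REQ_TEXT.search(html)
    if m:
        return "pending", int(m.group(1))
    return "error", None

def cert_download_url(base_url: str, req_id: int, enc: str = "b64") -> str:
    """certnew.cer?ReqID=<id>&Enc=b64 returns PEM; Enc=bin returns DER."""
    return urljoin(base_url.rstrip("/") + "/", f"certnew.cer?ReqID={req_id}&Enc={enc}")

# Constructed sample responses (not real CA output) for offline testing.
SAMPLE_ISSUED_HTML = (
    "<HTML><BODY>Certificate Issued<BR>"
    '<A HREF="certnew.cer?ReqID=42&amp;Enc=b64">Download certificate</A>'
    '<A HREF="certnew.p7b?ReqID=42&amp;Enc=b64">Download chain</A></BODY></HTML>'
)
SAMPLE_PENDING_HTML = "<HTML><BODY>Certificate Pending<BR>Your Request Id is 43.</BODY></HTML>"
```

The actual POST to certsrv needs Windows (Negotiate/NTLM) authentication and HTTPS; only the CA operator's template name and base URL change between deployments.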

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello anonymous userG-5303,

Based on my knowledge, the function of CES and CEP is like below:

Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. There is no need to have a forest trust between the two forests.

For example:
Suppose we have a forest named forest A, there is a CA in forest A, and we deploy CES and CEP in forest A.
We also have another forest named forest B, but there is no CA in forest B.
Meanwhile, there is no two-way forest trust between forest A and forest B.
We can enroll a certificate in forest B using CEP and CES in forest A.

I am not sure if CES and CEP meet your requirement. If so, you can set up such a CES and CEP lab in your test AD environment.

Reference:
Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx


For the REST API or SOAP API you mentioned, I am sorry, we mainly focus on issues or problems about AD DS (including AD CS).

I do not know much about REST API or SOAP API, so do you want to use REST API or SOAP API to programmatically achieve your needs?

Thank you for your understanding and support.



Best Regards,
Daisy Zhou

YuriG-5303 answered DaisyZhou-MSFT commented

Hi @DaisyZhou-MSFT ,

Thanks, I will review the article.
But yeah, I want to use REST API or SOAP API to submit CSRs to CA programmatically.

Thanks for the help,
Yuri


Hello anonymous userG-5303,

Thank you for your update.

I am sorry, we don’t know much about programming.
I suggest we can post our request on REST API or SOAP API forum or the related forum if there are such forums.
Thank you for your understanding and support.


Best Regards,
Daisy Zhou

YuriG-5303 answered DaisyZhou-MSFT edited

Hello @DaisyZhou-MSFT ,

So you may post my question on my behalf in other forums? If you can do it, it would be nice.
How may I get the list of all existing Microsoft forums?

Thank you,
Yuri.


Hello anonymous userG-5303,

Thank you for your update.

You need to post your request yourself.

If your question is related to Microsoft product, you can post it on this Q&A forum. You can write the request and select the related tag corresponding to your question topic and post it.

If your question is not related to a Microsoft product, you can post it on the forum corresponding to the product.

Thank you for your understanding and support.


Best Regards,
Daisy Zhou

Certdog-3167 answered

A little late to the party, but krestfield have an app that does just this called certdog (https://www.krestfield.com/certdog). You can get the demo version as a Docker image. You can use a web UI or REST API to obtain certificates from Microsoft, PrimeKey EJBCA or an internal CA.

Thanks!

MoacirFerreira-4955 answered

I have the same problem here. On a Linux client I want to create a CSR, submit the CSR using the Microsoft CA REST API, get the certificate issued and then download the signed certificate, all from the Linux CLI via API GET and POST. The CSR will be created via openssl at the Linux CLI.

Can anyone share thoughts or any document explaining how I can use the Microsoft CA REST API to do it?

Thanks!

Certdog-3167 answered

You could install the free version of certdog. See the guide here

Setup with your Microsoft CA as an issuer as outlined here

Then see right at the end of this doc, where it talks about using curl to obtain a certificate as a PKCS#12.

You can test this now against the online test environment (https://certdog.net). This would work the same way if you configured it to point to your own Microsoft CA. Try running the following (this requires jq - install using brew install jq):

 # Login
 token=$(curl --header "Content-Type: application/json" --request POST --data '{"username":"certdogtest","password":"password"}' https://certdog.net/certdog/api/login | jq -r '.token')

 # Obtain a P12
 p12Data=$(curl --data '{ "caName":"Certdog TLS", "dn":"CN=testcert.com", "csrGeneratorName":"RSA2048", "p12Password":"password", "teamName":"Test Team" }' --header "Content-Type: application/json" --header "Authorization: Bearer $token" --request POST https://certdog.net/certdog/api/certs/request | jq -r '.p12Data')

 # Or submit a CSR
 certData=$(curl --data '{ "caName":"Certdog TLS", "csr":"-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----", "teamName":"Test Team" }' --header "Content-Type: application/json" --header "Authorization: Bearer $token" --request POST https://certdog.net/certdog/api/certs/requestp10 | jq -r '.pemCert')
