pkix.net
[Feature request] Implement equivalent of certreq -sign for CSRs in native code
`certreq -sign` allows signing CSRs with personal certificates, enabling the "This number of authorized signatures" feature from the "Issuance requirements" tab of certificate templates. It is also used for enrolment agents to sign on behalf of someone else, I believe (I never used that feature though).

Having this in native code would be really helpful, especially because currently there are some things that can only be done with this command.
`SignedCms` never worked for me, but I managed to use the X509Enrollment COM classes to sign a PKCS#10, never a PKCS#7 or CMC directly.

Note that this should work with any kind of CSP/KSP. In my environment, for instance, I am using a signing certificate stored on a smart card and a 3rd party KSP (which is why `SignedCms` did not work, if I recall correctly...).
```powershell
# Requires the PSPKI module (Get-CertificateRequest) and the X509Enrollment COM classes.
# Parameters were implicit in the original snippet: $Path is the CSR to sign, $cert the
# signing certificate (e.g. from Cert:\CurrentUser\My), $outFile the signed PKCS#7 output.
param(
    [string]$Path,
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,
    [string]$outFile
)

$csr = Get-CertificateRequest -Path $Path
if ($csr.RequestType -eq [System.Security.Cryptography.X509CertificateRequests.X509CertificateRequestType]::PKCS10) {
    # Decode the inner PKCS#10 (0x1 = XCN_CRYPT_STRING_BASE64)
    $pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $pkcs10.InitializeDecode([Convert]::ToBase64String($csr.RawData), 0x1)
    # Wrap it in a PKCS#7 that the signer certificate will sign
    $pkcs7 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs7
    $pkcs7.InitializeFromInnerRequest($pkcs10)
    # Select the signer from the user store by thumbprint (0xC = XCN_CRYPT_STRING_HEXRAW);
    # the private key stays in whatever CSP/KSP holds it (smart card included).
    $signer = New-Object -ComObject X509Enrollment.CSignerCertificate
    $signer.Initialize(0, 0, 0xC, $cert.Thumbprint)
    $pkcs7.SignerCertificate = $signer
    $pkcs7.Encode()
    # 0x0 = XCN_CRYPT_STRING_BASE64HEADER (base64 with BEGIN/END lines)
    $pkcs7.RawData(0x0) | Out-File -FilePath $outFile -Force
    [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($pkcs7)
    [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($pkcs10)
    [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($signer)
} else {
    # PKCS#7/CMC input is not handled by the COM path above; fall back to certreq
    certreq.exe -sign -cert $cert.Thumbprint $Path $outFile
}
```
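An added check, not part of the issue or of PSPKI: decoding the signed output with .NET `SignedCms` to verify the signature(s) and list the signers and the inner request before it goes to the CA, which is how to confirm the signature count a template's "Issuance requirements" tab will demand (verification only touches public keys, so the CSP/KSP problem seen when signing does not apply). It assumes the file is the base64-with-header form written by `RawData(0x0)` and that the signed content is the raw PKCS#10; the function name `Test-SignedRequest` is my own.

```powershell
# Added example, not from the issue or PSPKI: verify a signed request before submitting it.
Add-Type -AssemblyName System.Security   # SignedCms (Windows PowerShell / .NET Framework)

function Test-SignedRequest {
    param([Parameter(Mandatory)][string]$Path)

    # RawData(0x0) writes base64 with -----BEGIN/END----- lines; strip them and decode.
    $b64 = (Get-Content -Path $Path | Where-Object { $_ -notmatch '^-----' }) -join ''
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([Convert]::FromBase64String($b64))

    # Throws on any broken signature. $true skips chain building (a private enterprise
    # PKI may not be trusted on this client); pass $false to also require a trusted chain.
    $cms.CheckSignature($true)

    # The signed content is assumed to be the inner PKCS#10; decode it with the same COM
    # class used for signing (0x1 = XCN_CRYPT_STRING_BASE64) to see whose request this is.
    $pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $pkcs10.InitializeDecode([Convert]::ToBase64String($cms.ContentInfo.Content), 0x1)

    $result = [pscustomobject]@{
        RequestSubject = $pkcs10.Subject.Name
        KeyLength      = $pkcs10.PublicKey.Length
        # One SignerInfo per signature; compare with the template's required number.
        SignatureCount = $cms.SignerInfos.Count
        Signers        = @($cms.SignerInfos | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Thumbprint = $_.Certificate.Thumbprint
                Digest     = $_.DigestAlgorithm.FriendlyName
            }
        })
    }
    [void] [Runtime.InteropServices.Marshal]::ReleaseComObject($pkcs10)
    $result
}

# Usage: Test-SignedRequest -Path .\signed.req
```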