PS: Request/Receive Third Party CA Certs
Description:
Needed to find a way to automate certificate issuing and retrieval. Here is a rough first draft based on the InCommon REST API Guide.
To Resolve:
- To see the types of certs to request:
curl 'https://cert-manager.com/api/ssl/v1/types/' -i \
  -H 'Content-Type: application/json' \
  -H 'login: email@yourdomain.com' \
  -H 'password: Psswd' \
  -H 'customerUri: InCommon'
Example response:
{"id":224,"name":"InCommon SSL (SHA-2)","terms":[365,730]},
- To request a cert:
curl 'https://cert-manager.com/api/ssl/v1/enroll?' -i -X POST -H 'Content-Type: application/json' -H 'login: email@yourdomain.com' -H 'password: Psswd' -H 'customerUri: InCommon' -d '{"orgId":001,"csr":"-----BEGIN NEW CERTIFICATE REQUEST----- MIIEJDCCAwwCAQAwgacxHDAaBgNVBAMME29pdC1qeHE5cnEyLnV0YS5lZHUxLTAr BgNVBAsMJFRoZSBVbml2ZXJzaXR5IE9mIFRleGFzIEF0IEFybGluZ3RvbjEnMCUG A1UECgweVGhlIFVuaXZlcnNpdHkgT2YgVGV4YXMgU3lzdGVtMRIwEAYDVQQHDAlB cmxpbmd0b24xDjAMBgNVBAgMBVRleGFzMQswCQYDVQQGEwJVUzCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMMNDnhJBf+F10EmNxfR2F2WOMjq6Fh00ceM EJptn0dObBtg8BW+YF3yhqNRG94mbOjGNljAQNdtGsIqZm9s78GR5csH8YYKoqGB HNORToTaFVSvP5LXkxFpoGuJUvVsx5v59raF9WPTs+VAbYfY+yk3kzWaNksGByvu xo+LeSj6DUFDrCne44L4tIJ56STpq9YgPc3oH8Oeb8lSiRDegszD72rvjlio1RaP aokslX1tMyA+crvnBslQI6LrRIotY19DgX1jaSo43vFo3vJKUYYUCbZThMdL9Lc4 X4Xi6gS8uItcSMGtm7O1ruQWWjZaQYX++MA2MqETYDpR+JVzWs0CAwEAAaCCATUw HAYKKwYBBAGCNw0CAzEOFgwxMC4wLjE3MTM0LjIwTAYJKwYBBAGCNxUUMT8wPQIB CQwTT0lULUpYUTlSUTIudXRhLmVkdQwWT0lULUpYUTlSUTJcZ3dpbGxhZG1pbgwL Y2VydHJlcS5leGUwUwYJKoZIhvcNAQkOMUYwRDAOBgNVHQ8BAf8EBAMCBaAwEwYD VR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFNYt8ml/x4q2q8iRiRr5Bsr4ewpv MHIGCisGAQQBgjcNAgIxZDBiAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMA QQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMA IABQAHIAbwB2AGkAZABlAHIDAQAwDQYJKoZIhvcNAQEFBQADggEBADd+vPez4HpO LFmFQUp4/gQJXCG6MgxnloBWKpDVI019OUKxr2mba27kd3+1/seF5xqVhleQxi3G 2rzfWIwiJrU= -----END NEW CERTIFICATE REQUEST-----","subjAltNames":"","certType":224,"numberServers":1,"serverType":14,"term":730,"comments":"SSL Cert Request"}'
Response:
{"renewId":"cM8m8zbDqepsdfsdfsdfm0PjtqyZG","sslId":123546549245461}
- To download a cert:
curl 'https://cert-manager.com/api/ssl/v1/collect/123546549245461/base64' -i -H 'Content-Type: application/json' -H 'login: email@yourdomain.com' -H 'password: Psswd' -H 'customerUri: InCommon'
Response:
It should allow it. In my case, we have them set to manual approval so I was hit with:
{"code":-23,"description":"The certificate hasn't been approved yet!"}
But I will get that corrected in the Admin portal.
The PowerShell version of this is:
# see available
# TLS 1.2 only; SSL 3.0 and TLS 1.0/1.1 are left disabled
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$URI = 'https://cert-manager.com/api/ssl/v1/types/'
# login/password are placeholders
$request = Invoke-WebRequest -URI $uri -Method GET -Headers @{
"Content-Type" = "application/json"
"login" = "email@yourdomain.com"
"password" = "Psswd"
"customerUri" = "InCommon"
}

# request
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$URI = 'https://cert-manager.com/api/ssl/v1/enroll'
# CSR to submit (PEM text)
$cert = '-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEJDCCAwwCAQAwgacxHDAaBgNVBAMME29pdC1qeHE5cnEyLnV0YS5lZHUxLTAr
BgNVBAsMJFRoZSBVbml2ZXJzaXR5IE9mIFRleGFzIEF0IEFybGluZ3RvbjEnMCUG
aokslX1tMyA+crvnBslQI6LrRIotY19DgX1jaSo43vFo3vJKUYYUCbZThMdL9Lc4
X4Xi6gS8uItcSMGtm7O1ruQWWjZaQYX++MA2MqETYDpR+JVzWs0CAwEAAaCCATUw
HAYKKwYBBAGCNw0CAzEOFgwxMC4wLjE3MTM0LjIwTAYJKwYBBAGCNxUUMT8wPQIB
CQwTT0lULUpYUTlSUTIudXRhLmVkdQwWT0lULUpYUTlSUTJcZ3dpbGxhZG1pbgwL
Y2VydHJlcS5leGUwUwYJKoZIhvcNAQkOMUYwRDAOBgNVHQ8BAf8EBAMCBaAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFNYt8ml/x4q2q8iRiRr5Bsr4ewpv
MHIGCisGAQQBgjcNAgIxZDBiAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMA
QQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMA
IABQAHIAbwB2AGkAZABlAHIDAQAwDQYJKoZIhvcNAQEFBQADggEBADd+vPez4HpO
LFmFQUp4/gQJXCG6MgxnloBWKpDVI019OUKxr2mba27kd3+1/seF5xqVhleQxi3G
vvc4ATywT1GmeYa4GCJLfc7LnhziPAUOhxBkF/muGblG2vT0w2tLb59k/cTnJdcy
K4alTV6Cb0Npcj/nmx86nmHdQIhNirkrXFiPlyXlSFx049n6kcQhzVJyiMu5Oh2+
UGEHtGDhEVfu3bgQf21hD7DDICs1EoC8zhIZPpx4z/zCC/niWBFPufVsYTTbVPYt
nq6sdToEs1hiojnVEx7N0vMU/4vcbsRt2PmzpvDMhaqQajDjM6KtnU9qSNlUq6dU
2rzfWIwiJrU=
-----END NEW CERTIFICATE REQUEST-----'
$json = @"
{
"orgId":001,
"csr":"$cert",
"subjAltNames":"",
"certType":224,
"numberServers":1,
"serverType":14,
"term":730,
"comments":"SSL Cert Request"
}
"@
$request = Invoke-RestMethod -URI $uri -Method Post -Body $json -Headers @{
"Content-Type" = "application/json"
"login" = "email@yourdomain.com"
"password" = "Psswd"
"customerUri" = "InCommon"
}

# Download
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# sslId returned by the enroll call
$SSL_ID = '1239564561261'
$URI = "https://cert-manager.com/api/ssl/v1/collect/$SSL_ID/base64"
$request = Invoke-WebRequest -URI $uri -Method GET -Headers @{
"Content-Type" = "application/json"
"login" = "email@yourdomain.com"
"password" = "Psswd"
"customerUri" = "InCommon"
}
# RawContent holds the HTTP headers followed by the body; find where the PEM text starts
$content = $request.RawContent
$begin_index = $content.IndexOf("-----BEGI")
If ($begin_index -lt 0)
{
throw "No PEM block in the response (certificate not issued yet?)"
}
# $key holds the issued certificate (PEM text), not a private key
$key = $content.Substring($begin_index, (($content.Length - 1) - $begin_index))
$servername = $env:computername + '.mydomain.com'
If (-not (Test-Path "c:\scripts"))
{
New-Item -ItemType Directory -Path "c:\scripts" | Out-Null
}
If (-not (Test-Path "c:\scripts\$servername.crt"))
{
New-Item -ItemType File -Path "c:\scripts\$servername.crt" -Value $key | Out-Null
}
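With manual approval enabled, the collect call can return the `-23` JSON error instead of a certificate, so an automated run has to tell "pending" from "issued" before it writes a file. The PowerShell below is an added example, not part of the original post: it classifies a collect response body and polls until the certificate is approved. The function names, the `BEGIN CERTIFICATE` PEM label and the retry settings are assumptions, and the two sample responses are constructed.

```powershell
function Resolve-CollectResponse {
    param([Parameter(Mandatory)][string]$Body)
    # Assumption: an issued certificate arrives as one or more PEM CERTIFICATE blocks.
    $pattern = '-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----'
    $pem = @([regex]::Matches($Body, $pattern) | ForEach-Object { $_.Value })
    if ($pem.Count -gt 0) {
        return [pscustomobject]@{ Status = 'Issued'; Pem = $pem; Detail = $null }
    }
    # Otherwise expect the JSON error shape shown above: {"code":..,"description":..}
    try   { $err = $Body | ConvertFrom-Json -ErrorAction Stop }
    catch { $err = $null }
    if ($null -ne $err -and $err.code -eq -23) {
        return [pscustomobject]@{ Status = 'Pending'; Pem = @(); Detail = $err.description }
    }
    $detail = if ($null -ne $err) { "code $($err.code): $($err.description)" }
              else { 'unrecognised response body' }
    return [pscustomobject]@{ Status = 'Failed'; Pem = @(); Detail = $detail }
}

function Wait-IssuedCertificate {
    param(
        [Parameter(Mandatory)][scriptblock]$Fetch,  # returns the response body as a string
        [int]$MaxAttempts = 10,
        [int]$DelaySeconds = 60
    )
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $result = Resolve-CollectResponse -Body (& $Fetch)
        # Stop on anything other than "not approved yet"; never retry a hard failure.
        if ($result.Status -ne 'Pending') { return $result }
        if ($i -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }
    return $result   # still Pending after the last attempt
}

# Constructed responses standing in for two successive collect calls.
$queue = [System.Collections.Queue]::new()
$queue.Enqueue('{"code":-23,"description":"The certificate hasn''t been approved yet!"}')
$queue.Enqueue("-----BEGIN CERTIFICATE-----`nTUlJQ29uc3RydWN0ZWQ=`n-----END CERTIFICATE-----`n")

$r = Wait-IssuedCertificate -Fetch { $queue.Dequeue() } -DelaySeconds 0
'{0}: {1} PEM block(s)' -f $r.Status, $r.Pem.Count
```

In real use the `-Fetch` scriptblock would wrap the collect request and return its body. Windows PowerShell's `Invoke-WebRequest` throws on non-2xx status codes, so if the API sends the error JSON with such a status, the scriptblock has to read the body from the caught exception.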