https://tech.uvoo.io/index.php?action=history&feed=atom&title=MSCA_certsrv 2026-05-10T18:43:13Z Revision history for this page on the wiki MediaWiki 1.35.2 https://tech.uvoo.io/index.php?title=MSCA_certsrv&diff=5579&oldid=prev 2025-07-08T21:08:04Z

<p>Created page with &quot;``` import argparse import base64 import re import time import requests from requests_ntlm import HttpNtlmAuth from cryptography import x509 from cryptography.x509.oid import...&quot;</p> <p><b>New page</b></p><div>```<br /> import argparse<br /> import base64<br /> import re<br /> import time<br /> import requests<br /> from requests_ntlm import HttpNtlmAuth<br /> from cryptography import x509<br /> from cryptography.x509.oid import NameOID<br /> from cryptography.hazmat.primitives import serialization, hashes<br /> from cryptography.hazmat.primitives.asymmetric import rsa<br /> <br /> <br /> def generate_key_and_csr(common_name, san_list=None):<br /> # Generate a private key<br /> key = rsa.generate_private_key(<br /> public_exponent=65537,<br /> key_size=2048,<br /> )<br /> <br /> # Build subject<br /> subject = x509.Name([<br /> x509.NameAttribute(NameOID.COMMON_NAME, common_name),<br /> ])<br /> <br /> # Build CSR<br /> csr_builder = x509.CertificateSigningRequestBuilder().subject_name(subject)<br /> if san_list:<br /> san = x509.SubjectAlternativeName([<br /> x509.DNSName(dns) for dns in san_list<br /> ])<br /> csr_builder = csr_builder.add_extension(san, critical=False)<br /> <br /> csr = csr_builder.sign(key, hashes.SHA256())<br /> csr_pem = csr.public_bytes(serialization.Encoding.PEM).decode('utf-8')<br /> return key, csr_pem<br /> <br /> <br /> def submit_csr(ca_url, csr_pem, template, auth):<br /> &quot;&quot;&quot;<br /> Submit a CSR to the Microsoft CA Web Enrollment service.<br /> Uses Mode=newreq, CertRequest and CertAttrib form fields. ([stackoverflow.com](https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl))<br /> &quot;&quot;&quot;<br /> session = requests.Session()<br /> session.auth = auth<br /> # Initialize session (get cookies)<br /> session.get(f&quot;{ca_url}/certrqxt.asp&quot;, verify=False)<br /> <br /> data = {<br /> 'Mode': 'newreq',<br /> 'CertRequest': csr_pem,<br /> 'CertAttrib': f'CertificateTemplate:{template}',<br /> 'FriendlyType': '',<br /> 'TargetStoreFlags': '0',<br /> 'SaveCert': 'yes'<br /> }<br /> resp = session.post(f&quot;{ca_url}/certfnsh.asp&quot;, data=data, verify=False)<br /> resp.raise_for_status()<br /> <br /> # Extract the Request ID from the response<br /> match = re.search(r&quot;certnew\.cer\?ReqID=(\d+)&amp;&quot;, resp.text)<br /> if not match:<br /> raise RuntimeError(&quot;Failed to obtain Request ID from CA response&quot;)<br /> return match.group(1)<br /> <br /> <br /> def retrieve_cert(ca_url, req_id, auth, timeout=60):<br /> &quot;&quot;&quot;<br /> Retrieve issued certificate in DER from CA. ([certsrv.readthedocs.io](https://certsrv.readthedocs.io/en/latest/_modules/certsrv.html?utm_source=chatgpt.com))<br /> &quot;&quot;&quot;<br /> session = requests.Session()<br /> session.auth = auth<br /> end_time = time.time() + timeout<br /> while time.time() &lt; end_time:<br /> resp = session.get(<br /> f&quot;{ca_url}/certnew.cer&quot;, <br /> params={'ReqID': req_id, 'Enc': 'bin'},<br /> verify=False<br /> )<br /> if resp.headers.get('Content-Type') == 'application/pkix-cert':<br /> return resp.content<br /> time.sleep(2)<br /> raise TimeoutError(&quot;Certificate not issued within timeout period&quot;)<br /> <br /> <br /> def main():<br /> parser = argparse.ArgumentParser(<br /> description='Generate a key, CSR and submit to Microsoft CA Web Enrollment'<br /> )<br /> parser.add_argument('--ca-url', required=True,<br /> help='Base URL of CA Web Enrollment (e.g. https://ca-server/certsrv)')<br /> parser.add_argument('--template', required=True,<br /> help='Certificate template name')<br /> parser.add_argument('--username', required=True,<br /> help='User in DOMAIN\\user format for NTLM auth')<br /> parser.add_argument('--password', required=True,<br /> help='Password for NTLM auth')<br /> parser.add_argument('--cn', required=True,<br /> help='Common Name for certificate subject')<br /> parser.add_argument('--san', nargs='*', default=None,<br /> help='Optional Subject Alternative Names (DNS)')<br /> parser.add_argument('--output-key', default='private_key.pem',<br /> help='Output path for private key (PEM)')<br /> parser.add_argument('--output-cert', default='certificate.pem',<br /> help='Output path for certificate (PEM)')<br /> args = parser.parse_args()<br /> <br /> auth = HttpNtlmAuth(args.username, args.password)<br /> <br /> # Generate key and CSR<br /> key, csr_pem = generate_key_and_csr(args.cn, args.san)<br /> <br /> # Save private key<br /> with open(args.output_key, 'wb') as f:<br /> f.write(<br /> key.private_bytes(<br /> encoding=serialization.Encoding.PEM,<br /> format=serialization.PrivateFormat.TraditionalOpenSSL,<br /> encryption_algorithm=serialization.NoEncryption()<br /> )<br /> )<br /> print(f'Private key saved to {args.output_key}')<br /> <br /> # Submit CSR<br /> req_id = submit_csr(args.ca_url.rstrip('/'), csr_pem, args.template, auth)<br /> print(f'Submitted CSR, Request ID = {req_id}')<br /> <br /> # Retrieve issued certificate<br /> cert_der = retrieve_cert(args.ca_url.rstrip('/'), req_id, auth)<br /> <br /> # Convert DER to PEM and save<br /> cert = x509.load_der_x509_certificate(cert_der)<br /> with open(args.output_cert, 'wb') as f:<br /> f.write(cert.public_bytes(serialization.Encoding.PEM))<br /> print(f'Certificate saved to {args.output_cert}')<br /> <br /> <br /> if __name__ == '__main__':<br /> main()<br /> <br /> ```</div>

Busk