Powershell Scripting Signing of SSL CSRs by CA?

Question

Hi All, I'm in a situation where I need to deploy around 200 SSL Certificates to various devices around our Agency (HP iLO - such joy they bring...). At present I have a powershell script that obtains a CSR from the iLO Device, but I now need to be able to sign this with our CA in an automated manner so I can pass back to the script and import into the device.

We are using Microsoft Certificate Services and I can download the CA Certificate, Certificate Chain, or CRL if required.

I do not really care how I get the signed certificate - what I mean is, if powershell needs to call an external app to get it signed, then thats fine. I've had a look at makecert.exe in the .NET SDK but it does not appear to do the job.

I have the feeling it may be possible using OpenSSL - If someone could enlighten me, that would be great.

Cheers

Answer 1

This article contains the steps to create a CA and sign a CSR from IIS: Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5

You can export the CA into a format OpenSSL can read, and follow the steps after "Sign the Certificate Request".

Answer 2

Here's a FAQ for OpenSSL on managing a CA with the tool.

http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/other-formats/html%5Fsingle/SSL-Certificates-HOWTO.html

i've used OpenSSL successfully to create and manage a root CA, sign CSRs and generate certificates.

Powershell cannot handle this natively, but it can interact and script the whole process, definitely.

-Oisin

Answer 3

Having Dealt with Microsoft Engineer this morning, the most graceful solution in doing this with existing infrastructure is using certreq.exe. Once you have a CSR, you can run this command to obtain a certificate using MS CA:

certreq.exe --attrib "CertificateTemplate:WebServer" infile.csr outfile.cer

from there, you ca get the certificate using Get-Content outfile.cer to feed back into the script.

Cheers