iis - Submitting Base64 CSR to a Microsoft CA (via cURL)


I have written a bash script to automate IIS7 certificate generation, following a serverfault post.

I want to automate sending the code signing request (CSR) to an internal Microsoft Certification Authority (MS CA) via cURL. The following code looks promising for submitting the CSR to the MS CA:

$ curl -k -u '<domain>\<username>':<password> --ntlm 'https://<internalmsca>/certsrv/certfnsh.asp' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'Accept-Language: en-us,en;q=0.5' \
    -H 'Connection: keep-alive' \
    -H 'Host: <internalmsca>' \
    -H 'Referer: https://<internalmsca>/certsrv/certrqxt.asp' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data 'mode=newreq&certrequest=-----begin+certificate+request-----%0d%0amiidbjccae4caqawadelmakga1uebhmcqvuxddakbgnvbagta05tvzepma0ga1ue%0d%0abxmgu3lkbmv5mqwwcgydvqqkewnzdw0xdjambgnvbastbvl1bultmrwwggydvqqd%0d%0aexn0zxn0lmf1lmludc50z3iubmv0miibijanbgkqhkig9w0baqefaaocaq8amiib%0d%0acgkcaqeaygzvkhfs0mw4tmodevtxoiz7eyym%2b1axnv8fqonykr7xtqsbominzf8r3rz%0d%0a4ctcu5nv7oc7ghpmhnf7adso4xexwnkfnckofecgko6o4otmrfupla38nv1%2bmytb%0d%0alrqal272jqdm9lsxtyw0or9qo4mjah1tvlf3icc1okoh6unubdrffe7dexwnk%2bsf%0d%0am8tgl0t3sfsrxrzl3vkgl%2b%2femvdokxeoiey%2f7umnewrcwtks1mw30hjvitjdqgzi%0d%0agyj6ldxrritvke9qxvvtxsl9nfzphyp4yf%2fzvajqmglz16aqo0pbeefjkgkrcy5j%0d%0amnvi2q8yc%2bw9bg%3d%3d%0d%0a-----end+certificate+request-----&certattrib=certificatetemplate%3a*webserver%0d%0auseragent%3amozilla%2f5.0+%28windows+nt+6.3%3b+wow64%3b+trident%2f7.0%3b+rv%3a11.0%29+like+gecko%0d%0a&friendlytype=saved-request+certificate+%287%2f7%2f2015%2c+3%3a46%3a39+pm%29&thumbprint=&targetstoreflags=0&savecert=yes' \
    | firefox "data:text/html;base64,$(base64 -w 0 <&0)"

I am interested in replaying the request after modifying it:

  1. decode --data (OK)
  2. modify --data (OK)
  3. re-encode... (not OK)

Encoded:

mode=newreq&certrequest=-----begin+certificate+request-----%0d%0amiidbjccae4caqawadelmakga1uebhmcqvuxddakbgnvbagta05tvzepma0ga1ue%0d%0abxmgu3lkbmv5mqwwcgydvqqkewnzdw0xdjambgnvbastbvl1bultmrwwggydvqqd%0d%0aexn0zxn0lmf1lmludc50z3iubmv0miibijanbgkqhkig9w0baqefaaocaq8amiib%0d%0acgkcaqeaygzvkhfs0mw4tmodevtxoiz7eyym%2b1axnv8fqonykr7xtqsbominzf8r3rz%0d%0a4ctcu5nv7oc7ghpmhnf7adso4xexwnkfnckofecgko6o4otmrfupla38nv1%2bmytb%0d%0alrqal272jqdm9lsxtyw0or9qo4mjah1tvlf3icc1okoh6unubdrffe7dexwnk%2bsf%0d%0am8tgl0t3sfsrxrzl3vkgl%2b%2femvdokxeoiey%2f7umnewrcwtks1mw30hjvitjdqgzi%0d%0agyj6ldxrritvke9qxvvtxsl9nfzphyp4yf%2fzvajqmglz16aqo0pbeefjkgkrcy5j%0d%0amnvi2q8yc%2bw9bg%3d%3d%0d%0a-----end+certificate+request-----&certattrib=certificatetemplate%3a*webserver%0d%0auseragent%3amozilla%2f5.0+%28windows+nt+6.3%3b+wow64%3b+trident%2f7.0%3b+rv%3a11.0%29+like+gecko%0d%0a&friendlytype=saved-request+certificate+%287%2f7%2f2015%2c+3%3a46%3a39+pm%29&thumbprint=&targetstoreflags=0&savecert=yes

Decoded:

mode=newreq&certrequest=-----begin certificate request-----
miidbjccae4caqawadelmakga1uebhmcqvuxddakbgnvbagta05tvzepma0ga1ue
bxmgu3lkbmv5mqwwcgydvqqkewnzdw0xdjambgnvbastbvl1bultmrwwggydvqqd
exn0zxn0lmf1lmludc50z3iubmv0miibijanbgkqhkig9w0baqefaaocaq8amiib
cgkcaqeaygzvkhfs0mw4tmodevtxoiz7eyym+1axnv8fqonykr7xtqsbominzf8r3rz
4ctcu5nv7oc7ghpmhnf7adso4xexwnkfnckofecgko6o4otmrfupla38nv1+mytb
lrqal272jqdm9lsxtyw0or9qo4mjah1tvlf3icc1okoh6unubdrffe7dexwnk+sf
m8tgl0t3sfsrxrzl3vkgl+/emvdokxeoiey/7umnewrcwtks1mw30hjvitjdqgzi
gyj6ldxrritvke9qxvvtxsl9nfzphyp4yf/zvajqmglz16aqo0pbeefjkgkrcy5j
mnvi2q8yc+w9bg==
-----end certificate request-----&certattrib=certificatetemplate:*webserver
useragent:mozilla/5.0 (windows nt 6.3; wow64; trident/7.0; rv:11.0) like gecko
&friendlytype=saved-request certificate (7/7/2015, 3:46:39 pm)&thumbprint=&targetstoreflags=0&savecert=yes

Re-encoded (urlencode1, urlencode2, urlencode3):

mode%3dnewreq%26certrequest%3d-----begin+certificate+request-----+miidbjccae4caqawadelmakga1uebhmcqvuxddakbgnvbagta05tvzepma0ga1ue+bxmgu3lkbmv5mqwwcgydvqqkewnzdw0xdjambgnvbastbvl1bultmrwwggydvqqd+exn0zxn0lmf1lmludc50z3iubmv0miibijanbgkqhkig9w0baqefaaocaq8amiib+cgkcaqeaygzvkhfs0mw4tmodevtxoiz7eyym%2b1axnv8fqonykr7xtqsbominzf8r3rz+4ctcu5nv7oc7ghpmhnf7adso4xexwnkfnckofecgko6o4otmrfupla38nv1%2bmytb+lrqal272jqdm9lsxtyw0or9qo4mjah1tvlf3icc1okoh6unubdrffe7dexwnk%2bsf+m8tgl0t3sfsrxrzl3vkgl%2b%2femvdokxeoiey%2f7umnewrcwtks1mw30hjvitjdqgzi+gyj6ldxrritvke9qxvvtxsl9nfzphyp4yf%2fzvajqmglz16aqo0pbeefjkgkrcy5j+mnvi2q8yc%2bw9bg%3d%3d+-----end+certificate+request-----%26certattrib%3dcertificatetemplate%3a%2awebserver+useragent%3amozilla%2f5.0+%28windows+nt+6.3%3b+wow64%3b+trident%2f7.0%3b+rv%3a11.0%29+like+gecko+%26friendlytype%3dsaved-request+certificate+%287%2f7%2f2015%2c+3%3a46%3a39+pm%29%26thumbprint%3d%26targetstoreflags%3d0%26savecert%3dyes

The 3 websites linked above (under Re-encoded) fail to re-encode it properly. The tricky part is that "=" and "&" should not be encoded.

URL encoding is simple:

    CR LF          %0d%0a (not %)
    space          +      (not %20)
    -              -      (not %2d)
    &              &      (not %26)
    =              =      (not %3d)
    + (in CSR)     %2b
    / (in CSR)     %2f
    (              %28
    )              %29

I could specifically use sed, for example, but I want to know if there is a way to find out which encoding the server is expecting and to encode in the proper charset automatically. Is that possible?

I solved it on Linux with bash and curl:

#!/bin/bash
# Tested on SUSE Linux 12 SP1 (bash: the script uses "function" and "echo -e")
# $1 - CN object name
# $2 - username (DOMAIN\\username)
# $3 - password

msca='hostname'          # internal Microsoft Certification Authority
username=$2
password=$3

function show_usage() {
    echo "Script to retrieve a certificate from the MS SubCA"
    echo "Usage: $0 <CN> [domain\\\\username] [password]"
    echo " "
    echo "Example: $0 example.com workgroup\\\\foo bar"
    exit 0
}

if [ -z "$1" ]; then
    show_usage
fi

if [ -z "$2" ]; then
    username="workgroup\\foo"
    password="bar"
fi

echo -e "\e[32m1. Generate private key...\e[0m"
# -subj attribute names are case-sensitive for openssl (C, ST, L, O, CN, emailAddress)
openssl req -new -nodes -out "$1.pem" -keyout "$1.key" \
    -subj "/C=RU/ST=State/L=City/O=Org/CN=$1/emailAddress=postmaster@example.com"
# Flatten the PEM to one line, percent-encode "+" and turn the spaces in the
# BEGIN/END markers into "+"; "/" and "=" are sent raw and the CA accepts them.
cert=$(tr -d '\n\r' < "$1.pem")
cert=$(echo "${cert}" | sed 's/+/%2b/g')
cert=$(echo "${cert}" | tr -s ' ' '+')
certattrib="CertificateTemplate:server%0d%0a"   # template name as configured on the CA

echo -e "\e[32m2. Request cert...\e[0m"
# -k skips TLS verification of the certsrv host; prefer --cacert <root> where possible.
# --compressed lets curl undo any gzip the server applies, so grep sees plain HTML.
outputlink=$(curl -k -u "${username}:${password}" --ntlm \
    "https://${msca}/certsrv/certfnsh.asp" \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    --compressed \
    -H 'Accept-Language: en-us,en;q=0.5' \
    -H 'Connection: keep-alive' \
    -H "Host: ${msca}" \
    -H "Referer: https://${msca}/certsrv/certrqxt.asp" \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data "Mode=newreq&CertRequest=${cert}&CertAttrib=${certattrib}&TargetStoreFlags=0&SaveCert=yes&ThumbPrint=" \
    | grep -A 1 'function handleGetCert() {' | tail -n 1 | cut -d '"' -f 2)
if [ -z "${outputlink}" ]; then
    echo -e "\e[31;47mNo certificate link in the CA response (request pending, denied, or wrong template?). Stopping.\e[0m"
    exit 1
fi
certlink="https://${msca}/certsrv/${outputlink}"

echo -e "\e[32m3. Retrieve cert: $certlink\e[0m"
curl -k -u "${username}:${password}" --ntlm "$certlink" \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    --compressed \
    -H 'Accept-Language: en-us,en;q=0.5' \
    -H 'Connection: keep-alive' \
    -H "Host: ${msca}" \
    -H "Referer: https://${msca}/certsrv/certrqxt.asp" \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
    > "$1.crt"

echo -e "\e[32m4. Verifying cert $1\e[0m"
# Add -CAfile <issuing chain> if the CA is not in the system trust store.
# Capture the exit code immediately; "$?" is overwritten by the test itself.
openssl verify -verbose "$1.crt"
rc=$?
if [ "$rc" -eq 0 ]; then
    echo -e "\e[32mWell done. Have a nice day.\e[0m"
    exit 0
else
    echo -e "\e[31;47mError code: $rc. Stopping.\e[0m"
    exit 1
fi
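The rule the question's encoding table and the answer's sed/tr lines are both working around is that application/x-www-form-urlencoded bodies are built by encoding each value on its own and only then joining name=value pairs with "&"; the three web tools fail because they encode the whole string, separators included. The following is an added example that is not code from the original post or from Microsoft's certsrv pages. It assumes the form field names seen in the captured request (Mode, CertRequest, CertAttrib, FriendlyType, ThumbPrint, TargetStoreFlags, SaveCert); the CSR and the CA response it is tested with are constructed sample data, not real output; the link extraction relies only on an issued-certificate page containing a `certnew.cer?ReqID=<n>` link; and the `submit_csr` wrapper (host, CA bundle, user, CSR file, template arguments are my naming) shows curl's own `--data-urlencode` doing the same per-value encoding, so no sed is needed.

```sh
#!/bin/sh
# Added example: per-value form encoding for a CSR POST to certsrv.
# POSIX sh plus od/awk/sed only, so it runs on a minimal box. ASCII input
# only, which is all a PEM-encoded CSR contains.

# Encode one form value. Unreserved bytes (A-Z a-z 0-9 - . _ ~) pass
# through, a space becomes "+", every other byte (CR, LF, "+", "/", "=",
# "&", ...) becomes %XX with upper-case hex.
form_encode_value() {
  printf '%s' "$1" | od -An -v -tx1 | awk '
    function unreserved(n) { return (n >= 48 && n <= 57) || (n >= 65 && n <= 90) || (n >= 97 && n <= 122) || n == 45 || n == 46 || n == 95 || n == 126 }
    BEGIN { for (i = 0; i < 256; i++) ord[sprintf("%02x", i)] = i }
    {
      for (i = 1; i <= NF; i++) {
        n = ord[$i]
        if (n == 32) printf "+"
        else if (unreserved(n)) printf "%c", n
        else printf "%%%s", toupper($i)
      }
    }'
}

# Decode one value (used here to round-trip check). "+" is turned into a
# space before %XX is expanded, otherwise a decoded %2B would be clobbered.
form_decode_value() {
  printf '%s' "$1" | awk '
    BEGIN { for (i = 0; i < 256; i++) ord[sprintf("%02X", i)] = i }
    {
      s = $0; gsub(/\+/, " ", s); out = ""
      while ((p = index(s, "%")) > 0) {
        out = out substr(s, 1, p - 1) sprintf("%c", ord[toupper(substr(s, p + 1, 2))])
        s = substr(s, p + 3)
      }
      printf "%s", out s
    }'
}

# Build the POST body for certfnsh.asp from a PEM CSR file ($1) and a
# template name ($2). Field names are the certsrv form's own; only the
# values are encoded, so the "=" and "&" between fields stay raw. The
# trailing CR LF on CertAttrib mirrors what the browser form sends.
build_csr_form() {
  _csr=$(cat "$1")                          # $(...) drops the final newline
  _nl=$(printf '\r\n_'); _nl=${_nl%_}       # CR LF, kept past $(...) stripping
  printf 'Mode=newreq&CertRequest=%s&CertAttrib=%s&FriendlyType=&ThumbPrint=&TargetStoreFlags=0&SaveCert=yes' \
    "$(form_encode_value "$_csr")" \
    "$(form_encode_value "CertificateTemplate:$2$_nl")"
}

# Pull the request ID out of the CA's reply (stdin). An issued certificate
# page links to certnew.cer?ReqID=<n>...; a pending request has no such
# link, so this returns 1 and a caller can stop instead of saving an empty
# .crt file.
extract_req_id() {
  _id=$(sed -n 's/.*certnew\.cer?ReqID=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$_id" ] && printf '%s\n' "$_id"
}

# Real submission (network call, not exercised below). curl appends every
# --data/--data-urlencode piece with "&" and "name@file" loads and encodes
# the file, so this is the same body build_csr_form produces. Assumed
# arguments: $1 CA host, $2 CA trust bundle (instead of -k), $3 DOMAIN\user
# (curl prompts for the password, keeping it out of argv), $4 CSR file,
# $5 template name.
submit_csr() {
  curl -s --ntlm -u "$3" --cacert "$2" \
    --data 'Mode=newreq' \
    --data-urlencode "CertRequest@$4" \
    --data-urlencode "CertAttrib=CertificateTemplate:$5" \
    --data 'FriendlyType=&ThumbPrint=&TargetStoreFlags=0&SaveCert=yes' \
    "https://$1/certsrv/certfnsh.asp"
}
```

Typical use: `id=$(submit_csr ca.example.internal root.pem 'CORP\svc-enroll' host.pem WebServer | extract_req_id) && curl --ntlm -u 'CORP\svc-enroll' --cacert root.pem "https://ca.example.internal/certsrv/certnew.cer?ReqID=$id&Enc=b64" -o host.crt`; the `&&` means a pending or denied request never produces an empty certificate file.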
