Skip to content

Examples of using the SCEPman REST API to request certificates

License

Notifications You must be signed in to change notification settings

scepman/csr-request

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CSR REST Request Sample Code Library

Examples for using the SCEPman REST API to request certificates. All examples should be adapted to your environment before production usage.

Submissions are welcome!

PowerShell and az

The PowerShell script request-certificate-with-az.ps1 uses PowerShell to generate an RSA key, az to submit it to SCEPman's CSR endpoint with AAD authentication, and again .NET Core to merge the issued certificate with the RSA private key to a PFX file.

Therefore, you must install PowerShell Core and Azure CLI on your machine.

You need to call az login before running the script, so az can authenticate to the CSR endpoint.

C# on .NET 7

The C# Console application CsrClient shows how to use the API with C#. It generates an ECC key pair and creates a CSR with the key. A JWT token is acquired using MSAL and that authenticates the request send to SCEPman's CSR REST API. The resulting certificate is combined with the key pair and saved as PFX file.

There are three options for authentication:

1. Default authentication

Usage: CsrClient SCEPMAN_BASE_URL SCEPMAN_API_SCOPE

If you pass only SCEPMAN_BASE_URL and SCEPMAN_API_SCOPE, you must have some "default" authentication at hand that allows you to submit requests to the CSR REST API. For example, if you are authenticated with az, the az credentials are used for the authentication.

2. Certificate-based authentication

Usage: CsrClient SCEPMAN_BASE_URL SCEPMAN_API_SCOPE CLIENT_ID CERTIFICATE_SPECIFICATION TENANT_ID

If you also pass CLIENT_ID andd TENANT_ID, this will authenticate as an Enterprise App. The Enterprise App must have the permission on your scepman-api Enterprise App (it must be added to the Role).

CERTIFICATE_SPECIFICATION can be either cert-file:{path-to-pfx-file} or cert-store:{thumbprint}. In the first case, the certificate is loaded from the specified PFX file. In the second case, the certificate is loaded from the local Personal certificate store of the current user. The certificate must have a private key. The certificate can be mapped from a smard-card to the store.

You may create a self-signed certificate with PowerShell with this command, for example:

New-SelfSignedCertificate -Subject "CN=scepman-client-cert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy NonExportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(10)

Afterwards, export the public part of the certificate and add it to your app registration as a certificate under the "Certificates & secrets" section.

3. Client secret authentication

Usage: CsrClient SCEPMAN_BASE_URL SCEPMAN_API_SCOPE CLIENT_ID secret:{CLIENT_SECRET} TENANT_ID

This option is similar to the previous one, but uses a client secret instead of a certificate. The client secret must be created in the "Certificates & secrets" section of your app registration.

4. Interactive authentication

Usage: CsrClient SCEPMAN_BASE_URL SCEPMAN_API_SCOPE CLIENT_ID interactive TENANT_ID

This option will open a browser window for interactive Entra ID authentication. Before you can use this, you must do the following preparation:

  • Create a new app registration in Azure portal. In Authentication, add a "Mobile and desktop application" as a platform.
  • Go to the app registration SCEPman-api and visit "Expose an API". Under "Authorized client applications", you must add the client ID of the app registration just created.

For this case, CLIENT_ID refers to the newly created app registration.

License

All code is available under the terms of the MIT License.

About

Examples of using the SCEPman REST API to request certificates

Resources

License

Stars

Watchers

Forks

Packages

No packages published