programmatically issuing a pending request in MS Certificate Authority Standalone

Manoj Pathak 21 Reputation points
2021-12-03T15:47:06.28+00:00

I have a Microsoft Standalone Certificate Authority (MSCA) set up. I am able to request a certificate from this MSCA programmatically, but the issue is that this request goes to pending requests and needs someone to manually log into the MSCA server to issue/deny it.

Is there an API or way to issue/deny it programmatically?


Accepted answer
  1. Limitless Technology 39,516 Reputation points
    2021-12-06T09:38:12.54+00:00

    Hello,

    As per MS documentation, "request pending" means that if the requester has CA manager or CA administrator permissions, we can use another CryptoAPI COM interface to issue the certificate — the ICertAdmin::ResubmitRequest method. The method takes two arguments:

    CA configuration string (which is already stored in $ConfigString variable);
    Request ID.
    In order to retrieve request ID, we call ICertRequest3::GetRequestId method:

    https://learn.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest-getrequestid?redirectedfrom=MSDN

    # $CertRequest is the ICertRequest COM object (CertificateAuthority.Request) that submitted the request
    $RequestID = $CertRequest.GetRequestId()

    and call ICertAdmin::ResubmitRequest method as follows:

    https://learn.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest-getrequestid?redirectedfrom=MSDN

    # instantiate ICertAdmin COM interface object:
    $CertAdmin = New-Object -ComObject CertificateAuthority.Admin
    # call ResubmitRequest method to issue the pending request; $ConfigString is "CAHostName\CAName"
    $CertAdmin.ResubmitRequest($ConfigString, $RequestID)

    The method returns a disposition code. If the disposition code is 3, then the certificate was successfully issued. In order to retrieve the issued certificate, we need to return to the ICertRequest interface and call the ICertRequest3::RetrievePending method:

    # returns the disposition code again; 3 means the issued certificate is now loaded into $CertRequest
    $CertRequest.RetrievePending($RequestID, $ConfigString)

    The certificate is now retrieved. The next step is to get the issued certificate and save it to a file. To get the certificate, we call the ICertRequest3::GetCertificate method, specifying the output encoding. Just to remember, output encoding values are defined in the EncodingType enumeration https://learn.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-encodingtype?redirectedfrom=MSDN. Base64 with headers (0) is enough:

    # 0 = Base64 with PEM-style BEGIN/END CERTIFICATE headers
    $Base64 = $CertRequest.GetCertificate(0)
    Set-Content .\issuedcert.cer -Value $Base64

    Now certificate issuance is completed and you can move the issued certificate to the original client where we generated the request.

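The approve/retrieve flow from the accepted answer, together with the deny path it mentions, as an added end-to-end example (not code from the answer's author or from Microsoft). The config string and request IDs are placeholders; the account running it needs the CA Manager ("Issue and Manage Certificates") right, and a disposition other than 3 is treated as a failure rather than silently continuing.

```powershell
# Added example: approve or deny a pending request on a standalone CA via ICertAdmin,
# then fetch the issued certificate via ICertRequest. Placeholders must be replaced
# with your own CA's "host\CA name" config string and real request IDs.

$ConfigString = 'CAHOST\Contoso Standalone CA'   # placeholder config string

$CR_DISP_DENIED           = 2                    # ICertRequest/ICertAdmin disposition codes
$CR_DISP_ISSUED           = 3
$CR_DISP_UNDER_SUBMISSION = 5
$CR_OUT_BASE64HEADER      = 0                    # GetCertificate output: Base64 with PEM headers

function Approve-PendingCertRequest {
    param([string]$Config, [int]$RequestId, [string]$OutFile)

    $admin = New-Object -ComObject CertificateAuthority.Admin
    $disp  = $admin.ResubmitRequest($Config, $RequestId)
    if ($disp -ne $CR_DISP_ISSUED) {
        # 5 = still pending (caller lacks CA Manager rights or the policy module held it),
        # 2 = denied, anything else = error. Stop here instead of retrieving a non-existent cert.
        throw "ResubmitRequest returned disposition $disp for request $RequestId"
    }

    # Pull the now-issued certificate into an ICertRequest object and check the disposition again.
    $req  = New-Object -ComObject CertificateAuthority.Request
    $disp = $req.RetrievePending($RequestId, $Config)
    if ($disp -ne $CR_DISP_ISSUED) {
        throw "RetrievePending returned $disp for request $RequestId : $($req.GetDispositionMessage())"
    }

    $pem = $req.GetCertificate($CR_OUT_BASE64HEADER)
    Set-Content -Path $OutFile -Value $pem -Encoding ascii
    return $pem
}

function Deny-PendingCertRequest {
    param([string]$Config, [int]$RequestId)

    # ICertAdmin::DenyRequest moves the pending request to the CA's failed/denied requests.
    $admin = New-Object -ComObject CertificateAuthority.Admin
    $admin.DenyRequest($Config, $RequestId)
}

# Usage with placeholder request IDs: approve one request, deny another.
Approve-PendingCertRequest -Config $ConfigString -RequestId 42 -OutFile '.\issuedcert.cer'
Deny-PendingCertRequest    -Config $ConfigString -RequestId 43
```

Because ResubmitRequest approves without any content check, a script like this should only be run after the request has been reviewed, since whoever can run it effectively holds the CA Manager role for every pending request.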


1 additional answer

  1. Vadims Podāns 9,116 Reputation points MVP
    2021-12-03T16:12:55.667+00:00

    Yes, you can use ICertAdmin::ResubmitRequest method to approve the request programmatically. The caller must have CA Manager permissions.
