Wednesday, May 13, 2020

Full circle

Following up from my last post about generating a CSR, I went through the motions of testing the full cycle for said CSR. I'd sign it with a bogus (but locally trusted) authority certificate, install the signed cert locally, export the PFX, install it on a Web server, select the cert for TLS on an IIS website, and hit it with a bunch of desktop browsers. The certificate works as expected.

That said, the part where I've signed the CSR with another cert (technically with its private key) was somewhat involved. Initially I thought I'd do it in PowerShell, but it turned out some of the requisite logic is native only. It's present in CryptoAPI, but .NET doesn't surface it. There is a .NET method for signing a CSR object with another certificate, the way a certificate authority would, but there's no method for loading a CSR from a file, short of either P/Invoke or writing your own ASN.1 parser. Similarly, serializing the Authority Key Identifier extension, which is rather relevant for establishing the certificate chain, is supported by CryptoAPI but not by .NET.

In general, the job is doable in PowerShell, but only if one is willing to either write a bunch of ugly P/Invoke and marshaling code, or reinvent a good piece of CryptoAPI logic. The minimal workable "sign a CSR with a cert" piece was ~130 lines of C++ (would be more with proper error handling and careful memory management), and probably twice as many in PowerShell.
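The in-memory version of that "sign a CSR with a cert" piece, as an added PowerShell example (not code from this post): it uses .NET's CertificateRequest.Create for the signing, hand-encodes the Authority Key Identifier extension that .NET would not serialize, and then runs the same full circle as above, a chain check and a PFX export. The CA name, the leaf name, the serverAuth EKU and the PFX password are assumed values.

```powershell
# Added example, not from the original post. Runs on Windows PowerShell 5.1 (.NET Framework 4.7.2+)
# or PowerShell 7. The CSR is built in memory because .NET offers no loader for a request file.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-AuthorityKeyIdentifierExtension([X509Certificate2] $Issuer) {
    # Copy the issuer's Subject Key Identifier into an AKI so chain builders can link the two certs.
    $ski = $Issuer.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.14" }
    if (-not $ski) { throw "Issuer has no Subject Key Identifier extension" }
    # SKI RawData is a DER OCTET STRING: 04 <len> <keyid>. Key ids are 20 bytes, so one-byte lengths suffice.
    $keyId = [byte[]]($ski.RawData[2..($ski.RawData.Length - 1)])
    # AKI value is SEQUENCE { [0] IMPLICIT keyIdentifier }  ->  30 <len> 80 <len> <keyid>
    $inner = [byte[]](@(0x80, $keyId.Length) + $keyId)
    $der   = [byte[]](@(0x30, $inner.Length) + $inner)
    return [X509Extension]::new([Oid]::new("2.5.29.35", "Authority Key Identifier"), $der, $false)
}

# 1. A bogus but self-consistent CA (assumed name). CA=true and KeyCertSign are required by Create().
$caKey = [RSA]::Create(2048)
$caReq = [CertificateRequest]::new("CN=Test Local CA", $caKey, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$caReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$caReq.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]'KeyCertSign, CrlSign', $true))
$caReq.CertificateExtensions.Add([X509SubjectKeyIdentifierExtension]::new($caReq.PublicKey, $false))
$caCert = $caReq.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(5))

# 2. The "CSR" for the Web server (assumed name), with a TLS server profile and the hand-built AKI.
$leafKey = [RSA]::Create(2048)
$leafReq = [CertificateRequest]::new("CN=www.example.test", $leafKey, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$leafReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
$leafReq.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]'DigitalSignature, KeyEncipherment', $true))
$eku = [OidCollection]::new(); $null = $eku.Add([Oid]::new("1.3.6.1.5.5.7.3.1"))   # id-kp-serverAuth
$leafReq.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($eku, $false))
$leafReq.CertificateExtensions.Add((New-AuthorityKeyIdentifierExtension $caCert))

# 3. Sign it the way a CA would: random positive serial, validity inside the CA's own window.
$serial = [byte[]]::new(16); [RandomNumberGenerator]::Create().GetBytes($serial); $serial[0] = $serial[0] -band 0x7F
$leaf = $leafReq.Create($caCert, [DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1), $serial)

# 4. Chain check: the CA is only in ExtraStore, so the one expected status is UntrustedRoot.
$chain = [X509Chain]::new()
$null = $chain.ChainPolicy.ExtraStore.Add($caCert)
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
$built = $chain.Build($leaf)
"Chain built: $built; elements: $($chain.ChainElements.Count); status: $($chain.ChainStatus.Status -join ',')"

# 5. Marry the signed cert to its private key and export the PFX the Web server will import.
$pfx = [RSACertificateExtensions]::CopyWithPrivateKey($leaf, $leafKey).Export([X509ContentType]::Pfx, "changeit")
[IO.File]::WriteAllBytes((Join-Path $PWD 'leaf.pfx'), $pfx)
```

Note that Create() refuses an issuer whose key algorithm differs from the request's key, so an RSA request needs an RSA CA here. Later .NET releases (.NET 7 onward) added X509AuthorityKeyIdentifierExtension and CertificateRequest.LoadSigningRequest, which remove the two workarounds this script needs.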
