Skip to content

magnuswatn/pkcs7csr

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits

tests

tests

 
 

.gitignore

.gitignore

 
 

.isort.cfg

.isort.cfg

 
 

.travis.yml

.travis.yml

 
 

LICENCE

LICENCE

 
 

Pipfile

Pipfile

 
 

README.rst

README.rst

 
 

pkcs7csr.py

pkcs7csr.py

 
 

setup.py

setup.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

pkcs7csr

image

image

image

image

Python module for creating Microsoft style "PKCS #7 renewal request" for use with Active Directory Certificate Services.

This allows non-IIS web servers to automatically renew their certificates from an ADCS server.

About PKCS #7 renewal requests

The point of a PKCS#7 renewal request is that you prove that you possess an existing valid certificate, and therefore is authorized to get a new one with the same subject.

They consist of a normal PKCS #10 CSR with a special RENEWAL_CERTIFICATE extension containing the original certificate. This in then placed in a PKCS #7 structure and signed with the private key beloinging to the original certificate, and thus proving you are the rightful owner of the original certificate. You are then allowed a certificate with the same subject (and extensions) as the original.

ADCS configuration

For this to work smoothly your template should have the option to require "CA certificate manager approval" enabled, but allow reenrollment with "valid existing certificate". The service account used for reenrollment must have permission to enroll.

The first certificate then needs to be approved by a CA manager, but renewals can go automatically. It is obviously important to verify the first certificate thorough as it can be used, in practice, forever. Also, it is important to revoke all unexpired certificate if the relevant key is ever compromised.

Installation

$ pipenv install pkcs7csr

Example usage

Renew a certificate, using pkcs7csr and certsrv:

import pkcs7csr
from certsrv import Certsrv
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

# Read the certificate and key from file
with open('/etc/pki/tls/certs/my_adcs_cert.pem', 'rb') as open_file:
    cert = x509.load_pem_x509_certificate(open_file.read(), default_backend())

with open('/etc/pki/tls/private/my_adcs_key.pem', 'rb') as open_file:
    key = serialization.load_pem_private_key(
        open_file.read(),
        password=None,
        backend=default_backend()
    )

# Create a PKCS #7 renewal request
csr = pkcs7csr.create_pkcs7csr(cert, key)

# Submit to the CA server using certsrv
certsrv = Certsrv('my-adcs-server.example.net', 'myUser', 'myPassword')
pem_cert = certsrv.get_cert(csr, 'myTemplate')

# Write the new cert to the file
with open('/etc/pki/tls/certs/my_adcs_cert.pem', 'wb') as open_file:
    open_file.write(pem_cert)

# Reload apache or whatever here

About

For creating Microsoft style "PKCS #7 renewal request"

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases 2

Updated example Latest
Aug 28, 2018
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages