Skip to content
/ adcs Public

Active Directory Certificate Services command line utility.

License

Apache-2.0 license
26 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jimmypw/adcs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

88 Commits

cli/adcscli

cli/adcscli

 
 

tools

tools

 
 

.gitignore

.gitignore

 
 

CHANGELOG

CHANGELOG

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

WebEnrollmentNewRequest.go

WebEnrollmentNewRequest.go

 
 

WebEnrollmentPendingRequest.go

WebEnrollmentPendingRequest.go

 
 

WebEnrollmentRequest.go

WebEnrollmentRequest.go

 
 

WebEnrollmentResponse.go

WebEnrollmentResponse.go

 
 

WebEnrollmentServer.go

WebEnrollmentServer.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

version.go

version.go

 
 

Repository files navigation

ADCS

A library and command line interface for scraping Active Directory Certificate Services Web enrollment Service web interface.

While attempting to automate public key infrastrucutre in an enterprise environment it quickly became apparent that the common approaches such as ACME and SCEP are inadequate when dealing with devices that do not support such prototols. An example of this is a Cisco network device I was configuring. All this device is able to do is generate CSR's. SCEP/NDES - specifically the renewal part requires access to the private key in order to renew the certificate, ACME, while cool is unsuitable for use within an enterprise network.

So we are left with either interfacing with ADCS directly through the MMC or the Web Enrolment serivice. When you have a thousand devices to deploy, doing stuff manually isn't very appealing. Here is where adcscli is born. adcscli is a scraper for microsofts web enrollment services. Given a CSR and a few other pieces of information the software will interact with Active Directory Certificate Services Web Enrollment Services and hopefully retrieve a signed certificate.

Here Be Dragons

adcs is a scraper. Because Web Enrollment Services does not have an API it instead relies on regular expressions. The patterns being matched may change and this software may stop working at any time.

Installation

Head to https://github.com/jimmypw/adcs/releases for binaries for your favourite operating system.

Usage

There are two modes of operation, the first is submitting a csr. The second is checking the status of the csr.

To submit a new csr:

adcscli -new -csr csr.csr -out crt.crt -password 'supersecurepassword' -username auser -url http://192.168.252.140/certsrv/ -template webtemplate

The CSR will be submitted to the web enrollment service and will produce one of two responses.

The certificate request requires admin approval

In this case a command will be returned to the user to check the status of the request.

for example adcscli -pend -url http://192.168.252.140/certsrv/ -username 'username' -password 'password' -requestid 3395

The command will emit the exit status of 1 to indicate a pending request.

Notice that this command does not return the username and password. These are required to submit the pending request.

The certificate request was successful

In this case a certificate will be returned to the user. The certficicate can be saved to the filesystem by using the -out command line switch. If -out is not supplied the certificate will be printed to stdout.

To check the status of an existing request

The responses are the same as submitting a new CSR.

About

Active Directory Certificate Services command line utility.

Topics

microsoft cli golang ssl certificate pki certificate-request adcs

Resources

Readme

License

Apache-2.0 license
Activity

Stars

26 stars

Watchers

2 watching

Forks

5 forks
Report repository

Releases 3

v1.2.0 Latest
Dec 1, 2022
+ 2 releases

Contributors 4

  •  
  •  
  •  
  •  

Languages