PowerShell PKI Module (PSPKI) Submit-CertificateRequest without storing CSR in file


I am using the PowerShell PKI Module to manage my certificates on Enterprise ADCS. I have created a simple tool that is using PS scripts for better convenience and to save some time.

When issuing certificates, I am using the Submit-CertificateRequest command, which takes as input a CSR stored in a file via the -Path parameter:

Submit-CertificateRequest -Path $csrFileName -CertificationAuthority $cca -Attribute "CertificateTemplate:$certificateTemplate"

This means that whenever I provide the CSR in the script, I need to store it first in a file, then use the command to issue the certificate, and after that delete the file with the CSR. This is a complexity I would like to remove.

Is there any way I can provide the CSR as input to the command without storing it in a file? The -Path parameter is required, and I need to somehow reference a file that will be used as the CSR to issue a certificate. Can I avoid that? Is there a better way I can submit requests without storing them in a file?

My primary interface is PowerShell; if this were feasible with the current PSPKI commands, it would be great.


There is 1 answer

garethTheRed (BEST ANSWER)

You could emulate what Submit-CertificateRequest does, but it's probably longer than wrapping it in a function:

$req = "
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICZzCCAdACAQAwETEPMA0GA1UEAwwGVGVzdFBTMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCoSlRfphyVgWrwEPipstSe1pr4+mDOhBDP2ZJPsAevoTTQqt9x
iOnJnfPMLBWEiqYmPklf9WKBkzLKeC2RfE3a8FGNhRBZb3Vzj8PvBoCMc63hvy+i
q5hwVWDnWm96mpk+F3ykB60JWAAzL9vY+w2U6kAUQYo8/RPMZ1bLLCV0XQIDAQAB
oIIBFDAcBgorBgEEAYI3DQIDMQ4WDDEwLjAuMTc3NjMuMjBABgkrBgEEAYI3FRQx
MzAxAgEFDA5jYTIudzJrMTkudGVzdAwTVzJLMTlcYWRtaW5pc3RyYXRvcgwHTU1D
LkVYRTBKBgkqhkiG9w0BCQ4xPTA7MBoGA1UdEQQTMBGCD3d3dy5leGFtcGxlLm9y
ZzAdBgNVHQ4EFgQUsDOyEAUoOyC7dIdbbKZDNiSMXI8wZgYKKwYBBAGCNw0CAjFY
MFYCAQAeTgBNAGkAYwByAG8AcwBvAGYAdAAgAFMAbwBmAHQAdwBhAHIAZQAgAEsA
ZQB5ACAAUwB0AG8AcgBhAGcAZQAgAFAAcgBvAHYAaQBkAGUAcgMBADANBgkqhkiG
9w0BAQsFAAOBgQArPgWJ77GxhDlVLXQT2yB2XZh+SVCewDYjoBuqjnSQWFjpS5uB
ZK1XTNIYCCfb1uPgLxlB17cEd8/gZrLrOr9zwGEsOcqSL9LaaetEbkq5qPhfAvi0
e3DXpZ0BDkneYHGNKR5GPBuKMcKHgMkDPqj/kMgl7LFIfkR4St3ffoeF3Q==
-----END NEW CERTIFICATE REQUEST-----
"

# CertificateAuthority.Config exposes ICertConfig; GetConfig(1) = CC_UIPICKCONFIG
# prompts the user to pick a CA and returns its config string ("host\CA name").
$CertConfig = New-Object -ComObject CertificateAuthority.Config
$ConfigString = $CertConfig.GetConfig(1)
# CertificateAuthority.Request exposes ICertRequest; Submit(Flags, Request, Attributes, Config).
# Flags 0 = CR_IN_BASE64HEADER, i.e. the PEM text above including its BEGIN/END lines.
# The return value is the CA's disposition code (e.g. 3 = issued, 5 = pending).
$CertRequest = New-Object -ComObject CertificateAuthority.Request
$Status = $CertRequest.Submit(0,$req,"CertificateTemplate:WebServer",$ConfigString)

Note that the above was blatantly plagiarised from the author of Submit-CertificateRequest's web page (which was offline when I wrote this, so here is a cached version).

The GetConfig() method takes a single flag argument:

Constant                     Value       Meaning
CC_DEFAULTCONFIG             0x00000000  Retrieves the default certification authority.
CC_UIPICKCONFIG              0x00000001  Displays a user interface that allows the user to select a certification authority.
CC_FIRSTCONFIG               0x00000002  Returns the first certification authority.
CC_LOCALCONFIG               0x00000003  Retrieves the local certification authority.
CC_LOCALACTIVECONFIG         0x00000004  Retrieves the local certification authority if it is running.
CC_UIPICKCONFIGSKIPLOCALCA   0x00000005  Displays a user interface that allows the user to select a certification authority. The UI excludes any local certification authority. This exclusion is useful during subordinate certification authority certificate renewal when the subordinate certification authority certificate request is submitted to a certification authority other than the current certification authority.

If you know your CA Config string beforehand, then you can simplify this into two lines:

$CertRequest = New-Object -ComObject CertificateAuthority.Request
$Status = $CertRequest.Submit(0,$req,"CertificateTemplate:WebServer","ca1.example.org\Example CA1")
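As an added example (not code from the question, the answer, or the PSPKI project), the following function wraps the same ICertRequest COM call in a reusable form: it takes the PEM CSR as a string, never writes it to disk, maps the disposition code the CA returns to a readable name, and fetches the certificate only when the request was actually issued. The CA config string and template name in the usage comment are placeholders you would replace with your own; the CR_IN_*/CR_OUT_*/CR_DISP_* values are the documented certcli.h constants.

```powershell
# Added example: submit a PEM CSR held in a string via ICertRequest, without a temp file.
function Submit-CsrString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Csr,           # PEM text, including BEGIN/END lines
        [Parameter(Mandatory)] [string] $ConfigString,  # CA config string, "host\CA name"
        [Parameter(Mandatory)] [string] $Template       # certificate template name
    )

    # ICertRequest::Submit flag: 0 = CR_IN_BASE64HEADER (PEM with header lines).
    $CR_IN_BASE64HEADER = 0
    # ICertRequest::GetCertificate flag: 0 = CR_OUT_BASE64HEADER (PEM output).
    $CR_OUT_BASE64HEADER = 0

    # Disposition codes returned by Submit (CR_DISP_* in certcli.h).
    $dispositions = @{
        0 = 'Incomplete'
        1 = 'Error'
        2 = 'Denied'
        3 = 'Issued'
        4 = 'IssuedOutOfBand'
        5 = 'Pending'
        6 = 'Revoked'
    }

    # Reject input that is clearly not a PEM CSR before it reaches the CA,
    # so a wrong variable or an empty string fails here instead of at the CA.
    if ($Csr -notmatch '-----BEGIN (NEW )?CERTIFICATE REQUEST-----') {
        throw 'Input is not a PEM-encoded certificate request.'
    }

    $request = New-Object -ComObject CertificateAuthority.Request
    $disposition = $request.Submit($CR_IN_BASE64HEADER, $Csr,
                                   "CertificateTemplate:$Template", $ConfigString)

    # Keep the request ID: it is the key for the CA database entry and for audit.
    $result = [pscustomobject]@{
        RequestId   = $request.GetRequestId()
        Disposition = $dispositions[[int]$disposition]
        Message     = $request.GetDispositionMessage()
        Certificate = $null
    }

    # Only an issued request (3) has a certificate to retrieve.
    if ($disposition -eq 3) {
        $result.Certificate = $request.GetCertificate($CR_OUT_BASE64HEADER)
    }

    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($request)
    return $result
}

# Usage (placeholder CA and template; $req is a PEM CSR string like the one in the answer):
# $r = Submit-CsrString -Csr $req -ConfigString 'ca1.example.org\Example CA1' -Template 'WebServer'
# switch ($r.Disposition) {
#     'Issued'  { Set-Content -Path "$($r.RequestId).cer" -Value $r.Certificate }
#     'Pending' { "Request $($r.RequestId) is awaiting CA manager approval" }
#     default   { Write-Warning "CA returned $($r.Disposition): $($r.Message)" }
# }
```

Branching on the disposition matters in practice: a template configured for manager approval returns Pending (5) rather than Issued (3), and calling GetCertificate in that state fails, so a script that assumes immediate issuance will silently produce no output. Holding the CSR only in memory also means nothing is left on disk to clean up, which is the convenience the question asks for.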