A Python module for creating Microsoft style "PKCS #7 renewal requests"
Python module for creating Microsoft style “PKCS #7 renewal request” for use with Active Directory Certificate Services.
This allows non-IIS web servers to automatically renew their certificates from an ADCS server.
About PKCS #7 renewal requests
The point of a PKCS#7 renewal request is that you prove that you possess an existing valid certificate, and therefore is authorized to get a new one with the same subject.
They consist of a normal PKCS #10 CSR with a special RENEWAL_CERTIFICATE extension containing the original certificate. This in then placed in a PKCS #7 structure and signed with the private key beloinging to the original certificate, and thus proving you are the rightful owner of the original certificate. You are then allowed a certificate with the same subject (and extensions) as the original.
For this to work smoothly your template should have the option to require “CA certificate manager approval” enabled, but allow reenrollment with “valid existing certificate”. The service account used for reenrollment must have permission to enroll.
The first certificate then needs to be approved by a CA manager, but renewals can go automatically. It is obviously important to verify the first certificate thorough as it can be used, in practice, forever. Also, it is important to revoke all unexpired certificate if the relevant key is ever compromised.
$ pipenv install pkcs7csr
Renew a certificate, using pkcs7csr and certsrv:
import certsrv import pkcs7csr from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization # Read the certificate and key from file with open('/etc/pki/tls/certs/my_adcs_cert.pem', 'r') as open_file: cert = x509.load_pem_x509_certificate(open_file.read(), default_backend()) with open('/etc/pki/tls/private/my_adcs_key.pem', 'r') as open_file: key = serialization.load_pem_private_key( open_file.read(), password=None, backend=default_backend() ) # Create an PKCS #7 renewal request csr = pkcs7csr.create_pkcs7csr(cert, key) # Submit to the CA server using certsrv pem_cert = certsrv.get_cert('my-adcs-server.example.net', csr, 'myTemplate', 'myUser', 'myPassword') # Write the new cert to the file with open('/etc/pki/tls/certs/my_adcs_cert.pem', 'w') as open_file: open_file.write(pem_cert) # Reload apache or whatever here