Channel: Public Key Infrastructure PowerShell module

Commented Unassigned: Extract Subject Alternate Names from a Certificate Request [43]

Hello,

Is there a function available in the PSPKI-Module (or PS-Code available) for extracting the SANs of an existing Certificate Request (which exists as Base64-Encoded String available in Memory/in a File)?

When submitting a CSR to the CA for signing there is the possibility to pass additional SANs via an own Parameter of the Submit-CertificateRequest function. But doing this, SANs which are already in the CSR are ignored.

So it would be fine to extract SANs from the CSR-String and add additional SANs (collected via a GUI) to them and then Submit them to the CA.

Thank you in advance for your answer

Regards Andreas
Comments: There is no ready API for that, because it is not a common case. As a workaround you need to do some CertEnroll stuff.

1) Instantiate the [X509CertificateRequest](http://pkix2.sysadmins.lv/library/html/T_System_Security_Cryptography_X509CertificateRequests_X509CertificateRequest.htm) class from the request file. Currently only PKCS#10 requests are supported.
2) Find the extension (in the [Extensions](http://pkix2.sysadmins.lv/library/html/P_System_Security_Cryptography_X509CertificateRequests_X509CertificateRequest_Extensions.htm) property) with OID=2.5.29.17.
3) Instantiate the [IX509ExtensionAlternativeNames](http://msdn.microsoft.com/en-us/library/windows/desktop/aa378081(v=vs.85).aspx) interface and call the [InitializeDecode](http://msdn.microsoft.com/en-us/library/windows/desktop/aa378087(v=vs.85).aspx) method, passing the RawData value (from the Extension object).
4) Use the [AlternativeNames](http://msdn.microsoft.com/en-us/library/windows/desktop/aa378085(v=vs.85).aspx) property to retrieve the exact names.

Simple example:

```
# Load the PKCS#10 request from file
$req = New-Object Security.Cryptography.X509CertificateRequests.X509CertificateRequest c:\temp\request.csr
# Pick the Subject Alternative Name extension (OID 2.5.29.17)
$e = $req.Extensions | ?{$_.Oid.Value -eq "2.5.29.17"}
# Decode the extension with CertEnroll; 1 = XCN_CRYPT_STRING_BASE64
$san = New-Object -Com X509Enrollment.CX509ExtensionAlternativeNames
$san.InitializeDecode(1, [Convert]::ToBase64String($e.RawData))
```
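The four steps above carried through to reading the `AlternativeNames` property and merging the result with extra DNS names, as an added example that is not part of the original comment or of PSPKI. The function names and the sample DNS names are hypothetical; it assumes the PSPKI module is installed and a PKCS#10 request exists at the path used in the comment.

```powershell
# Added example, not PSPKI's own code. Function names are hypothetical.
Import-Module PSPKI   # provides the X509CertificateRequest class used on this page

# CertEnroll AlternativeNameType values whose text is exposed through strValue
$StrValueTypes = @{ 2 = 'email'; 3 = 'dns'; 7 = 'url'; 11 = 'upn' }

function Get-CsrSubjectAltName {
    param([Parameter(Mandatory)][string]$Path)

    $req = New-Object Security.Cryptography.X509CertificateRequests.X509CertificateRequest $Path
    $ext = $req.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }          # the CSR carries no SAN extension

    $san = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
    $san.InitializeDecode(1, [Convert]::ToBase64String($ext.RawData))  # 1 = XCN_CRYPT_STRING_BASE64

    foreach ($name in $san.AlternativeNames) {
        $type = [int]$name.Type
        if ($StrValueTypes.ContainsKey($type)) {
            [pscustomobject]@{ Type = $StrValueTypes[$type]; Value = $name.strValue }
        }
        elseif ($type -eq 8) {
            # IP addresses have no strValue; decode the 4- or 16-byte raw value
            $bytes = [Convert]::FromBase64String($name.RawData(1))
            [pscustomobject]@{ Type = 'ip'; Value = ([System.Net.IPAddress]::new($bytes)).ToString() }
        }
        else {
            # Surface any other name type rather than silently dropping it
            [pscustomobject]@{ Type = "other($type)"; Value = $name.RawData(1).Trim() }
        }
    }
}

function Merge-SubjectAltName {
    param([object[]]$FromCsr, [string[]]$AdditionalDns)
    $extra = foreach ($d in $AdditionalDns) { [pscustomobject]@{ Type = 'dns'; Value = $d.Trim() } }
    # Group on type + lower-cased value so 'WWW.example.test' and 'www.example.test' collapse
    @($FromCsr) + @($extra) | Where-Object { $_ } |
        Group-Object { "$($_.Type)=$($_.Value.ToLowerInvariant())" } |
        ForEach-Object { $_.Group[0] }
}

$fromCsr = @(Get-CsrSubjectAltName -Path 'c:\temp\request.csr')
# Constructed DNS names standing in for the ones collected via the GUI
Merge-SubjectAltName -FromCsr $fromCsr -AdditionalDns 'www.example.test', 'api.example.test'
```

Listing the names the requester embedded before anything is submitted also gives the operator a chance to review them, since every entry in the merged list ends up as an identity the issued certificate asserts.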
