Submit-CsrAsNew function

Implementing logic for this function is mandatory. It must submit a certificate request to a certificate authority (CA) and return an identifier by which the CA uniquely identifies the request and/or the certificate that was issued from it. 

The Submit-CsrAsNew function is called at Processing Stage 500 (when a new certificate object is enrolled for the first time) and, with rare exceptions, should submit the PKCS#10 passed to it by the driver to the CA including additional (optional) request options and/or metadata that are needed by the CA. 

In cases where a CA returns the certificate immediately in response to a request, this function may return the certificate instead of having to do so using Retrieve-Certificate.

Specific hash table variables

Variable Name

Data Type

Description

CertId

String

Text used by the CA to uniquely identify the certificate being renewed.

CertPem

String

Raw X.509 Certificate being renewed in base64-encoded PEM forma

CustomExtensions

Hashtable

Custom certificate extensions being requested; Hashtable keys are 1.3.6.1.4.1.311.25.2 (SID extension). Values are strings.

KeySize

String

The integer key size to be used if the CA creates the key pair.

Pkcs10

String

Certificate Signing Request to be enrolled in base64-encoded PKCS#10 format.

SubjectDN

Hashtable

Subject Distinguished Name being requested; Hashtable keys are CN (Common Name), OU (Organizational Units), O (Organization), L (City/Locality), ST (State/Province), and C (Country).  Values are strings or string arrays (only when there are multiple OUs).

SubjAltNames

Hashtable

Subject Alternative Names being requested; Hashtable keys are DNS, Email, IP, URI, and UPN.  Values are strings (if a single value) or string arrays (if multi-valued).

General hash table variables

Variable Name

Data Type

Description

AuxPass

String

The password portion of the Secondary Credential when a user name or a password credential is assigned, or the PKCS#12 password when a certificate credential is assigned

AuxPfxData

Byte Array

A PKCS#12 byte array that contains a client certificate and private key when a certificate credential is assigned as the Secondary Credential

AuxUser

String

The user name portion of the Secondary Credential when a user name credential is assigned

CertObjDN

String

Venafi distinguished name (DN) of the certificate object in the policy tree

CustomFields

Hashtable

Hash table keys are Custom Field labels and the values are strings (single-valued) or string arrays (multi-valued).

OAuthAccessToken

String

OAuth token passed to the PowerShell script. Tokens are passed only after you've provided the required information in the WebSDK OAuth Token Configuration settings of the Adaptable object. See Configuring the Adaptable CA object.

How it works

When used, each time your script is called, Trust Protection Platform requests a new token automatically. Each new token is associated with both the specified user and with the referenced application ID. After the script finishes running, Trust Protection Platform revokes the token automatically. To get started, see Adaptable CA prerequisites.

PfxData

Byte Array

PKCS#12 keystore containing client certificate and private key for authenticating with the CA; this and the PfxPass are used together to instantiate an X509Certificate2 object for client certificate authentication.

PfxPass

SecureString

Password for access to the private key of the PfxData PKCS#12

UserName

String

User name for authenticating with the CA

UserPass

String

Password for authenticating with the CA

WebSdkUrl

String

String representing the fully-qualified domain name to the WebSDK of your Trust Protection Platform server. For information on where this variable data is set, see Trust Protection Platform server configuration.

Returns

Return

Data Type

Description

EncryptPass

String

The password used to encrypt the private key or PKCS#12.

Pkcs7

String

A collection that includes the issued certificate and (optionally) includes all of the CA certificates in the chain.

Pkcs12

String

A collection that includes the issued certificate, its private key, and (optionally) all of the CA certificates in the chain.

When PKCS#12 is returned, EncryptPass must also be returned and Pkcs7 and PrivKeyPem are ignored.

PrivKeyPem

String

An OpenSSL or PKCS#8 private key in PEM format.

When PrivKeyPem is returned, PKCS7 must also be returned.

Also, if the PrivKeyPem data is a password-encrypted private key, EncryptPass must be returned.

Result

String

Shows "Success" or "NotUsed" to indicate the non-error completion state.

TransID

String

The identifier used to subsequently approve and/or retrieve the certificate from the CA.

IMPORTANT  If Pkcs12 or PrivKeyPem are returned, the private key and CSR currently stored for the certificate object are discarded. This is because they won't match the certificate issued by the CA.

For information about processing stages, see About certificate lifecycle management.