Submit-CsrAsReplacement function
The Submit-CsrAsReplacement function behaves the same as the Submit-CsrAsNew function, with one important difference: it is called when a certificate is requested to replace an existing certificate that is not yet nearing expiration.
Certificate replacement, sometimes called reissuance, occurs when the expiring certificate is outside of the Renewal Window configured on the CA template. That is, the expiring certificate has more days remaining in its Validity Period than the number of days in the Renewal Window. If the CA does not differentiate between first-time certificate requests and replacement of existing certificates, write this function to call Submit-CsrAsNew and pass its response back to the driver unchanged.
Variable Name | Data Type | Description
---|---|---
CertId | String | Text used by the CA to uniquely identify the certificate being renewed.
CertPem | String | Raw X.509 certificate being renewed, in base64-encoded PEM format.
CustomExtensions | Hashtable | Custom certificate extensions being requested; Hashtable keys are 1.3.6.1.4.1.311.25.2 (SID extension). Values are strings.
KeySize | String | The integer key size to be used if the CA creates the key pair.
Pkcs10 | String | Certificate Signing Request to be enrolled, in base64-encoded PKCS#10 format.
SubjectDN | Hashtable | Subject Distinguished Name being requested; Hashtable keys are CN (Common Name), OU (Organizational Units), O (Organization), L (City/Locality), ST (State/Province), and C (Country). Values are strings or string arrays (only when there are multiple OUs).
SubjAltNames | Hashtable | Subject Alternative Names being requested; Hashtable keys are DNS, Email, IP, URI, and UPN. Values are strings (if a single value) or string arrays (if multi-valued).
Variable Name | Data Type | Description
---|---|---
AuxPass | String | The password portion of the Secondary Credential when a user name or a password credential is assigned, or the PKCS#12 password when a certificate credential is assigned.
AuxPfxData | Byte Array | A PKCS#12 byte array that contains a client certificate and private key when a certificate credential is assigned as the Secondary Credential.
AuxUser | String | The user name portion of the Secondary Credential when a user name credential is assigned.
CertObjDN | String | Venafi distinguished name (DN) of the certificate object in the policy tree.
CustomFields | Hashtable | Hashtable keys are Custom Field labels and the values are strings (single-valued) or string arrays (multi-valued).
OAuthAccessToken | String | OAuth token passed to the PowerShell script. Tokens are passed only after you've provided the required information in the WebSDK OAuth Token Configuration settings of the Adaptable object. See Configuring the Adaptable CA object. When used, each time your script is called, Trust Protection Platform requests a new token automatically. Each new token is associated with both the specified user and with the referenced application ID. After the script finishes running, Trust Protection Platform revokes the token automatically. To get started, see Adaptable CA prerequisites.
PfxData | Byte Array | PKCS#12 keystore containing the client certificate and private key for authenticating with the CA; this and PfxPass are used together to instantiate an X509Certificate2 object for client certificate authentication.
PfxPass | SecureString | Password for access to the private key in the PfxData PKCS#12.
UserName | String | User name for authenticating with the CA.
UserPass | String | Password for authenticating with the CA.
WebSdkUrl | String | String representing the fully-qualified domain name of the WebSDK of your Trust Protection Platform server. For information on where this variable data is set, see Trust Protection Platform server configuration.
Return | Data Type | Description
---|---|---
EncryptPass | String | The password used to encrypt the private key or PKCS#12.
Pkcs7 | String | A collection that includes the issued certificate and (optionally) all of the CA certificates in the chain.
Pkcs12 | String | A collection that includes the issued certificate, its private key, and (optionally) all of the CA certificates in the chain. When Pkcs12 is returned, EncryptPass must also be returned, and Pkcs7 and PrivKeyPem are ignored.
PrivKeyPem | String | An OpenSSL or PKCS#8 private key in PEM format. When PrivKeyPem is returned, Pkcs7 must also be returned. Also, if the PrivKeyPem data is a password-encrypted private key, EncryptPass must be returned.
Result | String | "Success" or "NotUsed", indicating the non-error completion state.
TransID | String | The identifier used to subsequently approve and/or retrieve the certificate from the CA.
IMPORTANT If Pkcs12 or PrivKeyPem are returned, the private key and CSR currently stored for the certificate object are discarded. This is because they won't match the certificate issued by the CA.
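The following is an added example, not code from the Venafi documentation or from any Venafi-supplied Adaptable CA script. It shows the delegation pattern described above (a CA with no separate reissuance call simply enrolls the supplied PKCS#10 via Submit-CsrAsNew) together with a check of the return-value rules from the table: Pkcs12 requires EncryptPass, PrivKeyPem requires Pkcs7 (and EncryptPass when the key is encrypted), and Result must be "Success" or "NotUsed". Because returning Pkcs12 or PrivKeyPem makes Trust Protection Platform discard the stored private key and CSR, the check refuses to pass back a response that breaks those rules. The two hashtable parameters `$General` and `$Specific`, keyed by the variable names in the tables, and the `Submit-CsrAsNew -General -Specific` call signature are assumptions for this example.

```powershell
# Added example; not part of the Venafi documentation. Parameter names $General and
# $Specific, and the Submit-CsrAsNew call signature, are assumed for this example.

function Test-AdaptableCaResponse {
    Param(
        [Parameter(Mandatory = $true)][System.Collections.Hashtable]$Response
    )

    # Result is required and must be one of the two non-error states.
    if ($Response.Result -notin @('Success', 'NotUsed')) {
        throw "CA script returned unexpected Result '$($Response.Result)'"
    }

    if ($Response.ContainsKey('Pkcs12')) {
        # A PKCS#12 must be accompanied by the password that protects it;
        # Pkcs7 and PrivKeyPem are ignored by the platform in this case, so drop them.
        if (-not $Response.ContainsKey('EncryptPass')) {
            throw 'Pkcs12 returned without EncryptPass'
        }
        $Response.Remove('Pkcs7')
        $Response.Remove('PrivKeyPem')
    }
    elseif ($Response.ContainsKey('PrivKeyPem')) {
        # A bare private key must be accompanied by the issued certificate (Pkcs7).
        if (-not $Response.ContainsKey('Pkcs7')) {
            throw 'PrivKeyPem returned without Pkcs7'
        }
        # Both PKCS#8 ("ENCRYPTED PRIVATE KEY") and traditional OpenSSL
        # ("Proc-Type: 4,ENCRYPTED") encrypted PEM blocks contain this marker.
        if ($Response.PrivKeyPem -match 'ENCRYPTED' -and -not $Response.ContainsKey('EncryptPass')) {
            throw 'Encrypted PrivKeyPem returned without EncryptPass'
        }
    }

    return $Response
}

function Submit-CsrAsReplacement {
    Param(
        [Parameter(Mandatory = $true, HelpMessage = 'Adaptable CA Fields')]
        [System.Collections.Hashtable]$General,
        [Parameter(Mandatory = $true, HelpMessage = 'Specific Parameters')]
        [System.Collections.Hashtable]$Specific
    )

    # This CA has no distinct reissuance operation, so a replacement request is
    # handled as a fresh enrollment of the supplied PKCS#10. The identity of the
    # certificate being replaced is recorded for the audit trail only.
    if ($Specific.CertId) {
        Write-Verbose ("Replacing certificate {0} for {1} ahead of its renewal window" -f `
            $Specific.CertId, $General.CertObjDN)
    }

    if ([string]::IsNullOrWhiteSpace($Specific.Pkcs10)) {
        throw 'Submit-CsrAsReplacement requires a PKCS#10 in Specific.Pkcs10'
    }

    # Delegate to the new-enrollment path and hand its response back to the driver,
    # after confirming it obeys the return-value rules.
    $response = Submit-CsrAsNew -General $General -Specific $Specific
    return Test-AdaptableCaResponse -Response $response
}
```

Keeping the validation in a separate function lets the same check run on the response of Submit-CsrAsNew itself, so the two functions cannot drift apart in what they hand back to the driver.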
For information about processing stages, see About certificate lifecycle management.