Retired Microsoft Blog disclaimer
This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL: https://blogs.technet.microsoft.com/pki/2018/12/12/sample-code-end-to-end-certificate-transparency-requests-on-adcs-ca/
Post name: Sample Code: End-to-End Certificate Transparency requests on ADCS CA
Original author: Tochi E
Posting date: 2018-12-12T22:42:54+00:00


Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team.

Sometime back, we released support for the precertificate flow of Certificate Transparency v1 (RFC 6962) in Windows Server 2016 (https://support.microsoft.com/en-us/help/4093260/introduction-of-ad-cs-certificate-transparency). For this to work end-to-end, the component submitting the request to the ADCS CA must submit the returned precertificate to a suitable set of Certificate Transparency Logs using the RFC 6962 protocol, aggregate the results as a SignedCertificateTimestampList, and return it to the ADCS CA for X.509 issuance.

Since release, we’ve received a number of requests for sample code to speak the RFC 6962 protocol between the CA and the CT Logs. Here is an unofficial sample to get you started with precertificate submission. It is released as-is with the usual caveats.

Sample code:  https://msdnshared.blob.core.windows.net/media/2018/12/ADCS-CT-E2E-Sample.zip

Sample.sln code breakdown:

  • SampleLibrary.csproj: library containing a simple ILogClient and implementation, which speaks the RFC 6962 protocol for adding certificates & precertificates, as well as preparing the SignedCertificateTimestampList object.
  • ConsoleApp.csproj: simple console app illustrating an ADCS CA CT enrollment end-to-end, utilizing SampleLibrary.csproj for Certificate Transparency interactions.

To use:

  1. Register your ADCS CA certificate's root with the CT Log to be used.
  2. Enable the Certificate Transparency feature on your ADCS CA and restart the CA service as follows:
    1. certutil.exe -setreg CA\CertificateTransparencyFlags 0x1
    2. net stop certsvc
    3. net start certsvc
  3. Open Sample.sln in Visual Studio.
  4. Verify it builds.
  5. Run ConsoleApp.exe passing in the ADCS CA config string and the CT Log URI, for example:
    1. ConsoleApp.exe {ServerName}\{CAName} https://ct.googleapis.com/testtube

Happy coding…

Tochi


Share this article:

Comments:

Comments are closed.