
So I have been tasked with automating getting certs for 1000 devices, and have been working through converting a Linux script to Windows to match up with other scripts we have for other sections of this automation. To that end I have been able to download the cert with the command below into what I believe is a base64 file (if I am reading the Linux script correctly), but all attempts to decode it have failed.

curl --connect-timeout 30 --max-time 60 -sk <redacted> -X POST -d @cert-retrieve-testtop10.gc.com.json -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer <redacted>" > NAME.b64

The Linux script is using the command below to do this:

# extract the combined cert from its base64 file
jq .CertificateData $CERT_NAME.b64 | sed -es/\"//g | base64 --decode > $CERT_NAME.out

I have tried using the Windows command

certutil -decode output.txt decoded.txt

but got the following error:

DecodeFile returned The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA) CertUtil: -decode command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA) CertUtil: The data is invalid.

  • Have you looked at the .b64 file to confirm that it is absolutely 100% a base64 file and not like an error message or something? – SomethingDark Jun 28 '23 at 22:00
  • Can these [ways](https://stackoverflow.com/questions/22233702/) help you to download certificates by powershell? – Daemon-5 Jun 29 '23 at 04:07
  • @SomethingDark here is what is in the file; sorry, unsure how to just attach the file. It starts with {"CertificateData":" and it ends with =","Filename":"labtesttop.wsgc.com.pem","Format":"Base64"}. I see nothing that says error or hints at it. Also the same file is decodable with the Linux jq command above – Daniel Pierce Jun 29 '23 at 21:34
  • @Daemon-5 I would love to do that in PS or BAT. Here is the issue we are having: we switched certs from getting requested from a CA to a cert issuing program. Which is fine for 1 or 2 devices, but we have over 1000 in my department alone. To top that off, the devices we have are very limited small-kernel OSs, not typical servers/desktops. So the certs not only have to be in particular formats (CER and KEY) but uploaded in a certain order, with other commands issued between uploads as well. We had everything working in batch scripting, but then they changed the CA policies. – Daniel Pierce Jun 29 '23 at 21:43
  • @Daemon-5 Currently we have figured out from using a Linux script (snippet above) how to request and DL the certs, but they are DL'ed into a base64 format that I cannot figure out how to decode to the CRT and KEY files. – Daniel Pierce Jun 29 '23 at 21:46
  • Based on the fact that the data ends with a `=`, it indeed sounds like there's base64 data in the file, but unfortunately, `certutil` expects the entire contents of the file to be the base64 data and nothing else. I can imagine a fairly ugly hack to extract the pure data and then decode that involving using powershell to parse the JSON, though. – SomethingDark Jun 29 '23 at 22:36
  • @SomethingDark Yea, I have found that what certutil needs is everything in between the {"CertificateData":" and ","Filename":"labtesttop.wsgc.com.pem","Format":"Base64"}. The = is the last character in the encoded file I need. If I can remove the rest then I can use certutil to decode the file – Daniel Pierce Jun 30 '23 at 21:08
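The approach SomethingDark sketches in the comments (parse the JSON, decode only the CertificateData field, which is what the jq | base64 pipeline in the Linux script does), written out as an added PowerShell example that is not the asker's code. It assumes the response shape quoted in the comments ({"CertificateData":"<base64>","Filename":"...pem","Format":"Base64"}); the function name and the demo PEM bodies are constructed for the example.

```powershell
# Added example: PowerShell equivalent of
#   jq .CertificateData $CERT_NAME.b64 | sed -es/\"//g | base64 --decode
# plus a split of the combined PEM into separate .cer and .key files.
function ConvertFrom-CertResponse {
    param(
        [Parameter(Mandatory)] [string] $JsonPath,   # the NAME.b64 file written by curl
        [Parameter(Mandatory)] [string] $OutDir
    )
    $resp = Get-Content -Raw -LiteralPath $JsonPath | ConvertFrom-Json
    # Fail loudly if the API returned an error document instead of a certificate
    if (-not $resp.CertificateData) { throw "No CertificateData field in $JsonPath" }
    if ($resp.Format -and $resp.Format -ne 'Base64') { throw "Unexpected Format '$($resp.Format)'" }

    # Decode just the field. certutil -decode fails because it is handed the whole JSON file.
    $pem = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($resp.CertificateData))

    # Find every PEM block; \1 forces the END label to match the BEGIN label
    $blocks = [regex]::Matches($pem, '-----BEGIN ([A-Z ]+)-----\r?\n[\s\S]*?-----END \1-----')
    if ($blocks.Count -eq 0) { throw "Decoded data contains no PEM blocks" }

    $base  = [IO.Path]::GetFileNameWithoutExtension($resp.Filename)
    $parts = @{}
    foreach ($m in $blocks) {
        # Any "* PRIVATE KEY" label goes to .key; CERTIFICATE blocks (leaf + chain) go to .cer
        $ext = if ($m.Groups[1].Value -like '*PRIVATE KEY') { 'key' } else { 'cer' }
        $parts[$ext] += @($m.Value)
    }
    foreach ($ext in $parts.Keys) {
        $path = Join-Path $OutDir "$base.$ext"
        Set-Content -LiteralPath $path -Value ($parts[$ext] -join "`n") -Encoding ascii
        $path   # return the paths that were written
    }
}

# --- constructed demo input: placeholder PEM bodies, not real certificate or key material ---
$demoPem = @"
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYm9keQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END PRIVATE KEY-----
"@
$b64  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($demoPem))
$json = @{ CertificateData = $b64; Filename = 'demo.pem'; Format = 'Base64' } | ConvertTo-Json -Compress
$tmp  = Join-Path $env:TEMP 'demo.b64'
Set-Content -LiteralPath $tmp -Value $json -Encoding ascii
ConvertFrom-CertResponse -JsonPath $tmp -OutDir $env:TEMP
```

For the real files, replace the demo section with a call such as ConvertFrom-CertResponse -JsonPath .\NAME.b64 -OutDir .\certs; the .key output holds private key material, so write it only to a location with restricted ACLs.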

0 Answers