Sleepw4lker / PSCertificateEnrollment

PowerShell Module to ease requesting certificates on Windows
MIT License

New-CertificateRequest: Custom Extensions #2

Open Viajaz opened 2 years ago

Viajaz commented 2 years ago

It would be useful to be able to add my own extensions (X509Enrollment.CX509Extension ?) to a CSR (X509Enrollment.CX509CertificateRequestPkcs10 ?), perhaps as an array Parameter to the New-CertificateRequest Cmdlet that simply adds each array element as an extension ($CertificateRequestPkcs10.X509Extensions.Add())

My specific use-case is I'm creating a CSR for an OCSP Signing Certificate and need to add the id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5) extension as per RFC 6960.

Viajaz commented 2 years ago

@Sleepw4lker Not in the position to fork and do a PR at the moment, but an example for https://github.com/Sleepw4lker/PSCertificateEnrollment/blob/main/Functions/New-CertificateRequest.ps1 could be:

Parameter

[Parameter(Mandatory=$False)]
[object[]]$CustomExtensions, # COMObject Type Checking is Messy so is skipped here for this example

Process

foreach($CustomExtension in $CustomExtensions) {
    Try {
        $CertificateRequestPkcs10.X509Extensions.Add($CustomExtension)
        # $CustomExtension(s) supplied by user outside of Cmdlet scope, not our responsibility to release it?
    }
    Catch {
        Write-Error -Message "Invalid Custom Extension supplied!"
        return
    }
}

Viajaz commented 2 years ago

Off topic, but for anyone needing to build an X509Enrollment.CX509Extension for id-pkix-ocsp-nocheck, this is the code:

$OcspNoCheckExtension = New-Object -ComObject X509Enrollment.CX509Extension
$OcspNoCheckExtensionOid = New-Object -ComObject X509Enrollment.CObjectId
$OcspNoCheckExtensionOid.InitializeFromValue('1.3.6.1.5.5.7.48.1.5') # id-pkix-ocsp-nocheck
$OcspNoCheckExtension.Critical = $False # RFC 6960 4.2.2.2.1: SHOULD be non-critical
$OcspNoCheckExtension.Initialize(
    $OcspNoCheckExtensionOid,
    1, # XCN_CRYPT_STRING_BASE64
    [Convert]::ToBase64String([byte[]](0x05, 0x00)) # 'BQA=': DER-encoded ASN.1 NULL (05 00).
    # RFC 6960 4.2.2.2.1 says the extension value SHALL be NULL, which means the encoded
    # NULL, not an absent value; passing $null here would not yield a valid extension.
)