A .NET SCEP client
It can be used to extend SCEPman so that it also distributes Kerberos Authentication certificates to AD Domain Controllers, not only certificates for end-user devices.
The .NET Core version requires the .NET 6 Runtime. Only the base runtime is needed; the Desktop or ASP.NET Core runtime also works, but neither is required.
There is also a version for .NET Framework 4.6.2 available that runs directly on Windows Server 2012 R2 and newer.
See the SCEPman documentation for a detailed description of how to request Kerberos Authentication certificates for Domain Controllers.
You can submit customized CSRs with the gennewext command. This lets you define any number of DNS entries in the Subject Alternative Name (SAN) extension and any set of Extended Key Usages (EKUs).
You can add any Extended Key Usage by its OID value. The following Extended Key Usage values can be added as text:
- AnyExtendedKeyUsage
- ServerAuth
- ClientAuth
- CodeSigning
- EmailProtection
- IpsecEndSystem
- IpsecTunnel
- IpsecUser
- TimeStamping
- OcspSigning
- SmartCardLogon
- MacAddress
Create a file dnslist.txt with one DNS name per line, for example:
servername1.example
servername2.example
servername3.example
Create a file keyUsages.txt with one Extended Key Usage (name or OID) per line, for example:
ServerAuth
ClientAuth
Execute the following command:
ScepClient.exe gennewext http://scepman.server/static SeCrEtPaSSwOrD dnslist.txt keyUsages.txt "Great Server" greatserver.pfx greatserver.cer
The second argument is the SCEP challenge password. Like any command-line argument it is visible to other local users in process listings and may be recorded in shell history, so treat the session and any script containing it accordingly. greatserver.pfx receives the private key together with the certificate and must be protected; greatserver.cer contains only the certificate.
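After gennewext returns, it is worth confirming that the CA actually issued what was requested rather than silently dropping a SAN entry or an EKU. The following PowerShell script is an added example and not part of SCEPClient: it reads greatserver.cer, dnslist.txt and keyUsages.txt (the file names from the command above), maps the EKU names the tool accepts to their OIDs, and reports any requested DNS name or EKU that is missing from the issued certificate. It assumes it runs on Windows, because it relies on CryptoAPI's text rendering of the SAN extension ("DNS Name=host" per line); the name-to-OID table is mine, not the tool's.

```powershell
# Added example, not part of SCEPClient: check the certificate written by
# "ScepClient.exe gennewext ..." against dnslist.txt and keyUsages.txt.
# Assumes Windows (the SAN extension is decoded via CryptoAPI's Format()).
param(
    [string]$CerPath     = '.\greatserver.cer',   # file names from the README example
    [string]$DnsListPath = '.\dnslist.txt',
    [string]$EkuListPath = '.\keyUsages.txt'
)

# Names gennewext accepts, mapped to the EKU OIDs they stand for (this table is mine).
$EkuOids = @{
    'AnyExtendedKeyUsage' = '2.5.29.37.0'
    'ServerAuth'          = '1.3.6.1.5.5.7.3.1'
    'ClientAuth'          = '1.3.6.1.5.5.7.3.2'
    'CodeSigning'         = '1.3.6.1.5.5.7.3.3'
    'EmailProtection'     = '1.3.6.1.5.5.7.3.4'
    'IpsecEndSystem'      = '1.3.6.1.5.5.7.3.5'
    'IpsecTunnel'         = '1.3.6.1.5.5.7.3.6'
    'IpsecUser'           = '1.3.6.1.5.5.7.3.7'
    'TimeStamping'        = '1.3.6.1.5.5.7.3.8'
    'OcspSigning'         = '1.3.6.1.5.5.7.3.9'
    'SmartCardLogon'      = '1.3.6.1.4.1.311.20.2.2'
    'MacAddress'          = '1.3.6.1.1.1.1.22'      # the OID BouncyCastle registers as id_kp_macAddress
}

function Read-NonEmptyLines([string]$Path) {
    Get-Content -Path $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# What was requested: DNS names as written; EKUs by name (table above) or as a dotted OID.
$expectedDns = @(Read-NonEmptyLines $DnsListPath | ForEach-Object { $_.ToLowerInvariant() })
$expectedEku = @(Read-NonEmptyLines $EkuListPath | ForEach-Object {
    if ($EkuOids.ContainsKey($_)) { $EkuOids[$_] } else { $_ }
})

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CerPath).Path)

# What was issued: EKU OIDs from the Extended Key Usage extension (2.5.29.37) ...
$actualEku = @()
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) { $actualEku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# ... and DNS names from the Subject Alternative Name extension (2.5.29.17),
# taken from the one-entry-per-line text CryptoAPI produces ("DNS Name=host").
$actualDns = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $actualDns = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)') { $matches[1].ToLowerInvariant() }
    })
}

$missingDns = @($expectedDns | Where-Object { $actualDns -notcontains $_ })
$missingEku = @($expectedEku | Where-Object { $actualEku -notcontains $_ })

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Valid until: $($cert.NotAfter.ToString('u'))"
"SAN DNS    : $($actualDns -join ', ')"
"EKU        : $($actualEku -join ', ')"

if ($missingDns.Count -or $missingEku.Count) {
    if ($missingDns.Count) { Write-Warning "Missing SAN DNS names: $($missingDns -join ', ')" }
    if ($missingEku.Count) { Write-Warning "Missing EKUs: $($missingEku -join ', ')" }
    exit 1   # the CA did not honour the request as submitted
}
"OK: every requested SAN DNS name and EKU is present."
```

Because keyUsages.txt may contain raw OIDs, the same check covers EKUs outside the name table, for instance KDC Authentication (1.3.6.1.5.2.3.5) when the request is for a Domain Controller certificate. A non-zero exit code makes the script usable as a gate in the deployment step that imports greatserver.pfx.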
The sub commands gennew and submit can be used to debug a SCEP service. Run scepclient.exe without any parameters to see the usage information (it also throws an exception in that case; this is harmless and can be ignored).
SCEPClient is available under the GPL.
SCEPClient contains code from Stephen Roughley (see https://stephenroughley.com/2015/09/22/a-c-net-scep-client/), which is available under the Unlicense.
You may contribute documentation and source code; pull requests are welcome! Contributions must be provided under a GPL-compatible license.