
PKISolutions/ADCS-CertMod


Active Directory Certificate Services Exit and Policy module framework

This is the first .NET-based framework for creating custom ADCS CA and NDES modules, such as exit and policy modules.

An exit module subscribes to the events it is interested in from the CA engine and is notified by the CA each time one of those events occurs.

A policy module lets you override or extend the logic by which the CA processes certificate requests, and modify the requests if needed.

Download

Use NuGet to download the library and add it to your .NET project:

NuGet\Install-Package ADCS.CertMod.Managed


Online API documentation

Documentation

CA Exit Module guide

Two interfaces must be implemented and exposed to COM in order to create an exit module:

  • ICertManageModule
  • ICertExit2

ICertManageModule interface

Create a class that inherits from CertManageModule class and define the following attributes:

using System;
using System.Runtime.InteropServices;

[ComVisible(true)]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("<ModuleName>.ExitManage")]
[Guid("<00000000-0000-0000-0000-000000000000>")]
public class ExitManage : CertManageModule {
    <...>
    // Called by the CA management interface to read module properties such as "Name" or "Description".
    public override Object GetProperty(String strConfig, String strStorageLocation, String strPropertyName, Int32 Flags) {
        // implementation goes here: return the value for strPropertyName,
        // or null for a property the module does not provide.
        return null;
    }
    <...>
}
  • <ModuleName> is the module's short name. The full ProgID must look like MyCoolExitModule.ExitManage. The ProgID and the CLR class name are not required to match.
  • <00000000-0000-0000-0000-000000000000> is a randomly generated UUID that identifies your implementation.
  • At a minimum, only the CertManageModule.GetProperty method must be overridden.

Note: the angle brackets mark placeholders; they are not part of the actual values.

ICertExit2 interface

Create a class that inherits from CertExitBase class (which already implements ICertExit2 interface) and define the following attributes and method overrides:

using System;
using System.Runtime.InteropServices;

[ComVisible(true)]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("<ModuleName>.Exit")]
[Guid("<00000000-0000-0000-0000-000000000000>")]
public class MyExitClass : CertExitBase {
    <...>
    // implement the public 'Initialize' method; it returns the set of events the module subscribes to
    public override ExitEvents Initialize(String strConfig) {
        // exit module initialization logic goes here
        return ExitEvents.Invalid;
    }
    // implement the protected 'Notify' method with your business logic:
    protected override void Notify(CertServerModule certServer, ExitEvents ExitEvent, Int32 Context) {
        // exit module business logic goes here.
    }
    <...>
}
  • <ModuleName> is the module's short name. The full ProgID must look like MyCoolExitModule.Exit, where the .Exit suffix is mandatory.
  • <00000000-0000-0000-0000-000000000000> is a randomly generated UUID that identifies your implementation.
  • ICertExit2.GetManageModule returns an instance of the ICertManageModule implementation (see above).
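As an added example (this is not code from the ADCS-CertMod project), the two classes below put the template above together into a complete exit module that subscribes to issuance, denial and revocation events and appends one audit line per event to a local file. Assumptions not stated on the page: the ExitEvents member names CertIssued, CertDenied, CertRevoked and Shutdown (the managed counterparts of the EXITEVENT_* constants), that CertExitBase declares GetManageModule as overridable, that the types live in the ADCS.CertMod.Managed namespace, and the log file location; the GUIDs are placeholders to be replaced with freshly generated ones.

```csharp
// Added example, not part of the ADCS-CertMod project.
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using ADCS.CertMod.Managed; // assumed namespace (matches the NuGet package name)

namespace MyCoolExitModule {
    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.None)]
    [ProgId("MyCoolExitModule.ExitManage")]
    [Guid("00000000-0000-0000-0000-000000000001")] // placeholder: generate your own GUID
    public class ExitManage : CertManageModule {
        // The CA management interface queries these standard properties
        // (the names are the wszCMM_PROP_* constants from certmod.h).
        public override Object GetProperty(String strConfig, String strStorageLocation, String strPropertyName, Int32 Flags) {
            switch (strPropertyName) {
                case "Name":            return "Example audit exit module";
                case "Description":     return "Appends one audit line per issuance, denial or revocation event";
                case "Copyright":       return "Example";
                case "File Version":    return "1.0.0.0";
                case "Product Version": return "1.0.0.0";
                default:                return null; // property not provided by this module
            }
        }
    }

    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.None)]
    [ProgId("MyCoolExitModule.Exit")]
    [Guid("00000000-0000-0000-0000-000000000002")] // placeholder: generate your own GUID
    public class AuditExit : CertExitBase {
        // Constructed path; a real module would read this from its registry configuration.
        static readonly String LogPath = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            "MyCoolExitModule", "audit.log");

        // Subscribe only to the events the module actually needs: the CA calls Notify
        // for every subscribed event, so a narrow subscription keeps the module out of
        // the CA's hot path for everything else. (Member names are assumed.)
        public override ExitEvents Initialize(String strConfig) {
            Directory.CreateDirectory(Path.GetDirectoryName(LogPath));
            return ExitEvents.CertIssued | ExitEvents.CertDenied | ExitEvents.CertRevoked | ExitEvents.Shutdown;
        }

        // Called by the CA on each subscribed event. The module runs inside certsvc, so an
        // unhandled exception here affects the CA itself; every failure is caught and traced.
        protected override void Notify(CertServerModule certServer, ExitEvents ExitEvent, Int32 Context) {
            try {
                File.AppendAllText(LogPath, FormatAuditLine(DateTime.UtcNow, ExitEvent, Context));
            } catch (Exception ex) {
                // Best effort only: a logging failure must never surface to the CA.
                Trace.TraceError("AuditExit: failed to write audit line: {0}", ex);
            }
        }

        // The CA asks for the management module through this method (assumed to be overridable).
        public override ICertManageModule GetManageModule() {
            return new ExitManage();
        }

        // Pure formatting helper kept separate so it can be unit-tested without a CA.
        public static String FormatAuditLine(DateTime timestampUtc, ExitEvents exitEvent, Int32 context) {
            return String.Format("{0:o} event={1} context={2}{3}", timestampUtc, exitEvent, context, Environment.NewLine);
        }
    }
}
```

The Context value is the CA's request identifier for the event, which is what lets a line in this log be correlated with the CA database and the Windows Security audit events; keeping Notify non-throwing and the subscription minimal are the two properties a reviewer would check first in any exit module.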

CA Policy module guide

Two interfaces must be implemented and exposed to COM in order to create a policy module:

  • ICertManageModule
  • ICertPolicy2, or inherit directly from the CertPolicyBase class, which provides a base implementation for you.

ICertManageModule interface

See the section above.

ICertPolicy2 interface

Create a class that inherits from CertPolicyBase class (which already implements ICertPolicy2 interface) and define the following attributes and method overrides:

using System;
using System.Runtime.InteropServices;

[ComVisible(true)]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("<ModuleName>.Policy")]
[Guid("<00000000-0000-0000-0000-000000000000>")]
public class MyPolicyClass : CertPolicyBase {
    <...>
    // implement the protected 'VerifyRequest' method with your business logic.
    // nativeResult is the decision of the default policy; bNewRequest is true for a new request
    // and false for a resubmitted (previously pending) request.
    protected override PolicyModuleAction VerifyRequest(CertServerModule certServer, PolicyModuleAction nativeResult, Boolean bNewRequest) {
        // policy module business logic goes here
        return nativeResult;
    }
    <...>
}
  • <ModuleName> is the module's short name. The full ProgID must look like MyCoolPolicyModule.Policy, where the .Policy suffix is mandatory.
  • <00000000-0000-0000-0000-000000000000> is a randomly generated UUID that identifies your implementation.
  • ICertPolicy2.GetManageModule returns an instance of the ICertManageModule implementation (see above).
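As an added example (not code from the ADCS-CertMod project), the policy module below illustrates the pattern a custom policy module should follow: it only ever tightens the CA's native decision and fails closed when it cannot evaluate a request. Assumptions not stated on the page: the PolicyModuleAction member names Issue, Pending and Deny, a CertServerModule.GetRequestProperty(name) accessor for reading request properties (check the API documentation for the exact signature), that CertPolicyBase declares GetManageModule as overridable, and the ADCS.CertMod.Managed namespace; the allow-list contents and the GUIDs are constructed placeholders.

```csharp
// Added example, not part of the ADCS-CertMod project.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using ADCS.CertMod.Managed; // assumed namespace (matches the NuGet package name)

namespace MyCoolPolicyModule {
    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.None)]
    [ProgId("MyCoolPolicyModule.PolicyManage")]
    [Guid("00000000-0000-0000-0000-000000000003")] // placeholder: generate your own GUID
    public class PolicyManage : CertManageModule {
        public override Object GetProperty(String strConfig, String strStorageLocation, String strPropertyName, Int32 Flags) {
            switch (strPropertyName) {
                case "Name":        return "Example allow-list policy module";
                case "Description": return "Issues only to an explicit list of requester accounts";
                default:            return null;
            }
        }
    }

    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.None)]
    [ProgId("MyCoolPolicyModule.Policy")]
    [Guid("00000000-0000-0000-0000-000000000004")] // placeholder: generate your own GUID
    public class AllowListPolicy : CertPolicyBase {
        // Constructed allow-list; a real module would load it from configuration.
        static readonly HashSet<String> AllowedRequesters =
            new HashSet<String>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\svc-webfarm", @"CONTOSO\svc-vpn" };

        protected override PolicyModuleAction VerifyRequest(CertServerModule certServer, PolicyModuleAction nativeResult, Boolean bNewRequest) {
            String requester;
            try {
                // "RequesterName" is the standard Request.RequesterName property; the accessor is assumed.
                requester = Convert.ToString(certServer.GetRequestProperty("RequesterName"));
            } catch (Exception) {
                // The request could not be evaluated: fail closed rather than fall through to Issue.
                return PolicyModuleAction.Deny;
            }
            return Decide(nativeResult, bNewRequest, requester);
        }

        public override ICertManageModule GetManageModule() {
            return new PolicyManage();
        }

        // Pure decision logic, separated so it can be unit-tested without a CA.
        public static PolicyModuleAction Decide(PolicyModuleAction nativeResult, Boolean isNewRequest, String requester) {
            // Never loosen the default policy's decision: a native Deny (template ACLs, key
            // requirements) or Pending (manager approval) is returned unchanged.
            if (nativeResult != PolicyModuleAction.Issue) {
                return nativeResult;
            }
            // A resubmitted request was already reviewed by a certificate manager; leave it alone.
            if (!isNewRequest) {
                return nativeResult;
            }
            return AllowedRequesters.Contains(requester ?? String.Empty)
                ? PolicyModuleAction.Issue
                : PolicyModuleAction.Deny;
        }
    }
}
```

Returning nativeResult whenever it is not Issue is the invariant worth keeping in every custom policy module: the native module enforces template enrollment permissions and approval requirements, and a custom module that converts its Deny or Pending into Issue silently removes those controls from the CA.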

NDES Policy module guide

The INDESPolicy interface must be implemented and exposed to COM in order to create an NDES policy module.

INDESPolicy interface

Create a class that inherits from the NdesPolicyBase class (which already implements the INDESPolicy interface) and define the following attributes:

using System;
using System.Runtime.InteropServices;

[ComVisible(true)]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("<ModuleName>.Policy")]
[Guid("<00000000-0000-0000-0000-000000000000>")]
public class MyNdesPolicyModule : NdesPolicyBase {
    // the base class takes a log writer and a SCEP challenge store; the defaults are shown here
    public MyNdesPolicyModule() : base(
        new LogWriter("MyModule"),
        new DefaultSCEPChallengeStore(new DefaultSCEPChallengeGenerator())) {
        // my other implementation-specific code if needed
    }
    // <...> the rest of the implementation is omitted for brevity
}
  • <ModuleName> is the module's short name. The full ProgID must look like MyNdesModule.Policy, where the .Policy suffix is mandatory.
  • <00000000-0000-0000-0000-000000000000> is a randomly generated UUID that identifies your implementation.

See this PR for more details on NDES policy module.

About

Represents a base ADCS Exit and Policy module development framework.
