userCertificate | usersmimecertificate

Anthony.Vandenbossche posted this 4 days ago

Hi All, I need some help concerning certificate exchange in terms of email encryption (S/MIME). I need to generate a CSV file with an export of the userSMIMECertificate attribute, for consumption at another company. However, I noticed that the format that is spewed out by, for example, the Get-ADUser command is hexadecimal. I have been struggling to convert this to the simple Base64 format that is required by the other company. Any ideas? Many thanks in advance! Regards,

joe posted this 10 hours ago

Hi Anthony,
Did you ever make any progress with this? AD does store that data in raw binary. If you need to convert it to Base64, you need to first get it into a Byte array somehow and then convert to Base64. This is pretty easy in .NET but I'm not sure how to do this in PS as I'm not a PS programmer. In .NET, you use Convert.ToBase64String and pass in your Byte array.
Note also that userSMIMECertificate is a more complex data structure than userCertificate. The latter is just a DER-encoded X509 cert. The former is a PKCS#7 structure describing SMIME capabilities.
Here is a little .NET console app I wrote many years ago that looks up a single user's userCertificate attribute values and dumps them out to the UI using the built in Windows shell extension for viewing a certificate. Perhaps this will help (although it doesn't show any Base64 manipulation):
    using System;
    using System.Collections.Generic;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Principal;

    public class MyClass
    {
        public static void RunSnippet()
        {
            // With no argument, look up the current user (strip the DOMAIN\ prefix
            // from the Windows identity); otherwise use the first argument as sAMAccountName.
            string name = null;
            string[] args = Environment.GetCommandLineArgs();
            if (args.Length == 1)
            {
                string tempName = WindowsIdentity.GetCurrent().Name;
                name = tempName.Substring(tempName.IndexOf("\\") + 1);
            }
            else
            {
                name = args[1];
            }

            Domain dm = null;
            DirectoryEntry de = null;
            DirectorySearcher ds = null;
            try
            {
                dm = Domain.GetCurrentDomain();
                de = dm.GetDirectoryEntry();
                // The LDAP filter is built by string concatenation, so 'name' must come
                // from a trusted source (or be escaped per RFC 4515) to avoid filter injection.
                ds = new DirectorySearcher(de, "(sAMAccountName=" + name + ")", new String[] { "userCertificate" });
                SearchResult res = ds.FindOne();
                if (res == null)
                {
                    Console.WriteLine("Could not find {0} in the current AD domain.", name);
                }
                else if (res.Properties.Contains("userCertificate"))
                {
                    // userCertificate is multi-valued; each value is one DER-encoded X.509 cert as byte[].
                    X509Certificate2Collection certColl = new X509Certificate2Collection();
                    foreach (object obj in res.Properties["userCertificate"])
                    {
                        byte[] data = (byte[])obj;
                        X509Certificate2 cert = new X509Certificate2(data);
                        certColl.Add(cert);
                    }
                    // Show the certificates in the standard Windows certificate picker dialog.
                    X509Certificate2UI.SelectFromCollection(certColl, "User certificates for " + name, "", X509SelectionFlag.SingleSelection);
                }
                else
                {
                    Console.WriteLine("{0} has no userCertificate values.", name);
                }
            }
            finally
            {
                if (dm != null) dm.Dispose();
                if (de != null) de.Dispose();
                if (ds != null) ds.Dispose();
            }
        }

        #region Helper methods
        public static void Main()
        {
            try
            {
                RunSnippet();
            }
            catch (Exception e)
            {
                string error = string.Format("---\nThe following error occurred while executing the snippet:\n{0}\n---", e.ToString());
                Console.WriteLine(error);
            }
            finally
            {
                Console.Write("Press any key to continue...");
                Console.ReadKey();
            }
        }

        private static void WL(object text, params object[] args) { Console.WriteLine(text.ToString(), args); }
        private static void RL() { Console.ReadLine(); }
        private static void Break() { System.Diagnostics.Debugger.Break(); }
        #endregion
    }
Joe K.
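Joe's .NET approach (get a byte[] and call Convert.ToBase64String) carries over directly to PowerShell, which is what Anthony is using with Get-ADUser. The following is an added example, not code from Joe or from the original thread: it converts one userCertificate value (the byte[] that PowerShell renders as a list of numbers) into single-line Base64 and into PEM, and shapes the result as a row for Export-Csv. Because it is meant to run offline, it builds a throwaway self-signed certificate as a stand-in for the AD value; that part assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2+ (for the CertificateRequest class). The function name, column names and the commented Get-ADUser pipeline are my own choices.

```powershell
# Added example (not from the original thread).
# Converts an AD userCertificate value (DER bytes) to Base64/PEM for a CSV export.

function ConvertTo-CertificateRecord {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][byte[]]$DerBytes      # one value of the multi-valued attribute
    )
    # Parse first: a blob that is not a DER X.509 certificate throws here instead of
    # being silently Base64-encoded and shipped to the other company.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($DerBytes)

    # Single-line Base64 of the DER bytes (no commas, so it is CSV-safe as-is).
    $b64 = [Convert]::ToBase64String($cert.RawData)

    # PEM is the same Base64 wrapped at 64 characters between BEGIN/END markers.
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    $pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter.ToString('u')   # lets the consumer drop expired certs
        Base64         = $b64
        Pem            = $pem
    }
}

# --- Constructed sample input (stand-in for a value read from AD) ---------------
# Assumes CertificateRequest is available (.NET Framework 4.7.2+ or PowerShell 7).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=sample.user, O=Example',
    $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [datetimeoffset]::UtcNow
$sampleCert = $req.CreateSelfSigned($now, $now.AddDays(1))
$derFromAd = $sampleCert.RawData   # Get-ADUser hands back userCertificate values as byte[] like this

$record = ConvertTo-CertificateRecord -SamAccountName 'sample.user' -DerBytes $derFromAd
$record | Format-List

# --- Real use against AD (needs the ActiveDirectory module; left commented so the
# --- sample above runs offline). userCertificate is multi-valued, so flatten it.
# Get-ADUser -Filter 'userCertificate -like "*"' -Properties userCertificate |
#     ForEach-Object {
#         $u = $_
#         foreach ($der in $u.userCertificate) {
#             ConvertTo-CertificateRecord -SamAccountName $u.SamAccountName -DerBytes $der
#         }
#     } |
#     Select-Object SamAccountName, Thumbprint, NotAfter, Base64 |
#     Export-Csv -Path .\user-certs.csv -NoTypeInformation -Encoding UTF8
```

Two practical points for the hand-off: the Base64 column contains no commas or quotes, so it survives any CSV reader, whereas the Pem column contains newlines (Export-Csv quotes them correctly, but not every consumer tolerates multi-line fields, which is why the commented pipeline leaves Pem out). And, as Joe notes, this only works for userCertificate; a userSMIMECertificate value is a PKCS#7 blob and would have to be decoded (for example with System.Security.Cryptography.Pkcs.SignedCms) before a certificate can be pulled out of it.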


Anthony.Vandenbossche posted this 9 hours ago

Hi Joe, I am still stuck on this :). I will try to reverse engineer your conversion code. You are right concerning the userSMIMECertificate; I am focusing on userCertificate now as this is indeed a “simple” DER instead of a PKCS#7 format. Thanks for the heads-up. I’ll keep you posted!


kurtbuff posted this 8 hours ago

Using openssl to convert cert formats:
This might help with a conversion of a file from binary to Base64 encoding