12-19-2016 10:06 AM
Hi everybody.
I have an issue with decoding CSR file content in ServiceNow.
The CSR file content is, for example:
"
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
".
Is it possible to decode this content using some ServiceNow API to get some information about the certificate?
Thanks for the response.

12-19-2016 09:01 PM
The only way I'm aware of handling a Certificate Signing Request would be to use something like OpenSSL on a midserver. You could send the data down to the mid and return what you are trying to get out of it.

08-22-2017 01:20 AM
Hi Michal,
I also have the same requirement. Did you get any solution for your issue?
Thanks
08-21-2025 02:16 AM
This data is generated on a server in the infrastructure. I would always integrate the midserver in the process, like Jace would do.
Option 1: Developers/admins generate the CSR and transfer it to a share. A Flow/Subflow/Action instructs the midserver to look for new requests. If there is a new request, the midserver can do a pre-check (key size, no wildcard, etc.) and upload the request with additional information in clear text in a new request form. Then you have the attachment and all the information you got.
The midserver is later also used to send the request to the CA, after approval.
Option 2: If an admin creates the request form and uploads the attachment manually, I would trigger the midserver client script to download the file and send the informational data back to the form.
A UI policy should hide all the fields at the beginning and display them after midserver processing. The user should never fill out fields, as the typed-in data could differ from the real data in the request.
I always use PowerShell to do this. Dumping can be done via certutil -dump. The important fields like client, username and so on can be extracted with Select-String or something else.
You have to provide parameters all the time for the form sys id in order to find/upload/download the attachment.
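The pre-check from Option 1 (key size, no wildcard), as an added example that is not part of the original post: it runs Select-String over text shaped like certutil -dump output. The function name Test-CsrDump, the 2048-bit minimum and the sample dump are assumptions, and the line formats assume English-locale certutil output.

```powershell
# Assumption: English-locale `certutil -dump` output for a PKCS#10 request.
function Test-CsrDump {
    param(
        [Parameter(Mandatory)] [string[]] $DumpLines,   # lines printed by certutil -dump
        [int] $MinKeyBits = 2048                        # assumed policy value
    )
    $findings = @()

    # Key size: certutil prints a line such as "Public Key Length: 2048 bits".
    $keyLine = $DumpLines |
        Select-String -Pattern 'Public Key Length:\s*(\d+)\s*bits' |
        Select-Object -First 1
    $keyBits = if ($keyLine) { [int]$keyLine.Matches[0].Groups[1].Value } else { 0 }
    if ($keyBits -lt $MinKeyBits) { $findings += "key size $keyBits < $MinKeyBits" }

    # Names: the subject CN plus any "DNS Name=" entries of a SAN extension.
    $names = @($DumpLines |
        Select-String -Pattern '^\s+(?:CN|DNS Name)=(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })
    if ($names.Count -eq 0) { $findings += 'no CN or DNS name found' }
    foreach ($n in $names) {
        if ($n.Contains('*')) { $findings += "wildcard name: $n" }
    }

    # Values read from the request itself, to be written back to the form.
    [pscustomobject]@{
        KeyBits  = $keyBits
        Names    = $names
        Accepted = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample input shaped like certutil -dump output (not a real request).
$sample = @'
PKCS10 Certificate Request:
Version: 1
Subject:
    CN=*.example.test
    O=Example Org
    C=US
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Public Key Length: 1024 bits
'@ -split "`r?`n"

# On a MID Server the lines would come from: certutil -dump <path to .csr>
Test-CsrDump -DumpLines $sample | Format-List
```

The constructed sample is rejected on both checks, so Findings lists the short key and the wildcard name.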
2 weeks ago
To decode a CSR specifically, you can actually do it natively in ServiceNow. I do it for one of our intake forms for certificate requests to validate the embedded fields in the CSR before permitting the user to submit.
1. Remove the header/footer stuff such as "BEGIN CERTIFICATE REQUEST"... leaving just the CSR content.
2. Make a call to the following script include: ("global.CSRDecodeCertificateAjax").
3. Call the function ("getSubjectAttributesFromCSR") and pass it the value of your CSR as a string. You can just open up the script include and examine how it's structured and what it needs as well.
4. What you should get back from the script include is a JSON object with the attributes and values as key pairs. You can take it from there and do as you wish.
This one was a little hidden gem I found that's available. Works wonders. As a side note, I really wish we had access to the scoped server APIs which include a few Base64 and Certificate APIs you can call to do a few things.