Using a Client Certificate for CyberArk's Central Credential Provider (CCP) in PowerShell
PowerShell offers a range of functionality for automating tasks, including making REST API calls with Invoke-RestMethod. In certain scenarios, you may need to authenticate your REST calls using client certificates. CyberArk’s Central Credential Provider (CCP), in particular, can benefit from this technique for added security. This blog post details how to use Invoke-RestMethod with a client certificate for making calls to the CyberArk CCP REST API.
Step-by-step Guide:
1. Define the Request Variables:
Before making any calls, it's vital to specify the core details related to your request.
$baseURL = "https://cyberark.joegarcia.dev"
$appID = "Ansible"
$safe = "D-Win-SvcAccts"
$object = "Operating System-WinDomain-joegarcia.dev-Svc_SSIS"
2. Specify the Client Certificate:
To authenticate using a client certificate, you’ll first need its thumbprint.
$thumbprint = "INSERT_CERTIFICATE_THUMBPRINT_HERE"
3. Retrieve the Certificate:
With the thumbprint in hand, fetch the certificate from the Current User's Personal certificate store:
$certificate = Get-ChildItem -Path Cert:\CurrentUser\My\ | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $certificate) {
    Write-Error "Certificate with thumbprint $thumbprint not found!"
    exit
}
This quick check confirms the certificate's presence in the store. If it fails, ensure that the correct certificate thumbprint is used.
4. Construct the API Endpoint:
Use the defined request variables to construct the specific endpoint URI:
$uri = "${baseURL}/AIMWebService/api/Accounts?AppID=${appID}&Safe=${safe}&Object=${object}"
5. Execute the REST Call:
With the certificate and URI in hand, make the REST call:
$response = Invoke-RestMethod -Uri $uri -Method Get -Certificate $certificate
Invoke-RestMethod takes in the URI, specifies the method (in this case, Get), and uses the -Certificate parameter to authenticate with the provided certificate.
6. Output the Response:
Lastly, display the received response:
$response
If the API returns JSON data, Invoke-RestMethod automatically converts it into a PowerShell object, so $response is easier to handle. If you need only the password, access the content property:
$response.content
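The six steps above can be combined into one function that also checks the certificate before use, percent-encodes the query values, and keeps the password off the console. This is an added example, not the author's gist; the function name Get-CcpSecret is hypothetical, and the sample values are the ones from step 1 with the thumbprint left as the page's placeholder.

```powershell
# Added example: hardened variant of steps 1-6 (not code from the original post).
# Get-CcpSecret is a hypothetical helper name chosen for this illustration.
function Get-CcpSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,
        [Parameter(Mandatory)] [string] $AppID,
        [Parameter(Mandatory)] [string] $Safe,
        [Parameter(Mandatory)] [string] $Object,
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # Address the certificate directly by thumbprint instead of filtering the whole store.
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Certificate with thumbprint $Thumbprint not found." }

    # Client authentication needs the private key and a certificate inside its validity period.
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $Thumbprint is outside its validity period."
    }

    # Percent-encode each value: the object name from step 1 contains a space.
    $query = @(
        "AppID=$([uri]::EscapeDataString($AppID))"
        "Safe=$([uri]::EscapeDataString($Safe))"
        "Object=$([uri]::EscapeDataString($Object))"
    ) -join '&'
    $uri = "$($BaseUrl.TrimEnd('/'))/AIMWebService/api/Accounts?$query"

    # -ErrorAction Stop turns an HTTP or TLS failure into a terminating error.
    $response = Invoke-RestMethod -Uri $uri -Method Get -Certificate $cert -ErrorAction Stop

    # Return a SecureString so the password is not echoed to the console or a transcript.
    ConvertTo-SecureString -String ([string]$response.Content) -AsPlainText -Force
}

# Values from step 1 of the post; replace the thumbprint placeholder before running.
$ccpParams = @{
    BaseUrl    = 'https://cyberark.joegarcia.dev'
    AppID      = 'Ansible'
    Safe       = 'D-Win-SvcAccts'
    Object     = 'Operating System-WinDomain-joegarcia.dev-Svc_SSIS'
    Thumbprint = 'INSERT_CERTIFICATE_THUMBPRINT_HERE'
}
$secret = Get-CcpSecret @ccpParams
```

The returned SecureString can be passed to [pscredential]::new() together with the account's user name.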
Wrapping Up:
Authenticating REST API calls using client certificates provides an added layer of security. CyberArk’s Central Credential Provider (CCP), when combined with PowerShell's Invoke-RestMethod, makes tasks like fetching account details not only secure but also automated and efficient. Always remember to handle certificates with care, ensuring they're securely stored and accessible only by authorized users or systems.
Full source code available at: https://gist.github.com/infamousjoeg/8dd99f40b9a52043655363e2c9811d52
Practice Director IAM PAM
1y: Great lesson for REST API beginners, Joe. I’m gonna share it. Your posts are popping up on my mobile Google feed. You are the rock star :-) Cheers
VP, Authentication and Mobile Security @ Citi | Cloud Security, IAM
1y: Clear and concise! Thanks for sharing!
Solutions Architect | IAM | CyberArk Conjur | Helping enterprises to secure non-human identities and machine-to-machine authentication
1y: Nicely explained. I have been using the same authentication method for CCP for quite a while in our environment.
Can this (certificate auth) be done using the cURL command when the endpoints are Linux based?
Will check it out!!!!