leechristensen/CES.py

## CES.py
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.extensions import ExtensionType
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
import base64
import pyasn1
import pyasn1.codec.der.encoder
import  pyasn1.type.univ
import uuid
from pyasn1.type.char import BMPString


def new_private_key():
    key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )
    return key

def new_ces_csr(cesUrl, templateName):
    csr_private_key = new_private_key()

    # Microsoft-specific CSR OID extension used during cert enrollment
    # More info: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/3aec3e50-511a-42f9-a5d5-240af503e470
    szOID_ENROLL_CERTTYPE = '1.3.6.1.4.1.311.20.2'
    certTemplateExt=x509.UnrecognizedExtension(
        x509.oid.ObjectIdentifier(szOID_ENROLL_CERTTYPE),
        pyasn1.codec.der.encoder.encode(BMPString(templateName))
    )

    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, u"CSR"), # Dummy subject - the CA will just ignore it and use the authenticating user
    ])).add_extension(
        certTemplateExt, critical=False
    ).sign(csr_private_key, hashes.SHA256(), default_backend())

    return csr

def new_ces_request(cesUrl, csr):
    # Use MS-WSTEP to request a certificate from the certificate enrollment web service (CES). It's a SOAP based protocol.
    # You can get the WSDL from https://<CA server>/<CA Name>_CES_Kerberos/service.svc?wsdl on the CA server (public metadata
    # publishing is disabled by default, so you can only access from the WSDL from that URL while on the CA server). You can
    # see the WSDL from my test domain at the end of this file.I "cheated" and got the XML below by using Windows to request
    # a cert from the Certificate Enrollment Web Service and monitoring the HTTP requests.
    #
    # More info about MS-WSTEP: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea
    #  - Section 4 has examples: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/d87e93bc-2d8c-4cb5-bbeb-30549bd4f789
    der_csr = csr.public_bytes(serialization.Encoding.DER)
    der_csr_base64 = str(base64.b64encode(der_csr), "utf-8")
    messageId = str(uuid.uuid4())

    requestBody = f"""<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
        <a:MessageID>urn:uuid:{messageId}</a:MessageID>
        <a:To s:mustUnderstand="1">{cesUrl}</a:To>
    </s:Header>
    <s:Body>
        <RequestSecurityToken PreferredLanguage="en-US"
            xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</TokenType>
            <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
            <BinarySecurityToken ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" a:Id=""
                xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                {der_csr_base64}
            </BinarySecurityToken>
        </RequestSecurityToken>
    </s:Body>
</s:Envelope>
"""
    return requestBody

# Generate the CSR
cesUrl = 'https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES'
templateName = 'User'

csr = new_ces_csr(cesUrl, templateName)
request_body = new_ces_request(cesUrl, csr)

# Write the HTTP body to a file
file = open("C:\\temp\\body.txt", "wb")
file.write(str.encode(request_body))
file.close()

# Now make the request. Things to note:
#  - Content-Type needs to be 'application/soap+xml'
#  - Authentication may vary depending on the AD CS server. Most installations support Negotiate auth (so NTLM/Kerberos), but CES can be setup to support cert-based auth and basic user/password auth (separate from AD).
# Examples:
#   PowerShell: Invoke-WebRequest https://192.168.230.200/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES -Credential $cred -Method Post -Body (gc C:\temp\body.txt) -ContentType 'application/soap+xml').Content
#   Curl: curl https://192.168.230.200/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES  -H "Content-Type: application/soap+xml" --data @C:\temp\body.txt -k --negotiate -u "CORP\lowpriv:Qwerty12345"
#     Note: Negotiate auth with curl.exe on Windows might not working depending on your Windows version.  Downloading curl-7.78.0-win64-mingw made it work for me.

# Response (below) - Returns both a PKCS7 and X509 formatted certs:

# <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</a:Action><a:RelatesTo>urn:uuid:69cea9e1-95d1-4416-a877-d2b5b79fdf6e</a:RelatesTo><ActivityId CorrelationId="c5de5437-7682-4313-8b3c-85f9409b7ec1" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-0000-000000000000</ActivityId></s:Header><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</TokenType><DispositionMessage xml:lang="en-US" xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">Issued  0x80094004, The Enrollee (CN=lowpriv,CN=Users,DC=CORP,DC=LOCAL) has no E-Mail name registered in the Active Directory.  The E-Mail name will not be included in the certificate.&#xD;
# </DispositionMessage><BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIMfgYJKoZIhvcNAQcCoIIMbzCCDGsCAQMxDzANBglghkgBZQMEAgEFADCCAT0G&#xD;
# CCsGAQUFBwwDoIIBLwSCASswggEnMIIBHzCB2AIBAQYIKwYBBQUHBwExgcgwgcUC&#xD;
# AQAwAwIBAQyBuklzc3VlZCAgMHg4MDA5NDAwNCwgVGhlIEVucm9sbGVlIChDTj1s&#xD;
# b3dwcml2LENOPVVzZXJzLERDPUNPUlAsREM9TE9DQUwpIGhhcyBubyBFLU1haWwg&#xD;
# bmFtZSByZWdpc3RlcmVkIGluIHRoZSBBY3RpdmUgRGlyZWN0b3J5LiAgVGhlIEUt&#xD;
# TWFpbCBuYW1lIHdpbGwgbm90IGJlIGluY2x1ZGVkIGluIHRoZSBjZXJ0aWZpY2F0&#xD;
# ZS4NCjBCAgECBgorBgEEAYI3CgoBMTEwLwIBADADAgEBMSUwIwYJKwYBBAGCNxUR&#xD;
# MRYEFDgL7tJyumvZg0kHIWPs0mhhnmrdMAAwAKCCCTswggNrMIICU6ADAgECAhAw&#xD;
# 9Ext40HzmU/bjnrWJrpoMA0GCSqGSIb3DQEBCwUAMEgxFTATBgoJkiaJk/IsZAEZ&#xD;
# FgVMT0NBTDEUMBIGCgmSJomT8ixkARkWBENPUlAxGTAXBgNVBAMTEENPUlAtQ09S&#xD;
# UERDMDEtQ0EwHhcNMjEwNTA2MjM0MTM4WhcNMjYwNTA2MjM1MTM4WjBIMRUwEwYK&#xD;
# CZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/IsZAEZFgRDT1JQMRkwFwYDVQQD&#xD;
# ExBDT1JQLUNPUlBEQzAxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC&#xD;
# AQEAy5nsusQuIouCvwGODBTfgLsaGT0R9tS6DKt7Kwrbfzqw7rzJmX/1gA8RF6ob&#xD;
# 95J97+/7TSroundUezkaEaI2skkSKI3qJWKffjY5easWudMotMDcN/w0NBOMWpE3&#xD;
# zPSj5E9mTsRob+j3D+6jX7MdDb8Rks9iBrpXtMcgYKr8bsEdFoXsLHF4oWUijhoD&#xD;
# A+qGScaQoi6oyzH3AOKiaQiZzSC5YuXwDD6cp6V5Zb4S58e87S3gwtHWz/n6nhAG&#xD;
# pcxr7NTue5vd6xrkZDEWKyfa2QJd4UN2U/Fy9f64n/MOmYhAXHKhpSdylhrrnWGP&#xD;
# i6ndV5XybWLf1KHwCmFbzmGowQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0T&#xD;
# AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfeqWWzPiKSlHzUfblYVKpUBnVpIwEAYJKwYB&#xD;
# BAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAFRCQJeiGlaAJGOvsX4lDs2B&#xD;
# yt884lJZxIfL8bf1Y7auiNPnD5dMU95l3m4GekRxeijb9d8Jpu8Eh4pgXNU3sfAf&#xD;
# I8XYb261lWHz8dm15Ocjx1wDfofMBRWu7rRbGcyPKY71NnFsCfKE1X7ci7puiSbM&#xD;
# AbNIRWfi2eKjQM1WoVowFP322XxNSdlz5SLlhou2GcY8MdsGnJ8NTiZEpf02EXP9&#xD;
# 5kZ/o8izVm8ezeafi6l8TaA8LuaeVxPeMMiWY4tJ5l2+jDA25GLE3mOSyOuN7g3Y&#xD;
# aSgpc1VQvgZ17dFlcViqSvZU42GAbJ2qJ30ql88c6KGvdFXxeyFOYi4MTPUjE2Ew&#xD;
# ggXIMIIEsKADAgECAhN9AAiiOgVcqek69EOaAAAACKI6MA0GCSqGSIb3DQEBCwUA&#xD;
# MEgxFTATBgoJkiaJk/IsZAEZFgVMT0NBTDEUMBIGCgmSJomT8ixkARkWBENPUlAx&#xD;
# GTAXBgNVBAMTEENPUlAtQ09SUERDMDEtQ0EwHhcNMjEwOTA5MTUyMDM0WhcNMjIw&#xD;
# OTA5MTUyMDM0WjBPMRUwEwYKCZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/Is&#xD;
# ZAEZFgRDT1JQMQ4wDAYDVQQDEwVVc2VyczEQMA4GA1UEAxMHbG93cHJpdjCCASIw&#xD;
# DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAY1EWAMA3ih+KtbOZAJab+V7cs&#xD;
# aXWgAz0l8PD7hb9WeIqTgpyvkNZ/Q1KNJjlA0xtv5Vaf6ZURiOSuyKSM9t/ZJkGy&#xD;
# DMwneu7Qw96zbuR3+i07IiwRxb/JSYMNYNOPw+P4N5uhZHmBYnfQM4k8OfjTuOQS&#xD;
# G2W7xM81QWbkt6WPm0Em6PWmK0arw2iqJO6QHuwdmrXyTcIVlcn3G1j1u/QzXiVc&#xD;
# Il7UJZBtBcUPT8r7hXF0b0+WXAFSj2LP1ECcSMP9yYaK0DXm5nT8u7tnjKuXzU2Q&#xD;
# DI37gvrH5p5byI2DSPGnaYNbnt9Y3Ub36Xcv2RJ4b0bQaYKt9V+qGgR2ZfUCAwEA&#xD;
# AaOCAqIwggKeMBcGCSsGAQQBgjcUAgQKHggAVQBzAGUAcjAdBgNVHQ4EFgQU9oWv&#xD;
# VfPLjkGMBSu0HWiCX02toGIwHwYDVR0jBBgwFoAUfeqWWzPiKSlHzUfblYVKpUBn&#xD;
# VpIwgc4GA1UdHwSBxjCBwzCBwKCBvaCBuoaBt2xkYXA6Ly8vQ049Q09SUC1DT1JQ&#xD;
# REMwMS1DQSxDTj1DT1JQREMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vy&#xD;
# dmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1DT1JQLERDPUxP&#xD;
# Q0FMP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1j&#xD;
# UkxEaXN0cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUF&#xD;
# BzAChoGhbGRhcDovLy9DTj1DT1JQLUNPUlBEQzAxLUNBLENOPUFJQSxDTj1QdWJs&#xD;
# aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u&#xD;
# LERDPUNPUlAsREM9TE9DQUw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNz&#xD;
# PWNlcnRpZmljYXRpb25BdXRob3JpdHkwDgYDVR0PAQH/BAQDAgWgMCkGA1UdJQQi&#xD;
# MCAGCisGAQQBgjcKAwQGCCsGAQUFBwMEBggrBgEFBQcDAjAtBgNVHREEJjAkoCIG&#xD;
# CisGAQQBgjcUAgOgFAwSbG93cHJpdkBDT1JQLkxPQ0FMMEQGCSqGSIb3DQEJDwQ3&#xD;
# MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUrDgMCBzAKBggq&#xD;
# hkiG9w0DBzANBgkqhkiG9w0BAQsFAAOCAQEAy39pa6GBu4azZNfz7Fk7i5TAy8Js&#xD;
# F9YiDsoDsEW9UB0/z/nAX6H9zsNCSNGbMMz187yQebR25fb1OdbcwYBx3NGaXxpJ&#xD;
# JdIFAqoZ9S1fC+6j3lOg6mLx8azkuNoGQ5oWmJJyX9dU9DSs4fV5fY2zeDGfnhON&#xD;
# +AXPO5jcpMZpD4l2L2W8975J/qhZqwQMoRciRMJtlRnKr/3BZcwnAn5zvCMH2fI7&#xD;
# U0qA1Qr/J36wvX5CmSGYbyj6E0k9K8TNXt76sIGFzLLleTyzliIalUdhcG7sqtXO&#xD;
# 3cj8+W1yjI9MENYp/jTCJUfgNj4v/CDr4xJyWXcqZNXHKBstLxF3kIRolzGCAdMw&#xD;
# ggHPAgEBMFwwSDEVMBMGCgmSJomT8ixkARkWBUxPQ0FMMRQwEgYKCZImiZPyLGQB&#xD;
# GRYEQ09SUDEZMBcGA1UEAxMQQ09SUC1DT1JQREMwMS1DQQIQMPRMbeNB85lP2456&#xD;
# 1ia6aDANBglghkgBZQMEAgEFAKBKMBcGCSqGSIb3DQEJAzEKBggrBgEFBQcMAzAv&#xD;
# BgkqhkiG9w0BCQQxIgQg705IczAM9kcEw49YCLteouiTe0/4JCEIKY7BoYTdr+Aw&#xD;
# DQYJKoZIhvcNAQEBBQAEggEAMoTuxWEhL0hCjfrMSuIxEjYVc3Pb4xlwttxxkGYR&#xD;
# n3+WDFpDjskGbtl5dLXfUEAaUd/EXc999CjR+lwhUDaf9rLiqB0SvQAPIrnKsQge&#xD;
# s2ycuRjRz+T8MEcvtKiLbFhXNDmCyB8MfiqtkXgbbbavOJ90cMBNHkApYJl4DpR4&#xD;
# llhjlotDMFYf6jwoXs3KAVdiBX2/6T6IFE7BSkq6lTWU/pBD6iJ9n6qCIO4vf9WW&#xD;
# 8NoIByIGaksgW8D0YB1hvuXlBMRALdXVAzgQTLrTcFboN/pN6Q3TCtOm2J414vX5&#xD;
# J3M9MxtE28YFwQLSVJsuTiVKTSY8HYEe4vIdFEpyY0aXmA==&#xD;
# </BinarySecurityToken><RequestedSecurityToken><BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIFyDCCBLCgAwIBAgITfQAIojoFXKnpOvRDmgAAAAiiOjANBgkqhkiG9w0BAQsF&#xD;
# ADBIMRUwEwYKCZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/IsZAEZFgRDT1JQ&#xD;
# MRkwFwYDVQQDExBDT1JQLUNPUlBEQzAxLUNBMB4XDTIxMDkwOTE1MjAzNFoXDTIy&#xD;
# MDkwOTE1MjAzNFowTzEVMBMGCgmSJomT8ixkARkWBUxPQ0FMMRQwEgYKCZImiZPy&#xD;
# LGQBGRYEQ09SUDEOMAwGA1UEAxMFVXNlcnMxEDAOBgNVBAMTB2xvd3ByaXYwggEi&#xD;
# MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAGNRFgDAN4ofirWzmQCWm/le3&#xD;
# LGl1oAM9JfDw+4W/VniKk4Kcr5DWf0NSjSY5QNMbb+VWn+mVEYjkrsikjPbf2SZB&#xD;
# sgzMJ3ru0MPes27kd/otOyIsEcW/yUmDDWDTj8Pj+DeboWR5gWJ30DOJPDn407jk&#xD;
# Ehtlu8TPNUFm5Lelj5tBJuj1pitGq8NoqiTukB7sHZq18k3CFZXJ9xtY9bv0M14l&#xD;
# XCJe1CWQbQXFD0/K+4VxdG9PllwBUo9iz9RAnEjD/cmGitA15uZ0/Lu7Z4yrl81N&#xD;
# kAyN+4L6x+aeW8iNg0jxp2mDW57fWN1G9+l3L9kSeG9G0GmCrfVfqhoEdmX1AgMB&#xD;
# AAGjggKiMIICnjAXBgkrBgEEAYI3FAIECh4IAFUAcwBlAHIwHQYDVR0OBBYEFPaF&#xD;
# r1Xzy45BjAUrtB1ogl9NraBiMB8GA1UdIwQYMBaAFH3qllsz4ikpR81H25WFSqVA&#xD;
# Z1aSMIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPUNPUlAtQ09S&#xD;
# UERDMDEtQ0EsQ049Q09SUERDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl&#xD;
# cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Q09SUCxEQz1M&#xD;
# T0NBTD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9&#xD;
# Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcEGCCsGAQUFBwEBBIG0MIGxMIGuBggrBgEF&#xD;
# BQcwAoaBoWxkYXA6Ly8vQ049Q09SUC1DT1JQREMwMS1DQSxDTj1BSUEsQ049UHVi&#xD;
# bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv&#xD;
# bixEQz1DT1JQLERDPUxPQ0FMP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFz&#xD;
# cz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA4GA1UdDwEB/wQEAwIFoDApBgNVHSUE&#xD;
# IjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwLQYDVR0RBCYwJKAi&#xD;
# BgorBgEEAYI3FAIDoBQMEmxvd3ByaXZAQ09SUC5MT0NBTDBEBgkqhkiG9w0BCQ8E&#xD;
# NzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYI&#xD;
# KoZIhvcNAwcwDQYJKoZIhvcNAQELBQADggEBAMt/aWuhgbuGs2TX8+xZO4uUwMvC&#xD;
# bBfWIg7KA7BFvVAdP8/5wF+h/c7DQkjRmzDM9fO8kHm0duX29TnW3MGAcdzRml8a&#xD;
# SSXSBQKqGfUtXwvuo95ToOpi8fGs5LjaBkOaFpiScl/XVPQ0rOH1eX2Ns3gxn54T&#xD;
# jfgFzzuY3KTGaQ+Jdi9lvPe+Sf6oWasEDKEXIkTCbZUZyq/9wWXMJwJ+c7wjB9ny&#xD;
# O1NKgNUK/yd+sL1+QpkhmG8o+hNJPSvEzV7e+rCBhcyy5Xk8s5YiGpVHYXBu7KrV&#xD;
# zt3I/PltcoyPTBDWKf40wiVH4DY+L/wg6+MScll3KmTVxygbLS8Rd5CEaJc=&#xD;
# </BinarySecurityToken></RequestedSecurityToken><RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">565818</RequestID></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>

## CES.wsdl
<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="SecurityTokenService" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:i0="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://tempuri.org/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
    <wsp:Policy wsu:Id="WSHttpBinding_ISecurityTokenService_policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <http:NegotiateAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/>
                <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken RequireClientCertificate="false"/>
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic256/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                    </wsp:Policy>
                </sp:TransportBinding>
                <wsaw:UsingAddressing/>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsdl:import namespace="http://schemas.microsoft.com/windows/pki/2009/01/enrollment" location="https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc?wsdl=wsdl0"/>
    <wsdl:types/>
    <wsdl:binding name="WSHttpBinding_ISecurityTokenService" type="i0:ISecurityTokenService">
        <wsp:PolicyReference URI="#WSHttpBinding_ISecurityTokenService_policy"/>
        <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    </wsdl:binding>
    <wsdl:service name="SecurityTokenService">
        <wsdl:port name="WSHttpBinding_ISecurityTokenService" binding="tns:WSHttpBinding_ISecurityTokenService">
            <soap12:address location="https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES"/>
            <wsa10:EndpointReference>
                <wsa10:Address>https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES</wsa10:Address>
                <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
                    <Upn>cesservice@CORP.LOCAL</Upn>
                </Identity>
            </wsa10:EndpointReference>
        </wsdl:port>
    </wsdl:service>
</wsdl:definitions>
	from cryptography.hazmat.backends import default_backend
	from cryptography.hazmat.primitives import serialization
	from cryptography.hazmat.primitives.asymmetric import rsa
	from cryptography import x509
	from cryptography.x509.extensions import ExtensionType
	from cryptography.x509.oid import NameOID
	from cryptography.hazmat.primitives import hashes
	from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
	import base64
	import pyasn1
	import pyasn1.codec.der.encoder
	import pyasn1.type.univ
	import uuid
	from pyasn1.type.char import BMPString


	def new_private_key():
	key = rsa.generate_private_key(
	public_exponent=65537,
	key_size=2048,
	backend=default_backend()
	)
	return key

	def new_ces_csr(cesUrl, templateName):
	csr_private_key = new_private_key()

	# Microsoft-specific CSR OID extension used during cert enrollment
	# More info: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/3aec3e50-511a-42f9-a5d5-240af503e470
	szOID_ENROLL_CERTTYPE = '1.3.6.1.4.1.311.20.2'
	certTemplateExt=x509.UnrecognizedExtension(
	x509.oid.ObjectIdentifier(szOID_ENROLL_CERTTYPE),
	pyasn1.codec.der.encoder.encode(BMPString(templateName))
	)

	csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
	x509.NameAttribute(NameOID.COMMON_NAME, u"CSR"), # Dummy subject - the CA will just ignore it and use the authenticating user
	])).add_extension(
	certTemplateExt, critical=False
	).sign(csr_private_key, hashes.SHA256(), default_backend())

	return csr

	def new_ces_request(cesUrl, csr):
	# Use MS-WSTEP to request a certificate from the certificate enrollment web service (CES). It's a SOAP based protocol.
	# You can get the WSDL from https://<CA server>/<CA Name>_CES_Kerberos/service.svc?wsdl on the CA server (public metadata
	# publishing is disabled by default, so you can only access from the WSDL from that URL while on the CA server). You can
	# see the WSDL from my test domain at the end of this file.I "cheated" and got the XML below by using Windows to request
	# a cert from the Certificate Enrollment Web Service and monitoring the HTTP requests.
	#
	# More info about MS-WSTEP: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea
	# - Section 4 has examples: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/d87e93bc-2d8c-4cb5-bbeb-30549bd4f789
	der_csr = csr.public_bytes(serialization.Encoding.DER)
	der_csr_base64 = str(base64.b64encode(der_csr), "utf-8")
	messageId = str(uuid.uuid4())

	requestBody = f"""<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
	xmlns:s="http://www.w3.org/2003/05/soap-envelope">
	<s:Header>
	<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
	<a:MessageID>urn:uuid:{messageId}</a:MessageID>
	<a:To s:mustUnderstand="1">{cesUrl}</a:To>
	</s:Header>
	<s:Body>
	<RequestSecurityToken PreferredLanguage="en-US"
	xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
	<TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</TokenType>
	<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
	<BinarySecurityToken ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" a:Id=""
	xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
	{der_csr_base64}
	</BinarySecurityToken>
	</RequestSecurityToken>
	</s:Body>
	</s:Envelope>
	"""
	return requestBody

	# Generate the CSR
	cesUrl = 'https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES'
	templateName = 'User'

	csr = new_ces_csr(cesUrl, templateName)
	request_body = new_ces_request(cesUrl, csr)

	# Write the HTTP body to a file
	file = open("C:\\temp\\body.txt", "wb")
	file.write(str.encode(request_body))
	file.close()

	# Now make the request. Things to note:
	# - Content-Type needs to be 'application/soap+xml'
	# - Authentication may vary depending on the AD CS server. Most installations support Negotiate auth (so NTLM/Kerberos), but CES can be setup to support cert-based auth and basic user/password auth (separate from AD).
	# Examples:
	# PowerShell: Invoke-WebRequest https://192.168.230.200/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES -Credential $cred -Method Post -Body (gc C:\temp\body.txt) -ContentType 'application/soap+xml').Content
	# Curl: curl https://192.168.230.200/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES -H "Content-Type: application/soap+xml" --data @C:\temp\body.txt -k --negotiate -u "CORP\lowpriv:Qwerty12345"
	# Note: Negotiate auth with curl.exe on Windows might not working depending on your Windows version. Downloading curl-7.78.0-win64-mingw made it work for me.

	# Response (below) - Returns both a PKCS7 and X509 formatted certs:

	# <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</a:Action><a:RelatesTo>urn:uuid:69cea9e1-95d1-4416-a877-d2b5b79fdf6e</a:RelatesTo><ActivityId CorrelationId="c5de5437-7682-4313-8b3c-85f9409b7ec1" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">00000000-0000-0000-0000-000000000000</ActivityId></s:Header><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</TokenType><DispositionMessage xml:lang="en-US" xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">Issued 0x80094004, The Enrollee (CN=lowpriv,CN=Users,DC=CORP,DC=LOCAL) has no E-Mail name registered in the Active Directory. The E-Mail name will not be included in the certificate.
	# </DispositionMessage><BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIMfgYJKoZIhvcNAQcCoIIMbzCCDGsCAQMxDzANBglghkgBZQMEAgEFADCCAT0G
	# CCsGAQUFBwwDoIIBLwSCASswggEnMIIBHzCB2AIBAQYIKwYBBQUHBwExgcgwgcUC
	# AQAwAwIBAQyBuklzc3VlZCAgMHg4MDA5NDAwNCwgVGhlIEVucm9sbGVlIChDTj1s
	# b3dwcml2LENOPVVzZXJzLERDPUNPUlAsREM9TE9DQUwpIGhhcyBubyBFLU1haWwg
	# bmFtZSByZWdpc3RlcmVkIGluIHRoZSBBY3RpdmUgRGlyZWN0b3J5LiAgVGhlIEUt
	# TWFpbCBuYW1lIHdpbGwgbm90IGJlIGluY2x1ZGVkIGluIHRoZSBjZXJ0aWZpY2F0
	# ZS4NCjBCAgECBgorBgEEAYI3CgoBMTEwLwIBADADAgEBMSUwIwYJKwYBBAGCNxUR
	# MRYEFDgL7tJyumvZg0kHIWPs0mhhnmrdMAAwAKCCCTswggNrMIICU6ADAgECAhAw
	# 9Ext40HzmU/bjnrWJrpoMA0GCSqGSIb3DQEBCwUAMEgxFTATBgoJkiaJk/IsZAEZ
	# FgVMT0NBTDEUMBIGCgmSJomT8ixkARkWBENPUlAxGTAXBgNVBAMTEENPUlAtQ09S
	# UERDMDEtQ0EwHhcNMjEwNTA2MjM0MTM4WhcNMjYwNTA2MjM1MTM4WjBIMRUwEwYK
	# CZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/IsZAEZFgRDT1JQMRkwFwYDVQQD
	# ExBDT1JQLUNPUlBEQzAxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
	# AQEAy5nsusQuIouCvwGODBTfgLsaGT0R9tS6DKt7Kwrbfzqw7rzJmX/1gA8RF6ob
	# 95J97+/7TSroundUezkaEaI2skkSKI3qJWKffjY5easWudMotMDcN/w0NBOMWpE3
	# zPSj5E9mTsRob+j3D+6jX7MdDb8Rks9iBrpXtMcgYKr8bsEdFoXsLHF4oWUijhoD
	# A+qGScaQoi6oyzH3AOKiaQiZzSC5YuXwDD6cp6V5Zb4S58e87S3gwtHWz/n6nhAG
	# pcxr7NTue5vd6xrkZDEWKyfa2QJd4UN2U/Fy9f64n/MOmYhAXHKhpSdylhrrnWGP
	# i6ndV5XybWLf1KHwCmFbzmGowQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0T
	# AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfeqWWzPiKSlHzUfblYVKpUBnVpIwEAYJKwYB
	# BAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAFRCQJeiGlaAJGOvsX4lDs2B
	# yt884lJZxIfL8bf1Y7auiNPnD5dMU95l3m4GekRxeijb9d8Jpu8Eh4pgXNU3sfAf
	# I8XYb261lWHz8dm15Ocjx1wDfofMBRWu7rRbGcyPKY71NnFsCfKE1X7ci7puiSbM
	# AbNIRWfi2eKjQM1WoVowFP322XxNSdlz5SLlhou2GcY8MdsGnJ8NTiZEpf02EXP9
	# 5kZ/o8izVm8ezeafi6l8TaA8LuaeVxPeMMiWY4tJ5l2+jDA25GLE3mOSyOuN7g3Y
	# aSgpc1VQvgZ17dFlcViqSvZU42GAbJ2qJ30ql88c6KGvdFXxeyFOYi4MTPUjE2Ew
	# ggXIMIIEsKADAgECAhN9AAiiOgVcqek69EOaAAAACKI6MA0GCSqGSIb3DQEBCwUA
	# MEgxFTATBgoJkiaJk/IsZAEZFgVMT0NBTDEUMBIGCgmSJomT8ixkARkWBENPUlAx
	# GTAXBgNVBAMTEENPUlAtQ09SUERDMDEtQ0EwHhcNMjEwOTA5MTUyMDM0WhcNMjIw
	# OTA5MTUyMDM0WjBPMRUwEwYKCZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/Is
	# ZAEZFgRDT1JQMQ4wDAYDVQQDEwVVc2VyczEQMA4GA1UEAxMHbG93cHJpdjCCASIw
	# DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAY1EWAMA3ih+KtbOZAJab+V7cs
	# aXWgAz0l8PD7hb9WeIqTgpyvkNZ/Q1KNJjlA0xtv5Vaf6ZURiOSuyKSM9t/ZJkGy
	# DMwneu7Qw96zbuR3+i07IiwRxb/JSYMNYNOPw+P4N5uhZHmBYnfQM4k8OfjTuOQS
	# G2W7xM81QWbkt6WPm0Em6PWmK0arw2iqJO6QHuwdmrXyTcIVlcn3G1j1u/QzXiVc
	# Il7UJZBtBcUPT8r7hXF0b0+WXAFSj2LP1ECcSMP9yYaK0DXm5nT8u7tnjKuXzU2Q
	# DI37gvrH5p5byI2DSPGnaYNbnt9Y3Ub36Xcv2RJ4b0bQaYKt9V+qGgR2ZfUCAwEA
	# AaOCAqIwggKeMBcGCSsGAQQBgjcUAgQKHggAVQBzAGUAcjAdBgNVHQ4EFgQU9oWv
	# VfPLjkGMBSu0HWiCX02toGIwHwYDVR0jBBgwFoAUfeqWWzPiKSlHzUfblYVKpUBn
	# VpIwgc4GA1UdHwSBxjCBwzCBwKCBvaCBuoaBt2xkYXA6Ly8vQ049Q09SUC1DT1JQ
	# REMwMS1DQSxDTj1DT1JQREMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vy
	# dmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1DT1JQLERDPUxP
	# Q0FMP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1j
	# UkxEaXN0cmlidXRpb25Qb2ludDCBwQYIKwYBBQUHAQEEgbQwgbEwga4GCCsGAQUF
	# BzAChoGhbGRhcDovLy9DTj1DT1JQLUNPUlBEQzAxLUNBLENOPUFJQSxDTj1QdWJs
	# aWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9u
	# LERDPUNPUlAsREM9TE9DQUw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNz
	# PWNlcnRpZmljYXRpb25BdXRob3JpdHkwDgYDVR0PAQH/BAQDAgWgMCkGA1UdJQQi
	# MCAGCisGAQQBgjcKAwQGCCsGAQUFBwMEBggrBgEFBQcDAjAtBgNVHREEJjAkoCIG
	# CisGAQQBgjcUAgOgFAwSbG93cHJpdkBDT1JQLkxPQ0FMMEQGCSqGSIb3DQEJDwQ3
	# MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUrDgMCBzAKBggq
	# hkiG9w0DBzANBgkqhkiG9w0BAQsFAAOCAQEAy39pa6GBu4azZNfz7Fk7i5TAy8Js
	# F9YiDsoDsEW9UB0/z/nAX6H9zsNCSNGbMMz187yQebR25fb1OdbcwYBx3NGaXxpJ
	# JdIFAqoZ9S1fC+6j3lOg6mLx8azkuNoGQ5oWmJJyX9dU9DSs4fV5fY2zeDGfnhON
	# +AXPO5jcpMZpD4l2L2W8975J/qhZqwQMoRciRMJtlRnKr/3BZcwnAn5zvCMH2fI7
	# U0qA1Qr/J36wvX5CmSGYbyj6E0k9K8TNXt76sIGFzLLleTyzliIalUdhcG7sqtXO
	# 3cj8+W1yjI9MENYp/jTCJUfgNj4v/CDr4xJyWXcqZNXHKBstLxF3kIRolzGCAdMw
	# ggHPAgEBMFwwSDEVMBMGCgmSJomT8ixkARkWBUxPQ0FMMRQwEgYKCZImiZPyLGQB
	# GRYEQ09SUDEZMBcGA1UEAxMQQ09SUC1DT1JQREMwMS1DQQIQMPRMbeNB85lP2456
	# 1ia6aDANBglghkgBZQMEAgEFAKBKMBcGCSqGSIb3DQEJAzEKBggrBgEFBQcMAzAv
	# BgkqhkiG9w0BCQQxIgQg705IczAM9kcEw49YCLteouiTe0/4JCEIKY7BoYTdr+Aw
	# DQYJKoZIhvcNAQEBBQAEggEAMoTuxWEhL0hCjfrMSuIxEjYVc3Pb4xlwttxxkGYR
	# n3+WDFpDjskGbtl5dLXfUEAaUd/EXc999CjR+lwhUDaf9rLiqB0SvQAPIrnKsQge
	# s2ycuRjRz+T8MEcvtKiLbFhXNDmCyB8MfiqtkXgbbbavOJ90cMBNHkApYJl4DpR4
	# llhjlotDMFYf6jwoXs3KAVdiBX2/6T6IFE7BSkq6lTWU/pBD6iJ9n6qCIO4vf9WW
	# 8NoIByIGaksgW8D0YB1hvuXlBMRALdXVAzgQTLrTcFboN/pN6Q3TCtOm2J414vX5
	# J3M9MxtE28YFwQLSVJsuTiVKTSY8HYEe4vIdFEpyY0aXmA==
	# </BinarySecurityToken><RequestedSecurityToken><BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIFyDCCBLCgAwIBAgITfQAIojoFXKnpOvRDmgAAAAiiOjANBgkqhkiG9w0BAQsF
	# ADBIMRUwEwYKCZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/IsZAEZFgRDT1JQ
	# MRkwFwYDVQQDExBDT1JQLUNPUlBEQzAxLUNBMB4XDTIxMDkwOTE1MjAzNFoXDTIy
	# MDkwOTE1MjAzNFowTzEVMBMGCgmSJomT8ixkARkWBUxPQ0FMMRQwEgYKCZImiZPy
	# LGQBGRYEQ09SUDEOMAwGA1UEAxMFVXNlcnMxEDAOBgNVBAMTB2xvd3ByaXYwggEi
	# MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAGNRFgDAN4ofirWzmQCWm/le3
	# LGl1oAM9JfDw+4W/VniKk4Kcr5DWf0NSjSY5QNMbb+VWn+mVEYjkrsikjPbf2SZB
	# sgzMJ3ru0MPes27kd/otOyIsEcW/yUmDDWDTj8Pj+DeboWR5gWJ30DOJPDn407jk
	# Ehtlu8TPNUFm5Lelj5tBJuj1pitGq8NoqiTukB7sHZq18k3CFZXJ9xtY9bv0M14l
	# XCJe1CWQbQXFD0/K+4VxdG9PllwBUo9iz9RAnEjD/cmGitA15uZ0/Lu7Z4yrl81N
	# kAyN+4L6x+aeW8iNg0jxp2mDW57fWN1G9+l3L9kSeG9G0GmCrfVfqhoEdmX1AgMB
	# AAGjggKiMIICnjAXBgkrBgEEAYI3FAIECh4IAFUAcwBlAHIwHQYDVR0OBBYEFPaF
	# r1Xzy45BjAUrtB1ogl9NraBiMB8GA1UdIwQYMBaAFH3qllsz4ikpR81H25WFSqVA
	# Z1aSMIHOBgNVHR8EgcYwgcMwgcCggb2ggbqGgbdsZGFwOi8vL0NOPUNPUlAtQ09S
	# UERDMDEtQ0EsQ049Q09SUERDMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNl
	# cnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Q09SUCxEQz1M
	# T0NBTD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9
	# Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcEGCCsGAQUFBwEBBIG0MIGxMIGuBggrBgEF
	# BQcwAoaBoWxkYXA6Ly8vQ049Q09SUC1DT1JQREMwMS1DQSxDTj1BSUEsQ049UHVi
	# bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv
	# bixEQz1DT1JQLERDPUxPQ0FMP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFz
	# cz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA4GA1UdDwEB/wQEAwIFoDApBgNVHSUE
	# IjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwLQYDVR0RBCYwJKAi
	# BgorBgEEAYI3FAIDoBQMEmxvd3ByaXZAQ09SUC5MT0NBTDBEBgkqhkiG9w0BCQ8E
	# NzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYI
	# KoZIhvcNAwcwDQYJKoZIhvcNAQELBQADggEBAMt/aWuhgbuGs2TX8+xZO4uUwMvC
	# bBfWIg7KA7BFvVAdP8/5wF+h/c7DQkjRmzDM9fO8kHm0duX29TnW3MGAcdzRml8a
	# SSXSBQKqGfUtXwvuo95ToOpi8fGs5LjaBkOaFpiScl/XVPQ0rOH1eX2Ns3gxn54T
	# jfgFzzuY3KTGaQ+Jdi9lvPe+Sf6oWasEDKEXIkTCbZUZyq/9wWXMJwJ+c7wjB9ny
	# O1NKgNUK/yd+sL1+QpkhmG8o+hNJPSvEzV7e+rCBhcyy5Xk8s5YiGpVHYXBu7KrV
	# zt3I/PltcoyPTBDWKf40wiVH4DY+L/wg6+MScll3KmTVxygbLS8Rd5CEaJc=
	# </BinarySecurityToken></RequestedSecurityToken><RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">565818</RequestID></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>
	<?xml version="1.0" encoding="utf-8"?>
	<wsdl:definitions name="SecurityTokenService" targetNamespace="http://tempuri.org/"
	xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
	xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
	xmlns:i0="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:wsa10="http://www.w3.org/2005/08/addressing"
	xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
	xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
	xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
	xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
	xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:tns="http://tempuri.org/"
	xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
	xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
	xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
	<wsp:Policy wsu:Id="WSHttpBinding_ISecurityTokenService_policy">
	<wsp:ExactlyOne>
	<wsp:All>
	<http:NegotiateAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/>
	<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
	<wsp:Policy>
	<sp:TransportToken>
	<wsp:Policy>
	<sp:HttpsToken RequireClientCertificate="false"/>
	</wsp:Policy>
	</sp:TransportToken>
	<sp:AlgorithmSuite>
	<wsp:Policy>
	<sp:Basic256/>
	</wsp:Policy>
	</sp:AlgorithmSuite>
	<sp:Layout>
	<wsp:Policy>
	<sp:Strict/>
	</wsp:Policy>
	</sp:Layout>
	</wsp:Policy>
	</sp:TransportBinding>
	<wsaw:UsingAddressing/>
	</wsp:All>
	</wsp:ExactlyOne>
	</wsp:Policy>
	<wsdl:import namespace="http://schemas.microsoft.com/windows/pki/2009/01/enrollment" location="https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc?wsdl=wsdl0"/>
	<wsdl:types/>
	<wsdl:binding name="WSHttpBinding_ISecurityTokenService" type="i0:ISecurityTokenService">
	<wsp:PolicyReference URI="#WSHttpBinding_ISecurityTokenService_policy"/>
	<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
	</wsdl:binding>
	<wsdl:service name="SecurityTokenService">
	<wsdl:port name="WSHttpBinding_ISecurityTokenService" binding="tns:WSHttpBinding_ISecurityTokenService">
	<soap12:address location="https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES"/>
	<wsa10:EndpointReference>
	<wsa10:Address>https://corpdc01.corp.local/CORP-CORPDC01-CA_CES_Kerberos/service.svc/CES</wsa10:Address>
	<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
	<Upn>cesservice@CORP.LOCAL</Upn>
	</Identity>
	</wsa10:EndpointReference>
	</wsdl:port>
	</wsdl:service>
	</wsdl:definitions>