From a02a176f7ea9274cbb3c342614382bab7acd5ea7 Mon Sep 17 00:00:00 2001
From: admManuel
Date: Tue, 13 Feb 2024 14:59:51 +0000
Subject: [PATCH] Add Windows/CertificateRequests.md

---
 Windows/CertificateRequests.md | 301 +++++++++++++++++++++++++++++++++
 1 file changed, 301 insertions(+)
 create mode 100644 Windows/CertificateRequests.md

diff --git a/Windows/CertificateRequests.md b/Windows/CertificateRequests.md
new file mode 100644
index 0000000..c16988f
--- /dev/null
+++ b/Windows/CertificateRequests.md
@@ -0,0 +1,301 @@
+# How to create Certrequests with PowerShell
+
+First we need an installed OpenSSL on the WindowsServer.
+The CodeSigning Part (Option 5) is not working yet.
+
+```powershell
+### variables
+$openSSLDir = "C:\Program Files\OpenSSL-Win64\bin"
+
+### temporary directory path for the cert files during the creation
+$tempDir = "C:\temp"
+
+### directory path for the main location of the finished cert files
+$share = "\\mystorage.mydomain.local\certs"
+
+### own list of copy machines that are not part of active direcoty
+$kopierer = @("Kopierer-EG","Kopierer-OG")
+
+### dito for accesspoints
+$accesspoints = @("AP-EG","AP-OG","AP-DG")
+
+### charackter for awesome checkmark symbol :)
+$checkmark = [char]8730
+
+### attributes of your certificate
+$cert_U = "IT-Abteilung"
+$cert_O = "MyCompanyName"
+$cert_L = "Location"
+$cert_S = "State"
+$cert_C = "DE"
+$cert_E = "it@example.com"
+
+### functions
+function createCert([string]$Template, [string]$dns1, [string]$dns2) {
+
+ $CSRPath = "$($tempDir)\$($CertName).csr"
+ $INFPath = "$($tempDir)\$($CertName).inf"
+ $CRTPath = "$($tempDir)\$($CertName)_decrypted.crt"
+ $CRPPath = "$($tempDir)\$($CertName)_encrypted.crt"
+ $PFXPath = "$($tempDir)\$($CertName).pfx"
+ $RSPPath = "$($tempDir)\$($CertName).rsp"
+ $KEYPath = "$($tempDir)\$($CertName)_decrypted.key"
+ $KEPPath = "$($tempDir)\$($CertName)_encrypted.key"
+ $PEMPath = "$($certStorage)\$($CertName).pem"
+
+ $INF =
+@"
+[NewRequest]
+Subject = "CN=$CertName, OU=$cert_U, O=$cert_O, L=$cert_L, S=$cert_S, C=$cert_C, E=$cert_E"
+FriendlyName = "$CertName"
+KeySpec = 1
+KeyLength = 2048
+Exportable = TRUE
+RequestType = PKCS10
+MachineKeySet = TRUE
+SMIME = False
+PrivateKeyArchive = FALSE
+UserProtected = FALSE
+UseExistingKeySet = FALSE
+ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+ProviderType = 12
+KeyUsage = 0xa0
+"@
+
+ if ($CertName -like "wildcard*") {
+ $INF +=
+@"
+
+
+[EnhancedKeyUsageExtension]
+OID=1.3.6.1.5.5.7.3.1
+
+[Extensions]
+2.5.29.17 = "{text}"
+_continue_ = "dns=$dns1&"
+_continue_ = "dns=$dns2&"
+"@
+ }
+
+ Write-Host `r`n
+ Write-Host 'Create Cert for: ' -NoNewline -ForegroundColor White
+ Write-Host $CertName -ForegroundColor Cyan
+ Write-Host '==================================================' -ForegroundColor White
+
+ $INF | Out-File -filepath $INFPath -Encoding default
+ certreq -new $INFPath $CSRPath | Out-Null
+
+ Write-Host 'CSR: ' -NoNewline -ForegroundColor Gray
+ Write-Host $checkmark -ForegroundColor Green
+
+ certreq -config "myCA.mydomain.local\mydomain-CA" -attrib "CertificateTemplate:$($Template)" -submit $CSRPath $CRPPath | Out-Null
+ certreq -accept $CRPPath | Out-Null
+
+ ### old version
+ #$cerFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
+ #$cerFile.Import($CRPPath)
+
+ ### new version (https://www.cloudnotes.io/x509certificate-is-immutable-on-this-platform-use-the-equivalent-constructor-instead/)
+ $cerFile = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2($CRPPath)
+
+ $thumbprint = $cerFile.Thumbprint
+ Get-ChildItem -Path "Cert:\LocalMachine\my\$thumbprint" | Export-PfxCertificate -FilePath $PFXPath -Password $securePass | Out-Null
+ Get-ChildItem -Path "Cert:\LocalMachine\my\$thumbprint" | Remove-Item -Confirm:$false
+ Write-Host 'PFX: ' -NoNewline -ForegroundColor Gray
+ Write-Host $checkmark -ForegroundColor Green
+
+ if ($CertName -like "Kopierer*") {
+ Move-Item -Path "$PFXPath" -Destination "$($certStorage)\$($CertName).pfx"
+ } elseif ($CertName -like "AP-*") {
+ Start-Process .\openssl.exe -Argumentlist "pkcs12 -in $PFXPath -clcerts -nokeys -out $CRPPath -passin pass:$plainPass" -wait
+ Start-Process .\openssl.exe -Argumentlist "pkcs12 -in $PFXPath -nocerts -out $KEPPath -passout pass:$plainPass -passin pass:$plainPass" -wait
+ Start-Process .\openssl.exe -Argumentlist "rsa -in $KEPPath -out $KEYPath -passin pass:$plainPass" -wait
+
+ Write-Host 'KEY: ' -NoNewline -ForegroundColor Gray
+ Write-Host $checkmark -ForegroundColor Green
+
+ $pem = Get-Content $CRPPath
+ $pem | Out-File -Encoding UTF8 $PEMPath
+
+ Move-Item -Path "$KEYPath" -Destination "$($certStorage)\$($CertName)_key.pem"
+
+ Write-Host 'PEM: ' -NoNewline -ForegroundColor Gray
+ Write-Host $checkmark -ForegroundColor Green
+ } elseif ($CertName -like "Telefon*") {
+ Start-Process .\openssl.exe -Argumentlist "pkcs12 -in $PFXPath -clcerts -nokeys -out $CRPPath -passin pass:$plainPass" -wait
+ Start-Process .\openssl.exe -Argumentlist "pkcs12 -in $PFXPath -nocerts -out $KEPPath -passout pass:$plainPass -passin pass:$plainPass" -wait
+ Start-Process .\openssl.exe -Argumentlist "rsa -in $KEPPath -out $KEYPath -passin pass:$plainPass" -wait
+
+ Write-Host 'KEY: ' -NoNewline -ForegroundColor Gray
+ Write-Host $checkmark -ForegroundColor Green
+
+ $pem = Get-Content $CRPPath
+ $pem += Get-Content $KEYPath
+ $pem | Out-File -Encoding UTF8 $PEMPath
+
+ Write-Host 'PEM: ' -NoNewline -ForegroundColor Gray
+ Write-Host $checkmark -ForegroundColor Green
+ } elseif ($CertName -like "wildcard*") {
+ Start-Process .\openssl.exe -Argumentlist "pkcs12 -in $PFXPath -clcerts -nokeys -out $CRTPath -passin pass:$plainPass" -wait
+ Start-Process .\openssl.exe -Argumentlist "pkcs12 -in $PFXPath -nocerts -out $KEPPath -passin pass:$plainPass -passout pass:$plainPass" -wait
+ Start-Process .\openssl.exe -Argumentlist "rsa -in $KEPPath -out $KEYPath -passin pass:$plainPass" -wait
+ Move-Item -Path "$PFXPath" -Destination "$($certStorage)\$($CertName).pfx"
+ Move-Item -Path "$KEPPath" -Destination "$($certStorage)\$($CertName)_encrypted.key"
+ Move-Item -Path "$KEYPath" -Destination "$($certStorage)\$($CertName)_decrypted.key"
+ Move-Item -Path "$CRPPath" -Destination "$($certStorage)\$($CertName)_encrypted.crt"
+ Move-Item -Path "$CRTPath" -Destination "$($certStorage)\$($CertName)_decrypted.crt"
+ }
+
+ Get-ChildItem "$($tempDir)" -recurse -force -include *.csr,*.inf,*.crt,*.rsp,*.key,*.kep,*.pfx | Remove-Item -force
+}
+
+function accesspoints([string]$pass) {
+ $TEMP = "RadiusZertifikat(keyexport)"
+ $certStorage = "$($share)\$($TEMP)\accesspoints\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
+ New-Item -Path $certStorage -Type Directory -Force | Out-Null
+ Import-Module ActiveDirectory
+
+ foreach($device in $accesspoints) {
+ $CertName = "$device.mydomain.local"
+ createCert $TEMP $pass
+ }
+}
+
+function yealinks([string]$pass) {
+ $TEMP = "RadiusZertifikat(keyexport)"
+ $certStorage = "$($share)\$($TEMP)\yealinks\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
+ New-Item -Path $certStorage -Type Directory -Force | Out-Null
+ Import-Module ActiveDirectory
+ ### adjust the SearchBase
+ $users = Get-ADUser -SearchBase "OU=Users,DC=mydomain,DC=local" -Filter * -Properties *
+ $ext = @()
+ foreach($user in $users){
+
+ ### adjust the format to your environment (stored phone number on user attributs)
+ if($user.OfficePhone -like "0123 1111-*"){
+ ### example for user that got different number in AD than it should have
+ if ($user.Name -eq "max"){
+ $ext += 25
+ ### example for skipped user
+ }elseif ($user.Name -eq "lisa"){
+
+ }else{
+ $ext += ($user.OfficePhone).split("-")[1]
+ }
+ }
+ }
+
+ ### extra number for phones not belonging to an employee
+ $ext += 949
+
+ foreach($e in $ext) {
+ $CertName = "Telefon-$e"
+ createCert $TEMP $pass
+ }
+}
+
+function kopierer([string]$pass) {
+ $TEMP = "RadiusZertifikat(keyexport)"
+ $certStorage = "$($share)\$($TEMP)\kopierer\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
+ New-Item -Path $certStorage -Type Directory -Force | Out-Null
+ foreach($device in $kopierer){
+ $CertName = "$device.mydomain.local"
+ createCert $TEMP $pass
+ }
+}
+
+function webserver($pw) {
+ $CertName = "wildcard.mydomain.local"
+ $dns1 = "mydomain.local"
+ $dns2 = "*.mydomain.local"
+
+ ### Template on your CA that should be used
+ $TEMP = "WebServerTemplate"
+
+ $certStorage = "$($share)\$($TEMP)\wildcard\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
+ New-Item -Path $certStorage -Type Directory -Force | Out-Null
+ createCert $TEMP $dns1 $dns2
+}
+
+function menu {
+ Do
+ {
+ ### user interaction
+ Start-Sleep 1
+ clear
+ Write-Host `r`n
+ Write-Host 'Certcreation' -NoNewline -ForegroundColor Red
+ Write-Host ' © ' -NoNewline -ForegroundColor Gray
+ Write-Host 'Klüber-IT' -NoNewline -ForegroundColor Cyan
+ Write-Host ' & ' -NoNewline -ForegroundColor Gray
+ Write-Host 'Gläser-IT' -ForegroundColor Cyan
+ Write-Host '========================================'
+
+ #[1] - Webserver Wildcard
+ Write-Host '[' -NoNewline
+ Write-Host '1' -NoNewline -ForegroundColor Cyan
+ Write-Host '] - Webserver: ' -NoNewline
+ Write-Host 'wildcard.mydomain.local' -ForegroundColor Green
+
+ #[2] - Yealink
+ Write-Host '[' -NoNewline
+ Write-Host '2' -NoNewline -ForegroundColor Cyan
+ Write-Host '] - Computer: ' -NoNewline
+ Write-Host 'Radius Yealink Telefone' -ForegroundColor Green
+
+ #[3] - Kopierer
+ Write-Host '[' -NoNewline
+ Write-Host '3' -NoNewline -ForegroundColor Cyan
+ Write-Host '] - Computer: ' -NoNewline
+ Write-Host 'Radius Kopierer' -ForegroundColor Green
+
+ #[4] - Accesspoints
+ Write-Host '[' -NoNewline
+ Write-Host '4' -NoNewline -ForegroundColor Cyan
+ Write-Host '] - Computer: ' -NoNewline
+ Write-Host 'Accesspoints' -ForegroundColor Green
+
+ #[5] - CodeSigning
+ Write-Host '[' -NoNewline
+ Write-Host '5' -NoNewline -ForegroundColor Cyan
+ Write-Host '] - Signing: ' -NoNewline
+ Write-Host 'Macros/Scripte' -ForegroundColor Green
+
+ #[6] - Beenden
+ Write-Host '[' -NoNewline
+ Write-Host '6' -NoNewline -ForegroundColor Cyan
+ Write-Host '] - Beenden'
+
+ $optionA = Read-Host -Prompt 'Auswahl'
+ clear
+ Start-Sleep 1
+
+ if ($optionA -le 5) {
+ $securePass = Read-Host -Prompt 'Encryption Password' -AsSecureString
+ $plainPass = [Net.NetworkCredential]::new('',$securePass).password
+ }
+
+ if ($optionA -eq 1) {
+ webserver
+ }elseif ($optionA -eq 2) {
+ yealinks
+ }elseif ($optionA -eq 3) {
+ kopierer
+ }elseif ($optionA -eq 4) {
+ accesspoints
+ }elseif ($optionA -eq 5) {
+ signing
+ }elseif ($optionA -eq 6) {
+ Break Script
+ }else{
+ Write-Host "Bitte 1-6 wählen" -ForegroundColor Red
+ Start-Sleep 2
+ }
+ } While ( !($optionA -eq 6) )
+}
+
+### running commands
+Set-Location -Path $openSSLDir
+
+menu
+```
\ No newline at end of file
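Review bot: The PFX password is recovered to plaintext in `menu` (`$plainPass = [Net.NetworkCredential]::new('',$securePass).password`) and then handed to all nine `Start-Process .\openssl.exe` calls in `createCert` as `-passin pass:$plainPass` / `-passout pass:$plainPass`, which places the secret on the child process command line where process listings and Windows process-creation auditing record it. OpenSSL reads the password from the environment, so set `$env:PFX_PASS = $plainPass` once before the calls, use `-passin env:PFX_PASS -passout env:PFX_PASS` in each of them, and clear `$env:PFX_PASS` and `$plainPass` when the function returns. Separately, `Get-ChildItem -Path "Cert:\LocalMachine\my\$thumbprint" | Remove-Item -Confirm:$false` removes the certificate but leaves the exportable private key in the machine key container, so it should be `Remove-Item -DeleteKey -Confirm:$false`. The decrypted keys written to `$share` (`_decrypted.key`, `_key.pem`, and the Telefon `.pem` that concatenates certificate and key) are stored with no ACL applied anywhere in the script, and the final `Get-ChildItem "$($tempDir)" -recurse -force -include ... | Remove-Item -force` deletes every matching file under C:\temp rather than only this run's files — creating a per-run subdirectory under `$tempDir` and removing that directory would scope both the temporary key material and the cleanup.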