How to create certificate requests with PowerShell
First, OpenSSL must be installed on the Windows server. The code-signing part (option 5) is not working yet.
### Modules (Get-ADUser is needed by the yealinks function)
Import-Module ActiveDirectory
### variables
### directory that contains openssl.exe; the script changes into it before the menu starts
$openSSLDir = "C:\Program Files\OpenSSL-Win64\bin"
### temporary directory for the cert files during the creation; the unencrypted key is
### written here for a moment, so do not point this at a directory other users can read
$tempDir = "C:\temp"
### share that receives the finished cert files; the "Telefon-*" PEM files and the
### wildcard "_decrypted.key" contain unencrypted private keys, so restrict its ACL
$share = "\\mystorage.mydomain.local\certs"
### own list of copiers that are not part of Active Directory (one cert per entry)
$kopierer = @("Kopierer-EG","Kopierer-OG")
### ditto for access points
$accesspoints = @("AP-EG","AP-OG","AP-DG")
### character for the awesome checkmark symbol :)
$checkmark = [char]8730
### subject attributes of your certificates (OU, O, L, S, C, E of the CN=... subject line)
$cert_U = "IT-Abteilung"
$cert_O = "MyCompanyName"
$cert_L = "Location"
$cert_S = "State"
$cert_C = "DE"
$cert_E = "it@example.com"
### functions
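### Prints one finished step as "<label> checkmark" in the colours used throughout the script.
function writeStep([string]$label) {
    Write-Host $label -NoNewline -ForegroundColor Gray
    Write-Host $checkmark -ForegroundColor Green
}

### Runs openssl.exe from $openSSLDir and throws on a non-zero exit code.
### The PFX/key password is handed to OpenSSL through the environment variable
### CERTCREATE_PASS ("-passin env:CERTCREATE_PASS") instead of "pass:<secret>" on the
### command line: command-line arguments are visible in process listings and in
### process-creation audit logs, the environment of the child process is not.
### Reads $plainPass and $openSSLDir from the enclosing scopes.
function invokeOpenSSL([string[]]$openSslArgs) {
    $exe = Join-Path $openSSLDir 'openssl.exe'
    $env:CERTCREATE_PASS = $plainPass
    try {
        & $exe @openSslArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "openssl $($openSslArgs[0]) failed with exit code $LASTEXITCODE"
        }
    } finally {
        Remove-Item -LiteralPath Env:CERTCREATE_PASS -ErrorAction SilentlyContinue
    }
}

### Splits a PFX into PEM parts: the certificate without key into $certOut, the
### password-protected private key into $encKeyOut and the unencrypted private key
### into $plainKeyOut (same three OpenSSL steps for all device types).
function splitPfx([string]$pfx, [string]$certOut, [string]$encKeyOut, [string]$plainKeyOut) {
    invokeOpenSSL @('pkcs12', '-in', $pfx, '-clcerts', '-nokeys', '-out', $certOut, '-passin', 'env:CERTCREATE_PASS')
    invokeOpenSSL @('pkcs12', '-in', $pfx, '-nocerts', '-out', $encKeyOut, '-passin', 'env:CERTCREATE_PASS', '-passout', 'env:CERTCREATE_PASS')
    invokeOpenSSL @('rsa', '-in', $encKeyOut, '-out', $plainKeyOut, '-passin', 'env:CERTCREATE_PASS')
}

### Requests one certificate from the enterprise CA, exports it and places the finished
### files in $certStorage. Besides its parameters the function reads these variables from
### the caller's scope (PowerShell dynamic scoping, not explicit parameters):
###   $CertName    - subject CN and base name of every produced file; its prefix
###                  (Kopierer*, AP-*, Telefon*, wildcard*) selects the output format
###   $certStorage - target directory of the finished files (created by the caller)
###   $securePass  - SecureString for the PFX export
###   $plainPass   - the same password in clear text for the OpenSSL steps
### Arguments:
###   $Template     - name of the certificate template on the CA
###   $dns1, $dns2  - SAN entries, only used for "wildcard*" requests
### Outputs: progress lines on the host and files in $certStorage. A failed step is
### reported with Write-Error and the function returns, so a loop over several devices
### carries on; the temporary files in $tempDir are removed in every case.
function createCert([string]$Template, [string]$dns1, [string]$dns2) {
    $CSRPath = "$($tempDir)\$($CertName).csr"
    $INFPath = "$($tempDir)\$($CertName).inf"
    $CRTPath = "$($tempDir)\$($CertName)_decrypted.crt"
    $CRPPath = "$($tempDir)\$($CertName)_encrypted.crt"
    $PFXPath = "$($tempDir)\$($CertName).pfx"
    $RSPPath = "$($tempDir)\$($CertName).rsp"
    $KEYPath = "$($tempDir)\$($CertName)_decrypted.key"
    $KEPPath = "$($tempDir)\$($CertName)_encrypted.key"
    $PEMPath = "$($certStorage)\$($CertName).pem"
    ### request definition for certreq; KeyUsage 0xa0 = digitalSignature (0x80) + keyEncipherment (0x20),
    ### Exportable = TRUE is required for the PFX export below; the here-string must stay unindented
    $INF =
@"
[NewRequest]
Subject = "CN=$CertName, OU=$cert_U, O=$cert_O, L=$cert_L, S=$cert_S, C=$cert_C, E=$cert_E"
FriendlyName = "$CertName"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
RequestType = PKCS10
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyUsage = 0xa0
"@
    if ($CertName -like "wildcard*") {
        ### server authentication EKU (1.3.6.1.5.5.7.3.1) plus subjectAltName (2.5.29.17) for the wildcard cert
        $INF +=
@"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dns1&"
_continue_ = "dns=$dns2&"
"@
    }
    Write-Host `r`n
    Write-Host 'Create Cert for: ' -NoNewline -ForegroundColor White
    Write-Host $CertName -ForegroundColor Cyan
    Write-Host '==================================================' -ForegroundColor White
    try {
        $INF | Out-File -filepath $INFPath -Encoding default
        certreq -new $INFPath $CSRPath | Out-Null
        if (-not (Test-Path -LiteralPath $CSRPath)) {
            throw "certreq -new produced no CSR"
        }
        writeStep 'CSR: '
        certreq -config "myCA.mydomain.local\mydomain-CA" -attrib "CertificateTemplate:$($Template)" -submit $CSRPath $CRPPath | Out-Null
        if (-not (Test-Path -LiteralPath $CRPPath)) {
            ### typical causes: request pending CA manager approval, template not permitted for this account
            throw "the CA did not return a certificate (template $Template)"
        }
        certreq -accept $CRPPath | Out-Null
        ### X509Certificate2.Import() is not available on newer platforms, hence the constructor
        ### (https://www.cloudnotes.io/x509certificate-is-immutable-on-this-platform-use-the-equivalent-constructor-instead/)
        $cerFile = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2($CRPPath)
        $thumbprint = $cerFile.Thumbprint
        $storeItem = "Cert:\LocalMachine\my\$thumbprint"
        ### export cert + private key as PFX, then remove the copy certreq -accept left in the machine store
        Get-ChildItem -Path $storeItem | Export-PfxCertificate -FilePath $PFXPath -Password $securePass | Out-Null
        Get-ChildItem -Path $storeItem | Remove-Item -Confirm:$false
        writeStep 'PFX: '
        if ($CertName -like "Kopierer*") {
            Move-Item -Path $PFXPath -Destination "$($certStorage)\$($CertName).pfx"
        } elseif ($CertName -like "AP-*") {
            ### the PEM certificate overwrites the CA response file (same path as before)
            splitPfx $PFXPath $CRPPath $KEPPath $KEYPath
            writeStep 'KEY: '
            @(Get-Content $CRPPath) | Out-File -Encoding UTF8 $PEMPath
            Move-Item -Path $KEYPath -Destination "$($certStorage)\$($CertName)_key.pem"
            writeStep 'PEM: '
        } elseif ($CertName -like "Telefon*") {
            splitPfx $PFXPath $CRPPath $KEPPath $KEYPath
            writeStep 'KEY: '
            ### the phones need certificate and unencrypted key in one PEM file; this is why
            ### $certStorage must only be readable by the people who roll out the phones
            $pem = @(Get-Content $CRPPath) + @(Get-Content $KEYPath)
            $pem | Out-File -Encoding UTF8 $PEMPath
            writeStep 'PEM: '
        } elseif ($CertName -like "wildcard*") {
            splitPfx $PFXPath $CRTPath $KEPPath $KEYPath
            Move-Item -Path $PFXPath -Destination "$($certStorage)\$($CertName).pfx"
            Move-Item -Path $KEPPath -Destination "$($certStorage)\$($CertName)_encrypted.key"
            Move-Item -Path $KEYPath -Destination "$($certStorage)\$($CertName)_decrypted.key"
            Move-Item -Path $CRPPath -Destination "$($certStorage)\$($CertName)_encrypted.crt"
            Move-Item -Path $CRTPath -Destination "$($certStorage)\$($CertName)_decrypted.crt"
        }
    } catch {
        ### report and let the caller continue with the next certificate
        Write-Error "Creating $CertName failed: $_"
    } finally {
        ### remove only this request's temporary files; the previous
        ### "Get-ChildItem $tempDir -recurse -include *.key,..." also deleted unrelated files
        Remove-Item -LiteralPath $CSRPath, $INFPath, $CRTPath, $CRPPath, $PFXPath, $RSPPath, $KEYPath, $KEPPath -Force -ErrorAction SilentlyContinue
    }
}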
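### Requests one RADIUS client certificate per device listed in $accesspoints.
### Arguments: $pass - unused, kept for compatibility; the password reaches createCert
###            through $securePass/$plainPass set by menu (dynamic scoping)
### Sets $certStorage (new timestamped folder on $share) and $CertName for createCert.
function accesspoints([string]$pass) {
    $TEMP = "RadiusZertifikat(keyexport)"
    $certStorage = "$($share)\$($TEMP)\accesspoints\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
    New-Item -Path $certStorage -Type Directory -Force | Out-Null
    foreach ($device in $accesspoints) {
        $CertName = "$device.mydomain.local"
        ### $pass used to be passed as the second argument, which bound it to createCert's $dns1
        createCert $TEMP
    }
}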
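### Requests one RADIUS client certificate ("Telefon-<extension>") per phone extension.
### The extensions come from the OfficePhone attribute of the AD users below the
### SearchBase, plus the fixed extra number 949.
### Arguments: $pass - unused, kept for compatibility (see accesspoints)
### Sets $certStorage (new timestamped folder on $share) and $CertName for createCert.
function yealinks([string]$pass) {
    $TEMP = "RadiusZertifikat(keyexport)"
    $certStorage = "$($share)\$($TEMP)\yealinks\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
    New-Item -Path $certStorage -Type Directory -Force | Out-Null
    ### adjust the SearchBase; only OfficePhone (and the default Name) is needed, so don't pull every attribute
    $users = Get-ADUser -SearchBase "OU=Users,DC=mydomain,DC=local" -Filter * -Properties OfficePhone
    $ext = @()
    foreach ($user in $users) {
        ### adjust the prefix to your environment (extension is the part behind the "-")
        if ($user.OfficePhone -notlike "0123 1111-*") { continue }
        ### example for a user whose number in AD differs from the one the phone should get
        if ($user.Name -eq "max") {
            $ext += 25
        ### example for a skipped user
        } elseif ($user.Name -eq "lisa") {
        } else {
            $ext += ($user.OfficePhone).split("-")[1]
        }
    }
    ### extra number for phones not belonging to an employee
    $ext += 949
    ### a number shared by two users would otherwise produce the same CertName twice and overwrite the first files
    foreach ($e in ($ext | Select-Object -Unique)) {
        $CertName = "Telefon-$e"
        createCert $TEMP
    }
}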
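### Requests one RADIUS client certificate per copier listed in $kopierer (devices not in AD).
### Arguments: $pass - unused, kept for compatibility (see accesspoints)
### Sets $certStorage (new timestamped folder on $share) and $CertName for createCert.
function kopierer([string]$pass) {
    $TEMP = "RadiusZertifikat(keyexport)"
    $certStorage = "$($share)\$($TEMP)\kopierer\$(Get-Date -UFormat %Y-%m-%d_%H%M%S)\"
    New-Item -Path $certStorage -Type Directory -Force | Out-Null
    foreach ($device in $kopierer) {
        $CertName = "$device.mydomain.local"
        ### $pass used to be passed as the second argument, which bound it to createCert's $dns1
        createCert $TEMP
    }
}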
### Requests the wildcard web server certificate (CN wildcard.mydomain.local, SANs
### mydomain.local and *.mydomain.local) with the WebServerTemplate of the CA.
### Arguments: $pw - unused; the password is taken from $securePass/$plainPass set by menu
### Sets $CertName and $certStorage for createCert (dynamic scoping).
function webserver($pw) {
    ### Template on your CA that should be used
    $TEMP = "WebServerTemplate"
    $timestamp = Get-Date -UFormat %Y-%m-%d_%H%M%S
    $certStorage = '{0}\{1}\wildcard\{2}\' -f $share, $TEMP, $timestamp
    New-Item -Path $certStorage -Type Directory -Force | Out-Null
    $CertName = "wildcard.mydomain.local"
    createCert $TEMP "mydomain.local" "*.mydomain.local"
}
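### Prints one menu line "[<key>] - <label><value>": key in cyan, value (if any) in green.
function writeMenuItem([string]$key, [string]$label, [string]$value) {
    Write-Host '[' -NoNewline
    Write-Host $key -NoNewline -ForegroundColor Cyan
    if ($value) {
        Write-Host $label -NoNewline
        Write-Host $value -ForegroundColor Green
    } else {
        Write-Host $label
    }
}

### Interactive main loop: shows the menu, asks for the PFX password for options 1-5 and
### calls the matching function. Sets $securePass/$plainPass, which createCert reads via
### dynamic scoping; both are cleared again as soon as the chosen action has finished.
function menu {
    do {
        Start-Sleep 1
        Clear-Host
        Write-Host `r`n
        Write-Host 'Certcreation' -NoNewline -ForegroundColor Red
        Write-Host ' © ' -NoNewline -ForegroundColor Gray
        Write-Host 'Klüber-IT' -NoNewline -ForegroundColor Cyan
        Write-Host ' & ' -NoNewline -ForegroundColor Gray
        Write-Host 'Gläser-IT' -ForegroundColor Cyan
        Write-Host '========================================'
        writeMenuItem '1' '] - Webserver: ' 'wildcard.mydomain.local'
        writeMenuItem '2' '] - Computer: ' 'Radius Yealink Telefone'
        writeMenuItem '3' '] - Computer: ' 'Radius Kopierer'
        writeMenuItem '4' '] - Computer: ' 'Accesspoints'
        writeMenuItem '5' '] - Signing: ' 'Macros/Scripte'
        writeMenuItem '6' '] - Beenden'
        $optionA = Read-Host -Prompt 'Auswahl'
        Clear-Host
        Start-Sleep 1
        ### Read-Host returns a string, so the former "-le 5" was a string comparison;
        ### match the single digit exactly instead
        if ($optionA -match '^[1-5]$') {
            $securePass = Read-Host -Prompt 'Encryption Password' -AsSecureString
            $plainPass = [Net.NetworkCredential]::new('', $securePass).password
            try {
                switch ($optionA) {
                    '1' { webserver }
                    '2' { yealinks }
                    '3' { kopierer }
                    '4' { accesspoints }
                    '5' {
                        ### the signing function does not exist yet (see the note at the top)
                        if (Get-Command -Name signing -ErrorAction SilentlyContinue) {
                            signing
                        } else {
                            Write-Host "CodeSigning (Option 5) ist noch nicht verfügbar" -ForegroundColor Yellow
                            Start-Sleep 2
                        }
                    }
                }
            } finally {
                ### do not keep the clear-text password around for the rest of the session
                $plainPass = $null
                $securePass = $null
            }
        } elseif ($optionA -ne '6') {
            Write-Host "Bitte 1-6 wählen" -ForegroundColor Red
            Start-Sleep 2
        }
    } while ($optionA -ne '6')
}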
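### running commands
### fail early with a clear message when OpenSSL is not installed where $openSSLDir says;
### the working directory is still changed because createCert calls .\openssl.exe
if (-not (Test-Path -LiteralPath (Join-Path $openSSLDir 'openssl.exe'))) {
    Write-Error "openssl.exe not found in $openSSLDir - install OpenSSL or adjust `$openSSLDir"
    exit 1
}
Set-Location -Path $openSSLDir
menu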