Skip to content

Instantly share code, notes, and snippets.

@BrandonStiff

BrandonStiff/New-CaCertificate.ps1

Last active May 18, 2021
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
OpenSsl Certificate PowerShell functions
Raw
New-CaCertificate.ps1
function Invoke-OpenSsl
{
<#
.SYNOPSIS
Invokes a call to the openssl.exe program
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.PARAMETER Parameters
Specifies an array of parameters and values to pass into openssl.exe.
.PARAMETER ShowOutput
If specified, then the output from the openssl command is returned from the function.
#>
param
(
[string] $OpenSslPath,
[string[]] $Parameters,
[switch] $ShowOutput
)
if ( !$OpenSslPath )
{
$OpenSslPath = $script:DefaultOpenSslPath
}
if ( !(Test-Path -Path $OpenSslPath ) )
{
throw ("Unable to find openssl.exe at: $OpenSslPath!")
}
$output = & $OpenSslPath $Parameters
if ( $output )
{
if ( $ShowOutput )
{
$output
}
else
{
Write-Verbose ($output | out-string)
}
}
}
function New-OpenSslCertificate
{
<#
.SYNOPSIS
Generates a new certificate object. This can generate CA, SSL and CSRs.
.PARAMETER Type
Specifies the type of cert to generate: CSR, CA, SSL.
CSR - Certificate Signing Request
CA - Certificate Authority
SSL - Host SSL Cert (Signed by a CA)
.PARAMETER Name
Specifies the name of the entity on the certificate.
.PARAMETER Country
Specifies the country locality (default is US).
.PARAMETER State
Specifies the state locality.
.PARAMETER Company
Specifies the company.
.PARAMETER OrganizationalUnit
Specifies the OU locality.
.PARAMETER EmailAddress
Specifies the email address to associate with the cert.
.PARAMETER KeyLength
Specifies the length of the public key in bits (Default 4096).
.PARAMETER KeyPath
Specifies the path to the private key to be generated. Default is the same folder as -Path, with the name specified by -Name with .key extension.
.PARAMETER Path
Specifies the path to export the certificate to. Default is the current directory, with -Name as the name with extension .csr.
.PARAMETER Digest
Specifies the signing digest. sha256 | sha512 | md5 | sha1 | md2 | mdc2 | md4. Default is SHA512
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.PARAMETER PrivateKeyUnencrypted
Specifies the private key should not be encrytped. By default it will, and you will be prompted for a password.
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param
(
[string] $Name,
[ValidateSet("CA","CSR","SSL")]
[string] $Type,
[string] $Country,
[string] $State,
[string] $Company,
[string] $OrganizationalUnit,
[string] $EmailAddress,
[Timespan] $Expiration = "3650.00:00:00",
[ValidateSet("DER","PEM")] [string] $OutputFormat = "PEM",
[int] $KeyLength = 2048,
[string] $Path,
[string] $KeyPath,
[ValidateSet("SHA1","SHA256","SHA512","MD5","MD2","MDC2","MD4")] [string] $Digest = "SHA256",
[switch] $PrivateKeyUnencrypted,
[string] $OpenSslPath
)
# Build the Certificate Subject:
$subject = @()
if ( $Country )
{
$subject += "C=$Country"
}
if ( $State )
{
$subject += "ST=$State"
}
if ( $Company )
{
$subject += "O=$Company"
}
if ( $OrganizationalUnit )
{
$subject += "OU=$OrganizationalUnit"
}
if ( $EmailAddress )
{
$subject += "E=$EmailAddress"
}
$subject += "CN=$Name"
$subjectString = "/" + ($subject -join "/")
# Determine the certificate Output Path:
$basePath = (Get-Location)
if ( $Path )
{
$basePath = Split-Path -Path $Path
}
else
{
$fileName = "$Name.pem"
if ( $Type -ieq "CSR" )
{
$fileName = "$Name.csr"
}
elseif ( $OutputFormat -ieq "DER" )
{
$fileName = "$Name.crt"
}
$Path = Join-Path -Path $basePath -ChildPath $fileName
}
if ( !$KeyPath )
{
$KeyPath = Join-Path -Path $basePath -ChildPath "$Name.key"
}
$params = @(
"req",
"-new",
"-outform",
$OutputFormat,
"-$($Digest.ToLower())",
"-newkey",
"rsa:$KeyLength",
"-subj",
$subjectString,
"-keyout",
"`"$KeyPath`"",
"-out",
"`"$Path`""
)
if ( $Type -ieq "CA")
{
$params += "-extensions"
$params += "v3_ca"
$params += "-days"
$params += $Expiration.TotalDays
$params += "-x509"
}
if ( $PrivateKeyUnencrypted )
{
$params += "-nodes"
}
if ( $PSCmdlet.ShouldProcess("Generate certificate type $Type with subject $subjectString.") )
{
Invoke-OpenSsl -Parameters $params -OpenSslPath $OpenSslPath
Get-Item -Path $Path
Get-Item -Path $KeyPath
}
}
function New-OpenSslCertificateRequest
{
<#
.SYNOPSIS
Generates a new certificate signing request (CSR).
.PARAMETER Name
Specifies the name of the entity on the certificate.
.PARAMETER Country
Specifies the country locality (default is US).
.PARAMETER State
Specifies the state locality.
.PARAMETER Company
Specifies the company.
.PARAMETER OrganizationalUnit
Specifies the OU locality.
.PARAMETER EmailAddress
Specifies the email address to associate with the cert.
.PARAMETER KeyLength
Specifies the length of the public key in bits (Default 4096).
.PARAMETER KeyPath
Specifies the path to the private key to be generated. Default is the same folder as -Path, with the name specified by -Name with .key extension.
.PARAMETER Path
Specifies the path to export the certificate to. Default is the current directory, with -Name as the name with extension .csr.
.PARAMETER Digest
Specifies the signing digest. sha256 | sha512 | md5 | sha1 | md2 | mdc2 | md4. Default is SHA512
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.PARAMETER PrivateKeyUnencrypted
Specifies the private key should not be encrytped. By default it will, and you will be prompted for a password.
.OUTPUTS
[System.Io.FileInfo[]]
Outputs the key and certificate files produced.
.EXAMPLE
# Generate a new CSR with unencrypted Private Key:
New-OpenSslCertificateRequest -Name dv-hds-rest-p01.plex.com -Country "US" -State MI -Company "Plex Systems Inc"
Generating a 2048 bit RSA private key
............+++
...+++
writing new private key to 'C:\temp\dv-hds-rest-p01.plex.com.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/22/2017 12:25 PM 985 dv-hds-rest-p01.plex.com.csr
-a---- 5/22/2017 12:25 PM 1834 dv-hds-rest-p01.plex.com.key
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param
(
[string] $Name,
[string] $Country,
[string] $State,
[string] $Company,
[string] $OrganizationalUnit,
[string] $EmailAddress,
[int] $KeyLength = 2048,
[string] $Path,
[string] $KeyPath,
[switch] $PrivateKeyUnencrypted,
[ValidateSet("SHA1","SHA256","SHA512","MD5","MD2","MDC2","MD4")] [string] $Digest = "SHA256",
[string] $OpenSslPath
)
New-OpenSslCertificate -Type "CSR" @PSBoundParameters
}
function New-OpenSslCaCertificate
{
<#
.SYNOPSIS
Generates a new self-signed CA Certificate.
.PARAMETER Name
Specifies the name of the entity on the certificate.
.PARAMETER Country
Specifies the country locality (default is US).
.PARAMETER State
Specifies the state locality.
.PARAMETER Company
Specifies the company.
.PARAMETER OrganizationalUnit
Specifies the OU locality.
.PARAMETER EmailAddress
Specifies the email address to associate with the cert.
.PARAMETER Expiration
Specifies how long, as a timespan, the certificate should be good for. Default is 3650.00:00:00 (10 years).
.PARAMETER KeyLength
Specifies the length of the public key in bits (Default 4096).
.PARAMETER OutputFormat
Specify either PEM or DER (Default is PEM).
.PARAMETER KeyPath
Specifies the path to the private key to be generated. Default is the same folder as -Path, with the name specified by -Name with .key extension.
.PARAMETER Path
Specifies the path to export the certificate to. Default is the current directory, with -Name as the name with extension .pem or .cer (depending on the -OutputFormat)
.PARAMETER Digest
Specifies the signing digest. sha256 | sha512 | md5 | sha1 | md2 | mdc2 | md4. Default is SHA512
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.PARAMETER PrivateKeyUnencrypted
Specifies the private key should not be encrytped. By default it will, and you will be prompted for a password.
.OUTPUTS
[System.Io.FileInfo[]]
Outputs the key and certificate files produced.
.EXAMPLE
# Generate a new PEM CA Certificate using 4096 bits SHA512 encryption:
New-CaCertificate -Name "HdsRESTCa.plex.com" -Country US -State MI -Company "Plex Systems Inc" -OutputFormat der -KeyLength 4096 -Path c:\temp\hdsrestca.pem -Digest sha512
Generating a 4096 bit RSA private key
...........................................++
.................................................................................................................................++
writing new private key to 'c:\temp\HdsRESTCa.plex.com.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/22/2017 9:18 AM 1403 hdsrestca.pem
-a---- 5/22/2017 9:18 AM 3406 HdsRESTCa.plex.com.key
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param
(
[string] $Name,
[string] $Country,
[string] $State,
[string] $Company,
[string] $OrganizationalUnit,
[string] $EmailAddress,
[Timespan] $Expiration = "3650.00:00:00",
[ValidateSet("DER","PEM")] [string] $OutputFormat = "PEM",
[int] $KeyLength = 2048,
[string] $Path,
[string] $KeyPath,
[ValidateSet("SHA1","SHA256","SHA512","MD5","MD2","MDC2","MD4")] [string] $Digest = "SHA256",
[switch] $PrivateKeyUnencrypted,
[string] $OpenSslPath
)
New-OpenSslCertificate -Type "CA" @PSBoundParameters
}
function Invoke-OpenSslSignCsr
{
<#
.SYNOPSIS
This function signs the given CSR by the given CA certificate.
.PARAMETER Csr
Specifies the path to the CSR to sign.
.PARAMETER CaCertificate
Specifies the CA Certificate to use to sign the request.
.PARAMETER CaPrivateKey
Specifies the CA Private key necessary to sign the request.
.PARAMETER Path
Specifies the path to export the certificate to. Default is the current directory, with -Name as the name with extension .pem or .cer (depending on the -OutputFormat)
.PARAMETER OutputFormat
Specify either PEM or DER (Default is PEM).
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.INPUTS
[System.Io.File] or [string]
You can specify the CSR or the path to the CSR on the pipeline.
.OUTPUTS
[System.Io.File]
Outputs the signed SSL certificate.
.EXAMPLE
# Use a CA Certificate to sign the given CSR:
Invoke-OpenSslSignCsr -Csr C:\temp\dv-hds-rest-p01.plex.com.csr -CaCertificate C:\temp\HdsRESTCa.plex.com.pem -CaCertificatePrivateKey C:\temp\HdsRESTCa.plex.com.key -Path c:\temp\dv-hds-rest-p01.plex.com.crt
Signature ok
subject=/C=US/ST=MI/O=Plex Systems Inc/CN=dv-hds-rest-p01.plex.com
Getting CA Private Key
Enter pass phrase for C:\temp\HdsRESTCa.plex.com.key:
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/22/2017 1:02 PM 1151 dv-hds-rest-p01.plex.com.pem
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param
(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[string[]] $Csr,
[Parameter(Mandatory=$true)]
[string] $CaCertificate,
[string] $CaCertificatePrivateKey,
[string] $Path,
[ValidateSet("DER","PEM")] [string] $OutputFormat = "PEM",
[string] $OpenSslPath
)
begin
{
# Validate the CA Key and cert:
if ( !(Test-Path -Path $CaCertificate) )
{
throw ("No valid CA certificate exits at $CaCertificate!")
}
if ( $CaCertificatePrivateKey -and !(Test-Path -Path $CaCertificatePrivateKey) )
{
throw ("The CA private key specified at $CaCertificatePrivateKey does not exist!")
}
}
process
{
foreach ( $cs in $csr )
{
if ( Test-Path -Path $cs )
{
# Determine the output path:
$fileName = $Path
if ( !$Path )
{
$fileName = (Get-Item -Path $cs).Name -ireplace (([System.IO.Path]::GetExtension($cs) -ireplace "\.","\."),".pem")
if ( $OutputFormat -ieq "DER" )
{
$fileName = (Get-Item -Path $cs).Name -ireplace (([System.IO.Path]::GetExtension($cs) -ireplace "\.","\."),".crt")
}
$Path = Join-Path -Path (Get-Location) -ChildPath $fileName
}
$params = @(
"x509",
"-req",
"-outform",
$OutputFormat,
"-CA",
"`"$CaCertificate`"",
"-CAkey",
"`"$CaCertificatePrivateKey`"",
"-in",
"`"$cs`"",
"-out",
"`"$Path`"",
"-CAcreateserial"
)
if ( $PSCmdlet.ShouldProcess($cs, "Create SSL certificate from CSR?") )
{
Invoke-OpenSsl -OpenSslPath $OpenSslPath -Parameters $params
Get-Item -Path $Path
}
}
else
{
throw ("There is no CSR at $cs!")
}
}
}
}
function New-OpenSslServerCertificate
{
<#
.SYNOPSIS
Generates a new, signed or self-signed SSL Certificate.
.PARAMETER Name
Specifies the name of the entity on the certificate.
.PARAMETER Country
Specifies the country locality (default is US).
.PARAMETER State
Specifies the state locality.
.PARAMETER Company
Specifies the company.
.PARAMETER OrganizationalUnit
Specifies the OU locality.
.PARAMETER EmailAddress
Specifies the email address to associate with the cert.
.PARAMETER Expiration
Specifies how long, as a timespan, the certificate should be good for. Default is 3650.00:00:00 (10 years).
.PARAMETER KeyLength
Specifies the length of the public key in bits (Default 4096).
.PARAMETER OutputFormat
Specify either PEM or DER (Default is PEM).
.PARAMETER KeyPath
Specifies the path to the private key to be generated. Default is the same folder as -Path, with the name specified by -Name with .key extension.
.PARAMETER Path
Specifies the path to export the certificate to. Default is the current directory, with -Name as the name with extension .pem or .cer (depending on the -OutputFormat)
.PARAMETER Digest
Specifies the signing digest. sha256 | sha512 | md5 | sha1 | md2 | mdc2 | md4. Default is SHA512
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.PARAMETER PrivateKeyUnencrypted
Specifies the private key should not be encrytped. By default it will, and you will be prompted for a password.
.PARAMETER Csr
Specifies the path to the CSR to sign.
.PARAMETER CaCertificate
Specifies the CA Certificate to use to sign the CSR.
.PARAMETER CaCertificateKey
Specifies the CA private key to use to sign the CSR.
.OUTPUTS
[System.Io.FileInfo[]]
Outputs the key and certificate files produced.
.EXAMPLE
# Sign an existing CSR to create a new SSL Certificate:
New-OpenSslServerCertificate -CaCertificate C:\temp\HdsRESTCa.plex.com.pem -CaCertificatePrivateKey C:\temp\HdsRESTCa.plex.com.key
.EXAMPLE
# Create a new CSR and sign in in one step:
New-OpenSslServerCertificate -Name "dv-hds-rest-p01.plex.com" -Country US -State MI -Company "Plex Systems Inc" -CaCertificate C:\temp\HdsRESTCa.plex.com.pem -CaCertificatePrivateKey C:\temp\HdsRESTCa.plex.com.key
Generating a 2048 bit RSA private key
..........+++
....+++
writing new private key to 'C:\temp\dv-hds-rest-p01.plex.com.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Signature ok
subject=/C=US/ST=MI/O=Plex Systems Inc/CN=dv-hds-rest-p01.plex.com
Getting CA Private Key
Enter pass phrase for C:\temp\HdsRESTCa.plex.com.key:
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/22/2017 2:02 PM 1151 dv-hds-rest-p01.plex.com.pem
#>
[CmdletBinding(SupportsShouldProcess=$true,DefaultParameterSetName="name")]
param
(
[Parameter(ParameterSetName="name")]
[string] $Name,
[Parameter(ParameterSetName="name")]
[string] $Country,
[Parameter(ParameterSetName="name")]
[string] $State,
[Parameter(ParameterSetName="name")]
[string] $Company,
[Parameter(ParameterSetName="name")]
[string] $OrganizationalUnit,
[Parameter(ParameterSetName="name")]
[string] $EmailAddress,
[Parameter(ParameterSetName="name")]
[Timespan] $Expiration = "3650.00:00:00",
[Parameter(ParameterSetName="name")]
[int] $KeyLength = 2048,
[Parameter(ParameterSetName="name")]
[ValidateSet("SHA1","SHA256","SHA512","MD5","MD2","MDC2","MD4")] [string] $Digest = "SHA256",
[Parameter(ParameterSetName="name")]
[switch] $PrivateKeyUnencrypted,
[Parameter(ParameterSetName="name")]
[string] $KeyPath,
[Parameter(ParameterSetName="csr",Mandatory=$true)]
[string] $Csr,
[ValidateSet("DER","PEM")] [string] $OutputFormat = "PEM",
[string] $Path,
[string] $OpenSslPath,
[Parameter(Mandatory=$true)]
[string] $CaCertificate,
[string] $CaCertificatePrivateKey
)
$csrPath = ""
if ( $PSCmdlet.ParameterSetName -ieq "name" )
{
# Generate the new SSL certificate by creating a new CSR and sign it:
$paramNames = (Get-Command -Name New-OpenSslServerCertificate).Parameters.GetEnumerator() | Where-Object { $_.Value.ParameterSets.name -or ($_.Key -iin "Path","KeyPath","OpenSslPath") } | Select-Object -ExpandProperty Key
$params = @{}
foreach ( $param in $PSBoundParameters.GetEnumerator() | Where-Object { $_.Key -iin $paramNames } )
{
$params.Add($param.key, $param.value)
}
$csrFiles = New-OpenSslCertificateRequest @params
if ( $csrFiles )
{
$csrPath = $csrFiles[0]
$csrFiles[1]
}
}
else
{
$csrPath = $csr
}
if ( $PSCMdlet.ShouldProcess("Sign SSL Certificate with CA Certificate $CaCertificate") )
{
if ( !(Test-Path -Path $csrpath) )
{
throw ("Unable to find a valid CSR at $csrPath!")
}
# Sign the CSR:
Invoke-OpenSslSignCsr -Csr $csrPath -CaCertificate $CaCertificate -CaCertificatePrivateKey $CaCertificatePrivateKey -Path $Path
}
}
function Test-OpenSslCertificate
{
<#
.SYNOPSIS
This function tests and returns detailed information about the given SSL certificate or CSR.
.PARAMETER Certificate
Specifies the SSL Certificate to verify.
.PARAMETER Csr
Specifies the .csr to verify.
.PARAMETER OpenSslPath
Specifies the path to the Openssl.exe executable. Default is C:\program files\Git\usr\bin\openssl.exe
.EXAMPLE
# Test all of the .pem certificates:
Get-Item *.pem | Test-OpenSslCertificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
eb:29:a8:f8:9e:72:b5:77
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MI, O=Plex Systems Inc, CN=HdsRESTCa.plex.com
Validity
Not Before: May 22 14:28:36 2017 GMT
Not After : May 20 14:28:36 2027 GMT
Subject: C=US, ST=MI, O=Plex Systems Inc, CN=HdsRESTCa.plex.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d6:58:01:aa:a1:58:79:39:7b:bf:ec:fd:e4:39:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:0F:7F:E9:6C:78:69:5F:6C:54:77:9E:0B:D9:1E:C3:98:47:BF:8A
X509v3 Authority Key Identifier:
keyid:98:0F:7F:E9:6C:78:69:5F:6C:54:77:9E:0B:D9:1E:C3:98:47:BF:8A
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
5b:5c:42:30:04:91:5f:df:3d:56:89:d8:60:d7:ab:f8:35:f8:
#>
[CmdletBinding(DefaultParameterSetName="certificate")]
param
(
[Parameter(Mandatory=$true,ValueFromPipeline=$true,ParameterSetName="certificate")]
[string[]] $Certificate,
[Parameter(Mandatory=$true,ValueFromPipeline=$true,ParameterSetName="csr")]
[string[]] $Csr,
[string] $OpenSslPath
)
begin
{
$collection = @()
$openSslParams = @()
if ( $PSCmdlet.ParameterSetName -ieq "csr" )
{
$openSslParams = @(
"req",
"-verify"
)
}
else
{
$openSslParams = @(
"x509"
)
}
}
process
{
if ( $PSCmdlet.ParameterSetName -ieq "csr" )
{
$collection += $Csr
}
else
{
$collection += $Certificate
}
$openSslParams += "-text"
$openSslParams += "-noout"
}
end
{
foreach ( $obj in $collection )
{
$finalParams = $openSslParams + @("-in","`"$obj`"")
Invoke-OpenSsl -OpenSslPath $OpenSslPath -Parameters $finalParams -ShowOutput
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment