Generate-ServerCertificate.ps1
# Example: New-WorkstationCertificate -ComputerName WKS-LINUX
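function Get-RandomPwd {
    <#
    .SYNOPSIS
    Generates a random password made of ASCII digits, uppercase and lowercase letters.
    .DESCRIPTION
    Draws each character independently from the 62-character alphabet using the
    .NET cryptographic RNG, so characters may repeat and any length is allowed.
    The original used Get-Random -Count, which samples WITHOUT replacement (no
    repeated characters, hard cap of 62) and is not a cryptographic RNG in
    Windows PowerShell - both weaken a password meant to protect a private key.
    .PARAMETER Length
    Number of characters to generate (default 20). 0 yields an empty string.
    .OUTPUTS
    System.String
    #>
    param(
        [ValidateRange(0, 2147483647)]
        [int]$Length = 20
    )
    # digits + uppercase + lowercase
    $alphabet = [char[]]((48..57) + (65..90) + (97..122))
    # 248 = largest multiple of 62 that fits in a byte; bytes >= 248 are rejected
    # so that 'byte % 62' is uniform instead of biased towards low indices
    $limit = 248
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $buffer = New-Object byte[] 1
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do {
                $rng.GetBytes($buffer)
            } while ($buffer[0] -ge $limit)
            $chars[$i] = $alphabet[$buffer[0] % $alphabet.Length]
        }
    } finally {
        $rng.Dispose()
    }
    return (-join $chars)
}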
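function New-WorkstationCertificateRequestConfiguration {
    <#
    .SYNOPSIS
    Builds the certreq.exe INF text for a workstation certificate request.
    .DESCRIPTION
    Looks the computer up in Active Directory and renders an INF whose CN and
    DNS SAN are the machine's DNSHostName, using the fixed template/key settings
    below, plus the Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2) carrying
    the computer's SID. The extension value is DER-encoded by hand and base64'd
    for the [Extensions] section.
    .PARAMETER ComputerName
    Name of the AD computer object, passed to Get-ADComputer.
    .OUTPUTS
    System.String - the INF content.
    .NOTES
    Throws if the computer cannot be read, has no DNSHostName, or its SID string
    is longer than the short-form DER length fields used here can express.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName
    )
    # static parameters
    $templateName = 'LinuxWorkstationAuthentication2018'
    $keyAlgorithm = 'RSA'
    $keySize = '2048'
    $hashAlgorithm = 'sha256'

    $c = Get-ADComputer $ComputerName -ErrorAction Stop
    if ([string]::IsNullOrEmpty($c.DNSHostName)) {
        throw "Computer '$ComputerName' has no DNSHostName in AD; cannot build the request."
    }

    # fetch SID and then generate extension 1.3.6.1.4.1.311.25.2
    # DER layout of the value, with length placeholders at offsets 1, 3 and 17:
    #   30 LL                      SEQUENCE (GeneralNames)
    #     a0 LL                    [0] OtherName
    #       06 0a 2b..01           OID 1.3.6.1.4.1.311.25.2.1 (12 bytes)
    #       a0 LL                  [0] explicit value
    #         04 LL <sid>          OCTET STRING with the ASCII SID
    $bin_sid = [System.Text.Encoding]::ASCII.GetBytes($c.SID.Value)
    # every length is single-byte short form (< 128); the outermost one is
    # SID length + 18, so the SID string must be at most 109 bytes
    # (real SIDs are around 45 characters)
    if ($bin_sid.Count -gt 109) {
        throw "SID '$($c.SID.Value)' is too long for the short-form DER lengths used here."
    }
    $prefix_oid = @(0x30,0x3f,0xa0,0x3d,0x06,0x0a,0x2b,0x06,
                    0x01,0x04,0x01,0x82,0x37,0x19,0x02,0x01,
                    0xa0,0x2f,0x04)
    [byte[]]$bin_oid = $prefix_oid + $bin_sid.Count + $bin_sid
    $bin_oid[17] = $bin_sid.Count + 2   # [0] value: OCTET STRING tag + length + sid
    $bin_oid[3] = $bin_sid.Count + 16   # OtherName: 12-byte OID TLV + 2 + inner
    $bin_oid[1] = $bin_oid[3] + 2       # outer SEQUENCE: OtherName TLV
    $b64_oid = [System.Convert]::ToBase64String($bin_oid)

    $template = @'
[NewRequest]
Subject = "CN=_DOMAIN_NAME_"
MachineKeySet = TRUE
KeyLength = _KEY_SIZE_
KeySpec=1
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = _HASH_ALGORITHM_
KeyAlgorithm = _KEY_ALGORITHM_
SMIME = FALSE
EncryptionAlgorithm = AES
EncryptionLength = 128
ProviderName = "Microsoft Software Key Storage Provider"
[RequestAttributes]
CertificateTemplate = "_TEMPLATE_"
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "DNS=_DOMAIN_NAME_"
_SID_OID_
'@
    # -replace takes a regex replacement string; host names, template names and
    # base64 contain no '$', so no escaping is needed here
    $template = $template -replace '_DOMAIN_NAME_',$c.DNSHostName
    $template = $template -replace '_TEMPLATE_',$templateName
    $template = $template -replace '_KEY_ALGORITHM_',$keyAlgorithm
    $template = $template -replace '_KEY_SIZE_',$keySize
    $template = $template -replace '_HASH_ALGORITHM_',$hashAlgorithm
    $template = $template -replace '_SID_OID_',"1.3.6.1.4.1.311.25.2 = ${b64_oid}"
    return $template
}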
<#
.SYNOPSIS
A cmdlet to request a Linux or Web server certificate from our ADCS.
#>
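function New-WorkstationCertificate {
    <#
    .SYNOPSIS
    Requests a workstation certificate from AD CS and exports it as a PFX.
    .DESCRIPTION
    Builds the certreq INF for the computer, creates the request (the private
    key is created in the LocalMachine REQUEST store), submits it to the CA,
    imports the issued certificate, re-binds it to its private key with
    certutil and exports a password-protected PFX to $env:TEMP\certreq.pfx.
    Only the REQUEST-store entries created by this run are removed afterwards,
    so other pending requests (and their keys) are left alone. The .inf/.req/.crt
    temp files are deleted; the PFX is left for the caller to collect and delete.
    .PARAMETER ComputerName
    AD computer name to request the certificate for.
    .PARAMETER AuthorityCertificatesServer
    certreq -config string, 'host\CA name'.
    .NOTES
    Must run elevated (LocalMachine store). The export password is written to
    the host and the PFX holds the private key - remove the file once installed.
    certreq/certutil console output passes through unchanged.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,
        [string]$AuthorityCertificatesServer = 'ADCS1\YOUR-CA'
    )
    $requestStore = 'Cert:\LocalMachine\REQUEST\'
    $infPath = Join-Path $env:TEMP 'certreq.inf'
    $reqPath = Join-Path $env:TEMP 'certreq.req'
    $crtPath = Join-Path $env:TEMP 'certreq.crt'
    $pfxPath = Join-Path $env:TEMP 'certreq.pfx'

    # remember what is already pending so the cleanup below only touches
    # entries this run created (the original wiped the whole REQUEST store,
    # destroying any other in-flight request together with its private key)
    $preexisting = @(Get-ChildItem $requestStore | ForEach-Object { $_.Thumbprint })

    # create cert template (Unicode matches what '>' wrote in Windows PowerShell)
    New-WorkstationCertificateRequestConfiguration -ComputerName $ComputerName -ErrorAction Stop |
        Set-Content -Path $infPath -Encoding Unicode

    # create request; certreq is a native exe, so failures only show in $LASTEXITCODE
    certreq -f -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    # submit request
    certreq -submit -f -config $AuthorityCertificatesServer $reqPath $crtPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

    # import the issued cert next to its pending request, then pick it out:
    # skip self-signed entries (the request placeholder, any root that came
    # with the .crt) and anything that was in the store before this run
    Import-Certificate $crtPath -CertStoreLocation $requestStore | Out-Null
    $issued = @(Get-ChildItem $requestStore |
        Where-Object { $_.Issuer -ne $_.Subject -and $preexisting -notcontains $_.Thumbprint })
    if ($issued.Count -ne 1) {
        throw "Expected exactly one newly issued certificate in $requestStore, found $($issued.Count)."
    }
    $thumbprint = $issued[0].Thumbprint

    # associate the private key with the public certificate
    certutil -repairstore REQUEST $thumbprint
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

    $exportPwd = Get-RandomPwd
    try {
        Export-PfxCertificate "$requestStore$thumbprint" $pfxPath -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 -Password (ConvertTo-SecureString -AsPlainText $exportPwd -Force) | Out-Null
    } finally {
        # security cleanup: remove the placeholder request, the imported cert(s)
        # and the private key this run created - nothing else
        Get-ChildItem $requestStore |
            Where-Object { $preexisting -notcontains $_.Thumbprint } |
            Remove-Item
        Remove-Item -Path $infPath, $reqPath, $crtPath -ErrorAction SilentlyContinue
    }
    Write-Host "Temporary password: $exportPwd"
    Write-Host "Your requested certificate is available on $pfxPath. Don't forget to remove it when the certificate is installed."
}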