Generate-ServerCertificate.ps1
# Example: New-WorkstationCertificate -ComputerName WKS-LINUX
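function Get-RandomPwd {
    <#
    .SYNOPSIS
    Generates a random password made of ASCII digits, lowercase and uppercase letters.
    .DESCRIPTION
    Draws every character independently from the platform CSPRNG
    (System.Security.Cryptography.RandomNumberGenerator). The previous
    implementation used Get-Random -Count over the 62-symbol alphabet, which
    samples without replacement: no character could repeat, the password could
    never exceed 62 characters, and the source was System.Random. Rejection
    sampling keeps the per-position distribution uniform (no modulo bias).
    .PARAMETER Length
    Number of characters to generate; default 20, must be at least 1.
    .OUTPUTS
    System.String - the generated password.
    #>
    param(
        [ValidateRange(1, [int]::MaxValue)]
        [int]$Length = 20
    )
    # digits + uppercase + lowercase: 62 symbols
    $alphabet = [char[]]((48..57) + (65..90) + (97..122))
    $symbols = $alphabet.Count
    # Largest multiple of the alphabet size that fits in one byte; any byte at or
    # above it is discarded so that ($byte % $symbols) is uniform.
    $limit = 256 - (256 % $symbols)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object char[] $Length
        $buf = New-Object byte[] 1
        $i = 0
        while ($i -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                $chars[$i] = $alphabet[$buf[0] % $symbols]
                $i++
            }
        }
    } finally {
        $rng.Dispose()
    }
    return (-join $chars)
}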
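function New-WorkstationCertificateRequestConfiguration {
    <#
    .SYNOPSIS
    Builds the certreq.inf text for a workstation certificate request.
    .DESCRIPTION
    Looks the computer object up in Active Directory and fills an INF template
    with its DNS host name (subject CN and DNS SAN) plus a
    szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension carrying the
    computer's SID, so the CA can bind the certificate to the AD object.
    The INF text is returned to the pipeline; nothing is written to disk.
    .PARAMETER ComputerName
    Identity of the computer object, as accepted by Get-ADComputer.
    .PARAMETER TemplateName
    Certificate template to request (default 'LinuxWorkstationAuthentication2018').
    .PARAMETER KeySize
    RSA key length in bits (default 2048).
    .PARAMETER HashAlgorithm
    Signature hash for the request (default 'sha256').
    .OUTPUTS
    System.String - the INF content.
    #>
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,
        [string]$TemplateName = 'LinuxWorkstationAuthentication2018',
        [ValidateRange(2048, 16384)]
        [int]$KeySize = 2048,
        [string]$HashAlgorithm = 'sha256'
    )
    # static parameters
    $keyAlgorithm = 'RSA'

    $c = Get-ADComputer $ComputerName -ErrorAction Stop
    if ([string]::IsNullOrEmpty($c.DNSHostName)) {
        throw "Computer '$ComputerName' has no dNSHostName; cannot build the subject and SAN"
    }

    # Build the DER value of extension 1.3.6.1.4.1.311.25.2 from the SID string:
    #   SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING sid } } }
    # Each layer is tag, length, content. Lengths are emitted as single bytes,
    # so the whole value must stay below 128 bytes: 18 bytes of framing plus
    # the SID string, i.e. at most 109 SID bytes.
    $sidBytes = [System.Text.Encoding]::ASCII.GetBytes($c.SID.Value)
    if ($sidBytes.Count -gt 109) {
        throw "SID string is $($sidBytes.Count) bytes; short-form DER lengths allow at most 109"
    }
    $oidBytes    = [byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x19,0x02,0x01)
    $octetString = [byte[]]((0x04, $sidBytes.Count) + $sidBytes)
    $sidHolder   = [byte[]]((0xa0, $octetString.Count) + $octetString)
    $otherName   = [byte[]]((0x06, $oidBytes.Count) + $oidBytes + $sidHolder)
    $tagged      = [byte[]]((0xa0, $otherName.Count) + $otherName)
    $extension   = [byte[]]((0x30, $tagged.Count) + $tagged)
    $b64_oid = [System.Convert]::ToBase64String($extension)

    $template = @'
[NewRequest]
Subject = "CN=_DOMAIN_NAME_"
MachineKeySet = TRUE
KeyLength = _KEY_SIZE_
KeySpec=1
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = _HASH_ALGORITHM_
KeyAlgorithm = _KEY_ALGORITHM_
SMIME = FALSE
EncryptionAlgorithm = AES
EncryptionLength = 128
ProviderName = "Microsoft Software Key Storage Provider"
[RequestAttributes]
CertificateTemplate = "_TEMPLATE_"
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "DNS=_DOMAIN_NAME_"
_SID_OID_
'@
    # String.Replace is a literal substitution; unlike -replace it cannot
    # misinterpret '$' or regex metacharacters in the inserted values.
    $template = $template.Replace('_DOMAIN_NAME_', $c.DNSHostName)
    $template = $template.Replace('_TEMPLATE_', $TemplateName)
    $template = $template.Replace('_KEY_ALGORITHM_', $keyAlgorithm)
    $template = $template.Replace('_KEY_SIZE_', [string]$KeySize)
    $template = $template.Replace('_HASH_ALGORITHM_', $HashAlgorithm)
    $template = $template.Replace('_SID_OID_', "1.3.6.1.4.1.311.25.2 = ${b64_oid}")
    return $template
}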
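<#
.SYNOPSIS
A cmdlet to request a Linux or Web server certificate from our ADCS.
.DESCRIPTION
Writes a certreq.inf for the computer, creates and submits the request to the
CA, binds the issued certificate to its private key and exports a
password-protected PFX to $env:TEMP\certreq.pfx. The export password is
printed to the host (and therefore to any active transcript).
.PARAMETER ComputerName
Identity of the computer object in Active Directory.
.PARAMETER AuthorityCertificatesServer
CA configuration string in "host\CA name" form, as used by certreq -config.
.EXAMPLE
New-WorkstationCertificate -ComputerName WKS-LINUX
.NOTES
Works in Cert:\LocalMachine\REQUEST and deletes every entry found there, both
before importing the issued certificate and after the export, so run it on a
dedicated enrolment host. Requires elevation and the ActiveDirectory module.
#>
function New-WorkstationCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,
        [string]$AuthorityCertificatesServer = 'ADCS1\YOUR-CA'
    )
    $infPath = Join-Path $env:TEMP 'certreq.inf'
    $reqPath = Join-Path $env:TEMP 'certreq.req'
    $crtPath = Join-Path $env:TEMP 'certreq.crt'
    $pfxPath = Join-Path $env:TEMP 'certreq.pfx'
    $requestStore = 'Cert:\LocalMachine\REQUEST\'

    # create cert template
    New-WorkstationCertificateRequestConfiguration -ComputerName $ComputerName -ErrorAction Stop > $infPath

    # create request. certreq/certutil are native commands: they never throw,
    # so their exit codes must be checked explicitly.
    certreq -f -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) {
        throw "certreq -new failed with exit code $LASTEXITCODE"
    }

    # submit request. Drop any stale .crt first so that a leftover from an
    # earlier run can never be imported as this request's result.
    Remove-Item -LiteralPath $crtPath -Force -ErrorAction SilentlyContinue
    certreq -submit -f -config $AuthorityCertificatesServer $reqPath $crtPath
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $crtPath)) {
        throw "certreq -submit failed (exit code $LASTEXITCODE) or produced no certificate; the request may be pending CA approval"
    }

    # cleanup because of the Import-Certificate broken filter
    Get-ChildItem $requestStore | Remove-Item
    try {
        Import-Certificate $crtPath -CertStoreLocation $requestStore
        $thumbprints = @(Get-ChildItem $requestStore | Where-Object { $_.Issuer -ne $_.Subject } | ForEach-Object { $_.Thumbprint })
        if ($thumbprints.Count -ne 1) {
            throw "Expected exactly one issued certificate in $requestStore, found $($thumbprints.Count)"
        }
        $thumbprint = $thumbprints[0]

        # associate the private key with the public certificate
        certutil -repairstore REQUEST $thumbprint
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -repairstore failed with exit code $LASTEXITCODE"
        }

        $exportPwd = Get-RandomPwd
        Export-PfxCertificate -Cert "$requestStore$thumbprint" -FilePath $pfxPath -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 -Password (ConvertTo-SecureString -AsPlainText $exportPwd -Force)
    } finally {
        # security cleanup: runs on every exit path so the certificate never
        # lingers in the store. -DeleteKey also removes the private key
        # container, which a plain Remove-Item leaves orphaned on the machine.
        Get-ChildItem $requestStore | Remove-Item -DeleteKey
    }
    Write-Host "Temporary password: $exportPwd"
    Write-Host "Your requested certificate is available on $pfxPath. Don't forget to remove it when the certificate is installed."
}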