Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#requires -version 4
<#
.SYNOPSIS
Gets the current Let's Encrypt certificate by domain from the given opnSense-Firewall via SCP.
.DESCRIPTION
Sync-Cert connects to the given opnSense-Router via SCP. It pulls the Let's encrypt certificate and key for the given domain name, based on the common name
into the local working directory. Afterwards it uses OpenSSL to convert the .cer and .key files to create a new .pfx file which can be used in Exchange and IIS.
.PARAMETER Domain
Domain of the certificate to get from the firewall
.PARAMETER Router
Hostname or IP of the opnSense-Firewall
.PARAMETER Port
Port of the opnSense-Firewall (Default: 22)
.PARAMETER Keyfile
Filename of SSH-Keyfile to use for the secure connection to the firewall
.PARAMETER SCPUsername
If not using a keyfile, the username to connect with to the firewall (Default: root)
.PARAMETER SCPPassword
If not using a keyfile, the password to connect with to the firewall
.PARAMETER CertificatePassword
Password used by OpenSSL to protect the created .pfx certificate
.PARAMETER Out
If defined, .pfx file will be named by the content of Out, otherwise it will be named by the given domain name
.PARAMETER Path
If defined, temporary files and final .pfx will be put in this directory, otherwise the working directory is used
.INPUTS
None
.OUTPUTS
Name of .pfx certificate file
.NOTES
Version: 1.1
Author: Maximilian
Creation Date: 2018-10-26
Purpose/Change: Initial script development
.EXAMPLE
Sync-Cert -Domain tld.contoso.com -Router 192.168.0.1 -SCPUsername user4scp -SCPPassword password4scp -CertificatePassword password4certificate
#>
#---------------------------------------------------------[Script Parameters]------------------------------------------------------
[CmdletBinding()]
Param (
[Parameter(Mandatory = $true)][string]$CertificateDomain,
[Parameter(Mandatory = $true)][string]$Router,
[Parameter(Mandatory = $false)][int]$Port = 22,
[Parameter(Mandatory = $false)][string]$Keyfile,
[Parameter(Mandatory = $false)][string]$SCPUsername = "root",
[Parameter(Mandatory = $false)][string]$SCPPassword,
[Parameter(Mandatory = $false)][string]$CertificatePassword,
[Parameter(Mandatory = $false)][string]$Out,
[Parameter(Mandatory = $false)][string]$Path
)
#---------------------------------------------------------[Initialisations]--------------------------------------------------------
#Set Error Action to Silently Continue
#$ErrorActionPreference = "SilentlyContinue"
# Set Error Action to Continue
$ErrorActionPreference = "Continue"
# Remote path of acme-client
$RemoteCertPath = "/var/etc/acme-client/home/$($CertificateDomain)"
# Setting the output directory
if ($Path) {
$Directory = $Path
$FullPath = $Path
} else {
$Directory = "."
$FullPath = Get-Location
}
# Setting the output filename
if ($Out) {
$Outputfile = "$($Directory)\$($Out).pfx"
} else {
$Outputfile = "$($Directory)\$($CertificateDomain).pfx"
}
#Dot Source required Function Libraries
#Import Modules & Snap-ins
Import-Module Posh-SSH
#----------------------------------------------------------[Declarations]----------------------------------------------------------
#-----------------------------------------------------------[Functions]------------------------------------------------------------
Function Get-CertificateFromOpnSense {
Param ()
Begin {
$SCPPWord = ConvertTo-SecureString -AsPlainText $SCPPassword -Force
$Credentials = New-Object System.Management.Automation.PSCredential ($SCPUsername, $SCPPWord)
}
Process {
try {
# Connect to opnSense
if ($Keyfile) {
# via Keyfile
$opnsense = New-SFTPSession -ComputerName $Router -Port $Port -KeyFile $Keyfile
} else {
# via username and password
$opnsense = New-SFTPSession -ComputerName $Router -Port $Port -Credential $Credentials
}
# Change remote path to /var/etc/acme-client/home/$CertificateDomain
Set-SFTPLocation -SFTPSession $opnsense -Path $RemoteCertPath
# Get both certificate files, fullchain and the key
Get-SFTPFile -SFTPSession $opnsense -LocalPath $Directory -RemoteFile "fullchain.cer"
Get-SFTPFile -SFTPSession $opnsense -LocalPath $Directory -RemoteFile "$($CertificateDomain).key"
# Setting environment variable for OpenSSL, needed for quiet output
$env:RANDFILE=".rnd"
# Convert .cer and .key files to a .pfx file
$SSLOutput = [string] (& openssl.exe pkcs12 -export -inkey "$($Directory)\$($CertificateDomain).key" -in "$($Directory)\fullchain.cer" -out $Outputfile -password pass:$CertificatePassword)
# Remove .cer and .key files
Remove-Item "$($Directory)\fullchain.cer"
Remove-Item "$($Directory)\$($CertificateDomain).key"
# Close SFTP session
Remove-SFTPSession -SFTPSession $opnsense | Out-Null
return $Outputfile
}
catch {
}
}
}
#-----------------------------------------------------------[Execution]------------------------------------------------------------
Get-CertificateFromOpnSense
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.