Created
October 29, 2018 11:38
-
-
Save Maahaax/0c1a69ffa7e3478c5992f20ae0a194e0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 4 | |
| <# | |
| .SYNOPSIS | |
| Gets the current Let's Encrypt certificate by domain from the given opnSense-Firewall via SCP. | |
| .DESCRIPTION | |
| Sync-Cert connects to the given opnSense-Router via SCP. It pulls the Let's encrypt certificate and key for the given domain name, based on the common name | |
| into the local working directory. Afterwards it uses OpenSSL to convert the .cer and .key files to create a new .pfx file which can be used in Exchange and IIS. | |
| .PARAMETER Domain | |
| Domain of the certificate to get from the firewall | |
| .PARAMETER Router | |
| Hostname or IP of the opnSense-Firewall | |
| .PARAMETER Port | |
| Port of the opnSense-Firewall (Default: 22) | |
| .PARAMETER Keyfile | |
| Filename of SSH-Keyfile to use for the secure connection to the firewall | |
| .PARAMETER SCPUsername | |
| If not using a keyfile, the username to connect with to the firewall (Default: root) | |
| .PARAMETER SCPPassword | |
| If not using a keyfile, the password to connect with to the firewall | |
| .PARAMETER CertificatePassword | |
| Password used by OpenSSL to protect the created .pfx certificate | |
| .PARAMETER Out | |
| If defined, .pfx file will be named by the content of Out, otherwise it will be named by the given domain name | |
| .PARAMETER Path | |
| If defined, temporary files and final .pfx will be put in this directory, otherwise the working directory is used | |
| .INPUTS | |
| None | |
| .OUTPUTS | |
| Name of .pfx certificate file | |
| .NOTES | |
| Version: 1.1 | |
| Author: Maximilian | |
| Creation Date: 2018-10-26 | |
| Purpose/Change: Initial script development | |
| .EXAMPLE | |
| Sync-Cert -Domain tld.contoso.com -Router 192.168.0.1 -SCPUsername user4scp -SCPPassword password4scp -CertificatePassword password4certificate | |
| #> | |
| #---------------------------------------------------------[Script Parameters]------------------------------------------------------ | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Mandatory = $true)][string]$CertificateDomain, | |
| [Parameter(Mandatory = $true)][string]$Router, | |
| [Parameter(Mandatory = $false)][int]$Port = 22, | |
| [Parameter(Mandatory = $false)][string]$Keyfile, | |
| [Parameter(Mandatory = $false)][string]$SCPUsername = "root", | |
| [Parameter(Mandatory = $false)][string]$SCPPassword, | |
| [Parameter(Mandatory = $false)][string]$CertificatePassword, | |
| [Parameter(Mandatory = $false)][string]$Out, | |
| [Parameter(Mandatory = $false)][string]$Path | |
| ) | |
| #---------------------------------------------------------[Initialisations]-------------------------------------------------------- | |
| #Set Error Action to Silently Continue | |
| #$ErrorActionPreference = "SilentlyContinue" | |
| # Set Error Action to Continue | |
| $ErrorActionPreference = "Continue" | |
| # Remote path of acme-client | |
| $RemoteCertPath = "/var/etc/acme-client/home/$($CertificateDomain)" | |
| # Setting the output directory | |
| if ($Path) { | |
| $Directory = $Path | |
| $FullPath = $Path | |
| } else { | |
| $Directory = "." | |
| $FullPath = Get-Location | |
| } | |
| # Setting the output filename | |
| if ($Out) { | |
| $Outputfile = "$($Directory)\$($Out).pfx" | |
| } else { | |
| $Outputfile = "$($Directory)\$($CertificateDomain).pfx" | |
| } | |
| #Dot Source required Function Libraries | |
| #Import Modules & Snap-ins | |
| Import-Module Posh-SSH | |
| #----------------------------------------------------------[Declarations]---------------------------------------------------------- | |
| #-----------------------------------------------------------[Functions]------------------------------------------------------------ | |
| Function Get-CertificateFromOpnSense { | |
| Param () | |
| Begin { | |
| $SCPPWord = ConvertTo-SecureString -AsPlainText $SCPPassword -Force | |
| $Credentials = New-Object System.Management.Automation.PSCredential ($SCPUsername, $SCPPWord) | |
| } | |
| Process { | |
| try { | |
| # Connect to opnSense | |
| if ($Keyfile) { | |
| # via Keyfile | |
| $opnsense = New-SFTPSession -ComputerName $Router -Port $Port -KeyFile $Keyfile | |
| } else { | |
| # via username and password | |
| $opnsense = New-SFTPSession -ComputerName $Router -Port $Port -Credential $Credentials | |
| } | |
| # Change remote path to /var/etc/acme-client/home/$CertificateDomain | |
| Set-SFTPLocation -SFTPSession $opnsense -Path $RemoteCertPath | |
| # Get both certificate files, fullchain and the key | |
| Get-SFTPFile -SFTPSession $opnsense -LocalPath $Directory -RemoteFile "fullchain.cer" | |
| Get-SFTPFile -SFTPSession $opnsense -LocalPath $Directory -RemoteFile "$($CertificateDomain).key" | |
| # Setting environment variable for OpenSSL, needed for quiet output | |
| $env:RANDFILE=".rnd" | |
| # Convert .cer and .key files to a .pfx file | |
| $SSLOutput = [string] (& openssl.exe pkcs12 -export -inkey "$($Directory)\$($CertificateDomain).key" -in "$($Directory)\fullchain.cer" -out $Outputfile -password pass:$CertificatePassword) | |
| # Remove .cer and .key files | |
| Remove-Item "$($Directory)\fullchain.cer" | |
| Remove-Item "$($Directory)\$($CertificateDomain).key" | |
| # Close SFTP session | |
| Remove-SFTPSession -SFTPSession $opnsense | Out-Null | |
| return $Outputfile | |
| } | |
| catch { | |
| } | |
| } | |
| } | |
| #-----------------------------------------------------------[Execution]------------------------------------------------------------ | |
| Get-CertificateFromOpnSense |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment