Created
March 19, 2018 17:42
Uses PSPKI and HPiLOCmdlets to get, submit, and approve certificate requests. Then installs the certificate on the iLO interface
#Version 1.2
#Written by Robert Stasiunas
#CREDITS: https://gist.github.com/mycloudrevolution/iLOSignCertv2-31.ps1
#
#REQUIRED: THE PSPKI MODULE AND HPILOCMDLETS MUST BE INSTALLED
#
#CHANGE HISTORY
#3/13/18 - Initial Build
#3/14/18 - Added logic to check for required modules. Force imports modules.
#3/14/18 - Added check for iLO 2. If iLO 2 is found, script exits with error.
#3/19/18 - Added ErrorActions to stop script if an error is encountered.
#
#This script performs the following:
# - Connect to iLO interface specified and generate a CSR
# - Submit CSR to CA
# - Approve pending request (provided the user has rights to approve)
# - Retrieve the certificate
# - Apply the certificate to iLO
#
#USAGE: ilorequest.ps1 -ipaddress <iLO address> -password <iLO password>
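Param(
    #Address of the iLO interface to enrol.
    [Parameter(Mandatory=$true)]
    [string]$ipaddress,
    #Password for the iLO account set in $username further down.
    #NOTE(review): this is a plain string, so it can be recorded in console history,
    #transcripts and process command lines. A SecureString/PSCredential parameter would
    #avoid that but changes the calling convention, so the type is left as-is here.
    [Parameter(Mandatory=$true)]
    [string]$password
)
#Logic to check for required modules.
#If modules are not present the script exits with a non-zero code.
#-ListAvailable checks what is installed on disk. Without it, Get-Module only lists
#modules already imported into the current session, so the check failed in a fresh
#session even when both modules were installed.
if (Get-Module -ListAvailable -Name HPiLOCmdlets) {
    Write-Host "HPiLOCmdlets are installed. Continuing..."
}
else {
    Write-Host "HPiLOCmdlets are not installed. Exiting"
    exit 1
}
if (Get-Module -ListAvailable -Name PSPKI) {
    Write-Host "PSPKI Module is installed. Continuing..."
}
else {
    Write-Host "PSPKI Module is not installed. Exiting"
    exit 1
}
#Stop here if either import fails; every later step depends on these cmdlets.
Import-Module PSPKI -ErrorAction Stop
Import-Module HPiLOCmdlets -ErrorAction Stop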
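#Build initial variables for the request
$username = 'Administrator'
$certpath = "C:\Certs\iLO"
$locality = 'CITY'
$state = 'STATE'
$country = 'COUNTRY'
$org = 'COMPANY'
$org_unit = 'DEPARTMENT'

#Locate the iLO. Exactly one device is expected: with none or several, $ilo.hostname
#would be empty or an array and the CSR would be built with a wrong CommonName.
$ilo = Find-HPiLO -Range $ipaddress -ErrorAction Stop
if (-not $ilo -or @($ilo).Count -ne 1) {
    Write-Error "Expected exactly one iLO at '$ipaddress'; found $(@($ilo).Count)."
    exit 1
}

#NOTE(review): the hostname reported by the device becomes the certificate CommonName.
#It is taken from discovery output without further verification - confirm it matches
#the name you expect for this address before trusting the issued certificate.
$hostname = $ilo.hostname
if ([string]::IsNullOrEmpty($hostname)) {
    Write-Error "The iLO at '$ipaddress' did not report a hostname; cannot build the CSR."
    exit 1
}

#Pick the issuing CA by display name and fail early if it is missing or ambiguous.
$certsrv = Get-CertificationAuthority | Where-Object { $_.DisplayName -eq 'CA' }
if (-not $certsrv -or @($certsrv).Count -ne 1) {
    Write-Error "Expected exactly one certification authority named 'CA'; found $(@($certsrv).Count)."
    exit 1
}

#Check if system is running iLO 2.
#If so, exit with a failure code since iLO 2 is unsupported by the modules
if ($ilo.PN -like '*iLO 2*') {
    Write-Error "Sorry, iLO 2 is not supported"
    exit 1
}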
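#Requests iLO to begin generating a CSR.
#This can take some time, so the same request is repeated until the CSR is ready.
#NOTE(review): -DisableCertificateAuthentication (per its name) turns off validation of
#the iLO's TLS certificate, so the credentials and the returned CSR travel over a
#connection whose peer is not authenticated. That is hard to avoid before a trusted
#certificate is installed; run this only from a trusted management network.
$csrParams = @{
    Server                           = $ipaddress
    Username                         = $username
    Password                         = $password
    State                            = $state
    Country                          = $country
    Locality                         = $locality
    Organization                     = $org
    OrganizationalUnit               = $org_unit
    CommonName                       = $hostname
    DisableCertificateAuthentication = $true
}
$csrFile = Join-Path $certpath 'currentcsr.txt'

#Out-File does not create missing directories.
if (-not (Test-Path $certpath)) {
    New-Item -ItemType Directory -Path $certpath -Force | Out-Null
}

#Upper bound on polling (20 x 30 s = 10 minutes) so an iLO that never finishes
#cannot hang the script forever. The limit is a chosen value; adjust as needed.
$maxAttempts = 20
$attempt = 0
$gotCSR = $false

$request = Get-HPiLOCertificateSigningRequest @csrParams -ErrorAction Stop

#Loop to check if CSR is generated.
#Keeps polling until the CSR is complete, the iLO returns an empty CSR, or the limit is hit.
while (-not $gotCSR) {
    if ($request.STATUS_TYPE -eq "OK") {
        if ([string]::IsNullOrEmpty($request.CERTIFICATE_SIGNING_REQUEST)) {
            #Previously this branch did 'continue' without sleeping or re-querying,
            #which spun forever on the same response.
            Write-Host "CSR failed."
            exit 1
        }
        $request.CERTIFICATE_SIGNING_REQUEST | Out-File $csrFile -Encoding ascii -Force
        Write-Host "CSR copied to $certpath\currentcsr.txt"
        $gotCSR = $true
    }
    else {
        if ($attempt -ge $maxAttempts) {
            Write-Error "iLO did not return a CSR after $maxAttempts attempts. Last status: $($request.STATUS_TYPE)"
            exit 1
        }
        $attempt++
        #Generating a CSR can take some time, especially on iLO3.
        Write-Host "Generating CSR. This may take a few minutes..."
        Start-Sleep -Seconds 30
        $request = Get-HPiLOCertificateSigningRequest @csrParams
    }
}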
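#Removes any previous certificate to keep file structure clean.
Write-Host "Signing certificate"
if (Test-Path "$certpath\*.cer") {
    Remove-Item "$certpath\*.cer" -ErrorAction Stop
}

#Submits the request to the CA using the TEMPLATE template.
#Also creates an object for the pending request to use for approval in the next step.
#NOTE(review): the CSR is read back from $certpath, so whoever can write to that folder
#controls what gets submitted (and later approved). Keep the folder writable only by the
#account running this script.
Write-Host "Submitting CSR to"$certsrv.DisplayName
$submit = Submit-CertificateRequest -Path "$certpath\currentcsr.txt" `
    -CertificationAuthority $certsrv -Attribute 'CertificateTemplate:TEMPLATE' `
    -ErrorAction Stop
$reqID = $submit.RequestID

#Without a request ID none of the following lookups can work, so stop here.
if ($null -eq $reqID) {
    Write-Error "The CA did not return a request ID for the submitted CSR."
    exit 1
}
$pendingreq = Get-PendingRequest -CertificationAuthority $certsrv -RequestID $reqID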
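#Connects to the CA under the context of the user running the script to approve the request
#The request must be an object created from the Get-PendingRequest cmdlet.
#Passing a simple RequestID is not sufficient. I don't know why...
#NOTE(review): the same account submits and approves, so the manager-approval step on the
#template no longer acts as an independent check. The CSR itself came from the iLO over a
#connection made with -DisableCertificateAuthentication; review the request's subject on
#the CA, or restrict who may run this script, if that approval is meant to be a control.
Write-Host "Approving Request $reqID"
if ($null -eq $pendingreq) {
    #Nothing in the pending queue (for example the CA may have issued or denied the
    #request straight away). Skip approval; retrieval below shows whether it was issued.
    Write-Warning "Request $reqID was not found in the pending queue; skipping approval."
}
else {
    Approve-CertificateRequest -Request $pendingreq -ErrorAction Stop
}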
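#Gets the issued certificate from the CA
Write-Host "Retrieving Certificate"
$issuedreq = Get-IssuedRequest -CertificationAuthority $certsrv -RequestID $reqID

#If the request was denied or is still pending there is no row to receive; stop with a
#clear message instead of failing later when the .cer file is missing.
if ($null -eq $issuedreq) {
    Write-Error "Request $reqID has not been issued by the CA; no certificate to retrieve."
    exit 1
}
Receive-Certificate -RequestRow $issuedreq -Path "$certpath" -ErrorAction Stop
Write-Host "Certificate is located in $certpath\RequestID_$reqID.cer"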
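#Installs certificate to iLO. The '-Raw' option is required in order to retain Base64 encoding.
#The CSR file is removed in 'finally' so it is cleaned up even when the install step throws.
$installFailed = $true
try {
    Write-Host "Installing Certificate to iLO"
    $issuedcert = Get-Content "$certpath\RequestID_$reqID.cer" -Raw -ErrorAction Stop

    #NOTE(review): this call still uses -DisableCertificateAuthentication because the new
    #certificate is not active yet. Once the iLO has reset with the CA-issued certificate,
    #later management connections should not need that switch.
    $install = Import-HPiLOCertificate -Server $ipaddress `
        -Username $username -Password $password `
        -Certificate $issuedcert -DisableCertificateAuthentication

    $installFailed = $install.STATUS_TYPE -like 'ERROR'
    if ($installFailed) {
        Write-Host "Certificate Install Failed"
        Write-Host $install.STATUS_MESSAGE
    }
    else {
        Write-Host "Certificate installed successfully. iLO will now reset"
    }
}
finally {
    #Cleanup CSR files
    if (Test-Path "$certpath\currentcsr.txt") {
        Remove-Item "$certpath\currentcsr.txt"
    }
}

#Report the failure to the caller; previously the script ended with a success code
#even when the iLO rejected the certificate.
if ($installFailed) {
    exit 1
}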