I have used PowerShell for a long time. I have never sat down and created a script that could actually replace a task we do as systems administrators. At my work we have a lot of internal web systems, all using internal SSL certificates. In a perfect world, those would auto-renew every half year or so. We do this the manual way: creating a CSR on the target system, moving that file to the internal CA, and running a certreq command to generate a certificate. I decided to write a script that does this for me.
Starting point, internet.
Has someone already built one of those? Well, I found my starting point:
https://4sysops.com/archives/create-a-certificate-request-with-powershell/
This script taught me how to get the CSR created. I want to change it around so all variables are at the top, so it's easy to modify when others use the script.
Outline of my idea
- Script will be running on the CA. I will log in as Admin and run the script as Administrator
- Name the server where the CSR will be generated
- Move the CSR files to the CA – use a folder name derived from the host, so more than one can be created
- Generate the SSL certificate from this CSR file
The first challenge was getting global variables to work inside the -ScriptBlock parameter. I read up on how to pass the global variable $folder into the Invoke-Command -ScriptBlock with $Using:folder.
<#
Peter Larsson, 3/2021
Script to create a CSR from a named server,
move the files to the CA and request an SSL certificate
Limitations:
- Tested while logged in as a member of Domain Admins and running the script as Administrator
- Script needs to run on the CA
Source:
https://4sysops.com/archives/create-a-certificate-request-with-powershell/
#>
# Server name, where to ask for a CSR
$CompName = "hostname"
# Location to store CSR files: a share on your CA (UNC or local)
$destination = "C:\ssl\CSRnSSL\"
# Folder name for stored files
$folder = "$($compName)_certreq"
# Source path for files (admin share on the target server)
$source = "\\$($compName)\c$\temp\$($folder)\"
# Certificate name; default uses the internal FQDN and hostname. Additional DNS entries go in the INF under [Extensions]
$CertName = "$($compName).domain.org"
# -ScriptBlock requires $Using:<variable> to reference variables from the calling session
Write-Host "Creating CertificateRequest (CSR) for $CertName `r "
Invoke-Command -ComputerName $CompName -ScriptBlock {
    # -Force makes this safe to rerun if the folder already exists
    New-Item -Path "c:\temp\" -Name $Using:folder -ItemType "directory" -Force | Out-Null
    $CSRPath = "c:\temp\$using:folder\$($using:CertName)_ps.csr"
    $INFPath = "c:\temp\$using:folder\$($using:CertName)_ps.inf"
    $Signature = '$Windows NT$'
    # certreq INF: 4096-bit RSA key in the machine store, Server Authentication EKU,
    # and a SAN extension (2.5.29.17) carrying both the FQDN and the short hostname
    $INF = @"
[Version]
Signature= "$Signature"
[NewRequest]
Subject = "CN=$Using:CompName, O=<your organisation>, L=<City>, S=<state>, C=US"
KeySpec = 1
KeyLength = 4096
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$($using:CertName)&"
_continue_ = "dns=$($using:CompName)&"
"@
    Write-Host "Certificate Request is being generated `r "
    $INF | Out-File -FilePath $INFPath -Force
    # Generates the key pair on the target server and writes the PKCS#10 request
    certreq -new $INFPath $CSRPath
}
Write-Output "Certificate Request has been generated"
# Pull the request folder from the target server's admin share onto the CA
Move-Item -Path $source -Destination $destination
Write-Output "Certificate Request has been moved to $($destination)$($folder)"
Write-Output "***************************"
Write-Output "Submitting CSR to CA for processing"
# Join-Path avoids a doubled backslash, since $destination already ends with one
$CSR = Join-Path $destination "$folder\$($CertName)_ps.csr"
$SSL = Join-Path $destination "$folder\$($CertName).cer"
# Submit against the CA's web server template; the issued certificate lands in $SSL
certreq -submit -attrib "CertificateTemplate:WebServer256" $CSR $SSL
Write-Output "Certificate has been created $($destination)$($folder)"
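As an added example (not part of the original script), the two pieces a practitioner will usually want next: a function that builds the same certreq INF for any number of SAN entries, and a check run on the CA after certreq -submit that the issued .cer actually carries the requested DNS names, the Server Authentication EKU and a sensible expiry before it is copied back to the server. Function names are my own, and the SAN parsing assumes the "DNS Name=..." text that X509Extension.Format produces on Windows.

```powershell
function New-CertReqInf {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string[]]$DnsNames,
        [int]$KeyLength = 4096
    )
    # One _continue_ line per SAN; the trailing '&' separates entries in the {text} form
    $sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) -join "`r`n"
    @"
[Version]
Signature= "`$Windows NT`$"
[NewRequest]
Subject = "CN=$CommonName"
KeySpec = 1
KeyLength = $KeyLength
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
}

function Test-IssuedCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string[]]$ExpectedDnsNames,
        [int]$MinDaysValid = 30
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $problems = @()
    # SAN extension (2.5.29.17): collect the DNS names the CA actually issued
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $present = if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } } else { @() }
    foreach ($name in $ExpectedDnsNames) {
        if ($present -notcontains $name) { $problems += "SAN missing: $name" }
    }
    # EKU extension (2.5.29.37) must list Server Authentication, as requested in the INF
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'EKU lacks Server Authentication' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) { $problems += "Expires too soon: $($cert.NotAfter)" }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Valid = ($problems.Count -eq 0); Problems = $problems }
}
```

Call New-CertReqInf with the FQDN and hostname (plus any aliases) in place of the inline here-string, and run Test-IssuedCertificate -CerPath $SSL -ExpectedDnsNames $CertName,$CompName after certreq -submit; a result with Valid = $false lists exactly what the CA left out.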