# Install OpenSSL (the "light" Chocolatey package: binaries only) so the
# openssl wrapper below has something to call.
& choco install -y openssl.light

# Chocolatey records PATH and other environment changes in the registry;
# Update-SessionEnvironment (from the Chocolatey helper module) pulls those
# changes into the current session so freshly installed tools are usable
# without opening a new shell.
Import-Module 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1'
Update-SessionEnvironment

# Location of all example CA material (keys, CSRs, certificates, PKCS#12
# bundles). This sits under the Vagrant shared folder, i.e. it is also
# readable from the host side; every private key written there is
# unencrypted, so treat the whole directory as secret-bearing.
$caDirectory = 'c:\vagrant\shared\tigervnc-example-ca'
# Common prefix of the CA's own files: <prefix>-key.pem, -csr.pem, -crt.pem, -crt.der.
$caPathPrefix = "${caDirectory}\tigervnc-example-ca"
# Subject CN of the self-signed CA certificate.
$caCommonName = 'TigerVNC Example CA'
# Runs openssl.exe with the given arguments and passes its stdout through.
# openssl uses stderr to write error and progress messages, but
# when $ErrorActionPreference is 'Stop' and something is written
# to stderr PowerShell assumes that the application had a problem
# and aborts the application and this script, so we have to
# temporaly ignore that PowerShell behaviour.
# Throws when openssl exits with a non-zero status. The exception message
# contains the complete argument list and the captured stderr, so never
# route secrets (e.g. a real -passout/-passin value) through this wrapper
# unless you accept them showing up in logs.
function openssl {
# capture the function's own $Args before entering the nested script
# block, where $Args would refer to that block's (empty) argument list.
$arguments = $Args
&{
# assigning the preference inside the nested block gives it its own copy;
# the caller's $ErrorActionPreference is left as it was.
$ErrorActionPreference = 'Continue'
# stdout is assigned to $stdout; stderr leaves the sub-expression and is
# merged into its success stream by 2>&1, ending up in $stderr.
$stderr = $($stdout = &'C:\Program Files\OpenSSL\bin\openssl.exe' @arguments) 2>&1
$ErrorActionPreference = 'Stop'
Write-Output $stdout
if ($LASTEXITCODE) {
throw "$(@('openssl')+$arguments | ConvertTo-Json -Compress) failed with exit code $LASTEXITCODE and stderr $stderr"
}
}
}
# Creates an empty temporary file in the user's temp directory, invokes
# $block with the file path as its single argument and deletes the file
# afterwards, also when $block throws. Whatever $block emits is streamed
# through to the caller. Used to hand short-lived OpenSSL extension
# configs to openssl via -extfile.
function With-TemporaryFile([ScriptBlock]$block) {
    $tempPath = [IO.Path]::GetTempFileName()
    try {
        & $block $tempPath
    }
    finally {
        # the file contents are never reused; make sure nothing lingers in %TEMP%.
        Remove-Item -LiteralPath $tempPath
    }
}
# Creates the example CA: an RSA-2048 private key and a self-signed,
# SHA-256, 365-day certificate with CA:TRUE/pathlen:0 and the
# keyCertSign/cRLSign/digitalSignature key usages. Idempotent: when the
# CA certificate already exists nothing is regenerated.
# Outputs under $caPathPrefix: -key.pem (unencrypted private key),
# -csr.pem, -crt.pem (PEM) and -crt.der (DER copy of the same cert).
# NOTE(security): the CA private key is stored unencrypted in the Vagrant
# shared folder. Anyone who can read that folder on the host can mint
# certificates that this machine will trust once the CA is imported into
# Cert:\LocalMachine\Root. Fine for a throwaway example, not for anything else.
function New-CertificationAuthority {
    $caKeyPath = "$caPathPrefix-key.pem"
    $caCsrPath = "$caPathPrefix-csr.pem"
    $caCrtPath = "$caPathPrefix-crt.pem"
    $caDerPath = "$caPathPrefix-crt.der"

    if (-not (Test-Path $caDirectory)) {
        New-Item -ItemType Directory -Path $caDirectory | Out-Null
    }
    # an existing CA certificate is left untouched so re-provisioning does
    # not invalidate certificates that were already issued.
    if (Test-Path $caCrtPath) {
        return
    }

    openssl genrsa -out $caKeyPath 2048
    openssl req -new -sha256 `
        -subj "/CN=$caCommonName" `
        -key $caKeyPath `
        -out $caCsrPath

    With-TemporaryFile {
        param($extensionsPath)
        # pathlen:0 means this CA may only sign end-entity certificates,
        # never a subordinate CA.
        Set-Content -Encoding Ascii -Path $extensionsPath -Value @'
[a]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
'@
        # -signkey: self-sign the CSR with the CA's own key.
        openssl x509 -req -sha256 `
            -signkey $caKeyPath `
            -extensions a -extfile $extensionsPath `
            -days 365 `
            -in $caCsrPath `
            -out $caCrtPath
    }

    # DER copy of the CA certificate.
    openssl x509 -in $caCrtPath -outform der -out $caDerPath

    # dump the certificate contents (for logging purposes).
    openssl x509 -noout -text -in $caCrtPath
}
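# Issues a client-authentication certificate signed by the example CA:
# RSA-2048 key, SHA-256, 365 days, critical extendedKeyUsage=clientAuth.
# Idempotent: skipped when $caDirectory\$commonName-client-crt.pem exists.
# $commonName: subject CN of the certificate; it is also used as the file
#   name prefix and is interpolated into the OpenSSL -subj string, so it
#   is restricted to letters, digits, space, '.', '_', '@' and '-' (no
#   leading separator). Anything else throws before any file is written;
#   this keeps a stray '/' or '\' from rewriting the subject or the path.
# Outputs: -client-key.pem (unencrypted), -client-csr.pem, -client-crt.pem
#   and -client-key.p12 (key + cert).
# NOTE(security): the PKCS#12 bundle is exported with an EMPTY password
#   (-passout pass:) into the shared folder, so anyone who can read the
#   folder can import the identity. That matches the commented-out
#   Import-PfxCertificate -Password $null in this script; change both
#   together if you ever set a real password.
function New-ClientCertificate($commonName) {
    if ("$commonName" -notmatch '^[A-Za-z0-9][A-Za-z0-9 ._@-]*\z') {
        throw "invalid client certificate common name: '$commonName'"
    }

    $certificatePrefix = "$caDirectory\$commonName-client"
    if (Test-Path $certificatePrefix-crt.pem) {
        return
    }

    openssl genrsa `
        -out $certificatePrefix-key.pem `
        2048
    openssl req -new `
        -sha256 `
        -subj "/CN=$commonName" `
        -key $certificatePrefix-key.pem `
        -out $certificatePrefix-csr.pem

    With-TemporaryFile {
        param($extensionsPath)
        Set-Content -Encoding Ascii -Path $extensionsPath -Value @'
[a]
extendedKeyUsage=critical,clientAuth
'@
        # -CAcreateserial keeps a <ca>.srl counter next to the CA cert so
        # serial numbers stay unique across runs.
        openssl x509 -req -sha256 `
            -CA $caPathPrefix-crt.pem `
            -CAkey $caPathPrefix-key.pem `
            -CAcreateserial `
            -extensions a `
            -extfile $extensionsPath `
            -days 365 `
            -in $certificatePrefix-csr.pem `
            -out $certificatePrefix-crt.pem
    }

    # bundle key and certificate for import into a Windows store / browser.
    # -keyex marks the key as a key-exchange key (Microsoft attribute).
    openssl pkcs12 -export `
        -keyex `
        -inkey $certificatePrefix-key.pem `
        -in $certificatePrefix-crt.pem `
        -certfile $certificatePrefix-crt.pem `
        -passout pass: `
        -out $certificatePrefix-key.p12

    # dump the certificate contents (for logging purposes).
    openssl x509 -noout -text -in $certificatePrefix-crt.pem
    #openssl pkcs12 -info -nodes -passin pass: -in $certificatePrefix-key.p12
}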
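# Issues a server (TLS) certificate signed by the example CA: RSA-2048 key,
# SHA-256, 365 days, subjectAltName=DNS:<domain>[,IP:<ip>] and critical
# extendedKeyUsage=serverAuth. Idempotent: skipped when
# $caDirectory\$domain-crt.pem already exists.
# $domain: DNS name of the server; it becomes the file name prefix, the
#   subject CN and the DNS SAN. It is validated as a hostname (an optional
#   leading '*.' wildcard label is accepted) because it is interpolated
#   into the -subj string and into the OpenSSL extensions file, where a
#   '/', ',' or newline could otherwise rewrite the subject or add
#   extensions.
# $ip: optional IP address added as an IP SAN; must parse as an IPv4/IPv6
#   literal. Invalid values throw before any file is written.
# Outputs: <domain>-key.pem (unencrypted), -csr.pem, -crt.pem and
#   -key.p12 (key + cert).
# NOTE(security): the PKCS#12 bundle is exported with an EMPTY password
#   (-passout pass:) into the shared folder, so anyone who can read the
#   folder can use the server identity. Example environment only.
function New-ServerCertificate($domain, $ip=$null) {
    $hostnameRegex = '^(?=.{1,253}\z)(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z'
    if ("$domain" -notmatch $hostnameRegex) {
        throw "invalid server certificate domain: '$domain'"
    }
    if ($ip) {
        # the character check blocks config injection; TryParse rejects
        # things that merely look like an address.
        $parsedIp = $null
        if ("$ip" -notmatch '^[0-9A-Fa-f.:]+\z' -or
            -not [System.Net.IPAddress]::TryParse("$ip", [ref]$parsedIp)) {
            throw "invalid server certificate IP address: '$ip'"
        }
    }

    $certificatePrefix = "$caDirectory\$domain"
    if (Test-Path $certificatePrefix-crt.pem) {
        return
    }

    openssl genrsa `
        -out $certificatePrefix-key.pem `
        2048
    openssl req -new `
        -sha256 `
        -subj "/CN=$domain" `
        -key $certificatePrefix-key.pem `
        -out $certificatePrefix-csr.pem

    With-TemporaryFile {
        param($extensionsPath)
        # modern clients ignore the CN and match on subjectAltName, hence
        # the DNS (and optional IP) entries here.
        Set-Content -Encoding Ascii -Path $extensionsPath -Value @"
[a]
subjectAltName=DNS:$domain$(if ($ip) {",IP:$ip"})
extendedKeyUsage=critical,serverAuth
"@
        # -CAcreateserial keeps a <ca>.srl counter next to the CA cert so
        # serial numbers stay unique across runs.
        openssl x509 -req -sha256 `
            -CA $caPathPrefix-crt.pem `
            -CAkey $caPathPrefix-key.pem `
            -CAcreateserial `
            -extensions a `
            -extfile $extensionsPath `
            -days 365 `
            -in $certificatePrefix-csr.pem `
            -out $certificatePrefix-crt.pem
    }

    # bundle key and certificate for import into a Windows store.
    # -keyex marks the key as a key-exchange key (Microsoft attribute).
    openssl pkcs12 -export `
        -keyex `
        -inkey $certificatePrefix-key.pem `
        -in $certificatePrefix-crt.pem `
        -certfile $certificatePrefix-crt.pem `
        -passout pass: `
        -out $certificatePrefix-key.p12

    # dump the certificate contents (for logging purposes).
    openssl x509 -noout -text -in $certificatePrefix-crt.pem
    #openssl pkcs12 -info -nodes -passin pass: -in $certificatePrefix-key.p12
}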
# Provision the example CA, then trust it machine-wide and issue the
# server certificates for the two example hosts.
New-CertificationAuthority

# NOTE(security): from this point on every certificate signed with the CA
# key in the shared folder is trusted by the whole machine (LocalMachine
# Root store), so that key must stay private for the lifetime of the VM.
$null = Import-Certificate `
    -FilePath "$caPathPrefix-crt.pem" `
    -CertStoreLocation Cert:\LocalMachine\Root

# New-ClientCertificate 'windows.example.com'
# # import the client certificate to be able to use a browser to access the
# # exporters endpoints that are behind caddy https.
# # -Password $null matches the empty password the .p12 is exported with;
# # -Exportable lets the private key be re-exported from the user store.
# Import-PfxCertificate `
# -FilePath "$caDirectory\windows.example.com-client-key.p12" `
# -CertStoreLocation Cert:\CurrentUser\My `
# -Password $null `
# -Exportable `
# | Out-Null

foreach ($serverDomain in 'windows1.example.com', 'windows2.example.com') {
    New-ServerCertificate $serverDomain
}