Create Certificate ps script
<#
.SYNOPSIS
    Creates a private root CA and a server certificate signed by it, using openssl.

.DESCRIPTION
    Writes three openssl config files (CA request, server request, server
    extensions), generates a 4096-bit RSA root CA key and self-signed CA
    certificate, then a server key, CSR and CA-signed server certificate,
    and finally a chain file holding the server certificate followed by the CA
    certificate. The config files and the CSR are removed on success.

.PARAMETER commonName
    Common name of the server; also emitted as DNS.1 in the server SAN.
.PARAMETER country
    countryName for both the CA and the server subject.
.PARAMETER province
    stateOrProvinceName for both subjects.
.PARAMETER city
    localityName for both subjects.
.PARAMETER organisation
    organizationName for both subjects.
.PARAMETER rootCommonName
    Common name of the root CA. Defaults to "root-<commonName>" when empty.
.PARAMETER CA_EXTFILE
    Path of the generated openssl config for the CA request.
.PARAMETER SERVER_CONF
    Path of the generated openssl config for the server request.
.PARAMETER SERVER_EXT
    Path of the generated openssl extension file for the server certificate.
.PARAMETER OPENSSL_CMD
    Command or path used to invoke openssl.
.PARAMETER ServerCertifikatName
    Base name of the server key/csr/crt files written below -out.
.PARAMETER ServerCertifikatChainName
    Base name of the server chain file (.crt is appended).
.PARAMETER CaCertifikatName
    Base name of the CA key (.key) and certificate (.pem) files.
.PARAMETER out
    Directory that receives the key, certificate and chain files.
#>
param (
    # Common name of the server; also becomes DNS.1 in the server SAN.
    [Parameter(Position = 0, Mandatory = $true)]
    [string] $commonName,

    # Subject fields shared by the CA and the server certificate.
    [Parameter(Mandatory = $true)]
    [string] $country,

    [Parameter(Mandatory = $true)]
    [string] $province,

    [Parameter(Mandatory = $true)]
    [string] $city,

    [Parameter(Mandatory = $true)]
    [string] $organisation,

    # Optional CA common name; derived from $commonName when left empty.
    [Parameter()]
    [string] $rootCommonName,

    # Generated openssl config / extension files (removed on success).
    [Parameter()]
    [string] $CA_EXTFILE = 'ca_cert.cnf',

    [Parameter()]
    [string] $SERVER_CONF = 'server_cert.cnf',

    [Parameter()]
    [string] $SERVER_EXT = 'server_ext.cnf',

    # Command used to run openssl; may be a full path.
    [Parameter()]
    [string] $OPENSSL_CMD = 'openssl',

    # Base names of the output files (extensions are appended later).
    [Parameter()]
    [string] $ServerCertifikatName = 'server',

    [Parameter()]
    [string] $ServerCertifikatChainName = 'server-chain',

    [Parameter()]
    [string] $CaCertifikatName = 'ca',

    # Output directory for keys, certificates and the chain file.
    [Parameter()]
    [string] $out = '.'
)
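# Give the CA a common name that is visibly distinct from the server's when
# the caller did not choose one.
if ([string]::IsNullOrEmpty($rootCommonName)) {
    $rootCommonName = "root-$commonName"
}

# NOTE(review): the parameter values below are interpolated unescaped into
# openssl config files. They are operator-supplied, but a value containing a
# newline or '#' would change the config rather than the subject — keep the
# inputs trusted, or validate them before use.
# NOTE(review): these .cnf files are written relative to the current
# location (or wherever the -CA_EXTFILE/-SERVER_CONF/-SERVER_EXT paths
# point), not below -out. Confirm that is intended.

# openssl request config for the self-signed root CA.
# NOTE(review): the v3_ca profile sets no keyUsage (keyCertSign, cRLSign)
# and no pathlen limit, so the CA certificate is only constrained by
# basicConstraints. Tighten this if the CA is used beyond a dev/test setup.
Set-Content -LiteralPath $CA_EXTFILE -Value @"
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
countryName = $country
stateOrProvinceName = $province
localityName = $city
organizationName = $organisation
commonName = $rootCommonName
[ v3_ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
"@

# openssl request config for the server CSR. The settings live in an explicit
# [req] section (openssl looks there first; the original relied on the
# unnamed default section). The key is 'default_bits' — the original
# 'default_bit' was silently ignored; it is inert anyway because the server
# key is generated separately and passed via -key.
Set-Content -LiteralPath $SERVER_CONF -Value @"
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
countryName = $country
stateOrProvinceName = $province
localityName = $city
organizationName = $organisation
commonName = $commonName
"@

# x509 v3 extensions applied when the CA signs the server certificate.
# NOTE(review): the SAN only carries the common name as a DNS entry; an
# IP-address or multi-name server needs IP.n / additional DNS.n entries.
Set-Content -LiteralPath $SERVER_EXT -Value @"
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $commonName
"@

# Fallback chain name without an extension: '.crt' is appended when the path
# is built below (the original fallback produced '<name>-Chain.crt.crt').
if ([string]::IsNullOrEmpty($ServerCertifikatChainName)) {
    $ServerCertifikatChainName = "$ServerCertifikatName-Chain"
}

# Output paths, all below -out. The CA certificate uses .pem, the rest .crt.
$SERVER_KEY = "$out/$ServerCertifikatName.key"
$SERVER_CSR = "$out/$ServerCertifikatName.csr"
$SERVER_CRT = "$out/$ServerCertifikatName.crt"
$SERVER_CRT_CHAIN = "$out/$ServerCertifikatChainName.crt"
$CA_KEY = "$out/$CaCertifikatName.key"
$CA_CRT = "$out/$CaCertifikatName.pem"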
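#######################################
# Generates the root CA private key and self-signed CA certificate.
# Globals:  reads $CA_KEY, $CA_CRT, $CA_EXTFILE, $OPENSSL_CMD
# Outputs:  progress via Write-Host, failures via Write-Error
# Returns:  $true when the CA key and certificate exist (freshly made or
#           reused), $false when an openssl step fails
#######################################
function generate_root_ca() {
    # Idempotent: an existing key+certificate pair is reused so re-running
    # the script does not replace the trust anchor. Test-Path resolves
    # against PowerShell's current location; [System.IO.File]::Exists uses
    # the process working directory, which can differ after Set-Location.
    if ((Test-Path -LiteralPath $CA_CRT) -and (Test-Path -LiteralPath $CA_KEY)) {
        Write-Host "$CA_CRT and $CA_KEY seems to be already generated, skipping the generation of RootCA certificate"
        return $true
    }

    ## generate rootCA private key
    Write-Host "Generating RootCA private key"
    if (-not (Test-Path -LiteralPath $CA_KEY)) {
        # '2>$null' is the portable way to discard stderr; the original
        # '2>/dev/null' made PowerShell open a file named /dev/null, which
        # fails on Windows.
        & $OPENSSL_CMD genrsa -out $CA_KEY 4096 2>$null
        if ($LASTEXITCODE -ne 0) {
            Write-Error "Failed to generate $CA_KEY"
            return $false
        }
        # NOTE(review): the CA key's file permissions are whatever openssl
        # and the platform grant — verify them, and keep this key off the
        # server that uses the issued certificate.
    }
    else {
        Write-Host "$CA_KEY seems to be already generated, skipping the generation of RootCA key"
    }

    ## generate rootCA certificate (self-signed, 10 years, v3_ca profile from $CA_EXTFILE)
    Write-Host "Generating RootCA certificate"
    & $OPENSSL_CMD req -new -x509 -days 3650 -config $CA_EXTFILE -key $CA_KEY -out $CA_CRT 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to generate $CA_CRT"
        return $false
    }

    ## read the certificate back to make sure openssl can parse what it wrote
    Write-Host "Verify RootCA certificate"
    & $OPENSSL_CMD x509 -noout -text -in $CA_CRT *>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to read $CA_CRT"
        return $false
    }
    return $true
}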
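#######################################
# Generates the server key and CSR, signs the CSR with the root CA and writes
# a chain file (server certificate followed by the CA certificate).
# Globals:  reads $SERVER_KEY, $SERVER_CSR, $SERVER_CRT, $SERVER_CRT_CHAIN,
#           $SERVER_CONF, $SERVER_EXT, $CA_KEY, $CA_CRT, $OPENSSL_CMD
# Outputs:  progress via Write-Host, failures via Write-Error
# Returns:  $true on success, $false when an openssl step fails
#######################################
function generate_server_certificate() {
    # Reuse an existing server key; Test-Path follows PowerShell's current
    # location, unlike [System.IO.File]::Exists (process working directory).
    if (-not (Test-Path -LiteralPath $SERVER_KEY)) {
        Write-Host "Generating server private key"
        # '2>$null' discards stderr portably; '2>/dev/null' fails on Windows.
        & $OPENSSL_CMD genrsa -out $SERVER_KEY 4096 2>$null
        if ($LASTEXITCODE -ne 0) {
            Write-Error "Failed to generate $SERVER_KEY"
            return $false
        }
    }
    else {
        Write-Host "$SERVER_KEY seems to be already generated, skipping the generation of server key"
    }

    Write-Host "Generating certificate signing request for server"
    & $OPENSSL_CMD req -new -key $SERVER_KEY -out $SERVER_CSR -config $SERVER_CONF 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to generate $SERVER_CSR"
        return $false
    }

    # Sign with the CA for one year, SHA-512, extensions from $SERVER_EXT.
    # -CAcreateserial writes a serial file next to $CA_CRT (not cleaned up).
    # stderr is left visible here on purpose (the redirect was disabled in
    # the original) so openssl's signing output reaches the operator.
    Write-Host "Generating RootCA signed server certificate"
    & $OPENSSL_CMD x509 -req -in $SERVER_CSR -CA $CA_CRT -CAkey $CA_KEY -out $SERVER_CRT -CAcreateserial -days 365 -sha512 -extfile $SERVER_EXT
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to generate $SERVER_CRT"
        return $false
    }

    # Only the exit code matters; stdout is discarded (stderr stays visible,
    # as in the original).
    Write-Host "Verifying the server certificate against RootCA"
    & $OPENSSL_CMD verify -CAfile $CA_CRT $SERVER_CRT >$null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to verify $SERVER_CRT against $CA_CRT"
        return $false
    }

    # Chain file: server certificate, blank line, CA certificate.
    # NOTE(review): shipping the self-signed root inside the served chain is
    # unnecessary (clients must already trust it) but harmless.
    Write-Host "GeneratingChain"
    Set-Content -LiteralPath $SERVER_CRT_CHAIN -Value (Get-Content -LiteralPath $SERVER_CRT)
    Add-Content -LiteralPath $SERVER_CRT_CHAIN -Value ''
    Add-Content -LiteralPath $SERVER_CRT_CHAIN -Value (Get-Content -LiteralPath $CA_CRT)
    return $true
}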
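# MAIN
# Stop at the first failing stage. 'exit 1' (instead of a bare 'return')
# gives callers and CI a non-zero exit code; the config files and CSR are
# deliberately left in place on failure for troubleshooting.
if (-not (generate_root_ca)) {
    exit 1
}
if (-not (generate_server_certificate)) {
    exit 1
}

# Cleanup of the generated openssl inputs. Remove-Item -LiteralPath is used
# instead of 'rm' so the step does not depend on an alias (PowerShell on
# Linux/macOS drops 'rm' and runs the native binary) and so names beginning
# with '-' or containing wildcard characters are treated literally.
Remove-Item -LiteralPath $CA_EXTFILE
Remove-Item -LiteralPath $SERVER_CSR
Remove-Item -LiteralPath $SERVER_CONF
Remove-Item -LiteralPath $SERVER_EXT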