Sitecore Trusted Self Signed Certificated Extension

ExtendSelfSignedCertificate.ps1

#Requires -RunAsAdministrator
#Author: Sergejs Kravcenko
#Date: 12/07/2018
#Description: RenewCertificate module, which allows to safely generate and issue new Sitecore Self-Signed certificates both Root and Personal in order to have Sitecore instance function correctly with its xConnect services
#Usage: Import-Module .\RenewCertificate.psm1

Write-Host "Importing RenewCertificateModule"

function New-RootCertificateFn{
    param (
        [string]$name,
        [ValidateScript( {Test-Path $_})]
        [string]$path
    )

    #using SitecoreFundamentals powershell module scripts
    New-RootCertificate -Path $path -Name $name -DnsName $name -Verbose
}

function Install-RootCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateScript( {Test-Path $_})]
        [string]$path
    )

    $rootCertStorePath = 'LocalMachine\Root'
    $rootCertStoreLocation = "Cert:\$rootCertStorePath"
    $rootCrtInfo = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $rootCrtInfo.Import($path)
    $rootCrtThumbprint = $rootCrtInfo.Thumbprint

    # install root cert
    $rootCerts = Get-ChildItem -Path $rootCertStoreLocation -Recurse -Verbose | Where-Object { $_.PSIsContainer -eq $false -and $_.Thumbprint -eq $rootCrtThumbprint }
    $rootCertInstalled = $false
    if ($rootcerts) {
        $rootCerts | Select-Object -Property PSParentPath, Subject, Thumbprint, HasPrivateKey
        $rootCert = $rootCerts | Where-Object { $_.PSParentPath -like "*$rootCertStorePath" }
        if ($rootCert) {
            $rootCertInstalled = $true
        }
    }

    if (!$rootCertInstalled) {
        Import-Certificate -FilePath $Path -CertStoreLocation $rootCertStoreLocation
        Write-Verbose "Installed Root Certificate '$Path' to '$rootCertStorePath'"
    }
    else {
        Write-Verbose "Certificate already installed '$path'"
    }

}

function New-SignedCertificateFn {
    param (
        [string]$name,
        [string]$thumbprint,
        [ValidateScript( {Test-Path $_})]
        [string]$path,
        [securestring]$pfxPassword = (ConvertTo-SecureString -String 'temp1234' -AsPlainText -Force)
    )

    $rootCert = Get-ChildItem -Path 'Cert:\LocalMachine\Root' -Recurse | Where-Object {
        $_.Thumbprint -eq $thumbprint
    }

    $result = @()
        if ($rootCert) {
            $result += $rootCert
        }
        else {
            Write-Host "There are no root certificates with $thumbprint thumbprint in Cert:\LocalMachine\Root path" -ForegroundColor Red
        }

        #using SitecoreFundamentals powershell module scripts
        $certInfo = New-SignedCertificate -Path $path -Signer $rootCert -Name $name -DnsName $name -Verbose
        $signedCert = $certInfo.Certificate
        $pfx = $signedCert | Export-PfxCertificate -FilePath (Join-Path -Path $path -ChildPath "$($name).pfx") -Password $pfxPassword
        $result += $signedCert
        return $result
}

function Install-PfxCert {
    param(
        [ValidateScript( {Test-Path $_})]
        [string]$path,
        [securestring]$password = (ConvertTo-SecureString -String 'temp1234' -AsPlainText -Force)
    )

    $pfxInfo = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor `
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bxor `
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet

    Write-Verbose ('Key storage flags is: {0}' -f $KeyStorageFlags);

    $pfxInfo.Import($path, $password, $KeyStorageFlags)
    $pfxThumbprint = $pfxInfo.Thumbprint
    $myCertStorePath = 'LocalMachine\My'
    $myCertStoreLocation = "Cert:\$myCertStorePath"

    $pfxCerts = Get-ChildItem -Path $myCertStoreLocation -Recurse | Where-Object { $_.PSisContainer -eq $false -and $_.Thumbprint -eq $pfxThumbprint }
    $pfxCertInstalled = $false
    if ($pfxCerts) {
        $pfxCerts | Select-Object -Property PSParentPath, Subject, Thumbprint, HasPrivateKey
        $pfxCert = $pfxCerts | Where-Object { $_.PSParentPath -like "*$myCertStorePath" }
        if ($pfxCert) {
            $pfxCertInstalled = $true
        }
    }

    if (!$pfxCertInstalled) {
        Import-PfxCertificate -FilePath $path -CertStoreLocation $myCertStoreLocation -Exportable -Password $password
        Write-Verbose "Installed Certificate '$path' to '$myCertStoreLocation'"
    }
    else {
        Write-Verbose "Certificate already installed '$path'"
    }
}

function Add-UserToCertificateFn {
    param (
        [string]$userName,
		[string]$permission = "read",
		[string]$certThumbprint,
        [string]$certStoreLocation = "LocalMachine\My"
    )

    # check if certificate is already installed
	$certificateInstalled = Get-ChildItem Cert:\$certStoreLocation | Where thumbprint -eq $certThumbprint

	# download & install only if certificate is not already installed on machine
	if ($certificateInstalled -eq $null)
	{
		$message="Certificate with thumbprint:"+$certThumbprint+" does not exist at cert:"+$certStoreLocation
		Write-Host $message -ForegroundColor Red
		return
	}else
	{
		try
		{
			$rule = new-object security.accesscontrol.filesystemaccessrule $userName, $permission, allow
			$root = "c:\programdata\microsoft\crypto\rsa\machinekeys"
			$l = ls Cert:$certStoreLocation
			$l = $l |? {$_.thumbprint -like $certThumbprint}
			$l |%{
				$keyname = $_.privatekey.cspkeycontainerinfo.uniquekeycontainername
				$p = [io.path]::combine($root, $keyname)
				if ([io.file]::exists($p))
				{
					$acl = get-acl -path $p
					$acl.addaccessrule($rule)
					echo $p
					set-acl $p $acl
				}
			}
		}
		catch 
		{
			Write-Host "Caught an exception:" -ForegroundColor Red
			Write-Host "$($_.Exception)" -ForegroundColor Red
			return
		}    
	}

	Write-Host "Successfully granted $permission permission to $userName user for $certThumbprint certificate" -ForegroundColor Green
}

function Get-CertThumbprint {
    param (
        [ValidateScript( {Test-Path $_})]
        [string]$path,
        [securestring]$password = (ConvertTo-SecureString -String 'temp1234' -AsPlainText -Force)
    )

    $fileExtension = Get-Item -Path $path | Select-Object -Property Extension
    
    $isPfx = $fileExtension.Extension -eq '.pfx'

    $certInfo = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor `
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bxor `
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet

    if ($isPfx) {
        $certInfo.Import($path, $password, $KeyStorageFlags)
    } else {
        $certInfo.Import($path)
    }
    $thumbprint = $certInfo.Thumbprint

    return $thumbprint
}

function Remove-Certificate {
    param (
        [string]$thumbprint,
        [string]$certPath = "LocalMachine\Root"
    )
    If (Test-Path -Path Cert:\$certPath\$thumbprint)
    {
      Remove-Item -Path Cert:\$certPath\$thumbprint
      Write-Host "The certificate $thumbprint was successfully deleted from Cert:\$certPath" -ForegroundColor Green
    }
    else {
        Write-Host "There are no $thumbprint certificate imported under Cert:\$certPath" -ForegroundColor Red
    }
}

Write-Host "Done"