PowerShell Test Certificate Authority
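# Builds a three-tier TEST PKI (offline root -> issuing CA -> leaf certificates)
# in cert:\CurrentUser\My using New-SelfSignedCertificate, exporting each
# certificate as a .crt (public) and .pfx (private key) file under $CertsPath.
#
# Security properties of what this script produces (by design, for a lab):
#   - every private key is marked Exportable and lives in the user's store;
#   - PFX passwords default to well-known literal values unless overridden
#     through the environment (see Get-PfxPassword);
#   - the root carries a DNS name constraint, so the issuing CA can only
#     mint server certificates under .$CADnsSuffix (the google.com leaf at
#     the end exists to demonstrate a constraint violation).
# Never import this root into the trust store of a production machine.

# Returns a SecureString PFX password taken from environment variable $EnvName
# when it is set and non-empty, otherwise from $Default.  Keeps secrets out of
# the script text while remaining backward compatible with the original
# literal defaults.  (Environment variable names below are constructed for
# this script; rename to match your conventions.)
function Get-PfxPassword {
    param(
        [Parameter(Mandatory)][string]$EnvName,
        [Parameter(Mandatory)][string]$Default
    )
    $plain = [Environment]::GetEnvironmentVariable($EnvName)
    if ([string]::IsNullOrEmpty($plain)) {
        $plain = $Default
    }
    return ConvertTo-SecureString $plain -AsPlainText -Force
}

# Looks up a CA certificate in cert:\CurrentUser\My by exact subject.
# When the script has been run more than once, several certificates share the
# same subject; the newest (largest NotBefore) one is returned so that the
# signer always matches the .crt/.pfx files exported by this run.
# Throws if no certificate with that subject exists, instead of letting a
# $null signer surface later as a parameter-binding error.
function Get-NewestCertBySubject {
    param([Parameter(Mandatory)][string]$Subject)
    $cert = Get-ChildItem cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "Certificate with subject '$Subject' not found in cert:\CurrentUser\My"
    }
    return $cert
}

# Common variables
$CAFullName = "IT Help Ninja"
$CAFilePrefix = "it-help"
$CADnsSuffix = "ad.it-help.ninja"
$CertsPath = "~\Documents\certs"
# -ErrorAction SilentlyContinue: the directory already existing is not an error.
New-Item -Path $CertsPath -ItemType Directory -ErrorAction SilentlyContinue | Out-Null

# Offline Root CA
$NotBefore = Get-Date
# basicConstraints: CA, chain depth limited to two subordinate tiers.
$BasicConstraints = "2.5.29.19={text}ca=true&pathLength=2"
# extendedKeyUsage: serverAuth (1.3.6.1.5.5.7.3.1).
$ExtendedKeyUsage = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
# nameConstraints: permitted DNS subtree only; anything outside .$CADnsSuffix
# issued below this root is invalid (exercised by the google.com leaf below).
$NameConstraints = "2.5.29.30={text}subtree=include&dns=.$CADnsSuffix"
$TextExtension = @($BasicConstraints, $ExtendedKeyUsage, $NameConstraints)
$params = @{
    Subject           = "CN=$CAFullName Root CA"
    CertStoreLocation = 'cert:\CurrentUser\My'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    KeyUsage          = 'CertSign', 'DigitalSignature'
    KeyUsageProperty  = 'All'
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    TextExtension     = $TextExtension
    NotBefore         = $NotBefore
    NotAfter          = $NotBefore.AddYears(10)
}
$RootCA = New-SelfSignedCertificate @params
$RootPassword = Get-PfxPassword -EnvName 'TESTCA_ROOT_PFX_PASSWORD' -Default "Root123!"
$RootCA | Export-Certificate -FilePath "$CertsPath\${CAFilePrefix}-root-ca.crt"
$RootCA | Export-PfxCertificate -FilePath "$CertsPath\${CAFilePrefix}-root-ca.pfx" -Password $RootPassword

# Issuing Intermediate CA
$NotBefore = Get-Date
# No pathLength here: the root's pathLength=2 already bounds the chain.
$BasicConstraints = "2.5.29.19={text}ca=true"
$ExtendedKeyUsage = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
$TextExtension = @($BasicConstraints, $ExtendedKeyUsage)
# Re-read the signer from the store so this section can also be run on its own.
$RootCA = Get-NewestCertBySubject -Subject "CN=$CAFullName Root CA"
$params = @{
    Signer            = $RootCA
    Subject           = "CN=$CAFullName Issuing CA"
    CertStoreLocation = 'cert:\CurrentUser\My'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    KeyUsage          = 'CertSign', 'DigitalSignature'
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    TextExtension     = $TextExtension
    NotBefore         = $NotBefore
    NotAfter          = $NotBefore.AddYears(5)
}
$IssuingCA = New-SelfSignedCertificate @params
$IssuingPassword = Get-PfxPassword -EnvName 'TESTCA_ISSUING_PFX_PASSWORD' -Default "Issuing123!"
$IssuingCA | Export-Certificate -FilePath "$CertsPath\${CAFilePrefix}-online-ca.crt"
$IssuingCA | Export-PfxCertificate -FilePath "$CertsPath\${CAFilePrefix}-online-ca.pfx" -Password $IssuingPassword

# Test Leaf certificate (inside the permitted DNS subtree)
$NotBefore = Get-Date
$ExtendedKeyUsage = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
$TextExtension = @($ExtendedKeyUsage)
$IssuingCA = Get-NewestCertBySubject -Subject "CN=$CAFullName Issuing CA"
$params = @{
    Signer            = $IssuingCA
    DnsName           = "leaf.$CADnsSuffix"
    CertStoreLocation = 'cert:\CurrentUser\My'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    TextExtension     = $TextExtension
    NotBefore         = $NotBefore
    NotAfter          = $NotBefore.AddYears(1)
}
$LeafCert = New-SelfSignedCertificate @params
$LeafPassword = Get-PfxPassword -EnvName 'TESTCA_LEAF_PFX_PASSWORD' -Default "Leaf123!"
$LeafCert | Export-Certificate -FilePath "$CertsPath\${CAFilePrefix}-cert.crt"
$LeafCert | Export-PfxCertificate -FilePath "$CertsPath\${CAFilePrefix}-cert.pfx" -Password $LeafPassword

# google.com certificate (invalid due to name constraints)
# Deliberately outside the root's permitted subtree: a correct validator must
# reject this chain even though the signature is good.  Useful for checking
# that clients actually enforce nameConstraints.
$NotBefore = Get-Date
$ExtendedKeyUsage = "2.5.29.37={text}1.3.6.1.5.5.7.3.1"
$TextExtension = @($ExtendedKeyUsage)
$IssuingCA = Get-NewestCertBySubject -Subject "CN=$CAFullName Issuing CA"
$params = @{
    Signer            = $IssuingCA
    DnsName           = 'google.com'
    CertStoreLocation = 'cert:\CurrentUser\My'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    TextExtension     = $TextExtension
    NotBefore         = $NotBefore
    NotAfter          = $NotBefore.AddYears(1)
}
$GoogleCert = New-SelfSignedCertificate @params
$GooglePassword = Get-PfxPassword -EnvName 'TESTCA_GOOGLE_PFX_PASSWORD' -Default "Google123!"
$GoogleCert | Export-Certificate -FilePath "$CertsPath\${CAFilePrefix}-google.crt"
$GoogleCert | Export-PfxCertificate -FilePath "$CertsPath\${CAFilePrefix}-google.pfx" -Password $GooglePassword

# Install Root CA in system trusted root CAs (requires admin rights)
# Writing to cert:\LocalMachine\Root needs elevation; check first so a
# non-elevated run ends with a clear message instead of an access-denied error,
# and so the cert files above are still produced.  Trusting this root makes the
# machine accept every certificate issued under it -- test hosts only.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$currentIdentity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Import-Certificate -FilePath "$CertsPath\${CAFilePrefix}-root-ca.crt" -CertStoreLocation "cert:\LocalMachine\Root"
} else {
    Write-Warning "Not running elevated: skipping import of ${CAFilePrefix}-root-ca.crt into cert:\LocalMachine\Root. Re-run as Administrator to trust the test root."
}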