emilwojcik93 · February 11, 2025 16:26 · emilwojcik93 · Feb 5, 2025
diff --git a/Manage-Certificates.ps1 b/Manage-Certificates.ps1
 <#
 .SYNOPSIS
 This script searches for certificates by thumbprint or issuer, exports them to Base-64 encoded .crt files, and optionally installs them in WSL.

 .DESCRIPTION
 The script searches for certificates with the specified thumbprints or issuers. If found, it exports the certificates to Base-64 encoded .crt files. The script can also install the certificates in WSL if the --install parameter is provided.

 .PARAMETER Thumbprint
 The thumbprints of the certificates to search for. Default is an array of predefined thumbprints.

 .PARAMETER Issuer
 The issuers of the certificates to search for. Default is an array of predefined issuers.

 .PARAMETER ExportPath
 The path where the certificates will be exported. Default is the current working directory.

 .PARAMETER Install
 If provided, the script will install the certificates in WSL. Default is $true.

 .PARAMETER ExportOnly
 If provided, the script will only export the certificates to files and not install them in WSL.

 .PARAMETER Verbose
 Enables verbose output.

 .EXAMPLE
 .\Manage-Certificates.ps1 -Verbose

 .EXAMPLE
 .\Manage-Certificates.ps1 -Thumbprint "DSA1235SAGWE451256121GF113WSA124" -ExportPath "C:\path\to\output.crt" -Verbose

 .EXAMPLE
 .\Manage-Certificates.ps1 -Issuer "CN=Example Root CA" -ExportPath "C:\path\to\output.crt" -Verbose

 .EXAMPLE
 .\Manage-Certificates.ps1 -Install -Verbose

 .EXAMPLE
 .\Manage-Certificates.ps1 -ExportOnly -Verbose
 #>

 param (
    [string[]]$Thumbprint,
    [string[]]$Issuer,
    [string]$ExportPath = "$env:Temp\certs",
    [switch]$Install,
    [switch]$ExportOnly,
    [switch]$Verbose
 )

 if ($Verbose) {
    $VerbosePreference = "Continue"
 }

 function Get-AllCertificates {
    $certificateType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $includedStores = @("TrustedPublisher", "Root", "CA", "AuthRoot")

    $certificates = $includedStores.ForEach({
        Get-ChildItem Cert:\CurrentUser\$_ | Where-Object { $_ -is $certificateType }
    })

    return $certificates
 }

 function Get-CertificateByThumbprint {
    param (
        [string]$Thumbprint
    )
    Write-Verbose "Looking for certificate with thumbprint: $Thumbprint"
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    return $cert
 }

 function Get-CertificateByIssuer {
    param (
        [string]$Issuer
    )
    Write-Verbose "Looking for certificate with issuer: $Issuer"
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Issuer -like "*$Issuer*" }
    return $cert
 }

 function Export-CertificateToFile {
    param (
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$FilePath
    )
    Write-Verbose "Exporting certificate to file: $FilePath"
    $tempCertPath = [System.IO.Path]::GetTempFileName()
    Export-Certificate -Cert $Cert -FilePath $tempCertPath -Type CERT

    # Convert the certificate to Base-64 encoded X.509 format
    $certBytes = [System.IO.File]::ReadAllBytes($tempCertPath)
    $base64CertContent = [System.Convert]::ToBase64String($certBytes)
    
    # Insert line breaks every 64 characters
    $formattedCertContent = ($base64CertContent -split "(.{64})" | Where-Object { $_ -ne "" }) -join "`n"
    
    $base64CertHeader = "-----BEGIN CERTIFICATE-----"
    $base64CertFooter = "-----END CERTIFICATE-----"
    $base64Cert = $base64CertHeader + "`n" + $formattedCertContent + "`n" + $base64CertFooter

    Set-Content -Path $FilePath -Value $base64Cert -ErrorAction Stop

    Remove-Item -Force $tempCertPath -ErrorAction Stop
 }

 function Check-ExportPath {
    param (
        [string]$FilePath
    )
    $directory = [System.IO.Path]::GetDirectoryName($FilePath)
    if (-not (Test-Path -Path $directory)) {
        try {
            New-Item -ItemType Directory -Path $directory -Force | Out-Null
        } catch {
            throw "The directory '$directory' cannot be created."
        }
    }
    if (-not (Test-Path -Path $FilePath -PathType Leaf)) {
        try {
            New-Item -ItemType File -Path $FilePath -Force | Out-Null
        } catch {
            throw "The file '$FilePath' cannot be created."
        }
    }
    if (-not (Test-Path -Path $FilePath -PathType Leaf)) {
        throw "The file '$FilePath' is not writable."
    }
 }

 function Install-CertificatesInWSL {
    param (
        [string[]]$CertFileNames,
        [string]$ExportPath
    )

    # Get the default WSL distribution from the registry
    $defaultDistroGuid = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss" | Select-Object -ExpandProperty DefaultDistribution
    $defaultDistroKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss\$defaultDistroGuid"
    $defaultDistro = Get-ItemProperty -Path $defaultDistroKey | Select-Object -ExpandProperty DistributionName

    # Output the default distribution
    Write-Output "Default WSL Distribution: $defaultDistro"

    # Define the WSL directory path for custom CA certificates
    $wslCertsPath = "\\wsl$\$defaultDistro\usr\local\share\ca-certificates"

    # Copy the certificates to $wslCertsPath
    foreach ($certFileName in $CertFileNames) {
        $destinationCertPath = Join-Path -Path $wslCertsPath -ChildPath $CertFileName
        Write-Verbose "Copying certificate to WSL path: $destinationCertPath"
        wsl --cd "${ExportPath}" -d $defaultDistro -u root -e bash -c "cp ${certFileName} /usr/local/share/ca-certificates"
        if (Test-Path -Path "$destinationCertPath") {
            Write-Output "Certificate copied to $destinationCertPath"
        } else {
            Write-Output "Failed to copy certificate to $destinationCertPath"
            exit 1
        }
    }

    # Run the WSL command and capture the output
    $output = wsl --cd "$PSScriptRoot" -d $defaultDistro -u root -e bash -c 'if [[ $(command -v update-ca-certificates) ]]; then echo true; else echo false; fi;'

    # Check the output and display the appropriate message
    if ($output -eq "true") {
        Write-Output "Success: update-ca-certificates is available in WSL."
        # Install the CA certificates using update-ca-certificates
        wsl --cd "$PSScriptRoot" -d $defaultDistro -u root -e bash -c "update-ca-certificates"
        Write-Output "CA certificates installed using update-ca-certificates."
    } else {
        Write-Output "Failed: update-ca-certificates is not available in WSL."
        # Append the CA certificates directly to ca-certificates.crt
        foreach ($certFileName in $CertFileNames) {
            wsl --cd "$PSScriptRoot" -d $defaultDistro -u root -e bash -c "cat /usr/local/share/ca-certificates/$certFileName | sudo tee -a /etc/ssl/certs/ca-certificates.crt > /dev/null"
            Write-Output "CA certificate $certFileName appended directly to /etc/ssl/certs/ca-certificates.crt."
        }
    }
 }


 function Main {
    param (
        [string[]]$Thumbprint,
        [string[]]$Issuer,
        [string]$ExportPath = "$env:Temp\certs",
        [switch]$Install,
        [switch]$ExportOnly,
        [switch]$Verbose
    )

    $certificates = @()

    if ($Thumbprint -or $Issuer) {
        foreach ($thumbprint in $Thumbprint) {
            $cert = Get-CertificateByThumbprint -Thumbprint $thumbprint
            if ($cert) {
                $certificates += $cert
            } else {
                Write-Verbose "Certificate with thumbprint $thumbprint not found."
            }
        }

        foreach ($issuer in $Issuer) {
            $cert = Get-CertificateByIssuer -Issuer $issuer
            if ($cert) {
                $certificates += $cert
            } else {
                Write-Verbose "Certificate with issuer $issuer not found."
            }
        }
    } else {
        $certificates = Get-AllCertificates
    }

    $uniqueCertificates = $certificates | Sort-Object Thumbprint -Unique
    $certFileNames = @()

    foreach ($cert in $uniqueCertificates) {
        Write-Verbose "Certificate details: $($cert | Format-List | Out-String)"
        $certName = ($cert.Subject -match 'CN=([^,]+)') | Out-Null; $certName = $matches[1] -replace '[^\w\s]', '' -replace '\s', '_'
        $certFileName = "${certName}.crt"
        Write-Verbose "Extracted certificate name: $certName"
        Write-Verbose "Certificate file name: $certFileName"
        $sourceCertPath = Join-Path -Path $ExportPath -ChildPath $certFileName

        try {
            Check-ExportPath -FilePath $sourceCertPath
        } catch {
            Write-Verbose "The specified path '$sourceCertPath' is not writable. Using default path in the user's home directory."
            $sourceCertPath = "${env:UserProfile}\${certFileName}"
            Check-ExportPath -FilePath $sourceCertPath
        }

        Export-CertificateToFile -Cert $cert -FilePath $sourceCertPath
        Write-Output "Certificate exported to $sourceCertPath"
        $certFileNames += $certFileName
    }

    if (-not $ExportOnly) {
        Install-CertificatesInWSL -CertFileNames $certFileNames -ExportPath $ExportPath
        # Remove the temporary directory for certs
        if (Test-Path -Path $ExportPath) {
            Remove-Item -Recurse -Force -Path $ExportPath
            Write-Output "Temporary directory for certs removed: $ExportPath"
        }
    }
 }

 # Call the main function with parameters
 Main -Thumbprint $Thumbprint -Issuer $Issuer -ExportPath $ExportPath -Install:$Install -ExportOnly:$ExportOnly -Verbose:$Verbose
	<#
	.SYNOPSIS
	This script searches for certificates by thumbprint or issuer, exports them to Base-64 encoded .crt files, and optionally installs them in WSL.

	.DESCRIPTION
	The script searches for certificates with the specified thumbprints or issuers. If found, it exports the certificates to Base-64 encoded .crt files. The script can also install the certificates in WSL if the --install parameter is provided.

	.PARAMETER Thumbprint
	The thumbprints of the certificates to search for. Default is an array of predefined thumbprints.

	.PARAMETER Issuer
	The issuers of the certificates to search for. Default is an array of predefined issuers.

	.PARAMETER ExportPath
	The path where the certificates will be exported. Default is the current working directory.

	.PARAMETER Install
	If provided, the script will install the certificates in WSL. Default is $true.

	.PARAMETER ExportOnly
	If provided, the script will only export the certificates to files and not install them in WSL.

	.PARAMETER Verbose
	Enables verbose output.

	.EXAMPLE
	.\Manage-Certificates.ps1 -Verbose

	.EXAMPLE
	.\Manage-Certificates.ps1 -Thumbprint "DSA1235SAGWE451256121GF113WSA124" -ExportPath "C:\path\to\output.crt" -Verbose

	.EXAMPLE
	.\Manage-Certificates.ps1 -Issuer "CN=Example Root CA" -ExportPath "C:\path\to\output.crt" -Verbose

	.EXAMPLE
	.\Manage-Certificates.ps1 -Install -Verbose

	.EXAMPLE
	.\Manage-Certificates.ps1 -ExportOnly -Verbose
	#>

	param (
	[string[]]$Thumbprint,
	[string[]]$Issuer,
	[string]$ExportPath = "$env:Temp\certs",
	[switch]$Install,
	[switch]$ExportOnly,
	[switch]$Verbose
	)

	if ($Verbose) {
	$VerbosePreference = "Continue"
	}

	function Get-AllCertificates {
	$certificateType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
	$includedStores = @("TrustedPublisher", "Root", "CA", "AuthRoot")

	$certificates = $includedStores.ForEach({
	Get-ChildItem Cert:\CurrentUser\$_ \| Where-Object { $_ -is $certificateType }
	})

	return $certificates
	}

	function Get-CertificateByThumbprint {
	param (
	[string]$Thumbprint
	)
	Write-Verbose "Looking for certificate with thumbprint: $Thumbprint"
	$cert = Get-ChildItem -Path Cert:\LocalMachine\Root \| Where-Object { $_.Thumbprint -eq $Thumbprint }
	return $cert
	}

	function Get-CertificateByIssuer {
	param (
	[string]$Issuer
	)
	Write-Verbose "Looking for certificate with issuer: $Issuer"
	$cert = Get-ChildItem -Path Cert:\LocalMachine\Root \| Where-Object { $_.Issuer -like "$Issuer" }
	return $cert
	}

	function Export-CertificateToFile {
	param (
	[System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
	[string]$FilePath
	)
	Write-Verbose "Exporting certificate to file: $FilePath"
	$tempCertPath = [System.IO.Path]::GetTempFileName()
	Export-Certificate -Cert $Cert -FilePath $tempCertPath -Type CERT

	# Convert the certificate to Base-64 encoded X.509 format
	$certBytes = [System.IO.File]::ReadAllBytes($tempCertPath)
	$base64CertContent = [System.Convert]::ToBase64String($certBytes)

	# Insert line breaks every 64 characters
	$formattedCertContent = ($base64CertContent -split "(.{64})" \| Where-Object { $_ -ne "" }) -join "`n"

	$base64CertHeader = "-----BEGIN CERTIFICATE-----"
	$base64CertFooter = "-----END CERTIFICATE-----"
	$base64Cert = $base64CertHeader + "`n" + $formattedCertContent + "`n" + $base64CertFooter

	Set-Content -Path $FilePath -Value $base64Cert -ErrorAction Stop

	Remove-Item -Force $tempCertPath -ErrorAction Stop
	}

	function Check-ExportPath {
	param (
	[string]$FilePath
	)
	$directory = [System.IO.Path]::GetDirectoryName($FilePath)
	if (-not (Test-Path -Path $directory)) {
	try {
	New-Item -ItemType Directory -Path $directory -Force \| Out-Null
	} catch {
	throw "The directory '$directory' cannot be created."
	}
	}
	if (-not (Test-Path -Path $FilePath -PathType Leaf)) {
	try {
	New-Item -ItemType File -Path $FilePath -Force \| Out-Null
	} catch {
	throw "The file '$FilePath' cannot be created."
	}
	}
	if (-not (Test-Path -Path $FilePath -PathType Leaf)) {
	throw "The file '$FilePath' is not writable."
	}
	}

	function Install-CertificatesInWSL {
	param (
	[string[]]$CertFileNames,
	[string]$ExportPath
	)

	# Get the default WSL distribution from the registry
	$defaultDistroGuid = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss" \| Select-Object -ExpandProperty DefaultDistribution
	$defaultDistroKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss\$defaultDistroGuid"
	$defaultDistro = Get-ItemProperty -Path $defaultDistroKey \| Select-Object -ExpandProperty DistributionName

	# Output the default distribution
	Write-Output "Default WSL Distribution: $defaultDistro"

	# Define the WSL directory path for custom CA certificates
	$wslCertsPath = "\\wsl$\$defaultDistro\usr\local\share\ca-certificates"

	# Copy the certificates to $wslCertsPath
	foreach ($certFileName in $CertFileNames) {
	$destinationCertPath = Join-Path -Path $wslCertsPath -ChildPath $CertFileName
	Write-Verbose "Copying certificate to WSL path: $destinationCertPath"
	wsl --cd "${ExportPath}" -d $defaultDistro -u root -e bash -c "cp ${certFileName} /usr/local/share/ca-certificates"
	if (Test-Path -Path "$destinationCertPath") {
	Write-Output "Certificate copied to $destinationCertPath"
	} else {
	Write-Output "Failed to copy certificate to $destinationCertPath"
	exit 1
	}
	}

	# Run the WSL command and capture the output
	$output = wsl --cd "$PSScriptRoot" -d $defaultDistro -u root -e bash -c 'if [[ $(command -v update-ca-certificates) ]]; then echo true; else echo false; fi;'

	# Check the output and display the appropriate message
	if ($output -eq "true") {
	Write-Output "Success: update-ca-certificates is available in WSL."
	# Install the CA certificates using update-ca-certificates
	wsl --cd "$PSScriptRoot" -d $defaultDistro -u root -e bash -c "update-ca-certificates"
	Write-Output "CA certificates installed using update-ca-certificates."
	} else {
	Write-Output "Failed: update-ca-certificates is not available in WSL."
	# Append the CA certificates directly to ca-certificates.crt
	foreach ($certFileName in $CertFileNames) {
	wsl --cd "$PSScriptRoot" -d $defaultDistro -u root -e bash -c "cat /usr/local/share/ca-certificates/$certFileName \| sudo tee -a /etc/ssl/certs/ca-certificates.crt > /dev/null"
	Write-Output "CA certificate $certFileName appended directly to /etc/ssl/certs/ca-certificates.crt."
	}
	}
	}


	function Main {
	param (
	[string[]]$Thumbprint,
	[string[]]$Issuer,
	[string]$ExportPath = "$env:Temp\certs",
	[switch]$Install,
	[switch]$ExportOnly,
	[switch]$Verbose
	)

	$certificates = @()

	if ($Thumbprint -or $Issuer) {
	foreach ($thumbprint in $Thumbprint) {
	$cert = Get-CertificateByThumbprint -Thumbprint $thumbprint
	if ($cert) {
	$certificates += $cert
	} else {
	Write-Verbose "Certificate with thumbprint $thumbprint not found."
	}
	}

	foreach ($issuer in $Issuer) {
	$cert = Get-CertificateByIssuer -Issuer $issuer
	if ($cert) {
	$certificates += $cert
	} else {
	Write-Verbose "Certificate with issuer $issuer not found."
	}
	}
	} else {
	$certificates = Get-AllCertificates
	}

	$uniqueCertificates = $certificates \| Sort-Object Thumbprint -Unique
	$certFileNames = @()

	foreach ($cert in $uniqueCertificates) {
	Write-Verbose "Certificate details: $($cert \| Format-List \| Out-String)"
	$certName = ($cert.Subject -match 'CN=([^,]+)') \| Out-Null; $certName = $matches[1] -replace '[^\w\s]', '' -replace '\s', '_'
	$certFileName = "${certName}.crt"
	Write-Verbose "Extracted certificate name: $certName"
	Write-Verbose "Certificate file name: $certFileName"
	$sourceCertPath = Join-Path -Path $ExportPath -ChildPath $certFileName

	try {
	Check-ExportPath -FilePath $sourceCertPath
	} catch {
	Write-Verbose "The specified path '$sourceCertPath' is not writable. Using default path in the user's home directory."
	$sourceCertPath = "${env:UserProfile}\${certFileName}"
	Check-ExportPath -FilePath $sourceCertPath
	}

	Export-CertificateToFile -Cert $cert -FilePath $sourceCertPath
	Write-Output "Certificate exported to $sourceCertPath"
	$certFileNames += $certFileName
	}

	if (-not $ExportOnly) {
	Install-CertificatesInWSL -CertFileNames $certFileNames -ExportPath $ExportPath
	# Remove the temporary directory for certs
	if (Test-Path -Path $ExportPath) {
	Remove-Item -Recurse -Force -Path $ExportPath
	Write-Output "Temporary directory for certs removed: $ExportPath"
	}
	}
	}

	# Call the main function with parameters
	Main -Thumbprint $Thumbprint -Issuer $Issuer -ExportPath $ExportPath -Install:$Install -ExportOnly:$ExportOnly -Verbose:$Verbose