@mockmyberet
Last active October 31, 2017 00:09
Files for CMS post
Write-Verbose -Message 'Pull the encrypted password from our stored file' -Verbose
Unprotect-CmsMessage -Path .\password.cms
Write-Verbose -Message 'Do the same thing, but store it in a variable' -Verbose
$Password = Unprotect-CmsMessage -Path .\password.cms | ConvertTo-SecureString -AsPlainText -Force
Write-Verbose -Message 'Create a pscredential' -Verbose
$cred = [pscredential]::new('admin', $Password)
Write-Verbose -Message 'Let''s look at that credential' -Verbose
$cred | ConvertTo-Json
Write-Verbose -Message 'Finally, let''s pull that password out' -Verbose
$cred.GetNetworkCredential().Password
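[Version]
Signature = "$Windows NT$"
[Strings]
; 2.5.29.37 is the Enhanced Key Usage (EKU) extension
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
; 1.3.6.1.4.1.311.80.1 is the Document Encryption EKU that the CMS cmdlets expect on the recipient certificate
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"
[NewRequest]
Subject = "CN=This_Machine"
; false = the key pair is created in the current user's store, not the machine store
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
; Hash used for the certificate's own signature; Sha256 is also accepted here
HashAlgorithm = Sha1
; true = the private key can be exported from the store
Exportable = true
; Cert = create a self-signed certificate instead of a request for a CA
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
; 1000-year validity: the certificate effectively never expires
ValidityPeriod = "Years"
ValidityPeriodUnits = "1000"
[Extensions]
; Mark the certificate with the Document Encryption EKU
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"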
Write-Verbose -Message 'First, let''s show the certificate in the cert store...' -Verbose
Get-ChildItem -Path Cert:\CurrentUser\My -DocumentEncryptionCert
Write-Verbose -Message 'Setting password...' -Verbose
$Password = 'The$uperSecr3tP@ssw0rd'
Write-Verbose -Message 'Encrypting password...' -Verbose
Protect-CmsMessage -To 'CN=This_Machine' -Content $Password
Write-Verbose -Message 'Encrypting and writing out to a file.' -Verbose
Protect-CmsMessage -To 'CN=This_Machine' -Content $Password -OutFile password.cms
certreq -new DocumentEncryption.inf DocumentEncryption.cer
Get-Command -Module Microsoft.PowerShell.Security
CommandType Name                                      Version Source
----------- ----                                      ------- ------
Cmdlet      ConvertFrom-SecureString                  3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      ConvertTo-SecureString                    3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Get-Acl                                   3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Get-AuthenticodeSignature                 3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Get-CmsMessage                            3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Get-Credential                            3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Get-ExecutionPolicy                       3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Get-PfxCertificate                        3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      New-FileCatalog                           3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Protect-CmsMessage                        3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Set-Acl                                   3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Set-AuthenticodeSignature                 3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Set-ExecutionPolicy                       3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Test-FileCatalog                          3.0.0.0 Microsoft.PowerShell.Security
Cmdlet      Unprotect-CmsMessage                      3.0.0.0 Microsoft.PowerShell.Security
VERBOSE: First, let's show the certificate in the cert store...
   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
F4B359E65BB3AB8044287F07168FF0E3C6F4FB02  CN=This_Machine
3BF16A24459EB34BDC8BFBA95548FB03EE5314CB  [email protected]
VERBOSE: Setting password...
VERBOSE: Encrypting password...
VERBOSE: Encrypting and writing out to a file.
VERBOSE: Pull the encrypted password from our stored file
The$uperSecr3tP@ssw0rd
VERBOSE: Do the same thing, but store it in a variable
VERBOSE: Create a pscredential
VERBOSE: Let's look at that credential
{
"UserName": "admin",
"Password": {
"Length": 22
}
}
VERBOSE: Finally, let's pull that password out
The$uperSecr3tP@ssw0rd
VERBOSE: We can use Get-CMSMessage to show the envelope data from the CMS
Recipients : {CN=This_Machine}
Version : 0
ContentInfo : System.Security.Cryptography.Pkcs.ContentInfo
ContentEncryptionAlgorithm : System.Security.Cryptography.Pkcs.AlgorithmIdentifier
Certificates : {}
UnprotectedAttributes : {}
Get-Command -Module pki
CommandType Name                                      Version Source
----------- ----                                      ------- ------
Cmdlet      Add-CertificateEnrollmentPolicyServer     1.0.0.0 pki
Cmdlet      Export-Certificate                        1.0.0.0 pki
Cmdlet      Export-PfxCertificate                     1.0.0.0 pki
Cmdlet      Get-Certificate                           1.0.0.0 pki
Cmdlet      Get-CertificateAutoEnrollmentPolicy       1.0.0.0 pki
Cmdlet      Get-CertificateEnrollmentPolicyServer     1.0.0.0 pki
Cmdlet      Get-CertificateNotificationTask           1.0.0.0 pki
Cmdlet      Get-PfxData                               1.0.0.0 pki
Cmdlet      Import-Certificate                        1.0.0.0 pki
Cmdlet      Import-PfxCertificate                     1.0.0.0 pki
Cmdlet      New-CertificateNotificationTask           1.0.0.0 pki
Cmdlet      New-SelfSignedCertificate                 1.0.0.0 pki
Cmdlet      Remove-CertificateEnrollmentPolicyServer  1.0.0.0 pki
Cmdlet      Remove-CertificateNotificationTask        1.0.0.0 pki
Cmdlet      Set-CertificateAutoEnrollmentPolicy       1.0.0.0 pki
Cmdlet      Switch-Certificate                        1.0.0.0 pki
Cmdlet      Test-Certificate                          1.0.0.0 pki
Write-Verbose -Message 'We can use Get-CMSMessage to show the envelope data from the CMS' -Verbose
Get-CmsMessage -Path .\password.cms
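The INF on this page requests an exportable key, a SHA-1 signature hash and a 1000-year validity, and the scripts address the recipient by subject name. The following added example (not part of the original gist) creates a comparable document-encryption certificate with New-SelfSignedCertificate from the pki module listed above, using a non-exportable key, SHA-256 and a one-year lifetime, then round-trips a constructed secret addressed by thumbprint. The subject CN=CmsExample and the sample secret are assumptions, and -Type DocumentEncryptionCert assumes Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the gist. 'CN=CmsExample' and the secret are constructed.
$ErrorActionPreference = 'Stop'

# Self-signed Document Encryption certificate with tighter settings than the INF:
# private key not exportable, SHA-256 signature hash, one-year lifetime.
$cert = New-SelfSignedCertificate -Subject 'CN=CmsExample' `
    -Type DocumentEncryptionCert `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyUsage KeyEncipherment, DataEncipherment `
    -KeyExportPolicy NonExportable `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

try {
    # Confirm the store entry is usable for CMS: listed as a document-encryption
    # certificate and backed by a private key (needed to decrypt).
    $found = Get-ChildItem -Path Cert:\CurrentUser\My -DocumentEncryptionCert |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint -and $_.HasPrivateKey }
    if (-not $found) { throw "Certificate $($cert.Thumbprint) is not usable for CMS." }

    # Address the recipient by thumbprint: a subject name is not unique and
    # matches any certificate in the store that carries the same subject.
    $secret = 'Constructed-Sample-Secret-1!'
    $cms = Protect-CmsMessage -To $cert.Thumbprint -Content $secret

    # The envelope names its recipient in the clear; only the content is encrypted.
    (Get-CmsMessage -Content $cms).Recipients

    # Decrypt straight into a SecureString and wrap it in a credential,
    # as the gist's unprotect script does with password.cms.
    $secure = Unprotect-CmsMessage -Content $cms |
        ConvertTo-SecureString -AsPlainText -Force
    $cred = [pscredential]::new('admin', $secure)

    # Case-sensitive comparison of the recovered value with the original.
    if ($cred.GetNetworkCredential().Password -cne $secret) { throw 'Round trip failed.' }
    Write-Verbose -Message 'Round trip succeeded.' -Verbose
}
finally {
    # Remove the demo certificate together with its private key.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```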