@xsolon
Last active October 23, 2017 10:15
Create CA cert and certificates using PowerShell
# based on https://technet.microsoft.com/en-us/library/dn949332.aspx
# This script needs to run on a modern PowerShell (Win 10 / Server 2016, PSVersion >= 5.1)
# from an elevated session, because it writes to the LocalMachine certificate stores.

# local certificate authority
$caFriendlyName = 'myCA'
$caSubjectName  = 'myCA'
# server-to-server (connection) cert
$encryptCertFriendlyName = 'EncryptCert'
$location     = 'Cert:\LocalMachine\My'
$rootLocation = 'Cert:\LocalMachine\Root'
$tempCaPath   = 'c:\ca.cer'
$spUrl        = '*.dev.local'   # DNS name of the SP site

function createCA () {
    # Basic Constraints: CA=TRUE with a path length of 0, so this CA may sign
    # end-entity certificates only, never a subordinate CA. Marked critical.
    $enforceLevels = $true
    $levelOfSubCertsAllowed = 0
    $isCa = $true
    $isCritical = $true
    $caConstraint = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension `
        -ArgumentList @($isCa, $enforceLevels, $levelOfSubCertsAllowed, $isCritical)
    # Key usage is limited to what a CA needs: signing certificates and CRLs.
    # The new certificate (with its private key) is returned to the caller.
    New-SelfSignedCertificate -CertStoreLocation $location `
        -Subject $caSubjectName `
        -Extension @($caConstraint) `
        -NotAfter (Get-Date).AddYears(20) `
        -KeyLength 4096 `
        -KeyAlgorithm RSA `
        -FriendlyName $caFriendlyName `
        -Type Custom `
        -KeyUsage DigitalSignature, CRLSign, CertSign
}

function getCA () {
    # reuse an existing CA from the store, create one only if none is found
    $caCert = Get-ChildItem -Path $location | Where-Object { $_.FriendlyName -eq $caFriendlyName }
    if ($null -eq $caCert) {
        Write-Host 'CA not found, creating...'
        $caCert = createCA
    }
    return $caCert
}

function createSPCert () {
    # web (SP) certificate for the SP site, issued by the local CA via -Signer
    New-SelfSignedCertificate -DnsName $spUrl -CertStoreLocation $location -NotAfter (Get-Date).AddYears(20) -Signer $caCert
}

function getEncryptCert () {
    # connection certificate; -KeySpec KeyExchange makes the key usable for encryption
    $cert = Get-ChildItem -Path $location | Where-Object { $_.FriendlyName -eq $encryptCertFriendlyName }
    if ($null -eq $cert) {
        Write-Host 'creating Encryption cert'
        $cert = New-SelfSignedCertificate -CertStoreLocation $location -Subject $encryptCertFriendlyName -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(20) -FriendlyName $encryptCertFriendlyName -Type Custom -Signer $caCert
    }
    return $cert
}

# create CA cert (or reuse the existing one)
$caCert = getCA
# install the CA in the trusted roots store; Export-Certificate writes the public
# certificate only, the CA private key stays in the My store
$caCert | Export-Certificate -FilePath $tempCaPath
Import-Certificate -FilePath $tempCaPath -CertStoreLocation $rootLocation
# create SP (web) cert
createSPCert
# create connection cert
$encCert = getEncryptCert
# we export the pfx (certificate plus private key) even if already installed, to pass it to the CRM script
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Export-PfxCertificate -FilePath 'c:\enc.pfx' -Cert $encCert -Password $mypwd
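Added check, not part of xsolon's gist: after the script above has run, this function verifies that what was created is actually what the script intends, i.e. that the CA certificate carries the critical Basic Constraints extension with CA=TRUE and path length 0, that its key usage includes certificate signing, that its public certificate landed in the Root store, and that the SP and EncryptCert leaves build a chain terminating at that CA. The function name Test-LocalCaSetup and its parameters are mine; the store paths, friendly names and SP DNS name default to the values the script uses.

```powershell
# Added verification helper (not from the original gist). Assumes the script above
# has run in this machine and uses its default store paths and names.
function Test-LocalCaSetup {
    param(
        [string]$StorePath        = 'Cert:\LocalMachine\My',
        [string]$RootStorePath    = 'Cert:\LocalMachine\Root',
        [string]$CaFriendlyName   = 'myCA',
        [string]$LeafFriendlyName = 'EncryptCert',
        [string]$SpDnsName        = '*.dev.local'
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'

    $ca = Get-ChildItem -Path $StorePath |
        Where-Object { $_.FriendlyName -eq $CaFriendlyName } |
        Select-Object -First 1
    if ($null -eq $ca) { throw "CA '$CaFriendlyName' not found in $StorePath" }

    # 1. Basic Constraints: CA=TRUE, pathLen=0, critical (what createCA asked for)
    $bc = $ca.Extensions | Where-Object { $_ -is ("$x509.X509BasicConstraintsExtension" -as [type]) }
    $basicConstraintsOk = [bool]($bc -and $bc.Critical -and $bc.CertificateAuthority -and
        $bc.HasPathLengthConstraint -and $bc.PathLengthConstraint -eq 0)

    # 2. Key Usage must include keyCertSign (and CRLSign) for the CA to issue certs
    $ku = $ca.Extensions | Where-Object { $_ -is ("$x509.X509KeyUsageExtension" -as [type]) }
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $crlSign  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign
    $keyUsageOk = [bool]($ku -and (($ku.KeyUsages -band $certSign) -eq $certSign) -and
        (($ku.KeyUsages -band $crlSign) -eq $crlSign))

    # 3. The CA (by thumbprint) is present in the trusted Root store
    $caTrusted = [bool](Get-ChildItem -Path $RootStorePath |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint })

    # 4. Each leaf chains to exactly this CA. Revocation is skipped because the
    #    script publishes no CRL for the local CA.
    $leaves = Get-ChildItem -Path $StorePath | Where-Object {
        $_.FriendlyName -eq $LeafFriendlyName -or $_.Subject -eq "CN=$SpDnsName"
    }
    $chainResults = foreach ($leaf in $leaves) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($leaf)
        $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject     = $leaf.Subject
            Thumbprint  = $leaf.Thumbprint
            ChainsToCa  = [bool]($built -and $last.Thumbprint -eq $ca.Thumbprint)
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
        }
    }

    [pscustomobject]@{
        CaThumbprint       = $ca.Thumbprint
        CaHasPrivateKey    = $ca.HasPrivateKey       # needed in My for -Signer to work
        BasicConstraintsOk = $basicConstraintsOk
        KeyUsageOk         = $keyUsageOk
        CaTrustedInRoot    = $caTrusted
        AllLeavesChainToCa = [bool]($leaves -and -not ($chainResults | Where-Object { -not $_.ChainsToCa }))
        Leaves             = $chainResults
    }
}

# Usage: run from the same elevated session after the script above.
$result = Test-LocalCaSetup
$result | Format-List
$result.Leaves | Format-Table Subject, ChainsToCa, ChainStatus -AutoSize
```

A `ChainsToCa` of `$false` with a status such as "A certificate chain processed, but terminated in a root certificate which is not trusted" means the Import-Certificate into the Root store did not take effect (typically a non-elevated session); a `$false` `BasicConstraintsOk` means the `-Extension` argument was dropped, in which case the "CA" is a plain self-signed certificate and Windows will not accept the leaves it signed.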