Create CA cert and certificates using PowerShell
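# based on https://technet.microsoft.com/en-us/library/dn949332.aspx
# This command needs to run on a modern powershell (win 10/server 2016, PSVersion >= 5.1)
#
# Builds a private root CA in the local machine store, trusts it machine-wide, then
# issues a wildcard web (SP) certificate and a key-exchange certificate signed by it.
# Writing to Cert:\LocalMachine\* needs an elevated shell, so fail early instead of
# half-way through with an "access denied" from the store provider.
#Requires -Version 5.1
#Requires -RunAsAdministrator

# A failed step (e.g. CA creation) must not be silently skipped: later steps would
# sign with $null or export the wrong certificate. Abort on the first error.
$ErrorActionPreference = 'Stop'

#local certificate authority
$caFriendlyName = "myCA";    # FriendlyName used to find the CA again in $location
$caSubjectName = "myCA";     # becomes the CA certificate Subject (CN=myCA)
#server to server cert
$encrptCertFriendlyName = "EncryptCert";   # (sic) referenced by name below; keep the spelling
$location = 'Cert:\LocalMachine\my';       # store holding the CA key and the issued certs
$rootlocation = 'Cert:\LocalMachine\Root'; # trusting the CA here trusts every cert it signs, for all users/services on this host
$tempCaPath = 'c:\ca.cer';                 # transport file for the PUBLIC CA cert only (DER, no private key)
$spUrl = '*.dev.local'; #url of sp site    # wildcard DnsName / CN of the web certificate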
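function createCA (){
    <#
    .SYNOPSIS
    Creates the self-signed root CA certificate in $location (script scope).
    .DESCRIPTION
    The certificate carries a critical BasicConstraints extension with CA=true and
    PathLength=0, so it may sign leaf certificates but cannot issue subordinate CAs.
    KeyUsage is restricted to DigitalSignature, CRLSign and CertSign.
    The private key is created NonExportable: nothing in this script ever needs the
    CA key outside the store (only the public .cer is exported later), and a root key
    that can be copied off the host lets whoever obtains it mint certificates this
    whole machine trusts. If you need to back up or move the CA, change the policy
    deliberately rather than leaving it exportable by accident.
    Returns nothing; getCA re-reads the certificate from the store.
    #>
    $enforceLevels = $true          # hasPathLengthConstraint
    $levelOfSubCertsAllowed = 0;    # pathLengthConstraint: no intermediate CAs allowed
    $isCa = $true;
    $isCritical = $true;
    $caConstraint = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension `
        -ArgumentList @($isCa, $enforceLevels, $levelOfSubCertsAllowed, $isCritical)
    # Swallow the cmdlet output so the new cert is not emitted into the caller's
    # pipeline (getCA would otherwise return it twice).
    $null = New-SelfSignedCertificate -CertStoreLocation $location `
        -Subject $caSubjectName `
        -Extension @($caConstraint) `
        -NotAfter (Get-Date).AddYears(20) `
        -KeyLength 4096 `
        -KeyAlgorithm RSA `
        -KeyExportPolicy NonExportable `
        -FriendlyName $caFriendlyName `
        -Type Custom `
        -KeyUsage DigitalSignature, CRLSign, CertSign
}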
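function getCA(){
    <#
    .SYNOPSIS
    Returns the CA certificate from $location, creating it first if it is missing.
    .OUTPUTS
    System.Security.Cryptography.X509Certificates.X509Certificate2 - exactly one object.
    Several certificates can share a FriendlyName (e.g. an older CA left behind by a
    previous run), in which case the original lookup returned an array and every
    downstream -Signer call failed. The first match is taken so callers always get a
    single certificate.
    #>
    $lookup = {
        Get-ChildItem -Path $location |
            Where-Object { $_.FriendlyName -eq $caFriendlyName } |
            Select-Object -First 1
    }
    $caCert = & $lookup
    # $null on the LEFT: with an array on the left, -eq $null filters the array
    # instead of testing it, so a "not found" check can silently pass.
    if ($null -eq $caCert){
        Write-Host 'CA not found, creating...';
        createCA;
        $caCert = & $lookup
    }
    return $caCert;
}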
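function createSPCert(){
    <#
    .SYNOPSIS
    Issues the wildcard web (SP) certificate for $spUrl, signed by the script-scope $caCert.
    .DESCRIPTION
    Made idempotent to match getEncryptCert: if $location already holds a certificate
    with Subject CN=$spUrl issued by the current CA (Issuer equals $caCert.Subject),
    that one is returned instead of piling up a duplicate on every run.
    Uses $location rather than a second hard-coded store path.
    The certificate object is written to the pipeline.
    NOTE(review): 20-year leaf validity is far beyond what browsers accept from public
    CAs (398 days); it is tolerated only because this is a private dev root.
    #>
    $expectedSubject = "CN=$spUrl"
    $existing = Get-ChildItem -Path $location |
        Where-Object { $_.Subject -eq $expectedSubject -and $_.Issuer -eq $caCert.Subject } |
        Select-Object -First 1
    if ($null -ne $existing) {
        return $existing
    }
    New-SelfSignedCertificate -DnsName $spUrl -CertStoreLocation $location -NotAfter (Get-Date).AddYears(20) -Signer $caCert
}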
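function getEncryptCert(){
    <#
    .SYNOPSIS
    Returns the key-exchange ("encryption") certificate, issuing it from $caCert if absent.
    .OUTPUTS
    X509Certificate2 - a single object (first FriendlyName match), so the
    Export-PfxCertificate call downstream never receives an array.
    -KeySpec KeyExchange marks the RSA key for encryption/key transport rather than
    signing only. Its private key is exported to a PFX at the end of the script, so
    -KeyExportPolicy is intentionally left at the cmdlet default the export relies on;
    do not make this key NonExportable without also changing that export.
    #>
    $found = Get-ChildItem -Path $location |
        Where-Object { $_.FriendlyName -eq $encrptCertFriendlyName } |
        Select-Object -First 1
    # $null on the left avoids the array-filtering pitfall of "$x -eq $null".
    if ($null -eq $found){
        Write-Host 'creating Encryption cert';
        $found = New-SelfSignedCertificate -CertStoreLocation $location -Subject $encrptCertFriendlyName -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(20) -FriendlyName $encrptCertFriendlyName -Type Custom -Signer $caCert
    }
    return $found;
}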
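#create ca cert
$caCert = getCa;
# install in trusted roots store
# Only the public certificate leaves the store: Export-Certificate writes DER with no
# private key. Importing it into Root makes every certificate this CA signs trusted by
# all users and services on this host, so keep the CA key where it is.
$caCert | Export-Certificate -FilePath $tempCaPath #public key
Import-Certificate -FilePath $tempCaPath -CertStoreLocation $rootlocation
# The .cer is just a transport artifact; drop it once the Root store holds the CA.
Remove-Item -Path $tempCaPath -ErrorAction SilentlyContinue
#create SP (web) cert
createSPCert;
# create connection cert
$encCert = getEncryptCert;
#we export the pfx even if already installed to pass to Crm script
# The PFX contains the private key, so its password must not live in this script
# (the previous "1234" was in every copy of the gist). Take it from ENC_PFX_PASSWORD
# for unattended runs, otherwise prompt without echo. Note that c:\enc.pfx sits in the
# drive root, which is readable by local users by default; the password is the only
# thing protecting the key there, and the consuming Crm script should delete the file.
if ($env:ENC_PFX_PASSWORD) {
    $mypwd = ConvertTo-SecureString -String $env:ENC_PFX_PASSWORD -Force -AsPlainText
} else {
    $mypwd = Read-Host -Prompt 'Password to protect c:\enc.pfx' -AsSecureString
}
Export-PfxCertificate -FilePath 'c:\enc.pfx' -Cert $encCert -Password $mypwd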