From 243b0d0b1b817ff5e1a1c89ffd40a615fdc08999 Mon Sep 17 00:00:00 2001 From: jgaunt Date: Fri, 6 Sep 2024 19:14:12 +0000 Subject: [PATCH] Updated to better code --- csr.ps1 | 160 +++++++++++++++++++++++++++----------------------------- 1 file changed, 76 insertions(+), 84 deletions(-) diff --git a/csr.ps1 b/csr.ps1 index 99505fc..adb81b1 100644 --- a/csr.ps1 +++ b/csr.ps1 @@ -1,22 +1,19 @@ +[cmdletbinding()] param( - $rsa, - $hostnames + [Parameter( + Mandatory = $true, + ValueFromPipeline = $true, + Position = 0 + )] + [string[]]$hostnames + [string]$domain = "home.johnhgaunt.com", + [System.IO.FileInfo]$Path = [Environment]::GetFolderPath("Desktop"), + [ValidateSet("RSA2048", "RSA4096","ECC-256", "ECC-384")] + [string]$algorithm = "RSA2048" ) -if (-not $PSBoundParameters.ContainsKey('rsa')) { - $test = read-host "Do you want a RSA (r) or EEC (e) cert? (e/r)" - - if ($test -eq "r") { - $rsa = $True - } -} - -if ($hostnames -eq $null) { - $hostnames = read-host "Please enter Hostnames, no domain, to generate CSRs for" -} - -$domain = "home.johnhgaunt.com" -$subCA = "-----BEGIN CERTIFICATE----- +begin { + $subCA = "-----BEGIN CERTIFICATE----- MIIDITCCAqegAwIBAgITZwAAAAPeVCG43Kcf6QAAAAAAAzAKBggqhkjOPQQDBDAc MRowGAYDVQQDExFHQVVOVE9GRkxJTkVDQS1DQTAgFw0yMDA4MTMxMzAyNTdaGA8y MDUwMDgxMzAzMDEyNlowYjETMBEGCgmSJomT8ixkARkWA2NvbTEaMBgGCgmSJomT 
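Review bot: The new param block will not parse — `[string[]]$hostnames` has no trailing comma before `[string]$domain = ...`, so PowerShell reports a missing `)` in the parameter list and the script never runs; the line should read `[string[]]$hostnames,`. While in that block, each hostname is later interpolated unvalidated into the OpenSSL config text and into every `Start-Process -ArgumentList` string in the process block, so a value containing a quote, space or newline either breaks the argument quoting or injects extra config lines; a `[ValidatePattern('^[A-Za-z0-9-]+$')]` attribute on `$hostnames` would reject that at binding time rather than mid-run. `[System.IO.FileInfo]$Path` is also used only as a directory (`"$path\$hostname.$domain.key"`), so `[System.IO.DirectoryInfo]`, or `[string]` with `[ValidateScript({ Test-Path $_ -PathType Container })]`, would describe the contract honestly.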
@@ -35,79 +32,74 @@ RkZMSU5FQ0EtQ0EuY3J0MAoGCCqGSM49BAMEA2gAMGUCMHrFpzJOXUCIFTmCbRmX OQe7S4iVA0ISHMVk7LNqhSSmQNTbBS7cTcRUoH/jl+E5FwIxALrncv03Fi80zwn9 Rxff+wjtt7jg9/7wWEpdgIPFGDAaLKbVxhRZqO28YZqCTzQBgw== -----END CERTIFICATE-----" +} -foreach ($hostname in $hostnames) { +process { - # create a working directory in the temp folder - $workingDirectory = "$env:TEMP\csr" - $outDirectory = "$env:USERPROFILE\Desktop" - $configFile = "$workingDirectory\csr.conf" - $ecParamsFile = "$workingDirectory\ec.params" - $keyFile = "$outDirectory\$hostname.$domain.key" - $csrFile = "$workingDirectory\$hostname.$domain.csr" - $crtFile = "$outDirectory\$hostname.$domain.crt" + foreach ($hostname in $hostnames) { - $config = "[ req ] - prompt = no - default_md = sha512 - req_extensions = req_ext - distinguished_name = dn - - [ dn ] - C=US - ST=PA - L=Pittsburgh - O=Gaunt - OU=Gaunt - emailAddress=admin@johnhgaunt.com - CN=$hostname.$domain - - [ req_ext ] - subjectAltName = @alt_names - - [ alt_names ] - DNS.1 = $hostname.$domain - DNS.2 = $hostname" + # create a working directory in the temp folder + $configFile = "$env:TEMP\$hostname.$domain.csr.conf" + $csrFile = "$path\$hostname.$domain.csr" + $keyFile = "$path\$hostname.$domain.key" + $crtFile = "$path\$hostname.$domain.crt" - # create the temp directory - if (-not (test-path $workingDirectory)) { - New-Item -ItemType directory -Path $workingDirectory | Out-Null + $config = "[ req ] +prompt = no +default_md = sha512 +req_extensions = req_ext +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +C=US +ST=PA +L=Pittsburgh +O=Gaunt +OU=Gaunt +CN=$hostname.$domain + +[ req_ext ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = $hostname.$domain +DNS.2 = $hostname" + + # convert to unix file + # https://stackoverflow.com/questions/5102115/unix-format-files-with-powershell + Set-Content "$configFile" ([byte[]][char[]] "$config") -Encoding Byte -Force + + switch ($algorithm) { + "RSA2048" { 
$privateKeyGenerateArguments = "genrsa -out `"$keyFile`" 2048" } + "RSA4096" { $privateKeyGenerateArguments = "genrsa -out `"$keyFile`" 4096" } + "ECC-256" { $privateKeyGenerateArguments = "ecparam -name prime256v1 -genkey -noout -out `"$keyFile`"" } + "ECC-384" { $privateKeyGenerateArguments = "ecparam -name secp384r1 -genkey -noout -out `"$keyFile`"" } + } + switch -regex ($algorithm) { + "RSA.*" { $certReqAttrib = "CertificateTemplate:ServerandClient(RSA)" } + "ECC.*" { $certReqAttrib = "CertificateTemplate:ServerandClient(ECC)" } + } + + Start-Process openssl.exe ` + -ArgumentList $privateKeyGenerateArguments ` + -Wait + + Start-Process openssl.exe ` + -ArgumentList "req -new -key `"$keyFile`" -nodes -out `"$csrFile`" -config `"$configFile`"" ` + -Wait + + Start-Process certreq.exe ` + -ArgumentList "-submit -config `"gauntonlineca.home.johnhgaunt.com\GauntOnlineCA-CA`" -attrib `"$certReqAttrib`" `"$csrFile`" `"$crtFile`"" ` + -Wait + + # add the sub CA to the end of the cert + add-content $crtFile $subCA + + Remove-Item -Path "$path\$hostname.$domain.rsp" + Remove-Item -Path "$csrFile" } +} - # convert to unix file - # https://stackoverflow.com/questions/5102115/unix-format-files-with-powershell - sc $configFile ([byte[]][char[]] "$config") -Encoding Byte - - if ($rsa) { - # create key fil - openssl genrsa -out $keyFile 4096 +end { - # generate csr file - openssl req -new -key $keyFile -nodes -out $csrFile -config $configFile - - # submit the created CSR - certreq -submit -config "gauntonlineca.home.johnhgaunt.com\GauntOnlineCA-CA" -attrib "CertificateTemplate:ServerandClient(RSA)" $csrFile $crtFile - - } else { - # create the ec params - openssl ecparam -name secp384r1 -out $ecParamsFile - - # create the ecc private key - openssl ecparam -in $ecParamsFile -genkey -noout -out $keyFile - - # generate csr file - openssl req -new -key $keyFile -nodes -out $csrFile -config $configFile - - # submit the created CSR - certreq -submit -config 
"gauntonlineca.home.johnhgaunt.com\GauntOnlineCA-CA" -attrib "CertificateTemplate:ServerandClient(ECC)" $csrFile $crtFile - } - - # add the sub CA to the end of the cert - add-content $crtFile $subCA - - - # remove temp files and dir - Remove-Item -Path $workingDirectory -Force -Recurse - Remove-Item -Path $outDirectory\$hostname.$domain.rsp - Remove-Item -Path $csrFile } \ No newline at end of file
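Review bot: None of the three `Start-Process … -Wait` calls checks an exit code, so when `genrsa`/`ecparam` or `req` fails or openssl.exe is not found the script still submits to the CA, appends `$subCA` to a `$crtFile` that may not exist, and then `Remove-Item` errors on files that were never created; capture the process and stop on failure, e.g. `$p = Start-Process openssl.exe -ArgumentList $privateKeyGenerateArguments -Wait -PassThru -NoNewWindow` followed by `if ($p.ExitCode -ne 0) { throw "openssl key generation failed for $hostname (exit $($p.ExitCode))" }`, applied to the req and certreq calls as well. The unencrypted private key (`genrsa` / `ecparam -genkey` straight to `$keyFile`, no passphrase) is written to `$Path` — the Desktop by default — with whatever ACL that folder inherits and nothing tells the user; the comment above `$keyFile` should say so, and tightening the file ACL to the current user after generation would be the practitioner fix. The old version removed its whole working directory, but the rewrite deletes only the `.rsp` and `.csr` files and leaves `$configFile` behind in `$env:TEMP`; add `Remove-Item -Path "$configFile"` beside the other cleanup. Note also that `Set-Content -Encoding Byte` exists only in Windows PowerShell 5.1 — PowerShell 7 needs `-AsByteStream` — so the `[cmdletbinding()]` header should state which host is supported.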