forked from gregtwallace/certificate-scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cw-windows-plain.ps1
97 lines (82 loc) · 3.52 KB
/
cw-windows-plain.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# Created by Kody Salak (@KodySalak)
# CertWarden Certificate Fetcher/Importer that is somewhat automated
# Grabs certificate and key from CertWarden, converts it to a PKCS12, and imports to the System Personal Certificate Store in Windows.
# Version 2.0
# This script assumes ZERO liability for services that it may affect.
# Please add more error handling if you're using in production.
# Run this in an admin powershell window. It will not add to the correct store/fail if you don't.
#Requires -RunAsAdministrator
# Variables for script
$CertificateAPIKey = "<certificate API key>"
$KeyAPIKey = "<key API key>"
$Server = "<certwardenserver:port>"
$CertWardenCertName = "<display name of certificate in certwarden>"
$KeyName = "<display name of key in certwarden>"
$CertSubject = "<cert subject, e.g. testing.mytld.com>"
# May need/want to edit
$TempCerts = "C:\Windows\temp\tempcerts"
$OpenSSLLocation = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
$PKCS12Password = "Password"
# Shouldn't need to edit
$EncryptedPassword = ConvertTo-SecureString -String $PKCS12Password -Force -AsPlainText
$CertificateAPIURL = "certwarden/api/v1/download/certificates/$CertWardenCertName"
$KeyAPIURL = "certwarden/api/v1/download/privatekeys/$KeyName"
$CurrentCertExpireTime = (Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object { $_.Subject -Like "*$CertSubject"} | Sort-Object -Property NotAfter -Descending | Select-Object -First 1).NotAfter
$CertPath = "$TempCerts\certchain.crt"
$KeyPath = "$TempCerts\key.key"
$PKCS12Path = "$TempCerts\output.pfx"
###
# Exit Func for errors (also removes temp folder)
function Exit-Failed {
Remove-Item -Recurse -Force $TempCerts
Exit 1
}
# Main
# Make temp folder, if it doesn't exist
If (!(Get-ChildItem $TempCerts -ErrorAction SilentlyContinue)) {
Write-Host "Creating Temp Directory"
Try {
$null = New-Item $TempCerts -ItemType Directory
}
Catch {
Write-Host "Failed to make directory!"
Write-Host "Error: $_"
Exit 1
}
}
Else {
Write-Host "$($TempCerts) exists."
}
# Download current CertWarden certificate
Try {
Invoke-WebRequest -Uri "https://$Server/$CertificateAPIURL" -Method GET -Headers @{"apiKey" = "$CertificateAPIKey" } -OutFile "$TempCerts\certchain.crt"
}
Catch {
Write-Host "ERROR: FAILED TO GET CERTIFICATE: $($_)"
Exit-Failed
}
# cert object for CertWarden cert
$wardenCert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 "$TempCerts\certchain.crt"
# If CertWarden cert has longer validity (or doesn't exist on host yet), update
If ($CurrentCertExpireTime -lt $wardenCert.NotAfter -Or [string]::IsNullOrWhiteSpace($CurrentCertExpireTime)) {
Write-Host "Newer certificate available, updating"
# Get key from CertWarden
Try {
Invoke-WebRequest -Uri "https://$Server/$KeyAPIURL" -Method GET -Headers @{"apiKey" = "$KeyAPIKey" } -OutFile "$TempCerts\key.key"
}
Catch {
Write-Host "ERROR: FAILED TO GET KEY: $($_)"
Exit-Failed
}
# Convert the certificate and private key into a PKCS12 file
& $OpenSSLLocation pkcs12 -export -out $PKCS12Path -inkey $KeyPath -in $CertPath -passout "pass:$PKCS12Password"
# Import the PKCS12 file into the Local Machine Personal certificate store
Import-PfxCertificate -FilePath $PKCS12Path -Password $EncryptedPassword -CertStoreLocation "cert:\LocalMachine\My"
# Success
Write-Host "Certificate updated."
}
Else {
Write-Host "Certificate is still most recent."
}
# Remove temp folder
Remove-Item -Recurse -Force $TempCerts