-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathautoiisrequest.ps1
323 lines (280 loc) · 13 KB
/
autoiisrequest.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
param (
# Note to CA Administrators, these variables can be pre-initialized in your environment to simplify the execution of the script for your
# IIS Admins
[String]$hostname = "",
[String]$location = "",
[String]$site = "",
[String]$template = "",
[String]$ca_server ="",
[switch]$force,
[switch]$request,
[switch]$install
)
[String[]] $help_text = @"
AutoIISRequest.ps1 [optional parameters] [-request | -install] [-force]
Mandatory Parameters
* request: Create a private key and submit a certificate request to the CA server.
* install: Retrieve and install a certificate after the certificate is issued.
NOTE: either "request" or "install" (but not both) must be specified on the commandline. All other parameters are optional
Optional Parameters
* hostname: The hostname that should be present in the request. If this option is absent, the FQDN will be used.
* location: A directory to save artifacts in (eg. requests inf, csr, crt). If this option is absent, `$HOME will be used.
* site: Specify the site to install the certificate on. If you don't specify a site, and there is only one, the cert will be installed there. If there is more than one, the command will exit with an error.
* template: Specify the certificate template to be used.
* ca_server: The name of the CA Server to use. This only needs to be specified if the template can be issued from more than one CA. If this is the case, the script will provide the CA names.
* force: Overwrite artifact files if they exist.
"@
#
# Function to identify the request ID on the CA from the local request
#
function Get-RequestID {
param (
[X509Certificate]$request,
[String]$ca_config
)
$skid = $request.extensions.SubjectKeyIdentifier
$ca_view = New-Object -ComObject CertificateAuthority.View.1
$ca_view.OpenConnection($ca_config)
$cv_schema=0
$ski_column=$ca_view.GetColumnIndex($cv_schema,'SubjectKeyIdentifier')
$req_column=$ca_view.GetColumnIndex($cv_schema,'Request.RequestID')
# Filter on SKI
$no_sort = 0
$equal_to = 1
$ca_view.SetRestriction($ski_column,$equal_to,$no_sort,$skid)
# Define output table
$ca_view.SetResultColumnCount(1)
$ca_view.SetResultColumn($req_column)
$rows= $ca_view.OpenView()
while ($rows.Next() -ne -1)
{
$cols=$rows.EnumCertViewColumn()
While ($cols.Next() -ne -1) {
return $cols.GetValue(0)
}
}
}
#
# Function to initialize important variables prior to execution of the remainder of the script
#
function Set-Variables {
#Dynamically construct a directory search root from the current environment
$domain = $env:userdnsdomain.split(".") | ForEach-Object { -Join ("DC=", $_, ",") }
$search_root = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,"
foreach ($rdn in $domain) { $search_root = $search_root + $rdn }
$search_root = $search_root.Substring(0,$search_root.Length-1)
# CA Config string. Update this if the template will be issued from a different CA
if ($ca_server -eq "") {
$template_cas = @()
$search = [ADSIsearcher]"(objectClass=pkienrollmentservice)"
$search.SearchRoot = "$search_root"
$results = $search.FindAll()
foreach ($ca in $results) {
if ($template -in $ca.properties.certificatetemplates) {
$template_cas += $ca
}
}
if ($template_cas.Count -gt 1) {
Write-Output "The chosen template can be issued by more than one CA. Please provide the appropriate name on the command line using the -ca_server switch."
Write-Output "Possible Issuers:"
foreach ($ca in $template_cas) {
Write-Output $ca.properties.displayname
}
Exit
} elseif ($template_cas.Count -lt 1) {
Write-Output "No CAs can issue the specified template"
Exit
} else {
$ca_hostname=$template_cas[0].properties.dnshostname
$ca_server = $template_cas[0].properties.displayname
}
} else {
$search = [ADSIsearcher]"(&(objectclass=pkienrollmentservice)(displayname=$ca_server))"
$search.SearchRoot = "$search_root"
$results = $search.findAll()
$ca_hostname=$results[0].properties.dnshostname
}
[String]$Script:ca_config = "$ca_hostname\$ca_server"
# If the user does not specify a location for the inf file, use $HOME
if ($Script:location -eq "") {
$Script:location = $HOME
}
[String] $Script:file = Join-Path -Path $Script:location -ChildPath "autoiisrequest"
# If the user does not specify a site, and no sites are configured, bail with an error.
# If the user does not specify a site, and only one site is defined, use it.
# IF the user does not specify a site, and there are multiple sites, bail with an error, and list the sites.
# If the user specifies a site, confirm that it exists. If they mistyped, bail.
if ($Script:site -eq "") {
if ( (Get-IISSite).Length -lt 1 ) {
Write-Output "No sites defined. At least one site must be defined for this script to execute."
Exit
} elseif ( (Get-IISSite).Length -gt 1 ) {
Write-Output "More than one site defined. You must specify which site you want a certificate for using the -site commmand option"
Write-Output "The following sites were identified:"
(Get-IISSite).Name | Write-Output
Exit
} else {
$Script:site = (Get-IISSite).Name
}
} else {
if ( $Script:site -notin (Get-IISSite).Name ) {
Write-Output "The specified site does not exist on this server. Check for typos."
Write-Output "The following sites were identified:"
(Get-IISSite).Name | Write-Output
Exit
} else {
Write-Output "Site $Script:site exists. Continuing..."
}
}
# If the administrator does not specify a hostname for the request, get the hostname from the web configuration if it exists.
if ($Script:hostname -eq "") {
$Script:hostname = ((Get-IISSiteBinding -Name $site -protocol "http").bindingInformation | Select-String -Pattern "(.+):\d+:(.*)").Matches.Groups[2].Value
}
# If the hostname is still empty, the IIS Site binding may not specify a hostname. We can assume the FQDN is okay.
if ($Script:hostname -eq "") {
[String] $Script:hostname = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
}
}
#
#Function to clean up files created during issuance. Intended to be run if everything is successful.
#
function Remove-Tempfiles {
param (
[String]$file_location
)
Get-ChildItem $file_location autoiisrequest.* | Remove-Item
}
#
#Function to verify we are running on a machine with IIS installed
#
function Test-IIS {
if ( (Get-WindowsFeature Web-Server).InstallState -ne "Installed" ) {
Write-Output "IIS Not installed. IIS is required for this script to function."
return $false
} else {
Write-Output "IIS is installed. Continuing..."
return $true
}
}
#
# If neither request nor install are specified, or if both request and installe are specified, bail.
#
if ( ($request -and $install) -or (!$request -and !$install) ) {
Write-Output $help_text
Exit
#
#Handle request process
#
} elseif ($request) {
# Confirm we're running on an IIS Server. If not, Exit.
if ( -not (Test-IIS) ) { Exit }
# Call the "Set-Variables" function to populate all of the required variables
Set-Variables
#Check for existing requests
if (Test-Path "$file.rid") {
if ($force) {
Write-Output "Previous request exists, but -force set. Will overwrite previous request"
} else {
Write-Output "The request ID file exists. Is there an outstanding request?"
Write-Output "Use -install parameter to complete the request, or use the -force parameter to force overwrite."
Exit
}
}
# Generate the private key and request
Write-Output "Generating private key and certificate request and submitting to Certification Authority..."
try {
$enroll_result = Get-Certificate -Template $template -DnsName $hostname -SubjectName "CN=$hostname" -CertStoreLocation cert:\LocalMachine\My
} catch {
Write-Output "Error Requesting Certificate"
Write-Output "$_"
Exit
}
# Capture the request ID to a variable
$request_id = $enroll_result.Request.Thumbprint
if ($request_id -eq "") {
Write-Output "Something went wrong. Request ID unavailable."
Exit
} else {
# Write the request ID to a temporary file. We've already warned the user and exited if it exists and -force is not set.
if (Test-Path "$file.rid") {
if ($force) {
Set-Content -Path "$file.rid" -Value $request_id
} else {
Write-Output "It shouldn't be possible to see this error"
Exit
}
} else {
Set-Content -Path "$file.rid" -Value $request_id
}
}
#
# Handle the Certificate Installation Process
#
} elseif ($install) {
# Confirm we're running on an IIS Server. If not, Exit.
if ( -not (Test-IIS) ) { Exit }
# Call the "Set-Variables" function to populate all of the required variables
Set-Variables
# Obtain the request ID from the file where is was recorded during the request process
if (Test-Path "$file.rid") {
$request_id = Get-Content -Path "$file.rid"
} else {
Write-Output "Request ID file missing. Contact PKI adminstrators for assistance."
Exit
}
# Get the request object corresponding to the request ID
if (Test-Path "Cert:\LocalMachine\REQUEST\$request_id") {
$request_obj = Get-ChildItem -Path "Cert:\LocalMachine\REQUEST\$request_id"
} else {
Write-Output "Certificate Request missing. Contact PKI adminstrators for assistance."
}
# Retrive the Certificate
try {
$retrieve_result = Get-Certificate -Request $request_obj
} catch {
Write-Output "Error Retrieving Certificate"
Write-Output "$_"
Exit
}
if ($retrieve_result.Status -eq "Issued") {
$cert_thumbprint = $retrieve_result.Certificate.Thumbprint
Write-Output "Certificate has been issued by the CA. Thumbprint: $cert_thumbprint"
} elseif ($retrieve_result.Status -eq "Pending") {
$ca_request_id = Get-RequestID -request $request_obj -ca_config $ca_config
Write-Output "Certificate has not yet been issued by the CA. Contact the PKI Administrators for assistance (reference Request ID $ca_request_id)."
Exit
} elseif ($retrieve_result.Status -eq "Denied") {
$ca_request_id = Get-RequestID -request $request_obj -ca_config $ca_config
Write-Output "Certificate request was Denied. Contact the PKI Administrators for assitance (reference Request ID $ca_request_id)."
#Cleanup request files
Write-Output "Removing Temporary Files..."
Remove-Tempfiles -file_location $location
Exit
} else {
Write-Output "Something Else happened"
Write-Output $retrieve_result
Exit
}
# See if an https binding already exists
if ( "https" -notin ((Get-IISSite $site).Bindings.protocol) ) {
#If not, create the https binding for the site, based on the http binding information
Write-Output "Creating https web Binding with new certificate..."
$binding_ip = ((Get-IISSiteBinding -Name $site -protocol "http").bindingInformation | Select-String -Pattern "(.+):\d+:(.*)").Matches.Groups[1].Value
$binding_host = ((Get-IISSiteBinding -Name $site -protocol "http").bindingInformation | Select-String -Pattern "(.+):\d+:(.*)").Matches.Groups[2].Value
$binding_info = $binding_ip + ":443:" + $binding_host
New-IISSiteBinding -Name "$site" -BindingInformation "$binding_info" -Protocol "https" -CertificateThumbPrint "$cert_thumbprint" -CertStoreLocation "Cert:\LocalMachine\My"
} else {
# If the binding exists, remove the binding (preserving the old certificates), and re-add it with the new certificate.
$binding_info = (Get-IISSiteBinding -Name $site -protocol "https").bindingInformation
Remove-IISSiteBinding -Name "$site" -Bindinginformation "$binding_info" -RemoveConfigOnly -protocol "https" -Confirm:$false
Write-Output "Deleting Current Web Binding..."
do {
Start-Sleep -Seconds 1
} until ( "https" -notin ((Get-IISSite $site).Bindings.protocol) )
Write-Output "Creating Web Binding with new Certificate..."
New-IISSiteBinding -Name "$site" -BindingInformation "$binding_info" -Protocol "https" -CertificateThumbPrint "$cert_thumbprint" -CertStoreLocation "Cert:\LocalMachine\My"
}
#Cleanup request files
Write-Output "Removing Temporary Files..."
Remove-Tempfiles -file_location $location
}