Implemented renew certificate using native powershell

renew.ps1

@@ -1,50 +1,83 @@
 <#
-Powershell script for renewing script using MTLS endpoint using powershell
+Powershell script for renewing certificate using MTLS endpoint using powershell
 
-Could probably done using native powershell commands but the logic was already written in bash using OpenSSL
+Could possibly (?) be done using native powershell commands but the logic was already written in bash using OpenSSL
 #>
 
-# Create a CSR
-Function RenewCertificateMTLS($Certificate, $Key, $Root, $AppServiceUrl) {
+using namespace System.Security.Cryptography.X509Certificates
+using namespace System.Security.Authentication
+using namespace System.Net.Http
+using namespace System.Net.Security
+
+
+Function RenewCertificateMTLS($CertificatePath, $AppServiceUrl) {
     $TempCSR = New-TemporaryFile
-    $TempKEY = New-TemporaryFile
     $TempP7B = New-TemporaryFile
-    $TempPEM = New-TemporaryFile
-    $TempWGET = New-TemporaryFile
+    $TempINF = New-TemporaryFile
+    $url = "$AppServiceUrl/.well-known/est/simplereenroll"
+
+    # In file configuration
+    $Inf = 
+    '[Version]
+    Signature="$Windows NT$"
+    
+    [NewRequest]
+    ;Change to your,country code, company name and common name
+    Subject = "C=US, O=Example Co, CN=something.example.com"
+    
+    KeySpec = 1
+    KeyLength = 2048
+    Exportable = TRUE
+    MachineKeySet = TRUE
+    SMIME = False
+    PrivateKeyArchive = FALSE
+    UserProtected = FALSE
+    UseExistingKeySet = FALSE
+    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+    ProviderType = 12
+    RequestType = PKCS10
+    KeyUsage = 0xa0
     
-    if ($Env:Path -split ";" -contains "C:\Program Files\OpenSSL-Win64\bin") {
-        $env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin"
-    }
-    # Also probably add wget to the path?
+    [EnhancedKeyUsageExtension]
+    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing'
+    $Inf | Out-File -FilePath $TempINF
 
+    $body = Get-Content $TempCSR
     # Create new key and CSR
-    openssl genrsa -out "$TempKEY" 4096
-    openssl req -new -key $TempKEY -sha256 -out $TempCSR -subj "/C=US/ST=State/L=Locality/O=Contoso/OU=Unit/CN=Contoso/emailAddress=email@contoso.com"
-
-    # possibly remove aliases?
-    # e.g. Remove-Item alias:wget
+    CertReq -new $TempINF $TempCSR
 
     # Create renewed version of certificate.
-    wget.exe --certificate=$Certificate --private-key=$Key, --ca-certificate=$Root --post-file=$TempCSR --header="Content-Type:application/pkcs10" --no-check-certificate --output-document=$TempWGET "$AppServiceUrl/.well-known/est/simplereenroll"
+    # Invoke-WebRequest would be easiest option - but doesn't work due to nature of cmd
+    # Invoke-WebRequest -Certificate certificate-test.pfx -Body $Body -ContentType "application/pkcs10" -Credential "5hEgpuJQI5afsY158Ot5A87u" -Uri "$AppServiceUrl/.well-known/est/simplereenroll" -OutFile outfile.txt
+    # So use HTTPClient instead
+    $cert = New-Object X509Certificate2($CertificatePath, "TCR7Mq0Sw3XssyPmmtGIoBlk")
+    # write-host for debugging
+    Write-Host "Cert Has Private Key: $($cert.HasPrivateKey)"
+
+    $handler = New-Object HttpClientHandler
+    $handler.ClientCertificates.Add($cert)
+    $handler.ClientCertificateOptions = [System.Net.Http.ClientCertificateOption]::Manual
+
+    $client = New-Object HttpClient($handler)
+    $client.HttpClientHandler
+    $requestmessage = [System.Net.Http.HttpRequestMessage]::new()
+    $body = Get-Content $TempCSR
+    $requestmessage.Content = [System.Net.Http.StringContent]::new(
+        $body,  
+        [System.Text.Encoding]::UTF8,"application/pkcs10"
+    )
+    $requestmessage.Content.Headers.ContentType = "application/pkcs10"
+    $requestmessage.Method = 'POST'
+    $requestmessage.RequestUri = $url
+    $httpResponseMessage = $client.Send($requestmessage)
+    $responseContent =  $httpResponseMessage.Content.ReadAsStringAsync().Result
+
     Write-Output "-----BEGIN PKCS7-----" > "$TempP7B"
-    Get-Content $TempWGET >> "$TempP7B"
+    Write-Output $responseContent >> "$TempP7B"
     Write-Output "-----END PKCS7-----" >> "$TempP7B"
-    # Convert to UTF8? For some reason OpenSSL can't read the text format that PowerShell creates by default.
-    $MyRawString = Get-Content -Raw "$TempP7B"
-    $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
-    [System.IO.File]::WriteAllLines("$TempP7B", $MyRawString, $Utf8NoBomEncoding)
     # Convert PKCS7 to PEM
-    openssl pkcs7 -print_certs -in "$TempP7B" -out "$TempPEM"
-
-    # If certificates created successfuly, overwrite old certificates
-    if (-Not ([String]::IsNullOrWhiteSpace((Get-content $TempPEM)))) {
-        Copy-Item -Path $TempKEY -Destination $Key
-        Copy-Item -Path $TempPEM -Destination $Certificate
-    } else {
-        Write-Host "Renewal endpoint returned an error"
-        exit 1
-    }
+    CertReq -accept $TempP7B
 
 }
 
-RenewCertificateMTLS -Certificate "coolcert.pem" -Key "coolcert.key" -Root "scepman-root.pem" -AppServiceUrl "https://app-scepman-csz5hqanxf6cs.azurewebsites.net/"
+RenewCertificateMTLS -Certificate "C:\Users\BenGodwin\OneDrive - glueckkanja-gab\Desktop\scepclient\certificate-test.pfx" -AppServiceUrl "https://app-scepman-csz5hqanxf6cs.azurewebsites.net/"