diff --git a/renew.ps1 b/renew.ps1
index f438c89..9f9d5b7 100644
--- a/renew.ps1
+++ b/renew.ps1
@@ -1,50 +1,83 @@ <# -Powershell script for renewing script using MTLS endpoint using powershell +Powershell script for renewing certificate using MTLS endpoint using powershell -Could probably done using native powershell commands but the logic was already written in bash using OpenSSL +Could possibly (?) be done using native powershell commands but the logic was already written in bash using OpenSSL #> -# Create a CSR -Function RenewCertificateMTLS($Certificate, $Key, $Root, $AppServiceUrl) { +using namespace System.Security.Cryptography.X509Certificates +using namespace System.Security.Authentication +using namespace System.Net.Http +using namespace System.Net.Security + + +Function RenewCertificateMTLS($CertificatePath, $AppServiceUrl) { $TempCSR = New-TemporaryFile - $TempKEY = New-TemporaryFile $TempP7B = New-TemporaryFile - $TempPEM = New-TemporaryFile - $TempWGET = New-TemporaryFile + $TempINF = New-TemporaryFile + $url = "$AppServiceUrl/.well-known/est/simplereenroll" + + # In file configuration + $Inf = + '[Version] + Signature="$Windows NT$" + + [NewRequest] + ;Change to your,country code, company name and common name + Subject = "C=US, O=Example Co, CN=something.example.com" + + KeySpec = 1 + KeyLength = 2048 + Exportable = TRUE + MachineKeySet = TRUE + SMIME = False + PrivateKeyArchive = FALSE + UserProtected = FALSE + UseExistingKeySet = FALSE + ProviderName = "Microsoft RSA SChannel Cryptographic Provider" + ProviderType = 12 + RequestType = PKCS10 + KeyUsage = 0xa0 - if ($Env:Path -split ";" -contains "C:\Program Files\OpenSSL-Win64\bin") { - $env:path = $env:path + ";C:\Program Files\OpenSSL-Win64\bin" - } - # Also probably add wget to the path? 
+ [EnhancedKeyUsageExtension] + OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing' + $Inf | Out-File -FilePath $TempINF + $body = Get-Content $TempCSR # Create new key and CSR - openssl genrsa -out "$TempKEY" 4096 - openssl req -new -key $TempKEY -sha256 -out $TempCSR -subj "/C=US/ST=State/L=Locality/O=Contoso/OU=Unit/CN=Contoso/emailAddress=email@contoso.com" - - # possibly remove aliases? - # e.g. Remove-Item alias:wget + CertReq -new $TempINF $TempCSR # Create renewed version of certificate. - wget.exe --certificate=$Certificate --private-key=$Key, --ca-certificate=$Root --post-file=$TempCSR --header="Content-Type:application/pkcs10" --no-check-certificate --output-document=$TempWGET "$AppServiceUrl/.well-known/est/simplereenroll" + # Invoke-WebRequest would be easiest option - but doesn't work due to nature of cmd + # Invoke-WebRequest -Certificate certificate-test.pfx -Body $Body -ContentType "application/pkcs10" -Credential "5hEgpuJQI5afsY158Ot5A87u" -Uri "$AppServiceUrl/.well-known/est/simplereenroll" -OutFile outfile.txt + # So use HTTPClient instead + $cert = New-Object X509Certificate2($CertificatePath, "TCR7Mq0Sw3XssyPmmtGIoBlk") + # write-host for debugging + Write-Host "Cert Has Private Key: $($cert.HasPrivateKey)" + + $handler = New-Object HttpClientHandler + $handler.ClientCertificates.Add($cert) + $handler.ClientCertificateOptions = [System.Net.Http.ClientCertificateOption]::Manual + + $client = New-Object HttpClient($handler) + $client.HttpClientHandler + $requestmessage = [System.Net.Http.HttpRequestMessage]::new() + $body = Get-Content $TempCSR + $requestmessage.Content = [System.Net.Http.StringContent]::new( + $body, + [System.Text.Encoding]::UTF8,"application/pkcs10" + ) + $requestmessage.Content.Headers.ContentType = "application/pkcs10" + $requestmessage.Method = 'POST' + $requestmessage.RequestUri = $url + $httpResponseMessage = $client.Send($requestmessage) + $responseContent = 
$httpResponseMessage.Content.ReadAsStringAsync().Result + Write-Output "-----BEGIN PKCS7-----" > "$TempP7B" - Get-Content $TempWGET >> "$TempP7B" + Write-Output $responseContent >> "$TempP7B" Write-Output "-----END PKCS7-----" >> "$TempP7B" - # Convert to UTF8? For some reason OpenSSL can't read the text format that PowerShell creates by default. - $MyRawString = Get-Content -Raw "$TempP7B" - $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False - [System.IO.File]::WriteAllLines("$TempP7B", $MyRawString, $Utf8NoBomEncoding) # Convert PKCS7 to PEM - openssl pkcs7 -print_certs -in "$TempP7B" -out "$TempPEM" - - # If certificates created successfuly, overwrite old certificates - if (-Not ([String]::IsNullOrWhiteSpace((Get-content $TempPEM)))) { - Copy-Item -Path $TempKEY -Destination $Key - Copy-Item -Path $TempPEM -Destination $Certificate - } else { - Write-Host "Renewal endpoint returned an error" - exit 1 - } + CertReq -accept $TempP7B } -RenewCertificateMTLS -Certificate "coolcert.pem" -Key "coolcert.key" -Root "scepman-root.pem" -AppServiceUrl "https://app-scepman-csz5hqanxf6cs.azurewebsites.net/" \ No newline at end of file +RenewCertificateMTLS -Certificate "C:\Users\BenGodwin\OneDrive - glueckkanja-gab\Desktop\scepclient\certificate-test.pfx" -AppServiceUrl "https://app-scepman-csz5hqanxf6cs.azurewebsites.net/" \ No newline at end of file
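Review bot: The PFX password is hard-coded in the new `$cert = New-Object X509Certificate2($CertificatePath, "TCR7Mq0Sw3XssyPmmtGIoBlk")` line, and a second credential-looking string survives in the commented-out Invoke-WebRequest line just above it, so both are now in repository history and should be treated as disclosed; take the password as a `[SecureString]` parameter instead (the `X509Certificate2(string, SecureString)` overload accepts it directly) and drop the commented-out line. The success check the old code had (`Renewal endpoint returned an error` / `exit 1`) was not carried over: `$client.Send($requestmessage)` is followed straight by wrapping the body in `-----BEGIN PKCS7-----` armor and `CertReq -accept`, so an error page from the endpoint would be handed to CertReq; `IsSuccessStatusCode` should be tested first. `$body = Get-Content $TempCSR` is also assigned twice — the first, before `CertReq -new`, reads the still-empty temp file — and without `-Raw` the second yields a string array that PowerShell joins with spaces when binding it to `StringContent`, which likely breaks the PEM line structure. The call site still passes `-Certificate` although the parameter was renamed to `$CertificatePath` (it resolves only through PowerShell's prefix matching), and the personal OneDrive path hard-coded there belongs in a script parameter rather than the source.
```powershell
Function RenewCertificateMTLS($CertificatePath, $AppServiceUrl, [System.Security.SecureString]$CertificatePassword) {
    # … unchanged: temp files, INF template, CertReq -new …
    $cert = New-Object X509Certificate2($CertificatePath, $CertificatePassword)
    # … unchanged: handler / client / request message setup …
    $body = Get-Content -Raw $TempCSR   # -Raw keeps the PEM line breaks intact
    # … unchanged: StringContent, method, RequestUri …
    $httpResponseMessage = $client.Send($requestmessage)
    $responseContent = $httpResponseMessage.Content.ReadAsStringAsync().Result
    if (-not $httpResponseMessage.IsSuccessStatusCode) {
        throw "Renewal endpoint returned $([int]$httpResponseMessage.StatusCode): $responseContent"
    }
    # … unchanged: PKCS7 armor, CertReq -accept …
```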