Tyler/New-SanCertificate
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Initial Commit

Browse source
This commit is contained in:
Tyler Hale 2022-07-15 12:33:42 -06:00
parent 0bf4016a36
commit fa6e6f9116
Signed by: Tyler
GPG key ID: C7CC4B910D88EF96
3 changed files with 141 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
New-SanCertificate.cmd Normal file
View file

@ -0,0 +1,4 @@
@echo OFF
cd "%~dp0"
PowerShell.exe -ExecutionPolicy ByPass -File "%~dp0New-SanCertificate.ps1"
pause

125
New-SanCertificate.ps1 Normal file
View file

@ -0,0 +1,125 @@
<#
.SYNOPSIS
Generates a self-signed certificate to be used by IIS for HTTPS communications
.DESCRIPTION
Generates a SAN self-signed certificate to be used by IIS for HTTPS communications.
The certificate will be automatically trusted by the local machine and assigned to the HTTPS binding of IIS for the default site.
The certificate by default will include the following items in the SAN for the cert:
Hostname
Short hostname limited to 15 characters
localhost
All IPv4 addresses
.PARAMETER IpAddress
IP Addresses to include in the Certificate. If not provided, the script will gather IPv4 addresses
.PARAMETER AdditionalDnsNames
Specifies additional DNS names that should be added to the certificate
.PARAMETER Validity
Defines the validity of the certificate in years. Defaults to 15 years
.NOTES
Version: 1.0
Author: Tyler Hale
Creation Date: 2022.07.15
#>
[CmdletBinding()]
param (
[Parameter(Mandatory = $false)]
[ValidateScript({foreach ($IP in $_) {[ipaddress]$IP}})]
[string[]]
$IpAddress = ((Get-NetIPAddress -AddressFamily IPv4 -Type Unicast -AddressState Preferred).IPAddress),
[Parameter(Mandatory=$false)]
[ValidateNotNullOrEmpty()]
[string[]]
$AdditionalDnsNames,
[Parameter(Mandatory=$false)]
[ValidateNotNullOrEmpty()]
[int]
$Validity = 15
)
############################################### [Script Settings] ################################################
$Hostname = $Env:COMPUTERNAME
$CertParameters = @{
"Subject" = $Hostname
"NotAfter" = (Get-Date).AddYears($Validity)
"KeyExportPolicy" = "NonExportable"
"KeySpec" = "KeyExchange"
"KeyUsage" = "DigitalSignature","KeyEncipherment"
"CertStoreLocation" = "cert:\LocalMachine\My"
}
############################################# [Internal Processing] ##############################################
# Stop if not running as an admin
If (!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Error "Not running as an admin. Please relaunch running as an admin."
pause
exit
}
# Account for incompatibility for hostnames longer than 15 characters
if ($Hostname.Length -gt 15) {
Write-Verbose "Applying fixes for hostname length"
$ShortHostname = $Hostname.Substring(0,15)
$HostString = "127.0.0.1 $ShortHostname"
}
# Setup SAN text extension for the cert request
$TextExtension = "2.5.29.17={text}DNS=$Hostname&DNS=localhost"
# Add Compatibility hostname if defined to SAN
if ($null -ne $ShortHostname) {$TextExtension += "&DNS=$ShortHostname"}
# Add custom DNS names to SAN
if ($null -ne $DnsName) {foreach ($Name in $DnsName) {$TextExtension += "&DNS=$Name"}}
# Add IP Addresses to SAN
foreach ($Ip in $IpAddress) {$TextExtension += "&IPAddress=$Ip"}
if ($IpAddress -notcontains "127.0.0.1") {$TextExtension += "&IPAddress=127.0.0.1"}
# Add final text extension to cert request
$CertParameters['TextExtension'] = @($TextExtension)
################################################## [Execution] ###################################################
# Add hosts entry for short hostname if needed
if ($null,'' -ne $ShortHostname) {
if ((Get-Content "C:\Windows\System32\drivers\etc\hosts") -notcontains $HostString) {
Write-Verbose "Adding hosts entry"
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value $HostString
}
}
# Generate certificate
$GeneratedCert = New-SelfSignedCertificate @CertParameters
# Export certificate
$ExportedCert = $GeneratedCert | Export-Certificate -FilePath "$(Get-Item .\ | Select-Object -ExpandProperty FullName)\$Hostname`_$(Get-Date -Format yyyy-MM-dd_HH.mm.ss).cer"
Write-Host "Certificate exported to $($ExportedCert.FullName)`nYou will need to import the cert to the Local Machine - Trusted Root Certificate Authority on external clients that need to connect to this machine`n"
# Add certificate to trusted root CA
Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -FilePath $ExportedCert.FullName | Out-Null
if (Get-Command -Name "Get-WebBinding" -ErrorAction SilentlyContinue) {
# Setup https binding if it is not configured
if ($null -eq (Get-WebBinding -Name "Default Web Site" -Protocol "https")) {
Write-Verbose "Creating IIS Binding on Default Web Site"
New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol "https"
}
# Assign to IIS Binding
(Get-WebBinding -Name "Default Web Site" -Port 443 -Protocol "https").AddSslCertificate($GeneratedCert.Thumbprint, "my")
}
else {
Write-Warning "IIS not installed so the binding was not configured`n"
}

18
README.md
View file

@ -2,19 +2,25 @@
Generates a self-signed certificate to be used by IIS for HTTPS communications
## Requirements
- Must be running as an admin
- IIS must be installed for it to set the binding on the Default site
## Variables
| Variable | Required | Default | Choices | Description |
| -------- | -------- | ------- | ------- | ----------- |
| | | | | |
| Variable | Required | Default | Choices | Description |
| ------------------ | -------- | ---------------------------- | ------- | ---------------------------------------------------------------------- |
| IpAddress | No | IPv4 addresses of the system | | IP Addresses to include in the Certificate |
| AdditionalDnsNames | No | | | Specifies additional DNS names that should be added to the certificate |
| Validity | No | 15 | | Defines the validity of the certificate in years |
## Example
```powershell
.\New-SanCertificate.ps1
```
## License
See LICENSE file for full license information.
## Screenshots