CSR pro Domain Controller certifikát (offline request)

Poslední dobou často vystavujeme základní certifikáty pro doménové řadiče na certifikačních autoritách které jsou v jiných AD forestech. Možná se někomu bude hodit PowerShell skript, který celý proces generování výrazně usnadní. Výsledná žádost neobsahuje GUID, nicméně to ve většině případů ani moc nevadí 🙂

####################################################################################################
######## This script generates CSR for DC certificate (signed by external CA).
######## Version 1.2 (2016-04-19)
######## Jan Zak (www.jan-zak.cz)
####################################################################################################

#Define variables

$ComputerName=(Get-WmiObject win32_computersystem).DNSHostName
$ComputerDomain=(Get-WmiObject win32_computersystem).Domain
$ComputerFQDN=(Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain
$DomainNetBIOSName=(Get-ADDomain).NetBIOSName
#$WorkDir=(Get-Location).Path 
$WorkDir=$Env:USERPROFILE + "\Desktop"
$CSRFilePath = $WorkDir + "\" + $ComputerName + ".csr"
$DCRequestINFFileName = $WorkDir + "\" + $ComputerName + ".inf"

Clear-Host

#Verify permissions for access to private keys
$myIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$wp = New-Object Security.Principal.WindowsPrincipal($myIdentity)
if (-not $wp.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
 Write-Host "This script requires administrative privileges, please re-launch with elevated credentials." -ForegroundColor Red -BackgroundColor Yellow
 Start-Sleep 20
 Exit
}


Write-Host "Collecting data for CSR:" -ForegroundColor Green

$CN=if(($result = Read-Host "Press enter to accept $ComputerFQDN as CN or specify a value: ") -eq '') {$ComputerFQDN} else {$result}
$SAN1=if(($result = Read-Host "Press enter to accept $CN as SAN1 or specify a value: ") -eq '') {$CN} else {$result}
$SAN2=if(($result = Read-Host "Press enter to accept $ComputerDomain as SAN2 or specify a value: ") -eq '') {$ComputerDomain} else {$result}
$SAN3=if(($result = Read-Host "Press enter to accept $DomainNetBIOSName as SAN3 or specify a value: ") -eq '') {$DomainNetBIOSName} else {$result}
Write-Host
Write-Host Values to build CSR: -ForegroundColor Green
Write-Host ==================== -ForegroundColor Green
Write-Host CN=$CN
Write-Host DNS=$SAN1
Write-Host DNS=$SAN2
Write-Host DNS=$SAN3
Write-Host
Write-Host Files are going to be stored in $WorkDir\ folder.

write-host -nonewline "Continue? (Y/N) " -ForegroundColor Yellow
$response = read-host
if ( $response -ne "Y" ) { exit }


# Build CSR file

Write-Host "Preparing Server Certificate Request File (CertReq.inf) for $ComputerName `r "

$DCRequestINFFileContent =
@"
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=$CN" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.
;EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
OID=1.3.6.1.5.2.3.5 ; KDC Authentication
OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon


[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=$SAN1&"
_continue_ = "dns=$SAN2&"
_continue_ = "dns=$SAN3&"


; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; SANs can be included in the Extensions section only by adding Base64-encoded text containing the alternative names in ASN.1 format.
; Use the provided script MakeSanExt.vbs to generate a SAN extension in this format.
; RMILNE – the below line is remmed out else we get an error since there are duplicate sections for OID 2.5.29.17
; 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ

[RequestAttributes]
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; and you are using a standalone CA, SANs can be included in the RequestAttributes
; section by using the following text format.
;”SAN="dns=not.server2008r2.com&dns=stillnot.server2008r2.com&dns=meh.2003server.com"
; Multiple alternative names must be separated by an ampersand (&).

;CertificateTemplate = WebServer ; Modify for your environment by using the LDAP common name of the template.

;Required only for enterprise CAs.
"@

Write-Host "Generating Certificate Request file... `r " -ForegroundColor DarkYellow
$DCRequestINFFileContent | out-file -filepath $DCRequestINFFileName -force
certreq -new $DCRequestINFFileName $CSRFilePath
Remove-Item $DCRequestINFFileName -Force

Write-Host "CSR fle created as $CSRFilePath. Use this file to request the DC's server certificate `r " -ForegroundColor Green
Start-Sleep 20
exit