Poslední dobou často vystavujeme základní certifikáty pro doménové řadiče na certifikačních autoritách které jsou v jiných AD forestech. Možná se někomu bude hodit PowerShell skript, který celý proces generování výrazně usnadní. Výsledná žádost neobsahuje GUID, nicméně to ve většině případů ani moc nevadí 🙂
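####################################################################################################
######## This script generates CSR for DC certificate (signed by external CA).
######## Version 1.2 (2016-04-19)
######## Jan Zak (www.jan-zak.cz)
####################################################################################################
# Purpose: collect CN/SAN values for this domain controller, write a temporary CertReq.inf and run
# certreq.exe to produce a PKCS#10 request (.csr) in the user's Desktop folder. The private key is
# generated into the machine store (MachineKeySet = True); only the request file lands on disk.
#
# Requirements: elevated PowerShell, the ActiveDirectory module (Get-ADDomain) and certreq.exe.

# --- Define variables ------------------------------------------------------------------------------
# Query WMI once; DNSHostName, Domain and the FQDN all come from the same object.
$ComputerSystem    = Get-WmiObject win32_computersystem
$ComputerName      = $ComputerSystem.DNSHostName
$ComputerDomain    = $ComputerSystem.Domain
$ComputerFQDN      = "$ComputerName.$ComputerDomain"
$DomainNetBIOSName = (Get-ADDomain).NetBIOSName

# Request parameters written into the INF below.
# Exportable = TRUE allows the DC's private key to be exported from the machine store later;
# set it to FALSE unless key backup/migration is genuinely required for this host.
$KeyLength     = 2048   # Valid key sizes: 1024, 2048, 4096, 8192, 16384
$KeyExportable = "TRUE" # TRUE = Private key is exportable

#$WorkDir = (Get-Location).Path
$WorkDir              = Join-Path $Env:USERPROFILE "Desktop"
$CSRFilePath          = Join-Path $WorkDir "$ComputerName.csr"
$DCRequestINFFileName = Join-Path $WorkDir "$ComputerName.inf"

Clear-Host

# --- Verify permissions for access to private keys -------------------------------------------------
# certreq -new with MachineKeySet = True creates the key in the machine store, which needs elevation.
$myIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$wp = New-Object Security.Principal.WindowsPrincipal($myIdentity)
if (-not $wp.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Write-Host "This script requires administrative privileges, please re-launch with elevated credentials." -ForegroundColor Red -BackgroundColor Yellow
    Start-Sleep 20
    # Non-zero exit so a calling process can tell the request was not generated.
    Exit 1
}

# Prompt for one request value; an empty answer (plain Enter) keeps $Default.
function Read-ValueOrDefault {
    param([string]$Prompt, [string]$Default)
    $result = Read-Host "Press enter to accept $Default as $Prompt or specify a value: "
    if ($result -eq '') { return $Default }
    return $result
}

# --- Collect CN and SANs ----------------------------------------------------------------------------
Write-Host "Collecting data for CSR:" -ForegroundColor Green
$CN   = Read-ValueOrDefault -Prompt "CN"   -Default $ComputerFQDN
$SAN1 = Read-ValueOrDefault -Prompt "SAN1" -Default $CN
$SAN2 = Read-ValueOrDefault -Prompt "SAN2" -Default $ComputerDomain
$SAN3 = Read-ValueOrDefault -Prompt "SAN3" -Default $DomainNetBIOSName

Write-Host
Write-Host "Values to build CSR:" -ForegroundColor Green
Write-Host "====================" -ForegroundColor Green
Write-Host "CN=$CN"
Write-Host "DNS=$SAN1"
Write-Host "DNS=$SAN2"
Write-Host "DNS=$SAN3"
Write-Host
Write-Host "Files are going to be stored in $WorkDir\ folder."
Write-Host -NoNewline "Continue? (Y/N) " -ForegroundColor Yellow
$response = Read-Host
# String comparison is case-insensitive by default, so "y" is accepted as well.
if ($response -ne "Y") { exit }

# --- Build CSR file ---------------------------------------------------------------------------------
Write-Host "Preparing Server Certificate Request File (CertReq.inf) for $ComputerName `r "
# This is an expandable here-string: literal dollar signs in the [Version] signature must be
# backtick-escaped, otherwise "$Windows" is expanded as an (empty) variable and the signature breaks.
$DCRequestINFFileContent = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CN" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
;If you are using another protocol, verify the certificate requirements.
;EncipherOnly = FALSE ; Only for Windows Server 2003 and Windows XP. Remove for all other client operating system versions.
Exportable = $KeyExportable ; TRUE = Private key is exportable
KeyLength = $KeyLength ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.

[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
OID=1.3.6.1.5.2.3.5 ; KDC Authentication
OID=1.3.6.1.4.1.311.20.2.2 ; Smart Card Logon

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=$SAN1&"
_continue_ = "dns=$SAN2&"
_continue_ = "dns=$SAN3&"

; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; SANs can be included in the Extensions section only by adding Base64-encoded text containing the alternative names in ASN.1 format.
; Use the provided script MakeSanExt.vbs to generate a SAN extension in this format.
; RMILNE – the below line is remmed out else we get an error since there are duplicate sections for OID 2.5.29.17
; 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ

[RequestAttributes]
; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
; and you are using a standalone CA, SANs can be included in the RequestAttributes
; section by using the following text format.
;”SAN="dns=not.server2008r2.com&dns=stillnot.server2008r2.com&dns=meh.2003server.com"
; Multiple alternative names must be separated by an ampersand (&).
;CertificateTemplate = WebServer ; Modify for your environment by using the LDAP common name of the template.
;Required only for enterprise CAs.
"@

Write-Host "Generating Certificate Request file... `r " -ForegroundColor DarkYellow
$DCRequestINFFileContent | Out-File -FilePath $DCRequestINFFileName -Force

try {
    certreq -new $DCRequestINFFileName $CSRFilePath
    $certreqExit = $LASTEXITCODE
} finally {
    # The INF contains no secrets (the key stays in the machine store), but clean it up on every path.
    Remove-Item $DCRequestINFFileName -Force
}

# certreq reports failures (bad INF, provider/key errors) through its exit code; do not claim success then.
if ($certreqExit -ne 0) {
    Write-Host "certreq failed with exit code $certreqExit; no CSR was created." -ForegroundColor Red
    Start-Sleep 20
    exit $certreqExit
}

Write-Host "CSR file created as $CSRFilePath.
Use this file to request the DC's server certificate `r " -ForegroundColor Green
Start-Sleep 20
exit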