Generate-LogonCertificate.ps1
<#
Disclaimer (By BasW): This script is not created by Bas Wijdenes but by his dear colleague Maurice Lok-hin. The true scripting god ;-)
This script generates a self-signed certificate which we can use to logon to AzureAD
The script takes a certificate name as input and the folder where the .pfx and .cer files should be saved.
The pfx contains the private key and is used on the "client" (Azure Automation) to authenticate.
The cer file only contains the public key and should be uploaded to the app in AzureAD.
Parameters:
- CertificateName: The name/subject of the certificate
- OutputFolder: the folder where the .pfx and .cer files are stored
- ExportPassword: the password set on the pfx file
- ValidityInYears: how long the certificate is valid (defaults to 2 years)
#>
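function Generate-LogonCertificate
{
    <#
    .SYNOPSIS
    Generates a self-signed certificate for certificate-based logon to Azure AD and exports it as a .pfx and a .cer file.

    .DESCRIPTION
    Creates a 2048-bit RSA self-signed certificate in Cert:\LocalMachine\My with New-SelfSignedCertificate, then writes
    <CertificateName>.pfx (private key, protected with ExportPassword) and <CertificateName>.cer (public certificate only)
    into OutputFolder. The .pfx is used by the client that authenticates (e.g. Azure Automation); the .cer is what gets
    uploaded to the application in Azure AD.

    The certificate is NOT removed from Cert:\LocalMachine\My by this function, and its private key is created as
    Exportable. Remove it from the store (Remove-Item on the returned object's PSPath) once the .pfx is in place and the
    store copy is no longer needed.

    .PARAMETER CertificateName
    Used as the CN of the certificate subject and as the base file name of the exported files.

    .PARAMETER OutputFolder
    Existing folder that receives <CertificateName>.pfx and <CertificateName>.cer. Resolved against the PowerShell
    current location, not the process working directory.

    .PARAMETER ExportPassword
    Password that protects the private key in the .pfx file. It is a plain string parameter, so it is visible in command
    history and transcripts; supply it from a secure source at the call site.

    .PARAMETER ValidityInYears
    Lifetime of the certificate in years, counted from now. Must be at least 1; defaults to 2.

    .OUTPUTS
    System.Security.Cryptography.X509Certificates.X509Certificate2 - the certificate as stored in Cert:\LocalMachine\My.

    .NOTES
    Creating a certificate in Cert:\LocalMachine\My normally requires an elevated session. Treat the .pfx as a secret:
    restrict its ACL and delete it once it has been imported where it is needed.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true,Position=0)]
        [string]$CertificateName,
        [Parameter(Mandatory=$true,Position=1)]
        [string]$OutputFolder,
        [Parameter(Mandatory=$true,Position=2)]
        [string]$ExportPassword,
        [Parameter(Mandatory=$false,Position=3)]
        [ValidateRange(1, [int]::MaxValue)]
        [int]$ValidityInYears = 2
    )
    begin {
        # Resolve the folder up front: .NET file APIs resolve relative paths against the process working directory,
        # which is not necessarily the PowerShell current location. Doing it here also fails fast (before anything is
        # created in the certificate store) when the folder does not exist.
        $ResolvedFolder = (Resolve-Path -LiteralPath $OutputFolder -ErrorAction Stop).ProviderPath
        $PfxPath = Join-Path -Path $ResolvedFolder -ChildPath "$($CertificateName).pfx"
        $CerPath = Join-Path -Path $ResolvedFolder -ChildPath "$($CertificateName).cer"

        # Take one timestamp so NotBefore and NotAfter are exactly ValidityInYears apart
        $Now = [datetime]::Now
        # Set the certificate parameters
        $CertificateParameters = @{
            # CertificateSubject. NOTE(review): C= is conventionally a two-letter ISO 3166 code (NL); confirm this value is accepted/intended.
            Subject = "CN=$($CertificateName),C=Netherlands,L=Heerhugowaard"
            CertStoreLocation = 'Cert:\localmachine\My' # Temporary store location; the certificate stays here until the caller removes it
            KeyAlgorithm = 'RSA' # Algorithm
            KeyLength = 2048 # Length of private key
            KeyExportPolicy = 'Exportable' # Needed so the private key can be written into the .pfx
            KeyProtection = 'None'
            Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider' # use this provider so we can use the private key
            NotBefore = $Now
            NotAfter = $Now.AddYears($ValidityInYears)
        }
    }
    process {
        # Generate the certificate
        $NewCertificate = New-SelfSignedCertificate @CertificateParameters
        $PfxBytes = $null
        try {
            # Generate byte arrays for the pfx and cer files; the .pfx holds the private key, the .cer only the public certificate
            $PfxBytes = $NewCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,$ExportPassword)
            $CerBytes = $NewCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            # WriteAllBytes opens, writes and closes the file in one call, so no handle is left open if Export or the write throws
            [System.IO.File]::WriteAllBytes($PfxPath, $PfxBytes)
            [System.IO.File]::WriteAllBytes($CerPath, $CerBytes)
        }
        finally {
            # Overwrite the private key material instead of only dropping the reference: the garbage collector does not
            # zero memory, so `$PfxBytes = $null` plus [gc]::Collect() left the key bytes readable until the memory was reused
            if ($null -ne $PfxBytes) {
                [System.Array]::Clear($PfxBytes, 0, $PfxBytes.Length)
                $PfxBytes = $null
            }
        }
        return $NewCertificate
    }
}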