How can I create and install a domain signed certificate in IIS using PowerShell?
Solution 1:
Try the following:
function New-DomainSignedCertificate {
[CmdletBinding()]
param(
[parameter(Mandatory=$true)]
[string]
$Hostname,
[parameter(Mandatory=$true)]
[string]
$Organization,
[parameter(Mandatory=$true)]
[string]
$OrganizationalUnit,
[parameter(Mandatory=$true)]
[string]
$Locality,
[parameter(Mandatory=$true)]
[string]
$State,
[parameter(Mandatory=$true)]
[string]
$Country,
[parameter(Mandatory=$true)]
[string]
$CertificateAuthority,
[parameter(Mandatory=$false)]
[string]
$Keylength = "2048",
[string]
$workdir = $env:Temp
)
$fileBaseName = $Hostname -replace "\.", "_"
$fileBaseName = $fileBaseName -replace "\*", ""
$infFile = $workdir + "\" + $fileBaseName + ".inf"
$requestFile = $workdir + "\" + $fileBaseName + ".req"
$CertFileOut = $workdir + "\" + $fileBaseName + ".cer"
Try {
Write-Verbose "Creating the certificate request information file ..."
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$Hostname, OU=$OrganizationalUnit, O=$Organization, L=$Locality, S=$State, C=$Country"
KeySpec = 1
KeyLength = $Keylength
Exportable = TRUE
FriendlyName = "$Hostname"
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@
$inf | Set-Content -Path $infFile
Write-Verbose "Creating the certificate request ..."
& certreq.exe -new "$infFile" "$requestFile"
Write-Verbose "Submitting the certificate request to the certificate authority ..."
& certreq.exe -submit -config "$CertificateAuthority" -attrib "CertificateTemplate:WebServer" "$requestFile" "$CertFileOut"
if (Test-Path "$CertFileOut") {
Write-Verbose "Installing the generated certificate ..."
& certreq.exe -accept "$CertFileOut"
}
}
Finally {
Get-ChildItem "$workdir\$fileBaseName.*" | remove-item
}
}
It basically just uses certreg.exe rather than native PowerShell cmdlets, (I'm not sure they exists, and if they do, there are usually not on older OSes).
The request details are in the here string, fix the subject and other settings if you need to. You may want to move more values up into the parameters section.
I create an inf file for the new request and convert it into a request file.
Then I submit the request to the CA specified in $CAName, if the executing user is a domain admin, the request is issued right away.
Finally I complete the request with -accept and do some cleanup.
I usually also export the new certificate into a PFX file.
for the IIS binding and certificate assignment you can use something like this:
New-WebBinding -Name www.test.local -Port 443 -Protocol https
$thumb = (Get-ChildItem cert:\LocalMachine\MY | where-object { $_.FriendlyName -like "www.test.local" } | Select-Object -First 1).Thumbprint
$guid = [guid]::NewGuid()
& netsh http add sslcert hostnameport=www.test.local:443 certhash=$thumb appid=`{$guid`} certstorename=MY