param(
    # Fully qualified name of the cluster the machine certificate must be
    # valid for. When empty the script only creates/imports the CA and stops.
    [string]$clusterFqdn = '',
    # Cluster listener address; ends up in the certificate as an IP SAN.
    [string]$clusterIp = '',
    # Address of this machine; ends up in the certificate as an IP SAN.
    [string]$computerIp = ''
)
# msys2 bash used to drive openssl through the Bash helper below.
$bashPath = 'C:\tools\msys64\usr\bin\bash.exe'
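function Bash($script) {
    # Run $script with the msys2 bash found at $bashPath, feeding it over
    # stdin behind a small prelude:
    #   exec 2>&1   fold stderr into stdout, because PowerShell interleaves
    #               the two streams of a native command oddly;
    #   set -eu     stop at the first failing command or unset variable
    #               (see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin);
    #   PATH=...    prefer the msys2 /usr/bin tools over whatever Windows
    #               already has on PATH.
    # Throws when bash is missing or exits non-zero.
    #
    # Without the existence check a missing bash.exe is only a non-terminating
    # "not recognized" error under ErrorActionPreference=Continue and
    # $LASTEXITCODE is never set, so the failure would otherwise go unnoticed
    # until a later step trips over the missing output files.
    if (-not (Test-Path -LiteralPath $bashPath -PathType Leaf)) {
        throw "bash not found at $bashPath"
    }
    $eap = $ErrorActionPreference
    # native commands writing to stderr must not be promoted to PowerShell
    # errors; the exit code below is the authoritative failure signal.
    $ErrorActionPreference = 'Continue'
    try {
        Write-Output 'exec 2>&1;set -eu;export PATH="/usr/bin:$PATH"' $script | &$bashPath
        # no exit code at all means bash never ran; treat that as failure too.
        if ($null -eq $LASTEXITCODE -or $LASTEXITCODE -ne 0) {
            throw "bash execution failed with exit code $LASTEXITCODE"
        }
    } finally {
        $ErrorActionPreference = $eap
    }
}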
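# create a testing CA and a certificate for the current machine.
#
# NB: this CA is imported into LocalMachine\Root below, i.e. trusted by
# everything on this machine, and its private key is written to the vagrant
# shared folder (c:\vagrant\tmp\ca). Anything that can read that folder can
# mint certificates this machine trusts. Acceptable for a throw-away test VM,
# not for anything else.
$ca_file_name = 'example-ca'
$ca_common_name = 'Example CA'
# NB: $ca_file_name, $ca_common_name and $(5*365) are expanded by PowerShell
# before bash ever sees the script.
Bash @"
mkdir -p /c/vagrant/tmp/ca
cd /c/vagrant/tmp/ca
# see https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html
# create CA certificate. skipped when one already exists so that
# re-provisioning keeps the CA this machine already trusts.
if [ ! -f $ca_file_name-crt.pem ]; then
    openssl genrsa \
        -out $ca_file_name-key.pem \
        2048 \
        2>/dev/null
    # NB: an msys2 chmod does not necessarily translate into a Windows ACL on
    # a shared folder; do not rely on it to protect the key.
    chmod 400 $ca_file_name-key.pem
    openssl req -new \
        -sha256 \
        -subj "/CN=$ca_common_name" \
        -key $ca_file_name-key.pem \
        -out $ca_file_name-csr.pem
    # pathlen:0 - this CA may issue end-entity certificates only, no sub-CAs.
    openssl x509 -req -sha256 \
        -signkey $ca_file_name-key.pem \
        -extensions a \
        -extfile <(echo "[a]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
") \
        -days $(5*365) \
        -in $ca_file_name-csr.pem \
        -out $ca_file_name-crt.pem
    # dump the certificate contents (for logging purposes).
    #openssl x509 -noout -text -in $ca_file_name-crt.pem
fi
# always (re)derive the DER form that Import-Certificate consumes, so a run
# that finds an existing PEM but no DER (e.g. an interrupted earlier run)
# still succeeds. the conversion is deterministic, so this is idempotent.
openssl x509 \
    -in $ca_file_name-crt.pem \
    -outform der \
    -out $ca_file_name-crt.der
"@
Write-Host "Importing $ca_file_name CA..."
# Root store: the CA becomes trusted machine-wide (see the note at the top).
Import-Certificate `
    -FilePath "c:\vagrant\tmp\ca\$ca_file_name-crt.der" `
    -CertStoreLocation Cert:\LocalMachine\Root `
    | Out-Null
# if we do not have a cluster fqdn, just bail. the intent was to just create
# and import the CA.
if (!$clusterFqdn) {
    Exit 0
}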
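# create a certificate for the current machine.
$domain = $env:COMPUTERNAME
$ip = $computerIp
$clusterDomain = $clusterFqdn.ToLowerInvariant()
$clusterHostname = ($clusterFqdn -split '\.')[0].ToUpperInvariant()
# the parameters are spliced verbatim into the bash script and into the
# openssl extension file below, so accept only plain DNS names and IP
# addresses: anything else (quotes, semicolons, newlines, ...) would change
# what bash or openssl executes instead of ending up in the certificate.
if ($clusterDomain -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$') {
    throw "clusterFqdn is not a valid DNS name: $clusterFqdn"
}
foreach ($candidate in @($clusterIp, $ip)) {
    if ($candidate -and ($candidate -notmatch '^[0-9A-Fa-f.:]+$' -or -not ($candidate -as [ipaddress]))) {
        throw "not a valid IP address: $candidate"
    }
}
# subjectAltName entries, in the same order as before. the IP entries are
# only added when an address was actually given: openssl does not accept an
# empty "IP:" entry, so a missing -clusterIp/-computerIp used to fail the
# whole run inside bash with an unhelpful error.
$sans = @("DNS:$clusterDomain", "DNS:$clusterHostname")
if ($clusterIp) { $sans += "IP:$clusterIp" }
$sans += "DNS:$domain"
if ($ip) { $sans += "IP:$ip" }
$subjectAltName = $sans -join ','
# NB: $domain, $ca_file_name, $subjectAltName and $(5*365) are expanded by
# PowerShell before bash sees the script.
Bash @"
mkdir -p /c/vagrant/tmp/ca
cd /c/vagrant/tmp/ca
# see https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html
# create a server certificate that is usable by SQL Server.
# skipped when one already exists so re-provisioning keeps the same key.
if [ ! -f $domain-crt.pem ]; then
    openssl genrsa \
        -out $domain-key.pem \
        2048 \
        2>/dev/null
    # NB: an msys2 chmod does not necessarily translate into a Windows ACL on
    # a shared folder; do not rely on it to protect the key.
    chmod 400 $domain-key.pem
    openssl req -new \
        -sha256 \
        -subj "/CN=$domain" \
        -key $domain-key.pem \
        -out $domain-csr.pem
    # the SAN list is built above; clients match on SAN, not on the CN.
    openssl x509 -req -sha256 \
        -CA $ca_file_name-crt.pem \
        -CAkey $ca_file_name-key.pem \
        -CAcreateserial \
        -extensions a \
        -extfile <(echo "[a]
subjectAltName=$subjectAltName
extendedKeyUsage=critical,serverAuth
") \
        -days $(5*365) \
        -in $domain-csr.pem \
        -out $domain-crt.pem
    # dump the certificate contents (for logging purposes).
    #openssl x509 -noout -text -in $domain-crt.pem
fi
# always (re)build the PFX that Import-PfxCertificate consumes, so a run that
# finds an existing PEM pair but no .p12 still succeeds.
# -keyex: store the key as an exchange key, presumably what the "usable by
#         SQL Server" comment above is after (TODO confirm against the SQL
#         Server certificate requirements).
# -certfile repeats the leaf rather than adding the CA; the issuer is
#         expected to be trusted through the Root import done earlier.
# -passout pass: leaves the PFX, and hence the private key, unprotected on
#         the shared folder. fine for a throw-away test VM only.
openssl pkcs12 -export \
    -keyex \
    -inkey $domain-key.pem \
    -in $domain-crt.pem \
    -certfile $domain-crt.pem \
    -passout pass: \
    -out $domain-key.p12
#openssl pkcs12 -info -nodes -passin pass: -in $domain-key.p12
"@
Write-Host "Importing $domain p12..."
# -Exportable lets the private key be exported from the store again later;
# convenient for testing, but tighten this before reusing the script elsewhere.
Import-PfxCertificate `
    -FilePath "c:\vagrant\tmp\ca\$domain-key.p12" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $null `
    -Exportable `
    | Out-Null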