使用PowerShell更新证书
问题描述:
我正在尝试续订即将到期的证书(在本地计算机上)。我知道要手动执行此操作,但我无法找到使用Powershell执行此操作的方法。我查了PKIPS和QAD,但他们似乎没有任何有关更新证书的cmdlet。任何人都可以指向任何其他实现此任务的库吗?使用PowerShell更新证书
答
这是我用来续订从Active Directory模板生成的证书的功能。
function Renew-Certificate {
[CmdletBinding()]
Param([Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Thumbprint,
[Parameter(Mandatory=$false, ValueFromPipeline=$false)] [switch]$MachineStore)
Process {
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx
#X509CertificateEnrollmentContext
$ContextUser =0x1
$ContextMachine =0x2
$ContextAdministratorForceMachine=0x3
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
#EncodingType
$XCN_CRYPT_STRING_BASE64HEADER =0
$XCN_CRYPT_STRING_BASE64 =0x1
$XCN_CRYPT_STRING_BINARY =0x2
$XCN_CRYPT_STRING_BASE64REQUESTHEADER=0x3
$XCN_CRYPT_STRING_HEX =0x4
$XCN_CRYPT_STRING_HEXASCII =0x5
$XCN_CRYPT_STRING_BASE64_ANY =0x6
$XCN_CRYPT_STRING_ANY =0x7
$XCN_CRYPT_STRING_HEX_ANY =0x8
$XCN_CRYPT_STRING_BASE64X509CRLHEADER=0x9
$XCN_CRYPT_STRING_HEXADDR =0xa
$XCN_CRYPT_STRING_HEXASCIIADDR =0xb
$XCN_CRYPT_STRING_HEXRAW =0xc
$XCN_CRYPT_STRING_NOCRLF =0x40000000
$XCN_CRYPT_STRING_NOCR =0x80000000
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379430(v=vs.85).aspx
#X509RequestInheritOptions
$InheritDefault =0x00000000
$InheritNewDefaultKey =0x00000001
$InheritNewSimilarKey =0x00000002
$InheritPrivateKey =0x00000003
$InheritPublicKey =0x00000004
$InheritKeyMask =0x0000000f
$InheritNone =0x00000010
$InheritRenewalCertificateFlag=0x00000020
$InheritTemplateFlag =0x00000040
$InheritSubjectFlag =0x00000080
$InheritExtensionsFlag =0x00000100
$InheritSubjectAltNameFlag =0x00000200
$InheritValidityPeriodFlag =0x00000400
$X509RequestInheritOptions=$InheritDefault+$InheritRenewalCertificateFlag+$InheritTemplateFlag
if ($MachineStore.IsPresent) {
$Path="Cert:\LocalMachine\My\$Thumbprint"
$Context=$ContextAdministratorForceMachine
}
else {
$Path="Cert:\CurrentUser\My\$Thumbprint"
$Context=$ContextUser
}
$Cert=Get-Item -Path $Path
$PKCS10=New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$PKCS10.Silent=$true
$PKCS10.InitializeFromCertificate($Context,[System.Convert]::ToBase64String($Cert.RawData), $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
$PKCS10.AlternateSignatureAlgorithm=$false
$PKCS10.SmimeCapabilities=$false
$PKCS10.SuppressDefaults=$true
$PKCS10.Encode()
#OK=$InheritTemplateFlag+$InheritNewSimilarKey
#OK=$InheritSubjectFlag+$InheritTemplateFlag+$InheritNewSimilarKey
#OK=$InheritDefault+$InheritRenewalCertificateFlag+$InheritTemplateFlag
#BAD=$InheritNewSimilarKey+$InheritRenewalCertificateFlag
#BAD=$InheritDefault+$InheritRenewalCertificateFlag (Template required)
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa377809(v=vs.85).aspx
$Enroll=New-Object -ComObject X509Enrollment.CX509Enrollment
$Enroll.InitializeFromRequest($PKCS10)
Write-Verbose "Renewing..."
$Error.Clear()
Try { $Enroll.Enroll() }
Catch {
Write-Verbose "Unable to renew"
$Errors=$Error.Clone()
$Errors | ForEach-Object { Write-Error $_.Exception.Message }
$result="0"
}
if ($Error.Count -eq 0) {
$Cert=New-Object Security.Cryptography.X509Certificates.X509Certificate2
$Cert.Import([System.Convert]::FromBase64String($Enroll.Certificate(1)))
$result=$Cert.Thumbprint
Write-Verbose "New Thumbprint is $result"
}
$result
}
}
PKIPS似乎有用于处理证书请求和从它们发出的证书的cmdlet。您是否尝试使用ADCS或商业/第三方CA? – briantist 2014-10-08 03:01:19
是的,我正在与ADCS合作。我正在寻找这样的东西http://geekswithblogs.net/shaunxu/archive/2012/01/13/working-with-active-directory-certificate-service-via-c.aspx但使用Powershell – Sridhar 2014-10-08 04:08:14
如果你有Windows 8 - http://technet.microsoft.com/en-us/library/hh848632.aspx,如果没有certenroll API - http://blogs.msdn.com/b/alejacma/archive/2009/01/28 /how-to-create-a-certificate-request-with-certenroll-javascript.aspx – 2014-10-08 07:11:04