-
-
Save brootware/02fd95592197f1e007027ee3506dad37 to your computer and use it in GitHub Desktop.
| param ( | |
| [string]$CSRPath, | |
| [string]$SignedCertificatePath = "${CSRPath.Replace('.req', '.cer')}" | |
| ) | |
| # Create a new certificate request | |
| $Subject = Read-Host "Enter the subject name for the certificate (e.g. CN=www.example.com)" | |
| $KeyLength = Read-Host "Enter the key length (e.g. 2048)" | |
| $Algorithm = Read-Host "Enter the signature algorithm (e.g. SHA256)" | |
| $CertificateRequest = New-CertificateRequest -Subject $Subject -KeyLength $KeyLength -KeyAlgorithm $Algorithm -HashAlgorithm $Algorithm -Path $CSRPath | |
| # Submit the certificate request to the CA | |
| Submit-CertificateRequest -CertificateRequest $CertificateRequest -CAConfig "StandAloneRootCA" | |
| # Retrieve the pending certificate request | |
| $PendingRequest = Get-PendingRequest | Where-Object {$_.CertificateRequest -eq $CertificateRequest} | |
| # Approve the pending certificate request | |
| Approve-CertificateRequest -RequestId $PendingRequest.RequestId | |
| # Retrieve the issued certificate | |
| $IssuedCertificate = Get-IssuedRequest -RequestId $PendingRequest.RequestId | |
| Export-Certificate -Cert $IssuedCertificate -FilePath $SignedCertificatePath | |
| # .\SignCSR.ps1 -TemplateName "Web Server" -CSRPath "C:\temp\webserver.req" | |
| # Note: This script assumes that the CA is a standalone root CA, and that the CertificateAuthority module is installed. If you are using a # different type of CA or do not have the module installed, you may need to make adjustments to the script. |
| param ( | |
| [string]$Domain = $(Throw "Error: No domain name argument provided. Usage: Provide a domain name as an argument.") | |
| ) | |
| $DOMAIN = $Domain | |
| # Create root CA & Private key | |
| $CreateRootCA = "openssl req -x509 -sha256 -days 356 -nodes -newkey rsa:2048 -subj `"/CN=$DOMAIN/C=US/L=San Fransisco`" -keyout rootCA.key -out rootCA.crt" | |
| Invoke-Expression $CreateRootCA | |
| # Generate Private key | |
| $CreatePrivateKey = "openssl genrsa -out $DOMAIN.key 2048" | |
| Invoke-Expression $CreatePrivateKey | |
| # Create csr conf | |
| $CsrConf = @" | |
| [ req ] | |
| default_bits = 2048 | |
| prompt = no | |
| default_md = sha256 | |
| req_extensions = req_ext | |
| distinguished_name = dn | |
| [ dn ] | |
| C = US | |
| ST = California | |
| L = San Fransisco | |
| O = MLopsHub | |
| OU = MlopsHub Dev | |
| CN = $DOMAIN | |
| [ req_ext ] | |
| subjectAltName = @alt_names | |
| [ alt_names ] | |
| DNS.1 = $DOMAIN | |
| DNS.2 = www.$DOMAIN | |
| IP.1 = 192.168.1.5 | |
| IP.2 = 192.168.1.6 | |
| "@ | |
| Set-Content -Path csr.conf -Value $CsrConf | |
| # create CSR request using private key | |
| $CreateCsr = "openssl req -new -key $DOMAIN.key -out $DOMAIN.csr -config csr.conf" | |
| Invoke-Expression $CreateCsr | |
| # Create a external config file for the certificate | |
| $CertConf = @" | |
| authorityKeyIdentifier=keyid,issuer | |
| basicConstraints=CA:FALSE | |
| keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment | |
| subjectAltName = @alt_names | |
| [alt_names] | |
| DNS.1 = $DOMAIN | |
| "@ | |
| Set-Content -Path cert.conf -Value $CertConf | |
| # Create SSl with self signed CA | |
| $CreateSSL = "openssl x509 -req -in $DOMAIN.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out $DOMAIN.crt -days 365 -sha256 -extfile cert.conf" | |
| Invoke-Expression $CreateSSL |
The steps for installing a server certificate and the CA certificate on a Linux server typically involve the following steps:
Copy the server certificate and the CA certificate to the server node. You can use SCP or FTP to transfer the files.
Store the certificates in the appropriate location, typically in /etc/ssl/certs/ or /usr/local/share/ca-certificates/.
Update the trusted certificate store of the system. You can do this by running the update-ca-certificates command as root.
Restart the server or the service that will use the certificate.
The exact steps may vary depending on the Linux distribution you are using and the service that will use the certificate. For example, Apache web server uses its own certificate store and the steps for installing a certificate in Apache will be different from the steps for installing a certificate in OpenSSL.
Installing a server certificate and a CA certificate on a Windows Server typically involves the following steps:
Copy the certificate and CA certificate files to the Windows Server.
Open the Microsoft Management Console (MMC) on the Windows Server.
Click on File and then click on Add/Remove Snap-in.
Select the Certificates Snap-in and click on Add.
Choose Computer account and click Next.
Choose Local computer and click Finish.
Click OK to close the Add/Remove Snap-in window.
Expand the Certificates (Local Computer) folder.
Right-click on the Trusted Root Certification Authorities folder and select All Tasks, then Import.
Follow the Certificate Import Wizard to import the CA certificate.
Right-click on the Personal folder and select All Tasks, then Import.
Follow the Certificate Import Wizard to import the server certificate.
Restart the server to make sure the changes take effect.
Configure the server software, such as IIS or Apache, to use the certificate for secure communication.
Note: These steps are just an overview, the exact steps may differ slightly based on the version of Windows Server you are using.
How it'll look like in typical CA and server node
Install the server certificate and the CA certificate on the server node.
Note: In this example, the ca_cert.pem and ca_private_key.pem represent the CA's certificate and private key, respectively. The server_private_key.pem and server_cert.pem are the private key and certificate for the server node, respectively. The number of days specified in the -days option is the number of days the certificate is valid for.