Powershell and Certificate Requests

I recently became involved in a project to get SCCM working on all our endpoints in various DMZs. These servers are all in workgroups in DMZs, so they can't use the standard method of enrolling for certificates through the Certificates MMC snap-in (the certificates are needed to encrypt the SCCM client communication).

In case you aren’t aware, to do a Computer-based certificate request you need to do the following:

  • create an INF file that includes all the information for your certificate template
  • create the certificate request (.req) file from the INF
  • submit it to your PKI server
  • download the completed cert and complete the request
  • export the request to a pfx file

In our scenario, where the DMZ box needs a certificate issued by the internal PKI, you create and submit the request from a domain-joined machine using an account that has enroll permission on the template. Then you export the certificate (with its private key) and import it into the DMZ server directly. You also have to import your certificate chain into the DMZ machine, but that's relatively easy and I'm not going to cover it in detail in this article.

Here's the script, and I'll explain it below:

param(
    [Parameter(Mandatory = $true)]
    [string]$MyCertName    # FQDN of the DMZ box; used as the CN and the DNS SAN
)

$Path = "d:\scripts\certreqs"

# Build the certreq INF: machine key (not user), exportable so we can move it to the DMZ box
$BuildINF  = "[NewRequest]`r`n"
$BuildINF += "Subject = ""CN=$MyCertName""`r`n"
$BuildINF += "MachineKeySet = TRUE`r`n"
$BuildINF += "Exportable = TRUE`r`n"
$BuildINF += "KeyLength = 2048`r`n"
$BuildINF += "[Extensions]`r`n"
$BuildINF += "2.5.29.17 = ""{text}""`r`n"
$BuildINF += "_continue_ = ""dns=$MyCertName""`r`n"
$BuildINF += "[RequestAttributes]`r`n"
$BuildINF += "CertificateTemplate = ConfigMgrClientCertificate`r`n"
$BuildINF += "SAN = ""DNS=$MyCertName""`r`n"

$BuildINF | Out-File -FilePath "$Path\$MyCertName.inf"

Start-Sleep -Seconds 4

# Create the request, submit it to the issuing CA, then accept the issued cert into the machine store
certreq -new "$Path\$MyCertName.inf" "$Path\$MyCertName.req"
certreq -submit -config "omacsgipkis01.csgicorp.com\PKI Server" "$Path\$MyCertName.req" "$Path\$MyCertName.cer"
certreq -accept "$Path\$MyCertName.cer"

# Export the certificate and its private key from the machine MY store to a password-protected PFX
certutil -exportpfx -p "Welcome123" MY $MyCertName "$Path\clientcerts\$MyCertName.pfx"

# Clean up the working files
Remove-Item -Path "$Path\$MyCertName.req" -Force
Remove-Item -Path "$Path\$MyCertName.inf" -Force
Remove-Item -Path "$Path\$MyCertName.cer" -Force

So let's say our DMZ machine has a fully qualified domain name (FQDN) of testserver1.testdomain.com.

We call the script with .\cert.ps1 testserver1.testdomain.com

The first thing the script does is build the INF file that we need:

[NewRequest]
Subject = "CN=testserver1.testdomain.com"
MachineKeySet = TRUE
Exportable = TRUE
KeyLength = 2048
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=testserver1.testdomain.com"
[RequestAttributes]
CertificateTemplate = ConfigMgrClientCertificate
SAN = "DNS=testserver1.testdomain.com"

The rest of the commands are easy enough to read from the code: the script runs a series of certreq commands to create and submit the certificate request, accepts the issued certificate into the local machine store, and then exports it (with the private key) to the PFX we ultimately copy to the new DMZ box. Finally it cleans up after itself and deletes the working files.

To import our trusted root certificates into the DMZ box, run the following commands:

Certutil -addstore -f "ROOT" "d:\certs\rootca.cer"
Certutil -addstore -f "ROOT" "d:\certs\subca.cer"

After we import the root certificates into the trusted root store, we need to import the PFX file we created with the PowerShell script above:

Certutil -p Welcome123 -importpfx "d:\<pfx file name>.pfx"

And that’s it. You’ve now created your pfx certificate and imported it into the DMZ machine.
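Before pointing the SCCM client at the new certificate, it is worth checking that the import actually produced a usable identity on the DMZ box. The function below is an added example and not part of the original post; it assumes the PFX was imported into LocalMachine\My with certutil as shown above, that the root and sub CA .cer files were added to ROOT, and it takes the FQDN passed to cert.ps1 as its only parameter.

```powershell
# Added example (not from the original post): sanity-check the imported SCCM client certificate.
function Test-DmzClientCert {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn   # same FQDN that was passed to cert.ps1
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }

    $problems = @()

    # certutil -importpfx must have brought the private key along, or TLS client auth cannot work
    if (-not $cert.HasPrivateKey) { $problems += 'no private key (PFX import failed or key not included)' }

    # The SCCM client presents this cert for HTTPS, so Client Authentication EKU (1.3.6.1.5.5.7.3.2) is required
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')) {
        $problems += 'EKU does not include Client Authentication'
    }

    # The SAN extension (2.5.29.17) must carry the DNS name we put in the INF
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or ($san.Format($false) -notmatch [regex]::Escape($Fqdn))) {
        $problems += "SAN does not contain DNS=$Fqdn"
    }

    # The chain must build using the root and sub CA certs imported with certutil -addstore.
    # Revocation is skipped because a workgroup DMZ box usually cannot reach the internal CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain did not build: $status"
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires soon: $($cert.NotAfter)" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        Expires    = $cert.NotAfter
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

Test-DmzClientCert -Fqdn 'testserver1.testdomain.com'
```

If Ok is $false, the Problems list tells you which of the three steps (root import, PFX import, or the INF contents) to revisit before running ccmsetup.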

3 thoughts on "Powershell and Certificate Requests"

  1. jamesavery336 says:

    How did you deploy certificates to the SCCM HTTPS workgroup clients?

    • Jason Jones says:

      Manually. Since all of our DMZ clients have rulesets on them most of our automated tools don’t work. I wrote a batch file that manually installs the root certificate into the Trusted roots on the machine:

      Certutil -addstore -f "ROOT" "trustedroot.cer"
      Certutil -addstore -f "ROOT" "SubCA.cer"

      Then manually installed the new local certificate:

      Certutil -p Welcome123 -importpfx "newcert.pfx"

      Hope that helps!

      • Jason Jones says:

        One last thing I found I had to do was specify the CA in the SCCM client install command:

        ccmsetup.exe /BITSPriority:HIGH /NoCRLCheck /UsePKICert SMSSITECODE=BLAH CCMCERTISSUERS="CN=Root CA; DC=domain; DC=com" RESETKEYINFORMATION=TRUE DNSSUFFIX=domain.com CCMALWAYSINF=1 CCMHOSTNAME=sccmfqdn.domain.com
