Powershell and Certificate Requests

I recently became involved in a project to get SCCM working on all our endpoints in various DMZs. These servers are all in workgroups in the DMZs, so they can't use the standard method of enrolling for certificates through the Certificates MMC snap-in (the certificates are needed to encrypt the SCCM client communication).

In case you aren’t aware, to do a Computer-based certificate request you need to do the following:

  • create an INF file that includes all the information for your certificate template
  • create the certificate request (.req) from the INF
  • submit it to your PKI server
  • download the completed certificate (.cer) and accept it to complete the request
  • export the certificate and its private key to a PFX file

In our scenario, where the DMZ box needs a certificate issued by the internal PKI, you have to create and submit the request from a domain-joined machine using an account that has enroll permission on the certificate template. Then you export the certificate and import it directly into the DMZ server. You also have to import your certificate chain into the DMZ machine, but that's relatively easy and I'm not going to cover it in detail in this article.

Here's the script, and I'll explain it below.


param(
    [Parameter(Mandatory)][string]$MYCERTNAME   # FQDN of the DMZ machine, e.g. testserver1.testdomain.com
)

$Path = "d:\scripts\certreqs"

# Build the INF that certreq -new consumes: one setting per line, CRLF-terminated
$BuildINF = "[NewRequest]`r`n"
$BuildINF += "Subject = ""CN=$MYCERTNAME""`r`n"
$BuildINF += "MachineKeySet = TRUE`r`n"          # key lives in the machine store, not the user's
$BuildINF += "Exportable = TRUE`r`n"             # required so certutil -exportpfx can include the private key
$BuildINF += "KeyLength = 2048`r`n"
$BuildINF += "[Extensions]`r`n"
$BuildINF += "2.5.29.17 = ""{text}""`r`n"        # subjectAltName extension, value supplied by _continue_
$BuildINF += "_continue_ = ""dns=$MYCERTNAME""`r`n"
$BuildINF += "[RequestAttributes]`r`n"
$BuildINF += "CertificateTemplate = ConfigMgrClientCertificate`r`n"
$BuildINF += "SAN = ""DNS=$MYCERTNAME""`r`n"

$BuildINF | Out-File -FilePath "$Path\$MYCERTNAME.inf"

Start-Sleep -Seconds 4
# Generate the key pair and request, submit it to the CA, then bind the issued cert to the key
certreq -new "$Path\$MYCERTNAME.inf" "$Path\$MYCERTNAME.req"
certreq -submit -config "omacsgipkis01.csgicorp.com\PKI Server" "$Path\$MYCERTNAME.req" "$Path\$MYCERTNAME.cer"
certreq -accept "$Path\$MYCERTNAME.cer"
# Export certificate plus private key from the machine MY store; "Welcome123" is the sample PFX password used in this article
certutil -exportpfx -p "Welcome123" MY $MYCERTNAME "$Path\clientcerts\$MYCERTNAME.pfx"

# Clean up the working files
Remove-Item -Path "$Path\$MYCERTNAME.req" -Force
Remove-Item -Path "$Path\$MYCERTNAME.inf" -Force
Remove-Item -Path "$Path\$MYCERTNAME.cer" -Force

So let's say our DMZ machine has a fully qualified domain name (FQDN) of testserver1.testdomain.com.

We call the script with: .\cert.ps1 testserver1.testdomain.com

The first thing the script does is build the INF file that we need:


[NewRequest]
Subject = "CN=testserver1.testdomain.com"
MachineKeySet = TRUE
Exportable = TRUE
KeyLength = 2048
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=testserver1.testdomain.com"
[RequestAttributes]
CertificateTemplate = ConfigMgrClientCertificate
SAN = "DNS=testserver1.testdomain.com"

The rest of the commands read fairly plainly from the code: the script runs a sequence of certreq commands to create the request, submit it to the CA and accept the issued certificate, then uses certutil to export the certificate and private key to the PFX we ultimately copy to the new DMZ box. Finally it cleans up after itself and deletes the working files.

To import our trusted root and issuing CA certificates into the DMZ box, run the following commands:


Certutil -addstore -f "ROOT" "d:\certs\rootca.cer"

Certutil -addstore -f "ROOT" "d:\certs\subca.cer"

After we import the CA certificates into the trusted root store, we need to import the PFX file we created with the PowerShell script above.


Certutil -p Welcome123 -importpfx "d:\<pfx file name>.pfx"
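Before pointing the SCCM client at the new certificate it is worth checking that the import actually produced what the INF asked for. The following function is an added example, not part of the article's script: it looks up the certificate by the FQDN used in the request (assumed here to be testserver1.testdomain.com), confirms the private key came across with the PFX, checks the SAN extension (OID 2.5.29.17) carries the FQDN, and builds the chain against the CA certificates imported with certutil -addstore.

```powershell
# Added example: verify the imported SCCM client certificate on the DMZ box.
# Assumes the FQDN passed to the request script, e.g. testserver1.testdomain.com.
function Test-ClientCert {
    param([Parameter(Mandatory)][string]$Fqdn)

    # Newest certificate whose subject matches the CN written into the INF
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My"
        return $false
    }

    $ok = $true
    # Without the private key the client cannot use the certificate at all
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate has no private key"; $ok = $false }

    # SAN must carry the FQDN the client will present (2.5.29.17 from the INF)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($sanText -notmatch [regex]::Escape($Fqdn)) {
        Write-Warning "SAN does not contain $Fqdn (found: '$sanText')"
        $ok = $false
    }

    # Chain must build from the root/sub CA certs imported with certutil -addstore.
    # Revocation checking is skipped because the DMZ box usually cannot reach the internal CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning "Chain: $($s.Status) - $($s.StatusInformation)"
        }
        $ok = $false
    }

    return $ok
}

Test-ClientCert -Fqdn 'testserver1.testdomain.com'
```

If the chain check fails with PartialChain, confirm the issuing sub CA certificate is in a store the chain engine searches; certutil -addstore -f CA places it in the intermediate store.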

And that’s it. You’ve now created your pfx certificate and imported it into the DMZ machine.