From a46ffcba358a2e00d96edc66ac59431bfe99ed11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sat, 3 Mar 2018 11:37:43 +0000 Subject: [PATCH] Add PowerShell script for requesting certificates --- certidude/static/views/authority.html | 41 +++++++++++++++++++++++++++ 1 file changed, 41 insertions(+)
diff --git a/certidude/static/views/authority.html b/certidude/static/views/authority.html
index 129bdd8..f9b2be6 100644
--- a/certidude/static/views/authority.html
+++ b/certidude/static/views/authority.html
@@ -17,6 +17,47 @@ certidude bootstrap {{session.authority.common_name}} +
Windows 10
+ +

On Windows execute following PowerShell script

+ +
+
$hostname = $env:computername.ToLower()
+$templ = @"
+[Version]
+Signature="$Windows NT$
+
+[NewRequest]
+Subject = "CN=$hostname"
+Exportable = FALSE
+KeyLength = 2048
+KeySpec = 1
+KeyUsage = 0xA0
+MachineKeySet = True
+ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+ProviderType = 12
+RequestType = PKCS10
+"@
+
+$templ | Out-File req.inf
+
+# Fetch CA certificate and install it
+Invoke-WebRequest -Uri http://{{ window.location.hostname }}/api/certificate -OutFile ca_cert.pem
+Import-Certificate -FilePath ca_cert.pem -CertStoreLocation Cert:\LocalMachine\Root
+
+# Generate keypair and submit CSR
+C:\Windows\system32\certreq.exe -new -f -q req.inf client_csr.pem
+Invoke-WebRequest -TimeoutSec 900 -Uri http://{{ window.location.hostname }}/api/request/?wait=1 -InFile client_csr.pem -ContentType application/pkcs10 -Method POST  -MaximumRedirection 3 -OutFile client_cert.pem
+
+# Import certificate
+Import-Certificate -FilePath client_cert.pem -CertStoreLocation Cert:\LocalMachine\My
+
+# Set up IPSec VPN tunnel
+Remove-VpnConnection -AllUserConnection -Force k-space
+Add-VpnConnection -Name k-space -ServerAddress guests.k-space.ee -SplitTunneling -PassThru -TunnelType ikev2 -AllUserConnection -AuthenticationMethod MachineCertificate
+Set-VpnConnectionIPsecConfiguration -ConnectionName k-space -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup PFS24 -DHGroup Group24 -PassThru -AllUserConnection -Force
+
+
UNIX & UNIX-like

On other UNIX-like machines generate key pair and submit the signing request using OpenSSL and cURL:
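Review bot: The CA certificate is fetched over plain `http://` at the `Invoke-WebRequest -Uri http://{{ window.location.hostname }}/api/certificate` line and imported unverified into `Cert:\LocalMachine\Root`, so anyone who can interpose on that first request can plant their own root on the machine; the CSR submission a few lines below uses the same unauthenticated transport and follows up to three redirects. Build the URLs from the page's scheme as well as its hostname (so an HTTPS-served page yields `https://` requests) and have the operator compare the downloaded certificate's thumbprint with a value published out of band before the `Import-Certificate` step. Separately, inside the expandable `@"…"@` here-string PowerShell expands `$Windows` as an (undefined, empty) variable and the closing quote is missing, so req.inf receives `Signature=" NT$` instead of the expected header; write the line as ``Signature="`$Windows NT`$"``. The `k-space` / `guests.k-space.ee` VPN values at the end are site-specific and look out of place in a generic template, and `Remove-VpnConnection -AllUserConnection -Force k-space` will presumably error on a first run where no such connection exists yet.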