pinecrypt-gateway-frontend/templates/snippets/request-client.ps1
2021-05-27 13:15:46 +03:00

48 lines
1.6 KiB
PowerShell

# Generate keypair and submit CSR
{% if common_name %}$NAME = "{{ common_name }}"
{% else %}$NAME = $env:computername.toLower()
{% endif %}
@"
[NewRequest]
Subject = "CN=$NAME"
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderType = 12
RequestType = PKCS10
{% if authority.certificate.algorithm == "ec" %}ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = ECDSA_P384
{% else %}ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeyLength = 2048
{% endif %}"@ | Out-File req.inf
C:\Windows\system32\certreq.exe -new -f -q req.inf host_csr.pem
Invoke-WebRequest `{% if token %}
-Uri 'https://{{ authority.namespace }}:8443/api/token/?token={{ token }}' `
-Method PUT `{% else %}
-Uri 'https://{{ authority.namespace }}:8443/api/request/?wait=yes&autosign=yes' `
-Method POST `{% endif %}
-TimeoutSec 900 `
-InFile host_csr.pem `
-ContentType application/pkcs10 `
-MaximumRedirection 3 -OutFile host_cert.pem
# Import certificate
Import-Certificate -FilePath host_cert.pem -CertStoreLocation Cert:\LocalMachine\My
{#
On Windows 7 the Import-Certificate cmdlet is missing,
but certutil.exe can be used instead:
C:\Windows\system32\certutil.exe -addstore My host_cert.pem
Everything seems to work except after importing the certificate
it is not properly associated with the private key,
that means "You have private key that corresponds to this certificate" is not
shown under "Valid from ... to ..." in MMC.
This results in error code 13806 during IKEv2 handshake and error message
"IKE failed to find valid machine certificate"
#}