When you have an internal Microsoft Certificate Authority (an Enterprise CA) you can issue certificates for all your devices, and those certificates will be trusted by every domain member computer, because the CA's root certificate is distributed to domain members through Active Directory.
Domain members can have their certificates issued automatically through autoenrollment. Devices such as switches, firewalls etc. cannot enrol that way, so a certificate generally has to be created for each of them by hand.
I find it convenient to generate a new certificate and private key on a domain member and then import both into the device. The script below requests a new certificate from the internal CA, then exports that certificate together with its private key to a password-protected PFX file.
It then uses OpenSSL to convert the PFX into two PEM text files, one holding the certificate(s) and one holding the private key. Because the key is written with -nodes it is unencrypted, so keep the key file where only you can read it and delete it once the device has imported it. Some devices still need the files "cleaned up" (openssl pkcs12 puts "Bag Attributes" and subject/issuer lines in front of each PEM block, and some importers reject those), but the files have the critical Base64-encoded data.
You will need to run the code with an account that is allowed to enrol for the template, and with local administrator rights so it can write to the LocalMachine certificate store. The name of the certificate template you are using must be edited in the code. Basically anything mentioning ACME will need to be replaced with the relevant details for your setup.
create_and_export_certificate.ps1
#
# create_and_export_certificate.ps1
#
function My_Create_Certificate {
    param (
        [string]$hostname,
        [string]$domain,
        [string]$subject,
        [string]$domain2,
        [string]$domain3
    )
    # Request a new certificate from the internal CA - 5 year expiration, ACME-CA template.
    # The SAN list gets one DNS entry per domain suffix plus the bare hostname.
    #$hostname="*"
    $name = "$hostname.$domain"
    $dnsname = @()
    $dnsname += $name
    if ($domain2 -ne "") { $dnsname += "$hostname.$domain2" }
    if ($domain3 -ne "") { $dnsname += "$hostname.$domain3" }
    $dnsname += "$hostname"
    # -Url ldap: locates the enrollment service through Active Directory
    $newcert = Get-Certificate -Template "myinternalwebservertemplate5years" -SubjectName $subject -DnsName $dnsname -Url ldap: -CertStoreLocation cert:\localmachine\my
    $newcert
}

# generate a random name for testing (HH = 24-hour clock, so names stay unique across the day)
$datetime = Get-Date -Format "yyyy-MM-dd-HH-mm-ss"
$hostname = "my-new-device-$datetime"
$domain   = "acme.com.au"
$domain2  = "acme.local"
$domain3  = ""
$subject  = 'C=AU;O="Acme Australia Pty Ltd";OU=HQ;CN=' + "$hostname.$domain"

$newcert = My_Create_Certificate -hostname $hostname -domain $domain -subject $subject -domain2 $domain2 -domain3 $domain3

# PFX export password. Single quotes are required here: in double quotes "$H" is
# expanded as a (normally empty) variable and the password silently becomes e43()cvgs4344c434x612.
$password = 'e43$H()cvgs4344c434x612'

# export the certificate and its private key to a file
cd $env:TEMP
New-Item -ItemType Directory -Path pfx -Force | Out-Null   # create the output folder if it is missing
cd pfx
$mycerts = Get-ChildItem -Path "Cert:\localmachine\My\$($newcert.Certificate.Thumbprint)"
#$mycerts | Where-Object { $_.HasPrivateKey } | ForEach-Object { & certutil.exe @('-exportpfx', '-f', '-p', "$password", $_.Thumbprint, "expo_$($_.Subject).pfx") }
foreach ($cert in $mycerts) {
    if ($cert.HasPrivateKey) {
        # build a file name from the subject: spaces become "-", "*" becomes "X", commas and "CN=" are dropped
        $filename = $cert.Subject -replace " ", "-"
        $filename = $filename -replace "\*", "X"
        $filename = $filename -replace ",", ""
        $filename = $filename -replace "CN=", ""
        $filename += ".pfx"
        $retval = & certutil.exe @('-exportpfx', '-f', '-p', "$password", $cert.Thumbprint, "$filename")
        dir $filename
        #
        # now use openssl to split into a key file and a cert file - as wanted by Cisco ISE
        # -Wait makes Start-Process block until openssl has finished, so the files exist
        # before they are listed; -nodes writes the private key unencrypted.
        #
        $fname = $filename -replace "\.pfx$", ""
        Start-Process -FilePath 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe' -ArgumentList "pkcs12 -in $filename -out $fname-certs.txt -nodes -nokeys -password pass:$password" -Wait -NoNewWindow
        Start-Process -FilePath 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe' -ArgumentList "pkcs12 -in $filename -out $fname-key.txt -nodes -nocerts -password pass:$password" -Wait -NoNewWindow
        dir $fname*.txt
    }
}
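The export and conversion steps above leave a few things a practitioner would want tightened: the PFX password is hard-coded and passed on the openssl command line, nothing checks that the key file actually belongs to the certificate file, and the private key stays in the workstation's LocalMachine store after export. The following function is an added example (not part of the original script) covering those points for a certificate that has already been issued. It assumes the certificate identified by $Thumbprint sits in Cert:\LocalMachine\My with an exportable private key and that OpenSSL is installed at the same path the script above uses; the function and parameter names are this example's own.

```powershell
# Added example, not the original script: export an issued certificate to PFX and PEM
# with a random one-time password, verify the PEM key matches the PEM certificate,
# and optionally purge the private key from this machine's store.
# Assumes: $Thumbprint is in Cert:\LocalMachine\My with an exportable key; OpenSSL at $OpenSsl.

function Export-DevicePemPair {
    param (
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutDir,
        [string]$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe',
        [switch]$RemoveFromStore   # delete the cert and its key from LocalMachine\My afterwards
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # One-time PFX password from the CSPRNG; it never appears in the script text
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # File names from the CN only; anything that is not a safe filename character becomes "_"
    $base  = Join-Path $OutDir ($cert.GetNameInfo('SimpleName', $false) -replace '[^\w.-]', '_')
    $pfx   = "$base.pfx"
    $crt   = "$base-cert.pem"    # leaf certificate only
    $chain = "$base-chain.pem"   # issuing CA certificate(s), imported separately on most devices
    $key   = "$base-key.pem"     # unencrypted private key (-nodes): treat as a secret

    # BuildChain puts the CA chain into the PFX so it can be split out below
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $secure -ChainOption BuildChain | Out-Null

    # '&' runs openssl synchronously (Start-Process without -Wait does not), so the output
    # files exist before they are read. -passin env: keeps the password off the command line.
    $env:PFX_PASS = $plain
    try {
        & $OpenSsl pkcs12 -in $pfx -out $crt   -clcerts -nokeys -passin env:PFX_PASS
        & $OpenSsl pkcs12 -in $pfx -out $chain -cacerts -nokeys -passin env:PFX_PASS
        & $OpenSsl pkcs12 -in $pfx -out $key   -nocerts -nodes  -passin env:PFX_PASS
    } finally {
        Remove-Item Env:\PFX_PASS
    }

    # Check: the public key inside the certificate must equal the public half of the key file
    $pubFromCert = (& $OpenSsl x509 -in $crt -noout -pubkey) -join "`n"
    $pubFromKey  = (& $OpenSsl pkey -in $key -pubout)        -join "`n"
    $keyMatches  = ($pubFromCert -eq $pubFromKey)
    if (-not $keyMatches) { throw "Exported key does not match certificate $Thumbprint" }

    if ($RemoveFromStore) {
        # After export the private key is otherwise left behind in this machine's key store
        Remove-Item "Cert:\LocalMachine\My\$Thumbprint" -DeleteKey
    }

    [PSCustomObject]@{ Pfx = $pfx; Cert = $crt; Chain = $chain; Key = $key; KeyMatchesCert = $keyMatches }
}

# Usage, with $newcert as returned by Get-Certificate in the script above:
# $r = Export-DevicePemPair -Thumbprint $newcert.Certificate.Thumbprint -OutDir "$env:TEMP\pfx" -RemoveFromStore
# upload $r.Cert, $r.Key and $r.Chain to the device, then remove the secrets from disk:
# Remove-Item $r.Key, $r.Pfx
```

Splitting the certificates with -clcerts and -cacerts gives the leaf and the CA chain as separate files, which is how Cisco ISE and most other appliances want them, and it makes the key check unambiguous because the leaf file holds exactly one certificate. The check compares the SubjectPublicKeyInfo printed by openssl x509 -pubkey with the one derived from the key file by openssl pkey -pubout, so it works for RSA and EC keys alike.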