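# Check required criteria in the CSR, then sign it with the mini CA.
#
# Expected in scope from the enclosing function (its header is not visible here):
#   $csrPath, $CsrFile, $CrtFile              - CSR path, CSR file name, certificate file name
#   $caCountry, $caOrg                        - issuing CA's country and organization
#   $MINICA_PATH, $MINICA_CERT, $MINICA_PUBLIC - CA config folder, certificate folder, public folder
# Outputs: the signed certificate in $MINICA_CERT and a copy in $MINICA_PUBLIC.
# Returns: nothing; on any failed check a Write-Error is emitted and the function
#          returns without issuing a certificate.
$validityDays = 30

$csrText = openssl req -in $csrPath -noout -text -subject
# A malformed or unreadable CSR must be reported as such, not as a subject mismatch
if ($LASTEXITCODE -ne 0 -or -not $csrText) {
    Write-Error "Could not read the CSR at $csrPath (openssl req exit code $LASTEXITCODE)"
    return
}

# Extract the subject line (-subject prints it as "subject=...")
$subjectLine = ($csrText | Select-String -Pattern "^subject=" | Select-Object -First 1).Line
if (-not $subjectLine) {
    Write-Error "The CSR does not contain a subject"
    return
}

# Returns the value of one subject attribute, or $null when it is absent.
# The attribute name is matched as a whole RDN (bounded on the left by the line
# start or a separator and on the right by a separator or the line end), so "C="
# cannot match inside "DC=" and "O=" cannot match inside "OU=". Spaces around '='
# and both ',' and '/' separators are tolerated because the rendering of -subject
# differs between OpenSSL versions.
function Get-SubjectAttribute {
    param([string]$Subject, [string]$Name)
    $escapedName = [regex]::Escape($Name)
    if ($Subject -match "(?:^subject=|[,/])\s*$escapedName\s*=\s*([^,/]+?)\s*(?=[,/]|`$)") {
        return $Matches[1]
    }
    return $null
}

# Check country (must match the CA's country) - compared as a whole value, case-insensitively
$csrCountry = Get-SubjectAttribute -Subject $subjectLine -Name 'C'
if (-not $csrCountry -or $csrCountry -ne $caCountry) {
    Write-Error "The CSR country does not match the CA's country ($caCountry)"
    return
}

# Check organization (must match the CA's organization) - whole value, case-insensitive
$csrOrg = Get-SubjectAttribute -Subject $subjectLine -Name 'O'
if (-not $csrOrg -or $csrOrg -ne $caOrg) {
    Write-Error "The CSR organization does not match the CA's organization ($caOrg)"
    return
}

# Check organizational unit (mandatory)
$orgUnit = Get-SubjectAttribute -Subject $subjectLine -Name 'OU'
if (-not $orgUnit) {
    Write-Error "The CSR does not contain an organizational unit"
    return
}

# Check locality/city (mandatory)
$locality = Get-SubjectAttribute -Subject $subjectLine -Name 'L'
if (-not $locality) {
    Write-Error "The CSR does not contain a locality (city)"
    return
}

# Check email address (mandatory); the value is reused below so that the
# extension file is built from the same string that was validated here
$email = Get-SubjectAttribute -Subject $subjectLine -Name 'emailAddress'
if (-not $email) {
    Write-Error "The CSR does not contain an email address"
    return
}

# Extract the username from the CSR file name.
# NOTE(review): the UPN written into subjectAltName below is derived from the CSR
# file name, not from the CSR contents - confirm the file name is chosen by the CA
# operator and not by the requester.
$username = [System.IO.Path]::GetFileNameWithoutExtension($CsrFile)

# Both values are interpolated into an OpenSSL config file (where '$', '#', quotes
# and line breaks are syntactically significant) and written as ASCII, so only a
# conservative allow-list of characters is accepted.
if ($username -notmatch '^[A-Za-z0-9._-]+$') {
    Write-Error "The CSR file name '$CsrFile' yields an invalid username '$username'"
    return
}
if ($email -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$') {
    Write-Error "The CSR email address '$email' contains unsupported characters"
    return
}

# Create a uniquely named temporary file for certificate-specific extensions,
# so that concurrent runs cannot overwrite each other's extension file
$extFile = "$MINICA_PATH\temp_extensions_$([guid]::NewGuid().ToString('N')).cnf"
@"
nsComment = "Certificate for $username"
nsCertType = client, email
subjectAltName = email:$email,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$username@EPITAF.local
"@ | Out-File -Encoding ASCII -FilePath $extFile

# Sign the CSR to generate the certificate (valid for $validityDays days)
$certPath = "$MINICA_CERT\$CrtFile"
try {
    openssl ca -config "$MINICA_PATH\openssl.cnf" -in $csrPath -out $certPath -days $validityDays `
        -extfile $extFile -extensions usr_cert -batch
    # openssl is an external command: its failure is only visible through the exit code
    if ($LASTEXITCODE -ne 0) {
        Write-Error "openssl ca failed (exit code $LASTEXITCODE); no certificate was issued for $username"
        return
    }
} finally {
    # Always clean up the temporary file, even when signing fails;
    # a missing file at this point is not an error worth reporting
    Remove-Item -LiteralPath $extFile -Force -ErrorAction SilentlyContinue
}

Write-Host "Certificate signed and saved at $certPath (valid for $validityDays days)"

# Copy the certificate to the public folder for distribution
Copy-Item -LiteralPath $certPath -Destination "$MINICA_PUBLIC\$CrtFile" -Force
Write-Host "Certificate also available for distribution at \\EPITAF.fr\PKI\public\$CrtFile"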
}Editor is loading...