
I have created the following CA and intermediate CA using the PowerShell New-SelfSignedCertificate cmdlet. I now have a CSR which was generated using openssl/from another source.

Is there an option where the CSR can be signed using a similar PowerShell option in Windows, so that I can put it in the script to run and then import the signed certificate back into the other source?

Note: I understand that I can use openssl to sign the CSR, but I am looking for an option in PowerShell on Windows. Thanks!

Root CA

```powershell
# Self-signed root: CA=true, path length 5, 40-year validity, key kept exportable
$RootCA = New-SelfSignedCertificate -Subject 'CN=KeyCARootCN,O=Test Organisation, OU=Test RootCA,C=AU' -KeyLength 2048 -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(40) -KeyUsageProperty All -TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=5") -CertStoreLocation Cert:\LocalMachine\My
$RootCA
$RootCAthumbprint = $RootCA.Thumbprint

# Export the root with its private key (PFX) and without it (CER)
$CertRootCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertRootCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

$CertRootCAFileCER = Export-Certificate -Cert $RootCA -FilePath C:\Users\KeyCARoot.cer

$CertRootCAFileCER
$CertRootCAPath = 'C:\Users\KeyCARoot.cer'
# Trust the root on this machine
Import-Certificate -FilePath C:\Users\KeyCARoot.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Intermediate CA

```powershell
# Intermediate signed by the root: CA=true, path length 0 (may only issue end-entity certs)
$InterCA = New-SelfSignedCertificate -Subject 'CN=KeyInterCARootCN,O=Test Organisation, OU=Test InterCA,C=AU' -Signer $RootCA -KeyLength 2048 -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(35) -KeyUsageProperty Sign -TextExtension @("2.5.29.19 = {critical} {text}ca=1&pathlength=0") -CertStoreLocation Cert:\LocalMachine\My
$InterCAthumbprint = $InterCA.Thumbprint

# Export the intermediate with its private key (PFX) and without it (CER)
$CertInterCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertInterCAFilePFX = Export-PfxCertificate -Cert cert:\LocalMachine\My\$InterCAthumbprint -FilePath C:\Users\KeyInterCARoot.pfx -Password $CertInterCAPassword

$CertInterCAFileCER = Export-Certificate -Cert $InterCA -FilePath C:\Users\KeyInterCARoot.cer

$CertInterCAFileCER
# Place the intermediate in the Intermediate Certification Authorities store
Import-Certificate -FilePath C:\Users\KeyInterCARoot.cer -CertStoreLocation Cert:\LocalMachine\CA
```
Melissa
  • I will need to clarify further that the intermediate and root CA are created in PowerShell using the commands above and are imported via the MMC console in the Windows VirtualBox. They are then imported into another source for testing purposes. With the setup above in the Windows VirtualBox, how can I specify in a PowerShell command to ensure it is the intermediate CA which will sign the CSR? – Melissa Dec 02 '20 at 09:53
  • You may need to stick with OpenSSL here. It's actually the simplest approach for signing CSRs with self-signed roots, and can be called directly from PowerShell, as well. Otherwise, if you really want to get your hands dirty, [check here for some clues](https://stackoverflow.com/a/48210587/11609403), or use a [.NET wrapper for OpenSSL libraries](https://github.com/openssl-net/openssl-net), or consider submitting your CSRs to an Enterprise CA instead. Good luck. – leeharvey1 Dec 03 '20 at 03:36
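
One way to sign the external CSR from PowerShell without OpenSSL, picking the intermediate CA explicitly by thumbprint, is the .NET CertificateRequest API. This is an added example, not code from the question or the comments; it assumes PowerShell 7.3 or later (the LoadSigningRequestPem method arrived with .NET 7), that `$InterCAthumbprint` still identifies the intermediate in Cert:\LocalMachine\My with its private key readable by the current (elevated) session, and that the CSR is a PEM file at the placeholder path C:\Users\server.csr.

```powershell
# Added example (not from the question or comments). Requires PowerShell 7.3+ (.NET 7).
# $InterCAthumbprint comes from the intermediate-CA script above; file paths are placeholders.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$csrPath = 'C:\Users\server.csr'   # placeholder: PKCS#10 CSR produced by openssl elsewhere
$outPath = 'C:\Users\server.cer'   # placeholder: where the signed certificate is written

# Select the issuer by thumbprint so it is the intermediate, not the root in the same store.
$issuer = Get-Item "Cert:\LocalMachine\My\$InterCAthumbprint"
if (-not $issuer.HasPrivateKey) { throw 'Intermediate CA private key is not available' }

# Default load options verify the CSR's self-signature and deliberately do NOT copy the
# requester's extensions into the certificate; the CA sets them from its own policy below.
$req = [CertificateRequest]::LoadSigningRequestPem(
    (Get-Content -Path $csrPath -Raw),
    [HashAlgorithmName]::SHA256,
    [CertificateRequestLoadOptions]::Default,
    [RSASignaturePadding]::Pkcs1)

# End-entity profile: not a CA, digital signature + key encipherment, TLS server auth.
$req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
    ([X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment), $true))
$eku = [OidCollection]::new()
$null = $eku.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))   # id-kp-serverAuth
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($eku, $false))

# Keep the leaf inside the issuer's own validity window and use a random 128-bit serial.
$notBefore = [DateTimeOffset]::UtcNow.AddMinutes(-5)
$notAfter  = $notBefore.AddYears(1)
$issuerEnd = [DateTimeOffset]::new($issuer.NotAfter)
if ($notAfter -gt $issuerEnd) { $notAfter = $issuerEnd }
$serial = [RandomNumberGenerator]::GetBytes(16)

# Create() signs with the issuer's private key and adds AKI from the issuer's SKI;
# it also refuses an issuer whose Basic Constraints/Key Usage do not permit cert signing.
$signed = $req.Create($issuer, $notBefore, $notAfter, $serial)

# Write PEM for the other system and show which CA actually issued it.
Set-Content -Path $outPath -Value $signed.ExportCertificatePem()
"Issued '$($signed.Subject)' by '$($signed.Issuer)', serial $($signed.SerialNumber)"
```

If the other system needs the subject alternative names from the CSR, add them yourself as an X509SubjectAlternativeNameExtension after validating them, rather than loading with UnsafeLoadCertificateExtensions, which would copy whatever the requester asked for.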
