Adds WinRM certificate auth scripts

Author: alexpilotti

SetupClientWinRMCertificateAuth.ps1

@@ -0,0 +1,48 @@
+$ErrorActionPreference = "Stop"
+
+# Setup the WinRM client in an elevated command prompt
+#& winrm set winrm/config/client `@`{TrustedHosts=`"*`"`}
+#& winrm set winrm/config/client/auth `@`{Certificate=`"true`"`}
+
+$remote_host = "192.168.209.134"
+$host_cacert_path = "C:\temp\ca_winrm.pem"
+$client_cert_pfx = "c:\temp\cert.pfx"
+$client_cert_pfx_password = "Passw0rd"
+
+# Get the user's personal certificate store
+$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+    [System.Security.Cryptography.X509Certificates.StoreName]::My,
+    [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
+$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+
+# Get the user's Trusted Root CA store
+$castore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
+    [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
+$castore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+
+# Import the client cert and its CA cert
+$coll = new-object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
+$coll.Import($client_cert_pfx, $client_cert_pfx_password,
+    ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet -bor
+     [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet))
+
+foreach($cert in $coll) {
+    # TODO: handle intermediate CAs
+    if ($cert.Subject -eq $cert.Issuer) {
+        $castore.Add($cert)
+    }
+    else {
+        $store.Add($cert)
+    }
+}
+
+# Import the server's cert CA cert.
+# This is necessary only due to a New-PSSession bug as the PSSessionOption.SkipCACheck setting is ignored
+$host_cacert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($host_cacert_path)
+$castore.Add($host_cacert)
+
+# Open a remote PowerShell session using certificate authentication
+$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
+$session = New-PSSession -ComputerName $remote_host -UseSSL -CertificateThumbprint $clientcert.Thumbprint -SessionOption $opt
+Enter-PSSession $session

SetupWinRMAccess.ps1

@@ -16,7 +16,8 @@ function SetAdminOnlyACL($path) {
     {
         $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
         $account = $sidObj.Translate( [System.Security.Principal.NTAccount])
-        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule ($account, $fsRights, $inheritanceFlags, $propagationFlags, $aceType)
+        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
+            $account, $fsRights, $inheritanceFlags, $propagationFlags, $aceType)
         $acl.AddAccessRule($ace)
     }
 
@@ -41,12 +42,10 @@ mkdir crl
 
 $ca_conf_file="ca.cnf"
 $openssl_conf_file="openssl.cnf"
-$server_ext_conf_file="server_ext.cnf"
 
 $conf_base_url="https://raw.github.com/cloudbase/unattended-setup-scripts/master/"
 
 (new-object System.Net.WebClient).DownloadFile($conf_base_url + $ca_conf_file, "$ca_dir\$ca_conf_file")
-(new-object System.Net.WebClient).DownloadFile($conf_base_url + $server_ext_conf_file, "$ca_dir\$server_ext_conf_file")
 (new-object System.Net.WebClient).DownloadFile($conf_base_url + $openssl_conf_file, "$ca_dir\$openssl_conf_file")
 
 $ENV:PATH+=";C:\OpenSSL-Win32\bin"
@@ -60,19 +59,26 @@ openssl req -newkey rsa:2048 -nodes -sha1 -keyout private\cert.key -keyform PEM
 if ($LastExitCode) { throw "openssl failed to create server certificate request" }
 
 $ENV:OPENSSL_CONF="$ca_dir\ca.cnf"
-openssl ca -batch -notext -in certs\cert.req -out certs\cert.pem -extensions v3_req_server -extensions v3_req_server
+openssl ca -batch -notext -in certs\cert.req -out certs\cert.pem -extensions v3_req_server
 if ($LastExitCode) { throw "openssl CA failed to sign server certificate request" }
 
 # Import CA certificate
 $cacert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$ca_dir\certs\ca.pem")
-$castore = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
+$castore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
+    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
 $castore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
 $castore.Add($cacert)
 
 # Import server certificate
 openssl pkcs12 -export -in certs\cert.pem -inkey private\cert.key -out certs\cert.pfx -password pass:Passw0rd
-$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$ca_dir\certs\cert.pfx", "Passw0rd", ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet))
-$store = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
+    "$ca_dir\certs\cert.pfx", "Passw0rd",
+    ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
+     [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet))
+$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+    [System.Security.Cryptography.X509Certificates.StoreName]::My,
+    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
 $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
 $store.Add($cert)
 del certs\cert.pfx

SetupWinRMCertificateAuth.ps1

@@ -0,0 +1,36 @@
+$ErrorActionPreference = "Stop"
+
+$username = "Administrator"
+$password = "Passw0rd"
+
+$client_cert_path = z:\Downloads\ca_test\certs\cert.pem"
+$client_ca_cert_path = "z:\Downloads\ca_test\certs\ca.pem"
+
+# Enable certificate authentication
+& winrm set winrm/config/service/auth `@`{Certificate=`"true`"`}
+
+# Import the client cert's CA cert
+$cacert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($client_ca_cert_path)
+$castore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
+    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
+$castore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+$castore.Add($cacert)
+
+# Import the client cert into TrustedPeople
+$clientcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($client_cert_path)
+$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+    [System.Security.Cryptography.X509Certificates.StoreName]::TrustedPeople,
+    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
+$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
+$store.Add($clientcert)
+
+$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
+# For domain auth just replace $ENV:COMPUTERNAME with the domain name
+$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password
+
+# Get the UPN from the cert extension
+$clientcert.Extensions[1].Format($false) -match ".*=(.*)"
+$upn = $Matches[1]
+
+New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $cacert.Thumbprint -Subject $upn -Uri * -Credential $cred -Force

generate_winrm_client_cert.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+set -e
+
+USER_NAME=user$RANDOM
+
+UPN=$USER_NAME@localhost
+PFX_FILE=`pwd`/cert.pfx
+PFX_PASSWORD=Passw0rd
+
+CA_DIR=`mktemp -d -t openssl`
+
+pushd .
+cd $CA_DIR
+
+mkdir private
+chmod 700 private
+mkdir certs
+mkdir crl
+
+cat > ca.cnf << EOF
+[ ca ]
+default_ca = mypersonalca
+
+[ mypersonalca ]
+dir = $CA_DIR
+certs = \$dir/certs
+crl_dir = \$dir/crl
+database = \$dir/index.txt
+new_certs_dir = \$dir/certs
+certificate = \$dir/certs/ca.pem
+serial = \$dir/serial
+crl = \$dir/crl/crl.pem
+private_key = \$dir/private/ca.key
+RANDFILE = \$dir/private/.rand
+x509_extensions = usr_cert
+default_days = 3650
+default_crl_days= 30
+default_md = sha1
+preserve = no
+policy = mypolicy
+x509_extensions = certificate_extensions
+
+[ mypolicy ]
+commonName = supplied
+stateOrProvinceName = supplied
+countryName = supplied
+emailAddress = supplied
+organizationName = supplied
+organizationalUnitName = optional
+
+[ certificate_extensions ]
+basicConstraints = CA:false
+
+[ req ]
+default_keyfile = $CA_DIR/private/ca.key
+default_md = sha1
+prompt = no
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+string_mask = utf8only
+basicConstraints = CA:true
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+
+[ root_ca_distinguished_name ]
+commonName = WinRM CA
+stateOrProvinceName = Timis
+countryName = RO
+emailAddress = [email protected]
+organizationName = WinRM CA
+
+[ root_ca_extensions ]
+basicConstraints = CA:true
+
+[v3_req_server]
+extendedKeyUsage = serverAuth
+EOF
+
+cat > openssl.cnf << EOF
+distinguished_name  = req_distinguished_name
+[req_distinguished_name]
+[v3_req]
+[v3_req_server]
+extendedKeyUsage = serverAuth
+[v3_ca]
+EOF
+
+touch index.txt
+echo 01 > serial
+
+export OPENSSL_CONF=ca.cnf
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out certs/ca.pem -outform PEM -keyout private/ca.key
+
+export OPENSSL_CONF=openssl.cnf
+openssl req -newkey rsa:2048 -nodes -sha1 -keyout private/cert.key -keyform PEM -out certs/cert.req -outform PEM -subj \
+"/C=US/ST=Timis/L=Timisoara/[email protected]/organizationName=IT/CN=$USER_NAME"
+
+EXT_CONF_FILE=`mktemp -t openssl`
+
+cat > $EXT_CONF_FILE << EOF
+[v3_req_client]
+extendedKeyUsage = clientAuth
+subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN
+EOF
+
+export OPENSSL_CONF=ca.cnf
+openssl ca -batch -notext -in certs/cert.req -out certs/cert.pem -extensions v3_req_client -extfile $EXT_CONF_FILE
+
+rm $EXT_CONF_FILE
+
+# Export the certificate, including the CA chain, into cert.pfx
+openssl pkcs12 -export -in certs/cert.pem -inkey private/cert.key -chain -CAfile certs/ca.pem -out $PFX_FILE -password pass:$PFX_PASSWORD
+
+popd
+rm -rf $CA_DIR
+