171 lines
7.7 KiB
PowerShell
171 lines
7.7 KiB
PowerShell
param(
|
|
[string]$OutputPath = ".\",
|
|
[switch]$Force = $false
|
|
)
|
|
|
|
$companyName = "oxmc-servers"
|
|
$certBase = "O=$companyName, L=Puyallup, S=Washington, C=US"
|
|
$rootSubject = "CN=$companyName Root CA, $certBase"
|
|
$signingSubject = "CN=$companyName Code Signing, $certBase"
|
|
$microsoftResignSubject = "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
|
|
$pfxPassword = "OxMcSecurePassword7769!"
|
|
|
|
function Write-ColorOutput {
|
|
param([string]$Message, [string]$Color = "White")
|
|
Write-Host $Message -ForegroundColor $Color
|
|
}
|
|
|
|
# Run as Administrator check
|
|
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
|
|
if (-not $isAdmin) {
|
|
Write-ColorOutput "ERROR: Run as Administrator!" "Red"
|
|
exit 1
|
|
}
|
|
|
|
Write-ColorOutput "Creating certificate chain for signing..." "Green"
|
|
|
|
try {
|
|
# Remove old certificates
|
|
$certFiles = @(
|
|
"$companyName-rootca.pfx",
|
|
"$companyName-rootca.cer",
|
|
"$companyName-signing.pfx",
|
|
"$companyName-signing.cer",
|
|
"microsoft-windows-resigner.pfx",
|
|
"microsoft-windows-resigner.cer"
|
|
)
|
|
|
|
foreach ($file in $certFiles) {
|
|
if (Test-Path "$OutputPath\$file") {
|
|
Remove-Item "$OutputPath\$file" -Force
|
|
}
|
|
}
|
|
|
|
$securePassword = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
|
|
|
|
# 1. Create Root CA Certificate
|
|
Write-ColorOutput "Creating Root CA certificate..." "Yellow"
|
|
$rootCert = New-SelfSignedCertificate `
|
|
-Subject $rootSubject `
|
|
-FriendlyName "oxmc-servers Root Certificate Authority" `
|
|
-Type Custom `
|
|
-KeySpec Signature `
|
|
-KeyUsage CertSign, CRLSign, DigitalSignature `
|
|
-KeyLength 4096 `
|
|
-HashAlgorithm SHA256 `
|
|
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
|
|
-KeyExportPolicy Exportable `
|
|
-KeyUsageProperty All `
|
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
-NotAfter (Get-Date).AddYears(10) `
|
|
-TextExtension @("2.5.29.19={text}ca=1&pathlength=2")
|
|
|
|
Write-ColorOutput "Root CA created - Thumbprint: $($rootCert.Thumbprint)" "Green"
|
|
|
|
# 2. Create Code Signing Certificate (issued by Root CA)
|
|
Write-ColorOutput "Creating Code Signing certificate..." "Yellow"
|
|
$signingCert = New-SelfSignedCertificate `
|
|
-Subject $signingSubject `
|
|
-FriendlyName "oxmc-servers Application Signing" `
|
|
-Type CodeSigning `
|
|
-KeySpec Signature `
|
|
-KeyUsage DigitalSignature, KeyEncipherment `
|
|
-KeyLength 2048 `
|
|
-HashAlgorithm SHA256 `
|
|
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
|
|
-KeyExportPolicy Exportable `
|
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
-NotAfter (Get-Date).AddYears(5) `
|
|
-Signer $rootCert
|
|
|
|
Write-ColorOutput "Signing certificate created - Thumbprint: $($signingCert.Thumbprint)" "Green"
|
|
|
|
# 3. Create Microsoft Windows Re-signer Certificate (issued by Root CA with Microsoft's exact subject)
|
|
Write-ColorOutput "Creating Microsoft Windows Re-signer certificate..." "Yellow"
|
|
Write-ColorOutput "Subject: $microsoftResignSubject" "Cyan"
|
|
|
|
$resignerCert = New-SelfSignedCertificate `
|
|
-Subject $microsoftResignSubject `
|
|
-FriendlyName "oxmc-servers Microsoft Windows Re-signer" `
|
|
-Type CodeSigning `
|
|
-KeySpec Signature `
|
|
-KeyUsage DigitalSignature, KeyEncipherment `
|
|
-KeyLength 2048 `
|
|
-HashAlgorithm SHA256 `
|
|
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
|
|
-KeyExportPolicy Exportable `
|
|
-CertStoreLocation "Cert:\LocalMachine\My" `
|
|
-NotAfter (Get-Date).AddYears(5) `
|
|
-Signer $rootCert
|
|
|
|
Write-ColorOutput "Microsoft Windows Re-signer certificate created - Thumbprint: $($resignerCert.Thumbprint)" "Green"
|
|
Write-ColorOutput "IMPORTANT: This certificate has the exact Microsoft Windows subject but is issued by your Root CA" "Yellow"
|
|
|
|
# Export certificates
|
|
Write-ColorOutput "Exporting certificates..." "Yellow"
|
|
|
|
# Root CA
|
|
Export-PfxCertificate -Cert $rootCert -FilePath "$OutputPath\oxmc-servers-rootca.pfx" -Password $securePassword
|
|
Export-Certificate -Cert $rootCert -FilePath "$OutputPath\oxmc-servers-rootca.cer"
|
|
Write-ColorOutput "Root CA exported" "Green"
|
|
|
|
# Signing Certificate
|
|
Export-PfxCertificate -Cert $signingCert -FilePath "$OutputPath\oxmc-servers-signing.pfx" -Password $securePassword
|
|
Export-Certificate -Cert $signingCert -FilePath "$OutputPath\oxmc-servers-signing.cer"
|
|
Write-ColorOutput "Signing certificate exported" "Green"
|
|
|
|
# Microsoft Windows Re-signer Certificate
|
|
Export-PfxCertificate -Cert $resignerCert -FilePath "$OutputPath\microsoft-windows-resigner.pfx" -Password $securePassword
|
|
Export-Certificate -Cert $resignerCert -FilePath "$OutputPath\microsoft-windows-resigner.cer"
|
|
Write-ColorOutput "Microsoft Windows Re-signer certificate exported" "Green"
|
|
|
|
# Import to certificate stores for trust
|
|
Write-ColorOutput "Installing certificates to certificate stores..." "Yellow"
|
|
|
|
# Import Root CA to Trusted Root store
|
|
Import-Certificate -FilePath "$OutputPath\oxmc-servers-rootca.cer" -CertStoreLocation "Cert:\LocalMachine\Root"
|
|
Write-ColorOutput "Root CA installed to Trusted Root store" "Green"
|
|
|
|
# Import signing cert to Personal store for current user
|
|
Import-PfxCertificate -FilePath "$OutputPath\oxmc-servers-signing.pfx" -CertStoreLocation "Cert:\CurrentUser\My" -Password $securePassword -Exportable
|
|
Write-ColorOutput "Signing certificate installed to Personal store" "Green"
|
|
|
|
# Import Microsoft resigner cert to Personal store for current user
|
|
Import-PfxCertificate -FilePath "$OutputPath\microsoft-windows-resigner.pfx" -CertStoreLocation "Cert:\CurrentUser\My" -Password $securePassword -Exportable
|
|
Write-ColorOutput "Microsoft Windows Re-signer certificate installed to Personal store" "Green"
|
|
|
|
Write-ColorOutput "`nCertificate chain creation complete!" "Green"
|
|
Write-ColorOutput "=========================================" "Cyan"
|
|
Write-ColorOutput "Root CA Thumbprint: $($rootCert.Thumbprint)" "Cyan"
|
|
Write-ColorOutput "Signing Cert Thumbprint: $($signingCert.Thumbprint)" "Cyan"
|
|
Write-ColorOutput "Microsoft Re-signer Cert Thumbprint: $($resignerCert.Thumbprint)" "Cyan"
|
|
Write-ColorOutput "=========================================" "Cyan"
|
|
Write-ColorOutput "`nUsage:" "White"
|
|
Write-ColorOutput "- Root CA (oxmc-servers-rootca.pfx): Trust anchor - install in Trusted Root" "White"
|
|
Write-ColorOutput "- Signing Cert (oxmc-servers-signing.pfx): Sign your own applications" "White"
|
|
Write-ColorOutput "- Microsoft Re-signer (microsoft-windows-resigner.pfx): Re-sign Microsoft applications" "White"
|
|
Write-ColorOutput " NOTE: This has the exact Microsoft subject but chains to your Root CA" "Yellow"
|
|
|
|
# Copy certificates to OEM directory
|
|
$OEMDir = ".\..\..\`$OEM`$\`$`$\OEM\"
|
|
if (Test-Path $OEMDir) {
|
|
Write-ColorOutput "`nCopying certificates to OEM directory..." "Yellow"
|
|
$certFilesToCopy = @(
|
|
"oxmc-servers-rootca.cer"
|
|
)
|
|
|
|
foreach ($file in $certFilesToCopy) {
|
|
if (Test-Path "$OutputPath\$file") {
|
|
copy-item "$OutputPath\$file" -Destination $OEMDir -Force
|
|
Write-ColorOutput "Copied: $file" "Green"
|
|
}
|
|
}
|
|
Write-ColorOutput "All certificates copied to OEM directory: $OEMDir" "Green"
|
|
} else {
|
|
Write-ColorOutput "WARNING: OEM directory not found: $OEMDir" "Yellow"
|
|
}
|
|
|
|
} catch {
|
|
Write-ColorOutput "Error: $($_.Exception.Message)" "Red"
|
|
Write-ColorOutput "Stack Trace: $($_.ScriptStackTrace)" "Red"
|
|
} |