CA SHA1升级SHA256脚本



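# Remember the caller's error preference so it can be restored at the end of the script.
$OldEAP = $ErrorActionPreference

# Fail fast: every cmdlet error becomes a terminating error that the try/catch blocks below handle.
$ErrorActionPreference = 'stop'

# Detect the OS release to choose which "certutil -store" output line identifies the CA certificate.
# The original test `$windows -gt "...2019" -or "...2016"` was always true (a non-empty string literal
# is truthy) and its else branch yielded a script block instead of the string "hash".
$windows = (Get-WmiObject -Class Win32_OperatingSystem).Caption

# 'sha1' selects the "Cert Hash(sha1):" lines on Server 2016/2019; every other release (the banner
# lists 2012/2012 R2) is filtered on the generic "hash" token. NOTE(review): releases newer than 2019
# fall into the 'hash' branch — confirm that is the intended behaviour before using it there.
$sha = if ($windows -match 'Windows Server (2016|2019)') { 'sha1' } else { 'hash' }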

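Function Add-LogEntry
{
    <#
    .SYNOPSIS
        Appends a timestamped line to the log file and echoes the same line to the pipeline.
    .PARAMETER LogLocation
        Path of the plain-text log file; created on first write, appended to afterwards.
    .PARAMETER LogMessage
        Text to record. The file is unencrypted, so never pass secrets (passwords, key material) here.
    .OUTPUTS
        System.String - the formatted "MM/dd/yyyy HH:mm:ss: message" line.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
        [string]$LogLocation,

        [Parameter(Position = 1, Mandatory = $True, ValueFromPipeline = $True)]
        [string]$LogMessage
    )

    # 'HH' is the 24-hour clock. The original 'hh' wrote 12-hour stamps with no AM/PM marker, so
    # 01:05 and 13:05 were indistinguishable when reconstructing the order of events from the log.
    $LogThis = "$(Get-Date -Format 'MM/dd/yyyy HH:mm:ss'): $LogMessage"
    $LogThis | Out-File -FilePath $LogLocation -Append
    Write-Output $LogThis
}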

# Banner printed before the first prompt: what the script does and which releases it targets.
@"
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: 此脚本将从 CSP 迁移 CA 密钥到 KSP,并设置 SHA256 以进行证书签名.
::
:: 能在 Windows 服务器 2019 2016 2012 或 2012 R2 上运行,其中 CA 配置了 CSP.
::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
"@ | Write-Output

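#region Set variables
# (The original had the bare text "设置变量" here, which PowerShell tried to run as a command.)

# Backup password. certutil only accepts it as a command-line argument, so it is visible to anyone
# who can list processes on this host while the backup/import/restore commands run. It is never
# written to the log.
$Password = Read-Host -Prompt '设置密钥备份'
if ([string]::IsNullOrWhiteSpace($Password))
{
    # An empty password would be dropped from the certutil argument list, turning the next switch
    # into the "password" and leaving the key backup unprotected or failing in a confusing way.
    Write-Error 'A backup password is required.'
    exit 1
}

$Drivename = Read-Host -Prompt '设置驱动器号[C:]'
if ([string]::IsNullOrWhiteSpace($Drivename))
{
    $Drivename = 'C:'
}

$Foldername = Read-Host -Prompt "Set folder name [CA-KSPMigration_$($env:computername)]"
if ([string]::IsNullOrWhiteSpace($Foldername))
{
    $Foldername = "CA-KSPMigration_$($env:computername)"
}

# Refuse to reuse an existing directory instead of deleting it: the original ran Remove-Item -Recurse
# -Force here, which would silently destroy a previous CA key backup — the only way to recover the
# private key if the migration below fails.
if (Test-Path -Path "$Drivename\$Foldername")
{
    Write-Error "Backup directory '$Drivename\$Foldername' already exists; choose another folder name or move it aside."
    exit 1
}
New-Item -ItemType Directory -Path "$Drivename\$Foldername"

# certutil prints the CA name as "<label>: <name>". Take everything after the first colon: the
# original kept only the last space-separated token, truncating CA names that contain spaces.
$caInfo = & certutil.exe -cainfo name
if ($LASTEXITCODE -ne 0)
{
    Write-Error "certutil -cainfo name failed with exit code $LASTEXITCODE"
    exit 1
}
$CAName = (@($caInfo)[0] -split ':', 2)[-1].Trim()
if ([string]::IsNullOrWhiteSpace($CAName))
{
    Write-Error 'Could not determine the CA name from certutil output.'
    exit 1
}

$Logpath = Read-Host -Prompt "Set log path [$($Drivename)\$($Foldername)\log.txt]"
if ([string]::IsNullOrWhiteSpace($Logpath))
{
    $Logpath = "$($Drivename)\$($Foldername)\log.txt"
}

Add-LogEntry $Logpath 'Variables configured'
# The password is deliberately NOT logged (the original wrote it in clear text to log.txt).
Add-LogEntry $Logpath "Drivename: $($Drivename)"
Add-LogEntry $Logpath "Foldername: $($Foldername)"
Add-LogEntry $Logpath "CAName: $($CAName)"
Add-LogEntry $Logpath "Logpath: $($Logpath)"
#endregion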

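#region Back up the existing CA
# Every step here must succeed before the CA certificate and private key are deleted further down.
try
{
    $backupDir = "$Drivename\$Foldername"
    Add-LogEntry $Logpath 'Performing full CA backup'

    # Call the native tools directly instead of through cmd.exe /c "...". The original interpolated
    # the password and paths into a cmd command line, so characters such as & | " or spaces would
    # have been interpreted by cmd.exe (argument truncation or command injection). A non-zero exit
    # from an external program does not trigger catch, so $LASTEXITCODE is checked explicitly.
    & certutil.exe -p $Password -backup $backupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Saved CA database and cert'

    & reg.exe export 'hklm\system\currentcontrolset\services\certsvc\configuration' "$backupDir\CA_Registry_Settings.reg" /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Saved reg keys'

    # CRLs live under the system root; the original hard-coded C:\Windows.
    Copy-Item -Path (Join-Path $env:SystemRoot 'System32\certsrv\certenroll\*.crl') -Destination $backupDir
    Add-LogEntry $Logpath 'Copied CRL files'

    & certutil.exe -catemplates | Out-File -FilePath "$backupDir\Published_templates.txt"
    if ($LASTEXITCODE -ne 0) { throw "certutil -catemplates failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Got list of published cert templates'

    Add-LogEntry $Logpath 'Finished full CA backup'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # Exit-PSHostProcess detaches a debugging session; it does not terminate this script. exit 1 does.
    exit 1
}
#endregion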

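#region Delete the existing certificate and private key
# Irreversible: after this block the only copy of the CA key is the PFX written by the backup above.
try
{
    Stop-Service -Name 'certsvc'
    Add-LogEntry $Logpath 'CA service stopped'

    # Dump the CA's certificate(s) once; the original ran certutil twice through cmd.exe.
    $storeDump = & certutil.exe -store My $CAName
    if ($LASTEXITCODE -ne 0) { throw "certutil -store failed with exit code $LASTEXITCODE" }

    # $sha (set at the top of the script) selects the "Cert Hash(...)" lines; the text after the
    # last colon is the thumbprint passed to -delstore.
    $CertSerial = $storeDump | Where-Object -FilterScript { $_ -match $sha }
    $CertSerial | Out-File -FilePath "$Drivename\$Foldername\CA_Certificates.txt"
    Add-LogEntry $Logpath 'Got CA cert serials'

    # "Provider = <CSP name>" lines identify the CSP that currently holds the key.
    $CertProvider = $storeDump | Where-Object -FilterScript { $_ -match 'provider' }
    $CertProvider | Out-File -FilePath "$Drivename\$Foldername\CSP.txt"
    Add-LogEntry $Logpath 'Got CA CSPs'

    # No match almost certainly means the CA name was mis-parsed or $sha is wrong for this release;
    # stop here rather than continue to the key deletion with nothing to migrate.
    if (-not $CertSerial -or -not $CertProvider)
    {
        throw "No certificate/provider lines matching '$sha' found in the My store for CA '$CAName'"
    }

    # Direct invocation: the original built these command lines for cmd.exe and its quoting was
    # corrupted (zero-width characters around the quotes), so arguments were not passed reliably.
    foreach ($line in $CertSerial)
    {
        $thumbprint = $line.Split(':')[-1].Trim(' ')
        & certutil.exe -delstore My $thumbprint
        if ($LASTEXITCODE -ne 0) { throw "certutil -delstore failed for '$thumbprint' with exit code $LASTEXITCODE" }
    }
    Add-LogEntry $Logpath 'Deleted CA certificates'

    foreach ($line in $CertProvider)
    {
        $providerName = $line.Split('=')[-1].Trim(' ')
        & certutil.exe -CSP $providerName -delkey $CAName
        if ($LASTEXITCODE -ne 0) { throw "certutil -delkey failed for CSP '$providerName' with exit code $LASTEXITCODE" }
    }
    Add-LogEntry $Logpath 'Deleted CA private keys'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # Exit-PSHostProcess does not terminate the script; exit 1 does.
    exit 1
}
#endregion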

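#region Import the key into the KSP and restore it to the CA
try
{
    $backupDir = "$Drivename\$Foldername"
    # certutil -backup names the PFX after the CA.
    $backupPfx = "$backupDir\$CAName.p12"
    $kspPfx = "$backupDir\NewCAKeys.p12"

    # Native calls instead of cmd.exe /c "...": the original quoting was corrupted by zero-width
    # characters and interpolated the password into a cmd command line. Exit codes are checked
    # because a failing external command would not reach catch on its own.
    & certutil.exe -p $Password -csp 'Microsoft Software Key Storage Provider' -importpfx $backupPfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Imported CA cert and keys into KSP'

    & certutil.exe -exportpfx -p $Password My $CAName $kspPfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportpfx failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Exported keys so they can be installed on the CA'

    & certutil.exe -p $Password -restorekey $kspPfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -restorekey failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Restored keys into CA'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # Exit-PSHostProcess does not terminate the script; exit 1 does.
    exit 1
}
#endregion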

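#region Create the required registry settings
# Two .reg files are generated and imported later: CSP (signing: KSP + SHA256) and EncryptionCSP.
try
{
    # Signing configuration: move the CA to the software KSP and sign with SHA256.
    $CSPreg = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\CSP]
"CNGHashAlgorithm"="SHA256"
"CNGPublicKeyAlgorithm"="RSA"
"HashAlgorithm"=dword:ffffffff
"MachineKeyset"=dword:00000001
"Provider"="Microsoft Software Key Storage Provider"
"ProviderType"=dword:00000000
"@
    # Explicit UTF-16LE: reg.exe reads "Version 5.00" files as Unicode, and this is only the default
    # Out-File encoding on Windows PowerShell — a non-ASCII $CAName would be garbled under UTF-8.
    $CSPreg | Out-File -FilePath "$Drivename\$Foldername\csp.reg" -Encoding Unicode
    Add-LogEntry $Logpath 'Created csp.reg'

    # Encryption (key archival / exchange) configuration. NOTE(review): 3DES (CALG 0x6603, 168-bit)
    # is what the original script chose; confirm it is still acceptable for your policy.
    $Encryptionreg = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\EncryptionCSP]
"CNGEncryptionAlgorithm"="3DES"
"CNGPublicKeyAlgorithm"="RSA"
"EncryptionAlgorithm"=dword:6603
"MachineKeyset"=dword:00000001
"Provider"="Microsoft Software Key Storage Provider"
"ProviderType"=dword:00000000
"SymmetricKeySize"=dword:000000a8
"@
    $Encryptionreg | Out-File -FilePath "$Drivename\$Foldername\encryption.reg" -Encoding Unicode
    Add-LogEntry $Logpath 'Created encryption.reg'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # Exit-PSHostProcess does not terminate the script; exit 1 does.
    exit 1
}
#endregion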

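#region Import the registry settings, renew the CA certificate and restart the service
# The original set 'SilentlyContinue' for this whole section, hiding any failure behind a
# successful-looking log line. Native tools such as reg.exe write informational text to stderr, so
# 'Continue' avoids spurious errors while each exit code is checked explicitly.
$ErrorActionPreference = 'Continue'
try
{
    $backupDir = "$Drivename\$Foldername"

    & reg.exe import "$backupDir\encryption.reg"
    if ($LASTEXITCODE -ne 0) { throw "reg import encryption.reg failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Imported encryption.reg'

    & reg.exe import "$backupDir\csp.reg"
    if ($LASTEXITCODE -ne 0) { throw "reg import csp.reg failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Imported csp.reg'

    Start-Service -Name 'certsvc' -ErrorAction Stop
    Add-LogEntry $Logpath 'Started certsvc'

    # Renew the CA certificate with the existing (now KSP-held) key so the new CA certificate is
    # issued under the SHA256 settings imported above.
    & certutil.exe -renewCert ReuseKeys
    if ($LASTEXITCODE -ne 0) { throw "certutil -renewCert ReuseKeys failed with exit code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Renewed CA certificate (ReuseKeys)'

    # The original comment says "restart" but called Start-Service, which is a no-op while the
    # service is already running; Restart-Service performs the restart the comment describes.
    Restart-Service -Name 'certsvc' -ErrorAction Stop
    Add-LogEntry $Logpath 'Restarted certsvc'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    exit 1
}
finally
{
    # Restore the caller's preference on every exit path.
    $ErrorActionPreference = $OldEAP
}
#endregion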
