2022-09-16
CA SHA1升级SHA256脚本
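# Remember the caller's error preference so it can be restored at the end, then make
# every cmdlet error terminating so the try/catch blocks below actually see them.
$OldEAP = $ErrorActionPreference
$ErrorActionPreference = 'stop'
# Detect the OS edition and choose the token used later to pick the certificate lines out
# of `certutil -store` output: 'sha1' on Server 2016/2019, the generic 'hash' on older releases
# (presumably because certutil labels the thumbprint line differently across releases — confirm).
# The original test `-gt "…2019" -or "…2016"` was always true (a non-empty string is truthy)
# and its else-branch returned a script block instead of a string.
$windows = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$sha = if ($windows -match 'Windows Server (2016|2019)') { 'sha1' } else { 'hash' }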
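Function Add-LogEntry
{
    <#
    .SYNOPSIS
        Appends one timestamped line to the log file and also emits it to the pipeline.
    .PARAMETER LogLocation
        Path of the log file. Created on first write, appended to afterwards.
    .PARAMETER LogMessage
        Text recorded after the timestamp.
    .OUTPUTS
        System.String - the exact line that was written to the file.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
        [string]$LogLocation,
        [Parameter(Position = 1, Mandatory = $True, ValueFromPipeline = $True)]
        [string]$LogMessage
    )
    # HH (24-hour) instead of hh: a 12-hour stamp with no AM/PM marker is ambiguous in a log.
    $LogThis = "$(Get-Date -Format 'MM/dd/yyyy HH:mm:ss'): $LogMessage"
    $LogThis | Out-File -FilePath $LogLocation -Append
    Write-Output -InputObject $LogThis
}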
# User-facing banner describing the migration; the text is emitted verbatim.
$Banner = @"
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: 此脚本将从 CSP 迁移 CA 密钥到 KSP,并设置 SHA256 以进行证书签名.
::
:: 能在 Windows 服务器 2019 2016 2012 或 2012 R2 上运行,其中 CA 配置了 CSP.
::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
"@
$Banner | Write-Output
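#region Set variables
# (The original had the region title as a bare line, which the shell tried to run as a command.)
# The PFX password has to reach certutil.exe as a command-line argument, so it is read as plain
# text; be aware it will be visible in process listings for the duration of each certutil call.
$Password = Read-Host -Prompt '设置密钥备份'
$Drivename = Read-Host -Prompt '设置驱动器号[C:]'
if ([string]::IsNullOrWhiteSpace($Drivename))
{
    $Drivename = 'C:'
}
$Foldername = Read-Host -Prompt "Set folder name [CA-KSPMigration_$($env:computername)]"
if ([string]::IsNullOrWhiteSpace($Foldername))
{
    $Foldername = "CA-KSPMigration_$($env:computername)"
}
$BackupDir = "$Drivename\$Foldername"
# A leftover folder from a previous run is discarded so the backup starts in an empty directory.
if (Test-Path -Path $BackupDir)
{
    Remove-Item -Path $BackupDir -Recurse -Force
}
New-Item -ItemType Directory -Path $BackupDir
# certutil prints the CA name on its first output line; the last space-separated token is kept,
# so a CA name containing spaces would be truncated here (kept as in the original — confirm for your CA).
$CAInfo = @(& certutil.exe -cainfo name)
if ($LASTEXITCODE -ne 0)
{
    throw "certutil -cainfo failed with exit code $LASTEXITCODE"
}
$CAName = $CAInfo[0].Split(' ')[-1]
$Logpath = Read-Host -Prompt "Set log path [$($BackupDir)\log.txt]"
if ([string]::IsNullOrWhiteSpace($Logpath))
{
    $Logpath = "$($BackupDir)\log.txt"
}
Add-LogEntry $Logpath 'Variables configured'
# The password is deliberately NOT logged: the log lands in the same folder as the .p12 files
# it protects, so recording it there would defeat the PFX encryption.
Add-LogEntry $Logpath "Drivename: $($Drivename)"
Add-LogEntry $Logpath "Foldername: $($Foldername)"
Add-LogEntry $Logpath "CAName: $($CAName)"
Add-LogEntry $Logpath "Logpath: $($Logpath)"
#endregion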
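#region Back up the existing CA
try
{
    Add-LogEntry $Logpath 'Performing full CA backup'
    # Call the tools directly instead of through `cmd.exe /c "…"`: the password and paths are
    # then passed as discrete arguments and are not re-parsed by the cmd shell. Native exit
    # codes are not turned into exceptions by $ErrorActionPreference, so check them explicitly —
    # a failed backup must not fall through to the destructive steps that follow.
    & certutil.exe -p $Password -backup "$Drivename\$Foldername"
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup exited with code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Saved CA database and cert'
    & reg.exe export 'hklm\system\currentcontrolset\services\certsvc\configuration' "$Drivename\$Foldername\CA_Registry_Settings.reg" /y
    if ($LASTEXITCODE -ne 0) { throw "reg export exited with code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Saved reg keys'
    # $env:windir rather than a hard-coded C:\Windows, in case the system drive differs.
    Copy-Item -Path "$env:windir\System32\certsrv\certenroll\*.crl" -Destination "$Drivename\$Foldername"
    Add-LogEntry $Logpath 'Copied CRL files'
    & certutil.exe -catemplates | Out-File -FilePath "$Drivename\$Foldername\Published_templates.txt"
    if ($LASTEXITCODE -ne 0) { throw "certutil -catemplates exited with code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Got list of published cert templates'
    Add-LogEntry $Logpath 'Finished full CA backup'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # Exit-PSHostProcess only ends an Enter-PSHostProcess session; it does not stop this script,
    # so the original would have continued into the certificate/key deletion after a failed backup.
    exit 1
}
#endregion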
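#region Remove the existing certificates and keys
try
{
    Stop-Service -Name 'certsvc'
    Add-LogEntry $Logpath 'CA service stopped'
    # One store listing serves both filters below (the original ran certutil twice).
    $StoreListing = @(& certutil.exe -store My $CAName)
    if ($LASTEXITCODE -ne 0) { throw "certutil -store exited with code $LASTEXITCODE" }
    # $sha is 'sha1' or 'hash' (chosen by OS edition at the top of the script) and selects the
    # thumbprint lines of the listing.
    $CertSerial = $StoreListing | Where-Object -FilterScript { $_ -match $sha }
    $CertSerial | Out-File -FilePath "$Drivename\$Foldername\CA_Certificates.txt"
    Add-LogEntry $Logpath 'Got CA cert serials'
    $CertProvider = $StoreListing | Where-Object -FilterScript { $_ -match 'provider' }
    $CertProvider | Out-File -FilePath "$Drivename\$Foldername\CSP.txt"
    Add-LogEntry $Logpath 'Got CA CSPs'
    foreach ($line in $CertSerial)
    {
        # Assumes the matched line ends in "<label>: <hex thumbprint>"; the hex is passed as a
        # single argument with its internal spaces removed so certutil sees one CertId, not
        # several words as happened when the string went through cmd.exe.
        $certId = $line.Split(':')[-1] -replace '\s', ''
        & certutil.exe -delstore My $certId
        if ($LASTEXITCODE -ne 0) { throw "certutil -delstore $certId exited with code $LASTEXITCODE" }
    }
    Add-LogEntry $Logpath 'Deleted CA certificates'
    foreach ($line in $CertProvider)
    {
        # Lines look like "Provider = <CSP name>"; the CSP name may contain spaces, so it is
        # passed as one quoted argument.
        $csp = $line.Split('=')[-1].Trim(' ')
        & certutil.exe -CSP $csp -delkey $CAName
        if ($LASTEXITCODE -ne 0) { throw "certutil -delkey via '$csp' exited with code $LASTEXITCODE" }
    }
    Add-LogEntry $Logpath 'Deleted CA private keys'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # exit, not Exit-PSHostProcess: the latter does not terminate a script (see backup step).
    exit 1
}
#endregion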
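#region Import the key into the KSP and restore it to the CA
try
{
    # `certutil -backup` (backup step) writes the CA cert and key as <CAName>.p12 in the backup folder.
    # Direct invocation keeps the password and paths as discrete arguments (no cmd.exe re-parsing)
    # and lets the native exit code be checked — $ErrorActionPreference does not cover it.
    & certutil.exe -p $Password -csp 'Microsoft Software Key Storage Provider' -importpfx "$Drivename\$Foldername\$CAName.p12"
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx exited with code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Imported CA cert and keys into KSP'
    & certutil.exe -exportpfx -p $Password My $CAName "$Drivename\$Foldername\NewCAKeys.p12"
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportpfx exited with code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Exported keys so they can be installed on the CA'
    & certutil.exe -p $Password -restorekey "$Drivename\$Foldername\NewCAKeys.p12"
    if ($LASTEXITCODE -ne 0) { throw "certutil -restorekey exited with code $LASTEXITCODE" }
    Add-LogEntry $Logpath 'Restored keys into CA'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # exit, not Exit-PSHostProcess: the latter does not terminate a script.
    exit 1
}
#endregion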
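#region Create the required registry settings files
try
{
    # Point the CA's CSP configuration at the software KSP with SHA256 as the CNG hash algorithm.
    # Registry values below are the original's and are kept verbatim.
    $CSPreg = @"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\CSP]
"CNGHashAlgorithm"="SHA256"
"CNGPublicKeyAlgorithm"="RSA"
"HashAlgorithm"=dword:ffffffff
"MachineKeyset"=dword:00000001
"Provider"="Microsoft Software Key Storage Provider"
"ProviderType"=dword:00000000
"@
    # .reg files for reg.exe are UTF-16LE ("Unicode"). Pin the encoding instead of relying on
    # Out-File's default, which differs between Windows PowerShell (UTF-16LE) and PowerShell 7 (UTF-8).
    $CSPreg | Out-File -FilePath "$Drivename\$Foldername\csp.reg" -Encoding Unicode
    Add-LogEntry $Logpath 'Created csp.reg'
    # NOTE(review): 3DES / 0xa8 (168-bit) are the original's choices for the encryption CSP;
    # they are legacy algorithms — consider AES if your environment permits.
    $Encryptionreg = @"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\EncryptionCSP]
"CNGEncryptionAlgorithm"="3DES"
"CNGPublicKeyAlgorithm"="RSA"
"EncryptionAlgorithm"=dword:6603
"MachineKeyset"=dword:00000001
"Provider"="Microsoft Software Key Storage Provider"
"ProviderType"=dword:00000000
"SymmetricKeySize"=dword:000000a8
"@
    $Encryptionreg | Out-File -FilePath "$Drivename\$Foldername\encryption.reg" -Encoding Unicode
    Add-LogEntry $Logpath 'Created encryption.reg'
}
catch [Exception]
{
    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"
    # exit, not Exit-PSHostProcess: the latter does not terminate a script.
    exit 1
}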
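# The original runs the registry import and service start best-effort with errors suppressed;
# that is kept, but each tool's exit code is written to the log so a silent failure is visible.
$ErrorActionPreference = 'SilentlyContinue'
& reg.exe import "$Drivename\$Foldername\encryption.reg"
Add-LogEntry $Logpath "Imported encryption.reg (reg.exe exit code $LASTEXITCODE)"
& reg.exe import "$Drivename\$Foldername\csp.reg"
Add-LogEntry $Logpath "Imported csp.reg (reg.exe exit code $LASTEXITCODE)"
Start-Service -Name 'certsvc'
Add-LogEntry $Logpath 'Started certsvc'
#endregion
$ErrorActionPreference = $OldEAP
# Renew the CA certificate keeping the existing key pair, so the renewed certificate is issued
# under the KSP/SHA256 settings imported above (original intent — confirm against your CA policy).
& certutil.exe -renewCert ReuseKeys
Add-LogEntry $Logpath "certutil -renewCert ReuseKeys exit code $LASTEXITCODE"
# Restart the certificate service (harmless if -renewCert already brought it back up).
Start-Service -Name 'certsvc'
Add-LogEntry $Logpath 'Migration script finished'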