Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/syntax-tm/PSCerts

A PowerShell module for managing certificates
https://github.com/syntax-tm/PSCerts

binary-module certificate certificates cmdlet csharp iis permissions pfx powershell security ssl x509 x509certificates

Last synced: 3 months ago
JSON representation

A PowerShell module for managing certificates

Awesome Lists containing this project

README

        
















A Powershell module for managing certificates.

## Install

```powershell
Install-Module -Name PSCerts
```

## TOC

- [Install](#install)
- [Commands](#commands)
- [Add-CertPermissions](#add-certpermissions)
- [Add-SiteBinding](#add-sitebinding)
- [Get-CertPermissions](#get-certpermissions)
- [Get-CertPrivateKey](#get-certprivatekey)
- [Get-CertSummary](#get-certsummary)
- [Set-CertFriendlyName](#set-certfriendlyname)
- [Building](#building)
- [Testing](#testing)
- [Unit Tests](#unit-tests)
- [In-Progress](#in-progress)
- [Backlog](#backlog)
- [Reference](#reference)
- [Additional Resources](#additional-resources)

## Commands

### Add-CertPermissions

Adds a [FileSystemAccessRule](https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemaccessrule) to a certificate's private key.

**Usage:**

```powershell
Add-CertPermissions [-Certificate] [-Identity] [-FileSystemRights] [[-AccessType] ]
Add-CertPermissions [-Certificate] [-Rule]
Add-CertPermissions [-Thumbprint] [-Identity] [-FileSystemRights] [[-AccessType] ]
Add-CertPermissions [-Thumbprint] [-Rule]
```

**Examples:**

```powershell
$cert = Get-Item Cert:\LocalMachine\My\10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae
Add-CertPermissions -Certificate $cert -Identity "Network Service" -FileSystemRights FullControl -AccessType Allow

Add-CertPermissions -Thumbprint "10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae" -Identity "Network Service" -FileSystemRights FullControl -AccessType Allow
```

**Returns:** `None`

---

### Add-SiteBinding

Adds or updates the SSL [Binding](https://learn.microsoft.com/en-us/dotnet/api/microsoft.web.administration.binding) of an IIS site.

**Usage:**

```powershell
Add-SiteBinding [-Certificate] [-Site] [[-BindingInformation] ] [[-SslFlags] ]
Add-SiteBinding [-Thumbprint] [-Site] [[-BindingInformation] ] [[-SslFlags] ]
Add-SiteBinding [-FilePath] [-Password] [-Site] [[-BindingInformation] ] [[-SslFlags] ]
Add-SiteBinding [-FilePath] [-SecurePassword] [-Site] [[-BindingInformation] ] [[-SslFlags] ]
```

**Examples:**

```powershell
# adds a new SSL binding for the default site
Add-SiteBinding -Thumbprint '10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae' -Site 'Default Web Site'
```

**Returns:** [CertBinding](./src/PSCerts/Models/CertBinding.cs)

---

### Get-CertPermissions

Returns the access control and audit security for a certificate's private key.

```powershell
Get-CertPermissions [-Certificate]
Get-CertPermissions [-Thumbprint]
```

**Examples:**

```powershell
$cert = Get-Item Cert:\LocalMachine\My\10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae
Get-CertPermissions -Certificate $cert

Get-CertPermissions -Thumbprint '10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae'
```

**Returns:** [List\](./src/PSCerts/Models/CertAccessRule.cs)

---

### Get-CertPrivateKey

Determines the name and location of the certificate's private key.

**Usage:**

```powershell
Get-CertPrivateKey [-Certificate]
Get-CertPrivateKey [-Thumbprint]
```

**Examples:**

```powershell
$cert = Get-Item Cert:\LocalMachine\My\10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae
Get-CertPrivateKey -Certificate $cert

Get-CertPrivateKey -Thumbprint '10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae'
```

**Returns:** [FileInfo](https://learn.microsoft.com/en-us/dotnet/api/system.io.fileinfo)

---

### Get-CertSummary

Returns information about the currently installed certificates.

**Usage:**

```powershell
Get-CertSummary [-WithPrivateKey]
```

**Examples:**

```powershell
Get-CertSummary
Get-CertSummary -WithPrivateKey
```

**Returns:** [List\](/src/PSCerts/Models/Summary/CertSummaryItem.cs)

---

### Set-CertFriendlyName

Updates the [FriendlyName](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.friendlyname) of an [X509Certificate2](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2).

**Usage:**

```powershell
Set-CertFriendlyName [-Certificate] [-FriendlyName]
Set-CertFriendlyName [-Thumbprint] [-FriendlyName]
```

**Examples:**

```powershell
Set-CertFriendlyName -Thumbprint '10df834fc47ddfc4d069d2e4fe79e4bf1d6d4dae' -FriendlyName "My Test Cert"
```

**Returns:** [X509Certificate2](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2)

---

## Building

The `build.ps1` script will build and publish both the CLR (`net462`) and Core CLR (`netstandard2.0`) frameworks.

```powershell
.\src\scripts\build.ps1
```

Once that is done, the module and all required assemblies, type data, manifest, etc will be in the `src\publish` directory. If you are wanting to import the module you can use this directory but it's recommended to use the [Test](#test) script.

## Testing

Because **PSCerts** is a binary module, importing the assembly from the build or publish directory will keep you from being able to buiild and/or deploy. Simply removing the module from the session with `Remove-Module` is **not** enough to remove the actual assembly reference. To get around this, `test.ps1` will run `build.ps1` and copy everything to `src\test`. You can load the assembly from the `test` path and still be able run build and publish.

If you are developing in VSCode, which is recommnded, you can configure the PowerShell add-on to create a temporary console for each debugging session. This prevents locking the binary and the script will automatically re-import the module with each session.

```json
"powershell.debugging.createTemporaryIntegratedConsole": true
```

### Unit Tests

`PSCerts.Tests` is the unit testing project. It's very much a work-in-progress.

---

## In-Progress

Import-Certs

**certfile (Required):** The path to a certificate file
**stores (Required):** One or more stores the certificate will be imported to
**permissions:** File permissions for the private key (Optional)
**password:** The password for the certificate.

The `type` indicates how to handle the `value` property (see below).

- Type: `text`
- The value is the password. (Not recommended)
- [Example](/docs/examples/ImportCerts/basic.json)
- Type: `file`
- The value is the path to a file that contains the password.
- [Example](/docs/examples/ImportCerts/passwordFromFile.json)
- Type: `env`
- The value is the name of an environment variable containing the password.
- [Example](/docs/examples/ImportCerts/passwordFromEnv.json)

## Backlog

- [ ] Finish documentation for `Import-Certs`
- [ ] Add Cmdlet help information
- [ ] Add unit tests
- [ ] Add version history, release notes, etc. to the module manifest
- [ ] Move non-Cmdlet code to a separate project
- [ ] Create NuGet package for the core functionality
- [ ] Come up with better names for the model classes (and others)
- [ ] Create documentation (wiki)

## Reference

- [Version History](/CHANGELOG.txt)

## Additional Resources

- [Key Storage and Retrieval](https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval)