Functions/New-RsaKeyPair.ps1

# Copyright 2012 Aaron Jensen
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

function New-RsaKeyPair
{
    <#
    .SYNOPSIS
    Generates a public/private RSA key pair.
 
    .DESCRIPTION
    Uses the `makecert.exe` and `pvk2pfx.exe` programs to generate a public/private RSA key pair, and saves each to files of your choosing. The public key is saved as an X509Certificate. The private key is saved as a PFX file. Both can be loaded by .NET's `X509Certificate` class. Returns `System.IO.FileInfo` objects for the public and private key, in that order.
 
    You will be prompted for the private key password. Once when creating the private key, once to save it to a file, and finally to export it to a PFX file. Sorry about that: the `makecert.exe` tool doesn't have an password command-line parameter. The first two prompts will be GUIs, so you can't run this command headless. To create a password-less private key, click "None" when prompted for the private key password, and leave the other password prompts blank.
 
    `makecert.exe` and `pvk2pfx.exe` are part of the Windows SDK. They can be downloaded from the following locations:
 
      * [Windows 7](http://www.microsoft.com/en-us/download/details.aspx?id=8279)
      * [Windows 8](http://msdn.microsoft.com/en-us/windows/desktop/hh852363.aspx)
      * [Windows 8.1](http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx)
 
    .OUTPUTS
    System.IO.FileInfo
 
    .LINK
    http://www.microsoft.com/en-us/download/details.aspx?id=8279
 
    .LINK
    http://msdn.microsoft.com/en-us/windows/desktop/hh852363.aspx
 
    .LINK
    http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx
 
    .EXAMPLE
    New-RsaKeyPair -Subject 'CN=MyName' -PublicKeyFile 'MyName.cer' -PrivateKeyFile 'MyName.pfx'
 
    Demonstrates the minimal parameters needed to generate a key pair. The key will use a sha512 signing algorithm, have a length of 4096 bits, expire on `DateTime::MaxValue`, as an `individual` authority. The public key will be saved in the current directory as `MyName.cer`. The private key will be saved to the current directory as `MyName.pfx`.
 
    .EXAMPLE
    New-RsaKeyPair -Subject 'CN=MyName' -PublicKeyFile 'MyName.cer' -PrivateKeyFile 'MyName.pfx' -Algorithm 'sha1' -ValidFrom (Get-Date -Year 2015 -Month 1 -Day 1) -ValidTo (Get-Date -Year 2015 -Month 12 -Day 31) -Length 1024 -Authority 'commercial'
 
    Demonstrates how to use all the parameters to create a truly customized key pair. The generated certificate will use the sha1 signing algorithm, becomes effective 1/1/2015, expires 12/31/2015, is 1024 bits in length, as specifies `commercial` as the signing authority.
    #>

    [OutputType([IO.FileInfo])]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true,Position=0)]
        [string]
        # The key's subject. Should be of the form `CN=Name,OU=Name,O=SuperMagicFunTime,ST=OR,C=US`. Only the `CN=Name` part is required.
        $Subject,

        [ValidateSet('md5','sha1','sha256','sha384','sha512')]
        [string]
        # The signature algorithm. Default is `sha512`.
        $Algorithm = 'sha512',

        [DateTime]
        # The date/time the keys will become valid. Default is now.
        $ValidFrom = (Get-Date),

        [DateTime]
        # The date/time the keys should expire. Default is `DateTime::MaxValue`.
        $ValidTo = ([DateTime]::MaxValue),

        [int]
        # The length, in bits, of the generated key length. Default is `4096`.
        $Length = 4096,

        [ValidateSet('commercial','individual')]
        [string]
        # The signing authority of the certificate. Must be `commercial` (for certificates used by commercial software publishers) or `individual`, for certificates used by individual software publishers. Default is `individual`.
        $Authority = 'individual',

        [Parameter(Mandatory=$true,Position=1)]
        [string]
        # The file where the public key should be stored. Saved as an X509 certificate.
        $PublicKeyFile,

        [Parameter(Mandatory=$true,Position=2)]
        [string]
        # The file where the private key should be stored. The private key will be saved as an X509 certificate in PFX format and will include the public key.
        $PrivateKeyFile,

        [Switch]
        # Overwrites `PublicKeyFile` and/or `PrivateKeyFile`, if they exist.
        $Force
    )

    Set-StrictMode -Version 'Latest'

    Use-CallerPreference -Cmdlet $PSCmdlet -Session $ExecutionContext.SessionState

    function Find-WindowsSdkCommand
    {
        param(
            [Parameter(Mandatory=$true)]
            [string]
            $Name
        )

        Set-StrictMode -Version 'Latest'

        $item = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Microsoft SDKs\Windows' | 
                    Get-ItemProperty -Name 'InstallationFolder' |
                    Select-Object -ExpandProperty 'InstallationFolder' |
                    ForEach-Object { Join-Path -Path $_ -ChildPath ('Bin\{0}' -f $Name) } |
                    Where-Object { Test-Path -Path $_ -PathType Leaf } |
                    Get-Item |
                    Sort-Object -Property { $_.VersionInfo.ProductVersion } -Descending |
                    Select-Object -First 1

        if( -not $item )
        {
            Write-Error ('Command ''{0}'' not found. Please install a Windows SDK.' -f $Name)
            return
        }
        Write-Verbose ('{0} v{1}' -f $item.FullName,$item.VersionInfo.ProductVersion)
     
         $item   
    }

    function Resolve-KeyPath
    {
        param(
            [Parameter(Mandatory=$true)]
            [string]
            $Path
        )

        Set-StrictMode -Version 'Latest'

        $Path = Resolve-FullPath -Path $Path

        if( (Test-Path -Path $Path -PathType Leaf) )
        {
            if( -not $Force )
            {
                Write-Error ('File ''{0}'' exists. Use the -Force switch to overwrite.' -f $Path)
                return
            }
        }
        else
        {
            $root = Split-Path -Parent -Path $Path
            if( -not (Test-Path -Path $root -PathType Container) )
            {
                New-Item -Path $root -ItemType 'Directory' -Force | Out-Null
            }
        }

        return $Path
    }

    $PublicKeyFile = Resolve-KeyPath -Path $PublicKeyFile
    if( -not $PublicKeyFile )
    {
        return
    }

    $PrivateKeyFile = Resolve-KeyPath -Path $PrivateKeyFile
    if( -not $PrivateKeyFile )
    {
        return
    }

    if( (Test-Path -Path $PrivateKeyFile -PathType Leaf) )
    {
        if( -not $Force )
        {
            Write-Error ('Private key file ''{0}'' exists. Use the -Force switch to overwrite.' -f $PrivateKeyFile)
            return
        }
    }

    $tempDir = '{0}-{1}' -f (Split-Path -Leaf -Path $PSCommandPath),([IO.Path]::GetRandomFileName())
    $tempDir = Join-Path -Path $env:TEMP -ChildPath $tempDir
    New-Item -Path $tempDir -ItemType 'Directory' | Out-Null

    try
    {
        $makeCert = Find-WindowsSdkCommand 'makecert.exe'
        if( -not $makeCert )
        {
            return
        }

        $pvk2pfx = Find-WindowsSdkCommand 'pvk2pfx.exe'
        if( -not $pvk2pfx )
        {
            return
        }

        $privateKeyPath = Join-Path -Path $tempDir -ChildPath 'private.pkv'
        $output = & $makeCert.FullName -r `
                             -a $Algorithm `
                             -sky 'exchange' `
                             -n $Subject `
                             -pe `
                             -sv $privateKeyPath `
                             -len $Length `
                             -b ($ValidFrom.ToString('MM/dd/yyyy')) `
                             -e ($ValidTo.ToString('MM/dd/yyyy')) `
                             '-$' $Authority `
                             $PublicKeyFile
        if( $LASTEXITCODE )
        {
            Write-Error ('Failed to create public/private key pair:{0}{1}' -f ([Environment]::NewLine),($output -join ([Environment]::NewLine)))
            return
        }
        else
        {
            $output | Write-Verbose
        }

        $password = Read-Host -Prompt 'Enter private key password' -AsSecureString
        $password = Convert-SecureStringToString $password
        $passwordArgName = ''
        $passwordArgValue = ''
        if( $password )
        {
            $passwordArgName = '-pi'
            $passwordArgValue = $password
        }

        $output = & $pvk2pfx.FullName -pvk $privateKeyPath -spc $PublicKeyFile -pfx $PrivateKeyFile $passwordArgName $passwordArgValue -f
        if( $LASTEXITCODE )
        {
            Write-Error ('Failed to create PFX file for public/key pair:{0}{1}' -f ([Environment]::NewLine),($output -join ([Environment]::NewLine)))
            return
        }
        else
        {
            $output | Write-Verbose
        }

        Get-Item $PublicKeyFile
        Get-Item $PrivateKeyFile
    }
    finally
    {
        Remove-Item -Path $tempDir -Recurse
    }
}