Public/New-IntermediateCA.ps1
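<#
.Synopsis
    Creates a Certificate Signing Request (CSR) for an Intermediate CA Certificate that SCEPman shall use
.Parameter SCEPmanAppServiceName
    The name of the existing SCEPman App Service.
.Parameter SCEPmanResourceGroup
    The Azure resource group hosting the SCEPman App Service. Leave empty for auto-detection.
.Parameter SearchAllSubscriptions
    Set this flag to search all subscriptions for the SCEPman App Service. Otherwise, pre-select the right subscription in az or pass in the correct SubscriptionId.
.Parameter SubscriptionId
    The ID of the Subscription where SCEPman is installed. Can be omitted if it is pre-selected in az already or use the SearchAllSubscriptions flag to search all accessible subscriptions
.Parameter GraphBaseUri
    URI of Microsoft Graph. This is https://graph.microsoft.com/ for the global cloud (default) and https://graph.microsoft.us/ for the GCC High cloud.
.Outputs
    The CSR object returned by New-IntermediateCaCsr, written to the pipeline.
.Example
    # Configure SCEPman in your tenant where the app service name is as-scepman
    $csr = New-IntermediateCA -SCEPmanAppServiceName as-scepman
#>
function New-IntermediateCA {
    [CmdletBinding()]
    param(
        $SCEPmanAppServiceName,
        $SCEPmanResourceGroup,
        [switch]$SearchAllSubscriptions,
        $SubscriptionId,
        $GraphBaseUri = 'https://graph.microsoft.com'
    )

    $version = $MyInvocation.MyCommand.ScriptBlock.Module.Version
    Write-Verbose "Invoked $($MyInvocation.MyCommand)"
    Write-Information "SCEPman Module version $version on PowerShell $($PSVersionTable.PSVersion)"

    $cliVersion = [Version]::Parse((GetAzVersion).'azure-cli')
    Write-Information "Detected az version: $cliVersion"

    if ([String]::IsNullOrWhiteSpace($SCEPmanAppServiceName)) {
        $SCEPmanAppServiceName = Read-Host "Please enter the SCEPman app service name"
    }

    $GraphBaseUri = $GraphBaseUri.TrimEnd('/')

    Write-Information "Configuring SCEPman and CertMaster"
    Write-Information "Logging in to az"
    $null = AzLogin

    Write-Information "Getting subscription details"
    $subscription = GetSubscriptionDetails -AppServiceName $SCEPmanAppServiceName -SearchAllSubscriptions $SearchAllSubscriptions.IsPresent -SubscriptionId $SubscriptionId
    Write-Information "Subscription is set to $($subscription.name)"

    Write-Information "Setting resource group"
    if ([String]::IsNullOrWhiteSpace($SCEPmanResourceGroup)) {
        # No resource group given, search for it now
        $SCEPmanResourceGroup = GetResourceGroup -SCEPmanAppServiceName $SCEPmanAppServiceName
        Write-Information "Found resource group $SCEPmanResourceGroup"
    }

    $vaultUrl = FindConfiguredKeyVaultUrl -SCEPmanAppServiceName $SCEPmanAppServiceName -SCEPmanResourceGroup $SCEPmanResourceGroup
    # Each value is passed to az as its own argument, so no quoting of the app service or resource group name is needed here.
    $certificateName = az webapp config appsettings list --name $SCEPmanAppServiceName --resource-group $SCEPmanResourceGroup --query "[?name=='AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName'].value | [0]" --output tsv
    if ([String]::IsNullOrWhiteSpace($certificateName)) {
        # Fail here with a clear message instead of requesting a certificate with an empty name further down.
        throw "App setting AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName is not set on $SCEPmanAppServiceName; cannot determine which Key Vault certificate to request"
    }
    Write-Information "Found Key Vault configuration with URL $vaultUrl and certificate name $certificateName. Creating certificate request in Key Vault ..."

    # Work on a deep copy of the template. $global:subCaPolicy is a reference type, so replacing
    # {{TenantId}} directly on it would remove the placeholder for every later call in this session
    # and silently reuse the first tenant id. The JSON round-trip assumes the policy is plain data
    # (presumably it is serialised to JSON for Key Vault anyway — confirm against New-IntermediateCaCsr).
    $policy = $global:subCaPolicy | ConvertTo-Json -Depth 32 | ConvertFrom-Json
    $policy.policy.x509_props.subject = $policy.policy.x509_props.subject.Replace('{{TenantId}}', $subscription.tenantId)

    $csr = New-IntermediateCaCsr -vaultUrl $vaultUrl -certificateName $certificateName -policy $policy
    Write-Information "Created a CSR. Submit the CSR to a CA and merge the signed certificate in the Azure Portal"
    Write-Output $csr
}

<#
.Synopsis
    Returns the certificate policy template currently used by New-IntermediateCA.
#>
function Get-IntermediateCaPolicy () {
    return $global:subCaPolicy
}

<#
.Synopsis
    Replaces the certificate policy template used by New-IntermediateCA.
.Parameter Policy
    The policy object; New-IntermediateCA substitutes the {{TenantId}} placeholder in its policy.x509_props.subject.
#>
function Set-IntermediateCaPolicy () {
    [CmdletBinding()]
    param(
        $Policy
    )
    $global:subCaPolicy = $Policy
}

<#
.Synopsis
    Resets the Intermediate CA policy template to the RSA default, optionally appending an Organization (O=) to the subject.
.Parameter Organization
    Organization name to append as O=<value>. Characters that are special in an X.500 distinguished name
    are escaped so the value cannot introduce additional RDNs or attributes into the subject.
#>
function Reset-IntermediateCaPolicy () {
    [CmdletBinding()]
    param(
        $Organization
    )
    $policy = Get-RsaDefaultPolicy
    if (-not [string]::IsNullOrWhiteSpace($Organization)) {
        # RFC 4514 escaping. The backslash is escaped in the same pass as the separators , + " < > ;
        # so nothing is escaped twice; a leading '#' or space and a trailing space are escaped too.
        # In the replacement string '\$1' is a literal backslash followed by the matched character.
        $Organization = $Organization -replace '([\\,+"<>;])', '\$1'
        $Organization = $Organization -replace '^([# ])', '\$1' -replace '( )$', '\$1'
        $policy.policy.x509_props.subject += ",O=$Organization"
    }
    Set-IntermediateCaPolicy -Policy $policy
}

# Initialise the template when this file is loaded.
Reset-IntermediateCaPolicy |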