| | | 1 | | <# |
| | | 2 | | .SYNOPSIS |
| | | 3 | | Creates a self-signed certificate or localhost development certificate bundle. |
| | | 4 | | .DESCRIPTION |
| | | 5 | | New-KrSelfSignedCertificate generates a single self-signed certificate for development or testing, |
| | | 6 | | or, when -Development is specified, creates a localhost development bundle consisting of a CA |
| | | 7 | | root certificate and an issued leaf certificate. On Windows, you can optionally trust the |
| | | 8 | | generated or supplied development root certificate in the CurrentUser Root store. |
| | | 9 | | .PARAMETER DnsNames |
| | | 10 | | The DNS name(s) for the certificate. In development mode, if omitted, localhost loopback names |
| | | 11 | | are used by default. |
| | | 12 | | .PARAMETER KeyType |
| | | 13 | | The type of key to use for the certificate (RSA or ECDSA). |
| | | 14 | | .PARAMETER KeyLength |
| | | 15 | | The length of the key in bits (only applicable for RSA). |
| | | 16 | | .PARAMETER ValidDays |
| | | 17 | | The number of days the (non-development) certificate will be valid. |
| | | 18 | | In development mode, use -LeafValidDays and -RootValidDays. |
| | | 19 | | .PARAMETER KeyUsage |
| | | 20 | | Optional X.509 Key Usage flags to apply to the certificate. |
| | | 21 | | .PARAMETER CertificateAuthority |
| | | 22 | | Creates a CA certificate suitable for signing child certificates. |
| | | 23 | | .PARAMETER IssuerCertificate |
| | | 24 | | An optional issuer/root certificate used to sign the generated certificate. The issuer must include a private ke |
| | | 25 | | .PARAMETER Development |
| | | 26 | | Creates a localhost development bundle consisting of a CA root certificate and an issued leaf certificate. |
| | | 27 | | .PARAMETER RootCertificate |
| | | 28 | | An optional CA root certificate used to sign the generated development leaf certificate. |
| | | 29 | | .PARAMETER RootName |
| | | 30 | | The subject common name to use when creating a new development root certificate. |
| | | 31 | | .PARAMETER LeafValidDays |
| | | 32 | | The number of days the generated development leaf certificate is valid. |
| | | 33 | | .PARAMETER RootValidDays |
| | | 34 | | The number of days a generated development root certificate is valid. |
| | | 35 | | .PARAMETER TrustRoot |
| | | 36 | | If specified with -Development on Windows, adds the development root certificate to the CurrentUser Root store. |
| | | 37 | | On non-Windows platforms, this cmdlet writes a warning and continues without trusting the root certificate. |
| | | 38 | | .PARAMETER WhatIf |
| | | 39 | | When -TrustRoot is specified, shows the pending trust-store change and skips adding the |
| | | 40 | | development root to the Windows CurrentUser Root certificate store. |
| | | 41 | | .PARAMETER Confirm |
| | | 42 | | When -TrustRoot is specified, prompts for confirmation before adding the development root |
| | | 43 | | certificate to the Windows CurrentUser Root certificate store. |
| | | 44 | | .PARAMETER Ephemeral |
| | | 45 | | Indicates whether the certificate is ephemeral (temporary). |
| | | 46 | | .PARAMETER Exportable |
| | | 47 | | Indicates whether the private key is exportable. |
| | | 48 | | .EXAMPLE |
| | | 49 | | New-KrSelfSignedCertificate -DnsNames 'example.com' -KeyUsage DigitalSignature,KeyEncipherment |
| | | 50 | | |
| | | 51 | | This example creates a self-signed certificate and applies explicit key-usage flags using PowerShell-friendly en |
| | | 52 | | .EXAMPLE |
| | | 53 | | $bundle = New-KrSelfSignedCertificate -Development -TrustRoot |
| | | 54 | | |
| | | 55 | | Creates a development root CA, issues a localhost leaf certificate from it, trusts the root in the |
| | | 56 | | CurrentUser Root store on Windows, and returns the private root, public-only root, and leaf certificates. |
| | | 57 | | .EXAMPLE |
| | | 58 | | $root = Import-KrCertificate -FilePath './certs/dev-root.pfx' -Password $password |
| | | 59 | | $bundle = New-KrSelfSignedCertificate -Development -RootCertificate $root -DnsNames 'localhost','127.0.0.1','::1 |
| | | 60 | | |
| | | 61 | | Reuses an existing development root certificate to issue a new localhost leaf certificate. |
| | | 62 | | .NOTES |
| | | 63 | | This function is intended for use in development and testing environments only. Do not use self-signed certifica |
| | | 64 | | #> |
| | | 65 | | function New-KrSelfSignedCertificate { |
| | | 66 | | [KestrunRuntimeApi('Everywhere')] |
| | | 67 | | [CmdletBinding(DefaultParameterSetName = 'Standard', SupportsShouldProcess = $true, ConfirmImpact = 'Medium')] |
| | | 68 | | [OutputType([System.Security.Cryptography.X509Certificates.X509Certificate2], ParameterSetName = 'Standard')] |
| | | 69 | | [OutputType([object], ParameterSetName = 'Development')] |
| | | 70 | | param( |
| | | 71 | | [Parameter(Mandatory, ParameterSetName = 'Standard')] |
| | | 72 | | [Parameter(ParameterSetName = 'Development')] |
| | | 73 | | [string[]]$DnsNames, |
| | | 74 | | |
| | | 75 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 76 | | [ValidateSet('Rsa', 'Ecdsa')] |
| | | 77 | | [string]$KeyType = 'Rsa', |
| | | 78 | | |
| | | 79 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 80 | | [ValidateRange(256, 8192)] |
| | | 81 | | [int]$KeyLength = 2048, |
| | | 82 | | |
| | | 83 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 84 | | [ValidateRange(1, 3650)] |
| | | 85 | | [int]$ValidDays = 365, |
| | | 86 | | |
| | | 87 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 88 | | [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags[]]$KeyUsage = @(), |
| | | 89 | | |
| | | 90 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 91 | | [Alias('IsCertificateAuthority')] |
| | | 92 | | [switch]$CertificateAuthority, |
| | | 93 | | |
| | | 94 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 95 | | [System.Security.Cryptography.X509Certificates.X509Certificate2]$IssuerCertificate, |
| | | 96 | | |
| | | 97 | | [Parameter(ParameterSetName = 'Development', Mandatory)] |
| | | 98 | | [switch]$Development, |
| | | 99 | | |
| | | 100 | | [Parameter(ParameterSetName = 'Development')] |
| | | 101 | | [System.Security.Cryptography.X509Certificates.X509Certificate2]$RootCertificate, |
| | | 102 | | |
| | | 103 | | [Parameter(ParameterSetName = 'Development')] |
| | | 104 | | [string]$RootName = 'Kestrun Development Root CA', |
| | | 105 | | |
| | | 106 | | [Parameter(ParameterSetName = 'Development')] |
| | | 107 | | [ValidateRange(1, 3650)] |
| | | 108 | | [int]$LeafValidDays = 30, |
| | | 109 | | |
| | | 110 | | [Parameter(ParameterSetName = 'Development')] |
| | | 111 | | [ValidateRange(1, 36500)] |
| | | 112 | | [int]$RootValidDays = 3650, |
| | | 113 | | |
| | | 114 | | [Parameter(ParameterSetName = 'Development')] |
| | | 115 | | [switch]$TrustRoot, |
| | | 116 | | |
| | | 117 | | [Parameter(ParameterSetName = 'Standard')] |
| | | 118 | | [switch]$Ephemeral, |
| | | 119 | | |
| | | 120 | | [Parameter()] |
| | | 121 | | [switch]$Exportable |
| | | 122 | | ) |
| | | 123 | | |
| | 1 | 124 | | $keyUsageFlags = if ($PSBoundParameters.ContainsKey('KeyUsage') -and $KeyUsage.Count -gt 0) { |
| | 1 | 125 | | Join-KeyUsageFlag -KeyUsage $KeyUsage |
| | | 126 | | } |
| | | 127 | | |
| | 1 | 128 | | $trustRoot = $false |
| | 1 | 129 | | if ($TrustRoot.IsPresent) { |
| | 0 | 130 | | if (-not $IsWindows) { |
| | 0 | 131 | | Write-KrLog -level Warning ` |
| | 0 | 132 | | -Message ('The -TrustRoot parameter is only supported on Windows. The development certificate will be cr |
| | | 133 | | "Trust the root certificate manually using your platform certificate store tools.') |
| | | 134 | | } else { |
| | 0 | 135 | | $trustTarget = if ($PSBoundParameters.ContainsKey('RootCertificate') -and $null -ne $RootCertificate) { |
| | 0 | 136 | | $RootCertificate.Subject |
| | | 137 | | } else { |
| | 0 | 138 | | "development root certificate '$RootName'" |
| | | 139 | | } |
| | | 140 | | |
| | 0 | 141 | | if ($PSCmdlet.ShouldProcess($trustTarget, 'Trust in Windows CurrentUser Root certificate store')) { |
| | 0 | 142 | | $trustRoot = $true |
| | | 143 | | } |
| | | 144 | | } |
| | | 145 | | } |
| | | 146 | | |
| | 1 | 147 | | $opts = [Kestrun.Certificates.SelfSignedOptions]::new( |
| | | 148 | | $DnsNames, |
| | | 149 | | [Kestrun.Certificates.KeyType]::$KeyType, |
| | | 150 | | $KeyLength, |
| | | 151 | | $null, # purposes |
| | | 152 | | $keyUsageFlags, |
| | | 153 | | $ValidDays, |
| | | 154 | | $Ephemeral.IsPresent, |
| | | 155 | | $Exportable.IsPresent, |
| | | 156 | | $CertificateAuthority.IsPresent, |
| | | 157 | | $IssuerCertificate, |
| | | 158 | | $Development.IsPresent, |
| | | 159 | | $RootCertificate, |
| | | 160 | | $RootName, |
| | | 161 | | $LeafValidDays, |
| | | 162 | | $RootValidDays, |
| | | 163 | | $trustRoot |
| | | 164 | | ) |
| | | 165 | | |
| | 1 | 166 | | $result = [Kestrun.Certificates.CertificateManager]::NewSelfSigned($opts) |
| | | 167 | | |
| | 1 | 168 | | if ($Development.IsPresent) { |
| | 1 | 169 | | return $result |
| | | 170 | | } |
| | | 171 | | |
| | 1 | 172 | | return $result.Certificate |
| | | 173 | | } |