# Creates two certificate chains for the ACA (by invoking pki_chain_gen.ps1 twice):
#   1. RSA, 3072-bit keys, SHA-384
#   2. ECC, "512" key size as passed to pki_chain_gen.ps1, SHA-384
param (
[string]$LOG_FILE = $null,
[string]$PKI_PASS = $null,
[switch]$UNATTENDED = $false
# Directory that holds this script; the shared ACA helper script is resolved
# relative to it, in the sibling "aca" directory.
$APP_HOME = Split-Path -Parent $PSCommandPath
$ACA_COMMON_SCRIPT = Join-Path $APP_HOME '..' 'aca' 'aca_common.ps1'
# Load other scripts
# Populate the ACA settings from aca.properties. read_aca_properties and the
# $global:HIRS_* path variables are not defined in this file; they are expected
# to come from aca_common.ps1 (see $ACA_COMMON_SCRIPT above) -- confirm it is
# dot-sourced before this point.
read_aca_properties $global:HIRS_DATA_ACA_PROPERTIES_FILE
# Populate the Spring settings from application.properties (same helper source).
read_spring_properties $global:HIRS_DATA_SPRING_PROP_FILE
# Parameter check
if ($LOG_FILE) {
touch $LOG_FILE
} else {
if (!$PKI_PASS) {
if ($Env:HIRS_PKI_PWD) {
} else {
echo "Using randomly generated password for the PKI key password" | WriteAndLog
mkdir -p $global:HIRS_CONF_DIR 2>&1 > $null
echo "APP_HOME is $APP_HOME" | WriteAndLog
# Check for sudo or root user
if(!(New-Object Security.Principal.WindowsPrincipal(
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
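# The preceding check tests for the Windows built-in Administrator role, so the
# message names that rather than "root", which does not exist on Windows and
# would send the operator looking for the wrong fix.
echo "This script requires Administrator privileges. Please run it from an elevated (Run as Administrator) PowerShell session" | WriteAndLog
# Non-zero exit so callers/CI can detect the refused run.
exit 1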
# Create Cert Chains
if (![System.IO.Directory]::Exists($global:HIRS_DATA_CERTIFICATES_DIR)) {
if ([System.IO.Directory]::Exists($global:HIRS_REL_WIN_PKI_HOME)) {
} else {
# $PKI_SETUP_DIR is expected to have been resolved by the directory check just
# above (its assignment is not visible here -- confirm it is always set on this path).
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | WriteAndLog
# Create the certificate output directory. -F/-p are abbreviated -Force/-Path
# for the built-in mkdir function; all output and errors are discarded, so a
# failure here only surfaces when the chain generation below cannot write.
mkdir -F -p $global:HIRS_DATA_CERTIFICATES_DIR 2>&1 > $null
# Generate the RSA-3072/SHA-384 and ECC/SHA-384 chains in child pwsh processes.
# SECURITY (review): the PKI password is handed to the child as a command-line
# argument, so any local user who can read process command lines can capture it
# for the lifetime of pki_chain_gen.ps1. Passing it via an environment variable
# or stdin would avoid that, but pki_chain_gen.ps1 would need to change too.
# NOTE(review): this script's own parameter is $LOG_FILE (script scope); the
# children receive $global:LOG_FILE, which is only the same value if something
# sets it in the global scope -- confirm, or the children may log elsewhere.
pwsh -ExecutionPolicy Bypass $PKI_SETUP_DIR/pki_chain_gen.ps1 "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$global:LOG_FILE"
pwsh -ExecutionPolicy Bypass $PKI_SETUP_DIR/pki_chain_gen.ps1 "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$global:LOG_FILE"
# Persist the PKI password in the ACA properties file.
# SECURITY (review): the password is stored in plaintext here and in the Spring
# properties file below; both files must be readable only by the ACA service
# account and administrators -- confirm the ACLs applied to
# $global:HIRS_DATA_ACA_PROPERTIES_FILE and $global:HIRS_DATA_SPRING_PROP_FILE.
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"hirs_pki_password=$PKI_PASS"
# Use the same password for the Spring TLS connector's key store and trust store.
add_new_spring_property -file:"$global:HIRS_DATA_SPRING_PROP_FILE" -newKeyAndValue:"server.ssl.key-store-password=$PKI_PASS"
add_new_spring_property -file:"$global:HIRS_DATA_SPRING_PROP_FILE" -newKeyAndValue:"server.ssl.trust-store-password=$PKI_PASS"
} else {
echo "$global:HIRS_DATA_CERTIFICATES_DIR exists, skipping" | WriteAndLog