
Sophos UTM: Zertifikat der WAF mittels PowerShell exportieren (Exchange Version)

Orig:

https://www.frankysweb.de/sophos-utm-zertifikat-der-waf-mittels-powershell-exportieren-exchange-version/

MPCA-adaptierte Version (Abweichung vom Original: `Import-ExchangeCertificate` mit `-FileData` statt `-FileName`, siehe OLD/NEW im Import-Schritt):

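#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Exports the WAF certificate (with private key) from a Sophos UTM and installs it on this Exchange server.

.DESCRIPTION
    Reads the ca/host_key_cert object named by -CertREF via the UTM REST API (HTTPS on port 4444,
    Basic auth with user "token" and the API token as password), converts certificate and key to a
    PKCS#12 file with OpenSSL and, if the serial number differs from the certificate currently bound
    to "Default Web Site" in IIS, imports and enables the new certificate in Exchange and removes the
    old one. Every step appends a line to -LOGFilePath.

.PARAMETER UTMAddress
    Host name or address of the UTM WebAdmin/REST interface (":4444" is appended by the script).

.PARAMETER UTMApiToken
    UTM REST API token. It is sent as the Basic-auth password and is also used as the password of
    the exported PFX file. Do not leave a real token in this file: the default is a placeholder,
    pass the real value at run time.

.PARAMETER CertREF
    REF_ identifier of the ca/host_key_cert object on the UTM.

.PARAMETER OpenSSLPath
    Full path to openssl.exe, used for the PEM -> PKCS#12 conversion.

.PARAMETER PFXFilePath
    Directory that receives <CertREF>.pfx; defaults to the script directory.

.PARAMETER LOGFilePath
    Log file that receives one line per step (appended).
#>
param(
    [Parameter(Position=0, Mandatory=$false)]
    [string]$UTMAddress = "interne SOPHOS-FW URL",
    [Parameter(Position=1, Mandatory=$false)]
    [string]$UTMApiToken = "API-Token von UTM FW",
    [Parameter(Position=2, Mandatory=$false)]
    [string]$CertREF = "REF_Zertifikat",
    [Parameter(Position=3, Mandatory=$false)]
    [string]$OpenSSLPath = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe",
    [Parameter(Position=4, Mandatory=$false)]
    [string]$PFXFilePath = $PSScriptRoot,
    [Parameter(Position=5, Mandatory=$false)]
    [string]$LOGFilePath = "Pfad zum Logfile script.log"
)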

#Schreibe Ausgabe in Log Datei
# Append one entry to the log file named by the script-level $LOGFilePath.
# Out-File -Append is kept (rather than Add-Content) so the file encoding stays
# the same as in the original script.
function logme($message)
{
    Write-Output $message | Out-File -FilePath $LOGFilePath -Append
}

#"Starte Script" | out-file -Filepath $LOGFilePath -append

logme "Starte Script"

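# Restrict the TLS versions PowerShell may negotiate with the UTM REST API.
# The original list ("Tls12","Tls11","Tls") also enabled TLS 1.0 and TLS 1.1, which
# are deprecated (RFC 8996); only TLS 1.2 is enabled here, plus TLS 1.3 where the
# .NET runtime knows it. If a very old UTM only offers TLS 1.1, update the UTM
# rather than re-adding Tls11 here.
try
{
    logme "Changing PowerShell TLS settings"
    $protocols = [System.Net.SecurityProtocolType]::Tls12
    # Tls13 only exists on .NET Framework 4.8+; referencing it unconditionally would throw.
    if ([System.Enum]::IsDefined([System.Net.SecurityProtocolType], 'Tls13'))
    {
        $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls13
    }
    [System.Net.ServicePointManager]::SecurityProtocol = $protocols
}
catch
{
    # "$Error[0]" in the original expanded the whole $Error list followed by a literal
    # "[0]"; $_ is the error record of this catch block.
    logme "Can't change PowerShell TLS settings: $_"
}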

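# Build the credential for the UTM REST API: the user name is the literal "token",
# the password is the API token (HTTP Basic auth).
try
{
    logme "Building UTM Rest API Creds"
    if ([string]::IsNullOrWhiteSpace($UTMApiToken))
    {
        throw "UTMApiToken is empty"
    }
    # -AsPlainText -Force is unavoidable here because the token arrives as a plain
    # string; keep the real token out of this file (pass it as a parameter instead).
    $securePassword = ConvertTo-SecureString $UTMApiToken -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential("token", $securePassword)
}
catch
{
    # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
    logme "Error building UTM creds: $_"
    exit
}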

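# Fetch the host_key_cert object (certificate + private key) from the UTM REST API.
# The UTM WebAdmin certificate / its CA must be trusted by this host; do not work
# around a validation error by disabling certificate checks, the response carries
# a private key.
try
{
    logme "Getting Cert from UTM REST API"
    # ${UTMAddress} needs the braces: "$UTMAddress:" would be parsed as a scope prefix.
    $UTMAPICall = "https://${UTMAddress}:4444/api/objects/ca/host_key_cert/" + [uri]::EscapeDataString($CertREF)
    $UTMCertResponse = Invoke-RestMethod -Method GET -Uri $UTMAPICall -Credential $credential
    # A wrong REF_ or missing permissions can yield an object without these fields;
    # fail here instead of writing empty temp files below.
    if ((-not $UTMCertResponse.certificate) -or (-not $UTMCertResponse.key))
    {
        throw "response for $CertREF contains no certificate/key (check the REF_ and the token's permissions)"
    }
}
catch
{
    # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
    logme "Error getting certificate from UTM: $_"
    exit
}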

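# Write certificate and key to temporary files and convert them to PKCS#12 with OpenSSL.
# The private key is on disk in clear text for the duration of the conversion, so:
#  - the files live in a fresh, randomly named directory under the per-user %TEMP%
#    (the original used predictable <CertREF>.key / .cer names directly in %TEMP%);
#  - they are removed in a finally block, also when Set-Content or OpenSSL fails
#    (the original only removed them on the success path);
#  - the PFX password is passed to OpenSSL through an environment variable instead
#    of "-password pass:<token>", so the token does not show up in process command
#    lines or in command-line auditing (event 4688).
# The PFX stays in $PFXFilePath for the Exchange import below; it is protected only
# by the API token used as password, delete it when it is no longer needed.
$TempDir = $null
$PFXBuildOk = $false
try
{
    logme "Writing cert TMP files"
    $TempDir = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
    New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
    $TempCertFile = Join-Path $TempDir ($CertREF + ".cer")
    $TempKeyFile = Join-Path $TempDir ($CertREF + ".key")
    $UTMCertResponse.certificate | Set-Content $TempCertFile
    $UTMCertResponse.key | Set-Content $TempKeyFile

    logme "Convert UTM Cert and Key to PKCS12"
    # The original overwrote $PFXFilePath with $PSScriptRoot at this point, which
    # silently ignored the -PFXFilePath parameter; its default is $PSScriptRoot anyway.
    $PFXFileNameAndPath = Join-Path $PFXFilePath ($CertREF + ".pfx")
    # PFX password = API token, as in the original; Import-ExchangeCertificate below
    # reuses it via $securePassword. "-passout" is what "-password" means with -export.
    $env:UTM_PFX_PASS = $UTMApiToken
    & $OpenSSLPath pkcs12 -export -in $TempCertFile -inkey $TempKeyFile -out $PFXFileNameAndPath -passout env:UTM_PFX_PASS
    # A native command's non-zero exit code does not raise a PowerShell exception.
    if ($LASTEXITCODE -ne 0)
    {
        throw "openssl pkcs12 exited with code $LASTEXITCODE"
    }
    if (-not (Test-Path -LiteralPath $PFXFileNameAndPath))
    {
        throw "PFX file $PFXFileNameAndPath was not created"
    }
    $PFXBuildOk = $true
}
catch
{
    # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
    logme "Error building PFX File: $_"
}
finally
{
    Remove-Item Env:\UTM_PFX_PASS -ErrorAction SilentlyContinue
    if ($TempDir -and (Test-Path -LiteralPath $TempDir))
    {
        # Best effort only: Remove-Item does not wipe the key bytes from the disk.
        Remove-Item -LiteralPath $TempDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}
# Without a PFX the import below cannot succeed; the original carried on regardless.
if (-not $PFXBuildOk)
{
    exit
}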

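# Determine the serial number of the UTM certificate in the form Exchange reports it
# (upper-case hex, no separators) so the two can be compared.
# The original took word 35 of the certificate text, which only works for one exact
# text layout. Here the PEM block is decoded and parsed as X.509, which yields the
# same .NET SerialNumber representation that Get-ExchangeCertificate returns; the
# word-35 lookup is kept only as a fallback for a response without a PEM block.
try
{
    $UTMCertSerial = $null
    $pemMatch = [regex]::Match([string]$UTMCertResponse.certificate,
        '-----BEGIN CERTIFICATE-----(?<b64>[\s\S]*?)-----END CERTIFICATE-----')
    if ($pemMatch.Success)
    {
        $der = [System.Convert]::FromBase64String(($pemMatch.Groups['b64'].Value -replace '\s', ''))
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        $UTMCertSerial = $x509.SerialNumber.ToUpper()
    }
    if ([string]::IsNullOrEmpty($UTMCertSerial))
    {
        $UTMCertSerial = $UTMCertResponse.certificate.split(" ")[35].ToUpper().Replace(":","").Trim()
    }
    if ([string]::IsNullOrEmpty($UTMCertSerial) -or ($UTMCertSerial -notmatch '^[0-9A-F]+$'))
    {
        throw "extracted serial '$UTMCertSerial' is not a hex string"
    }
    logme "UTM Cert Serial: $UTMCertSerial"
}
catch
{
    # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
    logme "Can't find serial number of UTMs certificate: $_"
    exit
}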

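# Find the certificate currently bound to "Default Web Site" in IIS and read its
# serial number through the Exchange cmdlets.
try
{
    logme "Get current Exchange Server Certificate"
    Import-Module -Name WebAdministration
    Add-PSSnapin Microsoft.Exchange*
    $IISThumbprint = $null
    $AllIISCerts = Get-ChildItem IIS:SSLBindings
    foreach ($IISCert in $AllIISCerts)
    {
        # Last matching binding wins, as in the original.
        if ($IISCert.sites.value -match "Default Web Site") { $IISThumbprint = $IISCert.Thumbprint }
    }
    # Without a binding the original called Get-ExchangeCertificate with an empty
    # thumbprint; fail with a clear message instead.
    if ([string]::IsNullOrEmpty($IISThumbprint))
    {
        throw "no SSL binding for 'Default Web Site' found in IIS"
    }
    $CurrentExchangeCert = Get-ExchangeCertificate -Thumbprint $IISThumbprint
    $CurrentExchangeCertSerial = $CurrentExchangeCert.SerialNumber
    logme "Exchange Cert Serial: $CurrentExchangeCertSerial"
}
catch
{
    # The original wrote this one error to the console (write-error) instead of the log
    # file; $_ is the error record of this catch block.
    logme "Can't find current Exchange certificate: $_"
    exit
}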

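# Decide whether the UTM certificate has to be installed: compare the serial numbers
# (-eq on strings is case-insensitive in PowerShell; both values are hex without separators).
try
{
    if ($CurrentExchangeCertSerial -eq $UTMCertSerial)
    {
        logme "Exchange certificate matches UTM certificate: Nothing to do!"
        $ExchangeCertChangeRequierd = $false
    }
    else
    {
        logme "UTM Cert dosen't match Exchange certificate!"
        $ExchangeCertChangeRequierd = $true
    }
}
catch
{
    # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
    logme "Don't know if cert change is requierd: $_"
    exit
}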

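# If needed: import the PFX into Exchange and enable it for the mail services.
if ($ExchangeCertChangeRequierd -eq $true)
{
    try
    {
        logme "Let's try to change the certificate"
        # OLD (frankysweb original): the PFX was read through the local admin share,
        #   $CertFilePath = "\\" + $env:computername + "\" + $PFXFileNameAndPath.Replace(":","$")
        #   Import-ExchangeCertificate -FileName $CertFilePath ...
        # NEW (MPCA): the bytes are passed with -FileData, so the local path is
        # sufficient and no admin-share access is required.
        $CertFilePath = $PFXFileNameAndPath
        # -PrivateKeyExportable:$true keeps the key exportable from the Exchange
        # certificate store (as in the original); set it to $false unless the key
        # really has to be re-exported from this server later.
        $ImportCert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($CertFilePath)) -Password $securePassword -PrivateKeyExportable:$true -FriendlyName "$CertREF"

        # Only enable, and thereby allow the removal of the old certificate further
        # down, once the new certificate is really present in the store. The original
        # set $ChangeSuccessfull even when the Where-Object filter matched nothing,
        # which would then have removed the IIS certificate without a replacement.
        $NewExchangeCert = Get-ExchangeCertificate | Where-Object { $_.SerialNumber -eq $UTMCertSerial }
        if (-not $NewExchangeCert)
        {
            throw "imported certificate with serial $UTMCertSerial not found in the Exchange certificate store"
        }
        $EnableCert = $NewExchangeCert | Enable-ExchangeCertificate -Services POP,IMAP,SMTP,IIS -Force
        $ChangeSuccessfull = $true
        logme $CertFilePath
        logme $PFXFileNameAndPath
        logme "Change Sucessfull: $ChangeSuccessfull"
    }
    catch
    {
        # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
        logme "Can't change certificate: $_"
        exit
    }
}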
# Nothing to install: the UTM certificate is already the one bound in IIS.
if ($false -eq $ExchangeCertChangeRequierd)
{
    logme "No certificate change needed"
    exit
}

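# Remove the previously bound certificate, but only after the new one was imported
# and enabled ($ChangeSuccessfull is set at the end of the import step).
if ($ChangeSuccessfull -eq $true)
{
    try
    {
        logme "Removing old certificate"
        if ([string]::IsNullOrEmpty($IISThumbprint))
        {
            throw "thumbprint of the old certificate is unknown"
        }
        # Safety net: never delete the certificate that was just imported.
        if ($ImportCert -and (@($ImportCert.Thumbprint) -contains $IISThumbprint))
        {
            logme "Old and new certificate share thumbprint $IISThumbprint, nothing removed"
        }
        else
        {
            $RemoveCert = Remove-ExchangeCertificate -Thumbprint $IISThumbprint -Confirm:$false
        }
    }
    catch
    {
        # $_ is the error record of this catch block ("$Error[0]" expanded the whole list).
        logme "Can't remove old certificate: $_"
        exit
    }
}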

Aufruf:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "Pfad\zum\Skript\scriptname.ps1"
(Pfad in Anführungszeichen, falls er Leerzeichen enthält. UTM-Adresse, API-Token und REF_ können statt über die Defaults im Skript auch als Parameter `-UTMAddress`, `-UTMApiToken`, `-CertREF` übergeben werden, damit der Token nicht in der Skriptdatei steht.)
OpenSSL für Windows (wird für die Umwandlung von Zertifikat und Schlüssel in eine PFX-Datei benötigt): https://slproweb.com/products/Win32OpenSSL.html – das ist ein Drittanbieter-Build; Download-Prüfsumme/Signatur prüfen und den Installationspfad mit `$OpenSSLPath` im Skript abgleichen.

REF_ des Zertifikats: lässt sich ermitteln, indem man im Browser die URL https://URLzurUTM:4444/api/objects/ca/host_key_cert/ aufruft.
Benutzername: token
Passwort: der API-Token
In der Antwort nach dem Zertifikatsnamen bzw. der URL suchen und die zugehörige REF_…-Kennung in das Skript (Parameter `CertREF`) kopieren. Hinweis: Diese Liste enthält auch die privaten Schlüssel aller host_key_cert-Objekte – nur von einem vertrauenswürdigen Rechner aus aufrufen.

Damit die Authentifizierung nicht mit „Access Denied“ fehlschlägt, müssen drei Dinge erfüllt sein: (1) Von der IP-Adresse des aufrufenden Systems muss das Login ins WebAdmin-Portal der UTM grundsätzlich funktionieren (WebAdmin-Zugriff für diese IP erlaubt). (2) Der Benutzer, dem der API-Token zugeordnet ist, braucht Login-Rechte auf der UTM. (3) Der Server muss dem WebAdmin-Zertifikat der UTM bzw. der ausstellenden Zertifizierungsstelle der UTM als Stammzertifizierungsstelle vertrauen – die Zertifikatsprüfung im Skript abzuschalten ist keine Alternative, da die Antwort den privaten Schlüssel enthält.