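<#
# NOT FUNCTIONAL YET - WORK IN PROGRESS
.SYNOPSIS
Update/renew any expired iLO certificates in the VMware/Synergy environment
.DESCRIPTION
Update/renew any expired iLO certificates in the VMware/Synergy environment.
An iLO is queued for renewal when its current certificate expires within the
next 7 days or when the certificate subject does not contain ".nd.gov".
.PARAMETER HostName
One or more iLO DNS names to check (parameter set 'ByHostName').
.PARAMETER SynergyDiscovery
Discover the iLO names from the OneView/Synergy appliances instead of taking
them from -HostName (parameter set 'SynergyDiscovery').
.NOTES
# retrieve all iLO from Synergy
# find all certificates expiring in the next 7 days, or ones that do not have nd.gov in name, add to an array
# loop through list
## connect to ilo
## generate CSR
## send CSR to sectigo to generate new
## wait for approval
## download new cert
## upload/update/set on iLO
.LINK
.EXAMPLE
<this-script>.ps1 -HostName 'server1lo.nd.gov' -Verbose
Checks and, if needed, renews the certificate of a single iLO.
.EXAMPLE
<this-script>.ps1 -SynergyDiscovery -Verbose
Discovers all iLOs from OneView/Synergy and checks each of them.
#>
# NOTE(review): neither parameter is mandatory and no DefaultParameterSetName
# is declared, so invoking the script with no arguments presumably fails with
# an ambiguous-parameter-set error rather than defaulting to one mode - confirm
# and declare a default if that is not the intended behaviour.
[CmdletBinding()]
param (
    [Parameter(ParameterSetName = 'ByHostName')]
    [string[]]
    $HostName = $null,

    [Parameter(ParameterSetName = 'SynergyDiscovery')]
    [switch]
    $SynergyDiscovery
)

function Get-SectigoToken {
    <#
    .SYNOPSIS
    Obtain an OAuth2 client-credentials access token for the Sectigo API.
    .DESCRIPTION
    Reads the Sectigo API client credentials from the ITD password store and
    exchanges them for a bearer token at the Sectigo SSO token endpoint.
    The token is returned to the caller and, for backwards compatibility,
    also copied into $env:SectigoToken.
    .OUTPUTS
    [string] The access token.
    Throws if the credential cannot be retrieved or the token endpoint
    returns no access_token.
    #>
    [CmdletBinding()]
    [OutputType([string])]
    param ()

    Write-Verbose -Message "Retrieving Sectigo API key for VMware" -Verbose
    $SectigoCred = Get-ITDPassword -Title "Sectigo API key for VMware" -UserName "f595aa76-c26b-4664-b95d-cb805cc7ff4e"
    if ($null -eq $SectigoCred) {
        throw "Credential 'Sectigo API key for VMware' was not returned by Get-ITDPassword."
    }
    Write-Verbose -Message "Confirming SectigoCred is $($SectigoCred.UserName)" -Verbose

    # The client secret travels only in the POST body (never in the URL), so it
    # does not end up in proxy or web-server access logs.
    $AuthBody = @{
        grant_type    = 'client_credentials'
        client_id     = $SectigoCred.UserName
        client_secret = $SectigoCred.GetNetworkCredential().Password
    }
    $AuthBaseAPIUrl = 'https://auth.sso.sectigo.com'
    $tokenEndpoint  = $AuthBaseAPIUrl + '/auth/realms/apiclients/protocol/openid-connect/token'

    $TokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType 'application/x-www-form-urlencoded' -Body $AuthBody
    if ([string]::IsNullOrEmpty($TokenResponse.access_token)) {
        # Without this check callers would send "Authorization: Bearer " and
        # fail later with a much less obvious 401.
        throw "Sectigo token endpoint returned no access_token."
    }

    # NOTE(review): the token is also stored in the process environment. Every
    # child process inherits it and anything able to inspect this process can
    # read it; prefer the returned value and drop this assignment once nothing
    # else depends on $env:SectigoToken.
    $env:SectigoToken = $TokenResponse.access_token
    return $env:SectigoToken
}

Write-Verbose -Message "Retrieving OneView Service Account credentials" -Verbose
$OVCred = Get-ITDPassword -Title "VMware iLO Service Account" -UserName "ndgov\svcitdvmhpe"
if ($null -eq $OVCred) {
    # Only a warning: the credential is needed for SynergyDiscovery, not for
    # the ByHostName parameter set.
    Write-Warning -Message "Credential 'VMware iLO Service Account' was not returned by Get-ITDPassword; Synergy discovery will fail."
}
Write-Verbose -Message "Confirming OneView is $($OVCred.UserName)" -Verbose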
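Import-Module HPEiLOCmdlets -Force

Write-Verbose -Message "Gather PSUniversal Job Information" -Verbose
# $UAJob is supplied by the PowerShell Universal job runtime; the id only
# makes the saved certificate file names unique per run.
$PSUJobId = $UAJob.Id

Write-Verbose -Message "Set static variables" -Verbose
$RequesterEmail = 'vmware@nd.gov'
$AppName        = "Infra-VMware"
$ServerTypeCode = "Linux"
$Format         = "x509CO"
$OrgId          = 8133   # Sectigo OrgDept ID for State of North Dakota Information Technology Department - Cloud & Infrastructure
$CertType       = 2375   # Sectigo Cert Type for Standard SSL Multi-Domain
$BaseAPIUrl     = 'https://admin.hard.sectigo.com'
$CertOutputDir  = 'F:\iLO_certs'
$RenewalWindowDays = 7   # renew when the certificate expires within this many days
# Upper bounds for the two polling loops so that a CSR that never appears or
# an order that is never approved cannot hang the job forever. Tune as needed.
$MaxCsrAttempts      = 30    # x 10 s = 5 minutes
$MaxIssuanceAttempts = 960   # x 15 s = 4 hours (manual approval may be slow)

switch ($PSCmdlet.ParameterSetName) {
    'ByHostName' {
        $AllILOServers = $HostName
    }
    'SynergyDiscovery' {
        Write-Verbose -Message "Retrieving iLO information from OneView/Synergy" -Verbose
        $OneviewServers = @('itdmdnsyncompt1.nd.gov', 'itdmdnsyncompp1.nd.gov', 'itdbissyncompp1.nd.gov')
        $AllILOServers = @()
        ForEach ($OneviewServer in $OneviewServers) {
            Write-Verbose -Message "Connecting to OneView server $OneviewServer" -Verbose
            Connect-OVMgmt -Hostname $OneviewServer -Credential $OVCred -AuthLoginDomain nd.gov -LoginAcknowledge
            try {
                # iLO naming convention: <server short name> + "lo.nd.gov"
                $AllILOServers += (Get-OVServer).ServerName | ForEach-Object { $_.split('.')[0] + "lo.nd.gov" }
            }
            finally {
                # Close the appliance session even if Get-OVServer fails.
                Disconnect-OVMgmt
            }
        }
    }
    default {
        Write-Error -Message "Invalid parameter set."
        exit 1
    }
}

Write-Verbose -Message "Checking iLO certificates for expiration or invalid issuer/commonname" -Verbose
$AlliLOToRenew = @()
ForEach ($iLODnsName in $AllILOServers) {
    Write-Verbose -Message "Checking certificate for iLO $iLODnsName" -Verbose
    $cert = Get-SslCertificate -DNSName $iLODnsName
    if ($null -eq $cert) {
        # Previously an unreadable certificate raised a null-method error and
        # then still landed on the renewal list because the subject test below
        # cannot match on $null. Keep that outcome, but say so explicitly.
        Write-Warning -Message "Could not retrieve certificate for $iLODnsName, add to renewal list."
        $AlliLOToRenew += $iLODnsName
        continue
    }
    if ($cert.NotAfter.AddDays(-$RenewalWindowDays) -le (Get-Date)) {
        Write-Warning -Message "Certificate for $iLODnsName expires on $($cert.NotAfter), add to renewal list."
        $AlliLOToRenew += $iLODnsName
    }
    if ($cert.subject -notlike "*.nd.gov*") {
        Write-Warning -Message "Certificate for $iLODnsName is not a ND.gov cert, add to renewal list."
        $AlliLOToRenew += $iLODnsName
    }
}

# The loop is labelled because 'continue' inside a switch only leaves the
# switch; 'continue RenewalLoop' is needed to actually skip an iLO.
:RenewalLoop ForEach ($iLOToRenew in ($AlliLOToRenew | Select-Object -Unique)) {
    Write-Verbose -Message "Processing iLO $iLOToRenew for certificate renewal" -Verbose

    # Pick the iLO credential by the environment encoded in the host name.
    # As in the original, matching cases are not terminated with 'break', so a
    # name matching more than one pattern takes the last matching credential.
    $iLOCred = $null
    switch -Wildcard ($iLOToRenew) {
        "*bis*" {
            Write-Verbose -Message "BIS iLO detected, getting credentials for itdbissyncompp1" -Verbose
            $iLOCred = Get-ITDPassword -Title "itdbissyncompp1 iLO" -UserName "Administrator"
        }
        "*mdn*" {
            Write-Verbose -Message "MDN iLO detected, getting credentials for itdmdnsyncompp1" -Verbose
            $iLOCred = Get-ITDPassword -Title "itdmdnsyncompp1 iLO" -UserName "Administrator"
        }
        "*test*" {
            Write-Verbose -Message "TEST iLO detected, getting credentials for itdmdnsyncompt1" -Verbose
            $iLOCred = Get-ITDPassword -Title "itdmdnsyncompt1 iLO" -UserName "Administrator"
        }
        default {
            Write-Error -Message "No iLO credentials found for $iLOToRenew, skipping."
            continue RenewalLoop
        }
    }

    $iLOConnection = $null
    try {
        Write-Verbose -Message "Establishing connection to iLO $iLOToRenew" -Verbose
        # Certificate validation is disabled by necessity: the iLO is in this
        # loop precisely because its current certificate is expired or not
        # ours, so it cannot validate. The session is still TLS, but the
        # endpoint identity is not verified on this hop.
        $iLOConnection = Connect-HPEiLO -Address $iLOToRenew -Credential $iLOCred -DisableCertificateAuthentication
        if ($null -eq $iLOConnection) {
            throw "Connect-HPEiLO returned no connection for $iLOToRenew."
        }

        Write-Verbose -Message "Generating CSR on iLO $iLOToRenew" -Verbose
        Start-HPEiLOCertificateSigningRequest -Connection $iLOConnection `
            -CommonName $iLOConnection.Hostname `
            -Organization "State of North Dakota" `
            -Country US `
            -City Bismarck `
            -State "North Dakota"
        Start-Sleep -Seconds 30   ### for some reason if you check iLO for CSR too frequently it doesn't work

        Write-Verbose -Message "Getting CSR for $iLOToRenew" -Verbose
        $CsrData = $null
        $Attempt = 0
        while ($null -eq $CsrData.CertificateSigningRequest) {
            $Attempt++
            if ($Attempt -gt $MaxCsrAttempts) {
                throw "CSR for $iLOToRenew was not available after $MaxCsrAttempts attempts."
            }
            try {
                $CsrData = Get-HPEiLOCertificateSigningRequest -Connection $iLOConnection
            }
            catch {
                $CsrData = $null
            }
            # Also sleep when the cmdlet returned without a CSR (previously a
            # busy loop in that case).
            if ($null -eq $CsrData.CertificateSigningRequest) {
                Write-Warning -Message "CSR not ready yet for $iLOToRenew, waiting 10 seconds."
                Start-Sleep -Seconds 10
            }
        }
        Disconnect-HPEiLO -Connection $iLOConnection
        $iLOConnection = $null

        Write-Verbose -Message "Submitting CSR to Sectigo for $iLOToRenew" -Verbose
        $EnrollBody = @{
            orgId             = $OrgId
            certType          = $CertType
            term              = 365
            comments          = "iLO Certificate Renewal for $iLOToRenew"
            serverType        = $ServerTypeCode
            csr               = $CsrData.CertificateSigningRequest
            externalRequester = $RequesterEmail
            customFields      = @(
                @{
                    name  = 'ApplicationName'
                    value = $AppName
                }
            )
        }
        $EnrollParams = @{
            Method      = 'Post'
            Uri         = $BaseAPIUrl + "/api/ssl/v1/enroll"
            Headers     = @{
                "Authorization" = ("Bearer " + (Get-SectigoToken))
                "Content-Type"  = "application/json"
            }
            Body        = ($EnrollBody | ConvertTo-Json -Depth 10)
            ContentType = 'application/json'
        }
        $EnrollResponse = Invoke-RestMethod @EnrollParams
        $OrderId = $EnrollResponse.sslId
        if ($null -eq $OrderId) {
            throw "Sectigo enrollment for $iLOToRenew returned no sslId."
        }

        Write-Verbose -Message "Waiting for certificate issuance for $iLOToRenew" -Verbose
        $Certificate = $null
        $Attempt = 0
        Start-Sleep -Seconds 15
        while ($Certificate.status -ne "Issued") {
            $Attempt++
            if ($Attempt -gt $MaxIssuanceAttempts) {
                throw "Certificate order $OrderId for $iLOToRenew was not issued after $MaxIssuanceAttempts attempts (last status: $($Certificate.status))."
            }
            $ValidateSplat = @{
                Uri     = "${BaseAPIUrl}/api/ssl/v1/${OrderId}"
                Method  = 'Get'
                Headers = @{
                    "Authorization" = ("Bearer " + (Get-SectigoToken))
                    "Content-Type"  = "application/json"
                }
            }
            $Certificate = Invoke-RestMethod @ValidateSplat
            if ($Certificate.status -ne "Issued") {
                Write-Warning -Message "Certificate for $iLOToRenew not issued yet, waiting 15 seconds."
                Start-Sleep -Seconds 15
            }
        }

        Write-Verbose -Message "Downloading issued certificate for $iLOToRenew" -Verbose
        $CommonName = $Certificate.commonName
        # The common name is taken from the API response; strip characters that
        # are not valid in a file name so an unexpected value cannot alter the
        # output path. For an ordinary host name this is a no-op.
        $SafeCommonName = ($CommonName -replace '[\\/:*?"<>|]', '_')
        $CertFile = Join-Path -Path $CertOutputDir -ChildPath "$SafeCommonName-$OrderId-$PSUJobId.pem"
        $DownloadSplat = @{
            Uri             = $BaseAPIUrl + "/api/ssl/v1/collect/${OrderId}?format=${Format}"
            Method          = 'Get'
            Headers         = @{
                "Authorization" = ("Bearer " + (Get-SectigoToken))
                "Content-Type"  = "application/json"
            }
            UseBasicParsing = $true
            OutFile         = $CertFile
        }
        Write-Verbose -Message "Downloading certificate to $CertFile" -Verbose
        Invoke-WebRequest @DownloadSplat

        Write-Verbose -Message "Importing new certificate to iLO $iLOToRenew" -Verbose
        $CertificateToUpload = Get-Content -Path $CertFile -Raw
        $iLOConnection = Connect-HPEiLO -Address $iLOToRenew -Credential $iLOCred -DisableCertificateAuthentication -Verbose
        Import-HPEiLOCertificate -Certificate ($CertificateToUpload | Out-String) -Connection $iLOConnection -Force
        Write-Verbose -Message "Disconnecting from iLO $iLOToRenew" -Verbose
        Disconnect-HPEiLO -Connection $iLOConnection
        $iLOConnection = $null
    }
    catch {
        # Previously an empty catch: any failure (bad credential, CSR timeout,
        # rejected enrollment, failed import) was silently dropped. Report it
        # and carry on with the remaining iLOs.
        Write-Error -Message "Certificate renewal for ${iLOToRenew} failed: $($_.Exception.Message)"
    }
    finally {
        # Whichever iLO session was open when an error occurred is closed here
        # instead of being leaked.
        if ($null -ne $iLOConnection) {
            try {
                Disconnect-HPEiLO -Connection $iLOConnection
            }
            catch {
                Write-Warning -Message "Could not disconnect from iLO ${iLOToRenew}: $($_.Exception.Message)"
            }
            $iLOConnection = $null
        }
    }
}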