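<#
.SYNOPSIS
    Renews the TLS certificates of HPE iLOs discovered through HPE OneView,
    using the Sectigo Certificate Manager REST API.

.DESCRIPTION
    1. Enumerates servers in OneView and derives each iLO's DNS name.
    2. Probes each iLO over TLS and queues it for renewal when its certificate
       expires within the renewal window or was not issued for *.nd.gov.
    3. Generates a CSR on each queued iLO, submits it to Sectigo for enrollment,
       waits for issuance, downloads the PEM and imports it back into the iLO.
    4. Re-probes each iLO and prints the certificate it now presents.

.NOTES
    Expects these variables to be defined before the script runs:
      $PrvCred        - PSCredential used for OneView and for the iLOs.
      $SectigoAPIKey  - PSCredential whose UserName/Password are the Sectigo
                        API client id / client secret.
    The Sectigo bearer token is held in a local variable only; it is never
    written to the environment or to any output stream.
#>
Import-Module HPEiLOCmdlets

$iLOCred = $PrvCred

# ---- static settings -------------------------------------------------------
$RenewalWindowDays = 30              # renew when less than this many days remain
$CertOutputDir     = 'C:\certs'      # where issued PEM files are written
$RequesterEmail    = 'vmware@nd.gov'
$OrgId             = 8133
$CertType          = 2375
$ServerTypeCode    = 'Linux'
$Format            = 'x509CO'        # "Certificate only, PEM encoded"
$AuthBaseAPIUrl    = 'https://auth.sso.sectigo.com'
$BaseAPIUrl        = 'https://admin.hard.sectigo.com'
$tokenEndpoint     = $AuthBaseAPIUrl + '/auth/realms/apiclients/protocol/openid-connect/token'

# Polling limits (constructed defaults, tune as needed). They replace the
# unbounded, sleep-less loops so a stuck CSR or order cannot hang the run
# or hammer the Sectigo API.
$CsrPollSeconds    = 10
$CsrMaxAttempts    = 30
$IssuePollSeconds  = 30
$IssueMaxAttempts  = 20

# ---- helpers ---------------------------------------------------------------

#######################################
# Open a TLS connection to a host and return the certificate it presents.
# The validation callback accepts any certificate on purpose: the caller
# wants to inspect certificates that may already be expired or self-signed,
# and nothing secret is sent on this connection. Streams are disposed on
# every exit path.
# Arguments: -HostName  DNS name to connect to (also used for SNI)
#            -Port      TCP port, default 443
# Returns:   X509Certificate2; throws on connection/handshake failure
#######################################
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = $null
    $ssl = $null
    try {
        $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object Net.Security.SslStream(
            $tcp.GetStream(),
            $false,
            ({ $true }) # accept any cert - we only read it
        )
        $ssl.AuthenticateAsClient($HostName)
        # Copy the cert before the stream goes away.
        return New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

#######################################
# Obtain a Sectigo bearer token with the client-credentials grant and return
# the request headers for the admin API. The token value itself is never
# logged; only the fact that it was obtained is reported.
# Arguments: -ApiKey         PSCredential (UserName = client_id,
#                            Password = client_secret)
#            -TokenEndpoint  OpenID Connect token URL
# Returns:   hashtable of headers for Invoke-RestMethod/Invoke-WebRequest
#######################################
function Get-SectigoHeaders {
    param(
        [Parameter(Mandatory)][pscredential]$ApiKey,
        [Parameter(Mandatory)][string]$TokenEndpoint
    )
    $authBody = @{
        grant_type    = 'client_credentials'
        client_id     = $ApiKey.UserName
        client_secret = $ApiKey.GetNetworkCredential().Password
    }
    $tokenResponse = Invoke-RestMethod -Method Post -Uri $TokenEndpoint `
        -ContentType 'application/x-www-form-urlencoded' -Body $authBody
    if (-not $tokenResponse.access_token) {
        throw 'Sectigo token request returned no access_token.'
    }
    Write-Verbose -Message 'Sectigo token acquired.' -Verbose
    return @{
        'Authorization' = "Bearer $($tokenResponse.access_token)"
        'Content-Type'  = 'application/json'
    }
}

# ---- 1. inventory ----------------------------------------------------------

# Connect to OneView, get list of servers
Connect-OVMgmt -Hostname itdmdnsyncompt1.nd.gov -Credential $PrvCred -AuthLoginDomain nd.gov -LoginAcknowledge

$AllOVServers = Get-OVServer

# ---- 2. decide which iLOs need a new certificate ---------------------------

$iLOToRenew = @()

ForEach ($OVServer in $AllOVServers) {
    Write-Verbose -Message ($OVServer.ServerName) -Verbose

    # iLO DNS name = short server name + "lo.nd.gov"
    $iLODnsName = $OVServer.ServerName.split('.')[0] + "lo.nd.gov"

    # Is the iLO cert about to expire? An unreachable iLO is reported and
    # skipped instead of aborting the whole run.
    try {
        $cert = Get-RemoteTlsCertificate -HostName $iLODnsName
    }
    catch {
        Write-Warning -Message "Could not read certificate from ${iLODnsName}: $($_.Exception.Message)"
        continue
    }

    If ( $cert.NotAfter.AddDays(-$RenewalWindowDays) -le (Get-Date) ) {
        Write-Warning -Message "Certificate for $iLODnsName expires on $($cert.NotAfter), add to renewal list."
        $iLOToRenew += $iLODnsName
    }

    If ( $cert.Subject -notlike "*.nd.gov*") {
        Write-Warning -Message "Certificate for $iLODnsName is not a ND.gov cert, add to renewal list."
        $iLOToRenew += $iLODnsName
    }
}

# An iLO can match both rules above; collapse duplicates. @() keeps it an
# array even when only one name is left.
$iLOToRenew = @($iLOToRenew | Select-Object -Unique)

# ---- 3. generate CSRs ------------------------------------------------------

Write-Verbose -Message "Loop through iLOs to generate CSRs and request certs"

# -DisableCertificateAuthentication is required here: these iLOs are the
# ones whose certificates are expired or not from our CA.
$iLOConnections = ForEach ($iLOFqdn in $iLOToRenew) {
    Connect-HPEiLO -Address $iLOFqdn -Credential $iLOCred -DisableCertificateAuthentication
}

# Get-HPEiLOSSLCertificateInfo -Connection $iLOConnections -ov x
Write-Verbose -Message ([string]$iLOConnections.count + " iLO Connections established.") -Verbose

ForEach ($iLOConnection in $iLOConnections) {
    Start-HPEiLOCertificateSigningRequest -Connection $iLOConnection `
        -CommonName $iLOConnection.Hostname `
        -Organization "State of North Dakota" `
        -Country US `
        -City Bismarck `
        -State "North Dakota" `
        -OrganizationalUnit NDIT
}

Start-Sleep -Seconds 30 ## for some reason iLO needs time to generate a CSR

# Authenticate to Sectigo once for the whole enrollment loop.
$headers = Get-SectigoHeaders -ApiKey $SectigoAPIKey -TokenEndpoint $tokenEndpoint

[string]$RequestUrl = $BaseAPIUrl + "/api/ssl/v1/enroll"

# ---- 4. enroll each CSR with Sectigo ---------------------------------------

$OrderIds = @()

ForEach ($iLOConnection in $iLOConnections) {
    Write-Verbose -Message "Getting CSR for $($iLOConnection.Hostname)"
    $CsrData = $null
    $attempt = 0

    # Poll until the CSR is available. The cmdlet may either throw or return
    # an object with an empty CSR while generation is still running; both
    # cases wait before retrying, and the loop gives up after $CsrMaxAttempts.
    While (-not $CsrData.CertificateSigningRequest -and $attempt -lt $CsrMaxAttempts) {
        $attempt++
        try {
            $CsrData = Get-HPEiLOCertificateSigningRequest -Connection $iLOConnection
        }
        catch {
            $CsrData = $null
        }
        if (-not $CsrData.CertificateSigningRequest) {
            Write-Warning -Message "CSR not ready yet for $($iLOConnection.Hostname), waiting $CsrPollSeconds seconds."
            Start-Sleep -Seconds $CsrPollSeconds
        }
    }

    if (-not $CsrData.CertificateSigningRequest) {
        Write-Warning -Message "No CSR obtained from $($iLOConnection.Hostname) after $CsrMaxAttempts attempts, skipping enrollment."
        continue
    }

    $EnrollBody = @{
        orgId             = $OrgId
        certType          = $CertType
        term              = 365
        comments          = "iLO Certificate Renewal for $($iLOConnection.Hostname)"
        serverType        = $ServerTypeCode
        csr               = $CsrData.CertificateSigningRequest
        externalRequester = $RequesterEmail
        customFields      = @(
            @{
                name  = 'ApplicationName'
                value = 'Infra-VMware'
            }
        )
    }

    $InvokeRestMethodParams = @{
        Uri         = $RequestUrl
        Method      = 'Post'
        Headers     = $headers
        Body        = ($EnrollBody | ConvertTo-Json -Depth 10)
        ContentType = 'application/json'
    }

    $Response = Invoke-RestMethod @InvokeRestMethodParams #actual enrollment/request
    if ($Response.sslId) {
        $OrderIds += $Response.sslId
    }
    else {
        Write-Warning -Message "Enrollment for $($iLOConnection.Hostname) returned no sslId."
    }
}

<## approval step -- can't approve own requests, need alternate method... auto-approval of some kind?
$ApproveUrl = $BaseAPIUrl + "/api/ssl/v1/approve/${OrderId}"
$ApproveBody = @{
    message = 'Approved VMware Auto'
}
$ApproveSplat = @{
    Uri         = $ApproveUrl
    Method      = 'Post'
    Headers     = $headers
    Body        = ($ApproveBody) | ConvertTo-Json
    ContentType = 'application/json'
}

Invoke-RestMethod @ApproveSplat
#>

# ---- 5. download the certificates ------------------------------------------
## the first link email / "Certificate only, PEM encoded"

### re-establish token with Sectigo - the first one may have expired while we waited
$headers = Get-SectigoHeaders -ApiKey $SectigoAPIKey -TokenEndpoint $tokenEndpoint

if (-not (Test-Path -Path $CertOutputDir)) {
    New-Item -ItemType Directory -Path $CertOutputDir | Out-Null
}

ForEach ($OrderId in $OrderIds) {
    $Certificate = $null
    $attempt = 0

    # Poll the order until it is issued, sleeping between polls (the API is
    # rate limited and approval is a manual step) and giving up after
    # $IssueMaxAttempts so an unapproved order does not block forever.
    While ($Certificate.status -ne "Issued" -and $attempt -lt $IssueMaxAttempts) {
        $attempt++
        $ValidateSplat = @{
            Uri     = "${BaseAPIUrl}/api/ssl/v1/${OrderId}"
            Method  = 'Get'
            Headers = $headers
        }
        $Certificate = Invoke-RestMethod @ValidateSplat
        if ($Certificate.status -ne "Issued") {
            Write-Verbose -Message "Order $OrderId status '$($Certificate.status)', waiting $IssuePollSeconds seconds." -Verbose
            Start-Sleep -Seconds $IssuePollSeconds
        }
    }

    if ($Certificate.status -ne "Issued") {
        Write-Warning -Message "Order $OrderId not issued after $IssueMaxAttempts polls, skipping download."
        continue
    }

    $CollectUrl = $BaseAPIUrl + "/api/ssl/v1/collect/${OrderId}?format=${Format}"
    $CommonName = $Certificate.commonName

    $DownloadSplat = @{
        Uri             = $CollectUrl
        Method          = 'Get'
        Headers         = $headers
        UseBasicParsing = $true
    }

    Invoke-WebRequest @DownloadSplat -OutFile (Join-Path -Path $CertOutputDir -ChildPath "$CommonName-$OrderId.pem")
}

# ---- 6. install the new certs on the iLOs -----------------------------------

$Certs = Get-ChildItem -Path $CertOutputDir -Filter "*.pem"
ForEach ($iLOConnection in $iLOConnections) {
    Write-Verbose -Message "Uploading certificate to $($iLOConnection.Hostname)" -Verbose

    # Several files can match the hostname prefix (e.g. from earlier runs);
    # use the most recently written one, and skip the iLO if none exists.
    $CertFileToUse = $Certs |
        Where-Object { $_.Name -like "$($iLOConnection.Hostname)*" } |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $CertFileToUse) {
        Write-Warning -Message "No certificate file found for $($iLOConnection.Hostname), skipping upload."
        continue
    }

    $Cert = Get-Content -Path $CertFileToUse.FullName
    Import-HPEiLOCertificate -Certificate ($Cert | Out-String) -Connection $iLOConnection -Force
}

# ---- 7. verify what each iLO presents now -----------------------------------

ForEach ($iLODnsName in $iLOToRenew) {
    try {
        $NewCert = Get-RemoteTlsCertificate -HostName $iLODnsName
    }
    catch {
        Write-Warning -Message "Could not re-read certificate from ${iLODnsName}: $($_.Exception.Message)"
        continue
    }

    $NewCert | Select-Object @{ n = 'zSubject'; e = { $NewCert.Subject.split(',')[0] } }, NotBefore, NotAfter
}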