###################################################################################
# PowerShell Script to generate a CSR for a SCEPman Intermediate CA certificate #
###################################################################################
# Authors: Aaron Navratil and GKGAB contributors
# License: Unlicense (https://unlicense.org/)
# Source: https://docs.scepman.com/scepman-configuration/optional/intermediate-certificate
TenantID = "" # <GUID> of your Azure AD Tenant
ApplicationID = "" # <GUID> -> the Application (Client) ID of your Azure App Registration
ApplicationKey = "" # Client secret from your Azure App Registration
KeyVaultName = "" # Name of your Azure Key Vault resource
NewCertName = "" # Name of your new Intermediate CA certificate. Use Letters, Numbers, and/or spaces.
CompanyName = "" # Your Company Name. Use Letters, Numbers, and/or spaces.
grant_type = "client_credentials"
client_id = $config.ApplicationID
client_secret = $config.ApplicationKey
scope = "https://vault.azure.net/.default"
# Client-credentials token request against the v2.0 token endpoint of the tenant in
# $config.TenantID. $body (grant_type, client_id, client_secret, scope) is sent as a form
# POST and therefore carries the client secret from $config.ApplicationKey; the secret should
# be read from a protected source rather than kept as a literal at the top of the script, and
# the request must stay on the https endpoint used here. The scope restricts the resulting
# token to Key Vault (https://vault.azure.net/.default).
$TokenResponse = Invoke-RestMethod https://login.microsoftonline.com/$($config.TenantID)/oauth2/v2.0/token -Method Post -Body $body -UseBasicParsing
# Authorization header "<token_type> <access_token>" reused by the Key Vault call below.
# Nothing here verifies that access_token is non-empty; a missing token would only surface
# as an authentication failure from the Key Vault request.
$AuthHeader = @{Authorization = $TokenResponse.token_type + " " + $TokenResponse.access_token}
"contentType": "application/x-pkcs12"
"subject": "O=$($config.CompanyName), OU=$($config.TenantID), CN=$($config.NewCertName)",
"lifetime_percentage": 80
"action_type": "EmailContacts"
"cert_transparency": false
# https://docs.microsoft.com/en-us/rest/api/keyvault/create-certificate/create-certificate#uri-parameters
# Ask Key Vault to create the certificate and hand back its CSR ($CertReq.csr is printed
# further down). The certificate-name URL segment is $config.NewCertName with every character
# outside [A-Za-z0-9-] replaced by "-", because the display name may contain spaces.
# NOTE(review): the name echoed for AppConfig at the end of the script is derived with
# '[^A-Za-z0-9]' (hyphen not preserved), so a NewCertName containing "-" is created under one
# name here and reported under a different one there; the two expressions should agree.
# $AuthHeader supplies the bearer token; $CertBody is presumably the JSON certificate policy
# assembled above — verify its fields against the linked API reference.
$CertReq = Invoke-RestMethod https://$($config.KeyVaultName).vault.azure.net/certificates/$($config.NewCertName -replace "[^A-Za-z0-9-]", "-")/create?api-version=7.2 -Method Post -Body $CertBody -ContentType "application/json" -Headers $AuthHeader -UseBasicParsing
-----BEGIN CERTIFICATE REQUEST-----
$([regex]::Matches($CertReq.csr, "[^\s]{1,64}").value -join "`n")
-----END CERTIFICATE REQUEST-----
Write-Host -ForegroundColor Cyan @"
After Signing the CSR use the values of:
$($config.NewCertName -replace '[^A-Za-z0-9]', "-") in AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName
CN=$($config.NewCertName), OU=$($config.TenantID), O=$($config.CompanyName) in AppConfig:KeyVaultConfig:RootCertificateConfig:Subject