Nota:
El acceso a esta página requiere autorización. Puede intentar iniciar sesión o cambiar directorios.
El acceso a esta página requiere autorización. Puede intentar cambiar los directorios.
Este script automatiza la generación y firma de certificados de seguridad de la capa de transporte (TLS) mediante OpenSSL. Crea una solicitud de firma de certificado (CSR) mediante la API de gráficos de inspección tls. El script crea una entidad de certificación raíz autofirmado mediante OpenSSL, firma la CSR y carga el certificado y la cadena en la configuración de inspección de TLS.
Prerrequisitos
- Instale OpenSSL para Windows o Linux.
Nota:
Aunque otras herramientas podrían estar disponibles para la administración de certificados, este código de ejemplo de este artículo usa OpenSSL. OpenSSL se incluye con muchas distribuciones de Linux, como Ubuntu.
Generación y firma de certificados TLS
# This script requires the following:
# - PowerShell 5.1 (x64) or later
# - Module: Microsoft.Graph.Beta
#
# Before you begin:
#
# - Make sure you're running PowerShell as an administrator
# - Make sure you run: Install-Module Microsoft.Graph.Beta -AllowClobber -Force
# - Make sure OpenSSL is installed
# - Replace the OpenSSL path below if needed
Import-Module Microsoft.Graph.Beta.NetworkAccess
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "NetworkAccess.ReadWrite.All" -NoWelcome
# Modify the following with your own settings before running the script:
$name = "TLSiDemoCA"
$commonName = "Contoso TLS Demo"
$organizationName = "Contoso"
# Replace with your OpenSSL path
$openSSLPath = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
# Generated file names
$rootKey = "TlsDemorootCA.key"
$rootCert = "TlsDemorootCAcert.pem"
$subject = "/C=US/ST=Washington/L=Redmond/O=Contoso/CN=Contoso"
$signedCert = "signedcertificate.pem"
$csrPath = "$name.csr"
$opensslCnfPath = "openssl.cnf"
# Check if External Certificate Authority Certificates already exist
try {
$response = Get-MgBetaNetworkAccessTlExternalCertificateAuthorityCertificate -ErrorAction Stop
if ($response.Count -gt 0) {
Write-Host "A certificate for TLS inspection already exists."
exit 1
}
}
catch {
if ($_.Exception.Message -match "404|NotFound|Tenant TLS Tenant Settings does not exist") {
Write-Host "TLS inspection tenant settings do not exist yet. Continuing with CSR creation..."
}
else {
Write-Error "The Graph SDK call failed: $($_.Exception.Message)"
exit 1
}
}
# Create the certificate signing request (CSR)
$paramscsr = @{
"@odata.type" = "#microsoft.graph.networkaccess.externalCertificateAuthorityCertificate"
name = $name
commonName = $commonName
organizationName = $organizationName
}
$createResponse = $null
try {
$createResponse = New-MgBetaNetworkAccessTlExternalCertificateAuthorityCertificate -BodyParameter $paramscsr -ErrorAction Stop
}
catch {
Write-Error "Failed to create certificate signing request: $($_.Exception.Message)"
exit 1
}
# Save CSR to file
$csr = $createResponse.CertificateSigningRequest
Set-Content -Path $csrPath -Value $csr -Encoding ASCII
Write-Host "CSR saved to $csrPath"
# Save certificate ID to upload later
$externalCertificateAuthorityCertificateId = $createResponse.Id
# Create OpenSSL config
$opensslCnfContent = @"
[ rootCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ interCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ signedCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
extendedKeyUsage = serverAuth
[ server_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
"@
Set-Content -Path $opensslCnfPath -Value $opensslCnfContent -Encoding ASCII
# Generate Root CA private key and certificate
Write-Host "Generating Root CA key and certificate..."
& $openSSLPath req -x509 -new -nodes -newkey rsa:4096 `
-keyout $rootKey `
-sha256 `
-days 370 `
-out $rootCert `
-subj $subject `
-config $opensslCnfPath `
-extensions rootCA_ext
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to generate the Root CA certificate."
exit 1
}
# Sign CSR using Root CA
if (Test-Path $csrPath) {
Write-Host "Signing CSR file $csrPath..."
& $openSSLPath x509 -req `
-in $csrPath `
-CA $rootCert `
-CAkey $rootKey `
-CAcreateserial `
-out $signedCert `
-days 370 `
-sha256 `
-extfile $opensslCnfPath `
-extensions signedCA_ext
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to sign the CSR."
exit 1
}
Write-Host "Successfully saved signed certificate to $signedCert"
}
else {
Write-Error "CSR file '$csrPath' not found. Please generate it first."
exit 1
}
# Optional validation output
Write-Host "`nValidating signed certificate..."
& $openSSLPath x509 -in $signedCert -text -noout
# Read certificate and chain
$paramsupload = @{
certificate = Get-Content -Path $signedCert -Raw
chain = Get-Content -Path $rootCert -Raw
}
# Upload the signed certificate and its chain to Microsoft Graph
try {
Update-MgBetaNetworkAccessTlExternalCertificateAuthorityCertificate `
-ExternalCertificateAuthorityCertificateId $externalCertificateAuthorityCertificateId `
-BodyParameter $paramsupload `
-ErrorAction Stop
}
catch {
Write-Error "Failed to upload certificate and chain: $($_.Exception.Message)"
exit 1
}
Write-Host "Certificate is uploaded successfully via Microsoft Graph SDK."