blackicedbear/dms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b43446f652130e7bbdc3cbc77f1ce1d76ca38a9
dms/Setup-LDAPS-Certificate.ps1
T

111 lines
3.9 KiB
PowerShell
Raw Blame History

# ============================================================
# LDAPS Zertifikat Setup fuer Domain Controller
# Ausfuehren auf: SRV-DC01 (10.10.10.10) als Administrator
# Zweck: Aktiviert LDAPS (Port 636) fuer docker-mailserver
# ============================================================
Write-Host "`n=== LDAPS Zertifikat Setup ===" -ForegroundColor Cyan
# Schritt 1: INF-Datei erstellen
Write-Host "[1/4] Erstelle Zertifikat-Request (INF)..." -ForegroundColor Yellow
$infContent = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=SRV-DC01.byte.trail"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = Cert
KeyUsage = 0xa0
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=SRV-DC01.byte.trail&"
_continue_ = "dns=byte.trail&"
_continue_ = "ip=10.10.10.10"
"@
Set-Content -Path "C:\ldaps.inf" -Value $infContent -Encoding ASCII
Write-Host " [OK] C:\ldaps.inf erstellt" -ForegroundColor Green
# Schritt 2: Zertifikat erstellen und im Machine Store installieren
Write-Host "[2/4] Erstelle und installiere Zertifikat..." -ForegroundColor Yellow
$result = certreq -new "C:\ldaps.inf" "C:\ldaps.cer" 2>&1
if ($LASTEXITCODE -eq 0) {
Write-Host " [OK] Zertifikat erstellt und installiert" -ForegroundColor Green
} else {
Write-Host " [!] Fehler bei certreq: $result" -ForegroundColor Red
Write-Host " [!] Versuche Fallback mit New-SelfSignedCertificate..." -ForegroundColor Yellow
# Fallback: New-SelfSignedCertificate mit Legacy CSP
$cert = New-SelfSignedCertificate `
-Subject "CN=SRV-DC01.byte.trail" `
-DnsName "SRV-DC01.byte.trail","byte.trail","10.10.10.10" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyExportPolicy Exportable `
-NotAfter (Get-Date).AddYears(10) `
-Provider "Microsoft RSA SChannel Cryptographic Provider" `
-KeyUsage DigitalSignature, KeyEncipherment `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
if ($cert) {
Write-Host " [OK] Zertifikat erstellt (Fallback)" -ForegroundColor Green
} else {
Write-Host " [!] FEHLER: Zertifikat konnte nicht erstellt werden!" -ForegroundColor Red
exit 1
}
}
# Schritt 3: NTDS neu starten
Write-Host "[3/4] Starte NTDS-Dienst neu..." -ForegroundColor Yellow
Restart-Service NTDS -Force
Start-Sleep -Seconds 5
Write-Host " [OK] NTDS neugestartet" -ForegroundColor Green
# Schritt 4: LDAPS testen
Write-Host "[4/4] Teste LDAPS (Port 636)..." -ForegroundColor Yellow
Start-Sleep -Seconds 3
try {
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect("localhost", 636)
if ($tcp.Connected) {
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, {$true})
try {
$ssl.AuthenticateAsClient("SRV-DC01.byte.trail")
Write-Host " [OK] LDAPS funktioniert! Zertifikat: $($ssl.RemoteCertificate.Subject)" -ForegroundColor Green
} catch {
Write-Host " [!] Port 636 offen, aber SSL-Handshake fehlgeschlagen: $($_.Exception.Message)" -ForegroundColor Red
Write-Host " [!] Moeglicherweise muss der Server komplett neugestartet werden (Restart-Computer)" -ForegroundColor Yellow
} finally {
$ssl.Close()
}
}
$tcp.Close()
} catch {
Write-Host " [!] Port 636 nicht erreichbar: $($_.Exception.Message)" -ForegroundColor Red
Write-Host " [!] Versuche: Restart-Computer -Force" -ForegroundColor Yellow
}
Write-Host "`n=== Setup abgeschlossen ===" -ForegroundColor Cyan
Write-Host "Falls LDAPS nicht funktioniert, fuehre 'Restart-Computer -Force' aus und teste erneut." -ForegroundColor Yellow
Write-Host ""
Reference in New Issue View Git Blame Copy Permalink