From d9b6224116d91f15fb3c7c3760c721d73ba1d526 Mon Sep 17 00:00:00 2001
From: AkiraFFM <46425192+AkiraFFM@users.noreply.github.com>
Date: Tue, 22 Nov 2022 23:49:21 +0100
Subject: [PATCH] Add Subject parameter to New-PACertificate, New-PAOrder, and
Set-PAOrder (#463)
---
Posh-ACME/Private/New-Csr.ps1 | 6 +-
Posh-ACME/Public/New-PACertificate.ps1 | 5 ++
Posh-ACME/Public/New-PAOrder.ps1 | 4 ++
Posh-ACME/Public/Set-PAOrder.ps1 | 10 +++
Posh-ACME/en-US/Posh-ACME-help.xml | 84 ++++++++++++++++++++++++++
docs/Functions/New-PACertificate.md | 17 +++++-
docs/Functions/New-PAOrder.md | 27 +++++++--
docs/Functions/Set-PAOrder.md | 21 ++++++-
8 files changed, 163 insertions(+), 11 deletions(-)
diff --git a/Posh-ACME/Private/New-Csr.ps1 b/Posh-ACME/Private/New-Csr.ps1
index 1ff3184e..214d52b9 100644
--- a/Posh-ACME/Private/New-Csr.ps1
+++ b/Posh-ACME/Private/New-Csr.ps1
@@ -74,7 +74,11 @@ function New-Csr {
# start building the cert request
# create the subject
- $subject = New-Object Org.BouncyCastle.Asn1.X509.X509Name("CN=$($Order.MainDomain)")
+ if ($Order.Subject) {
+ $subject = New-Object Org.BouncyCastle.Asn1.X509.X509Name($Order.Subject)
+ } else {
+ $subject = New-Object Org.BouncyCastle.Asn1.X509.X509Name("CN=$($Order.MainDomain)")
+ }
# create a .NET Dictionary to hold our extensions because that's what BouncyCastle needs
$extDict = New-Object 'Collections.Generic.Dictionary[Org.BouncyCastle.Asn1.DerObjectIdentifier,Org.BouncyCastle.Asn1.X509.X509Extension]'
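Review bot: The new `$Order.Subject` branch hands the string straight to the X509Name string constructor with no validation or error translation, so a DN that BouncyCastle cannot parse surfaces as a raw parse exception at CSR-build time, with nothing pointing the user at the Subject setting on the order. A narrow try/catch would make the failure actionable: `try { $subject = New-Object Org.BouncyCastle.Asn1.X509.X509Name($Order.Subject) }` / `catch { throw "Order Subject '$($Order.Subject)' is not a valid X.500 distinguished name: $($_.Exception.Message)" }`. Note also that an order whose Subject is a non-empty but whitespace-only string takes the new branch rather than the CN=MainDomain default; trimming before the test, or rejecting such values where the parameter is bound, would avoid that. New-Csr starts before this hunk and continues after it.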
diff --git a/Posh-ACME/Public/New-PACertificate.ps1 b/Posh-ACME/Public/New-PACertificate.ps1
index 714c8a98..d020c03e 100644
--- a/Posh-ACME/Public/New-PACertificate.ps1
+++ b/Posh-ACME/Public/New-PACertificate.ps1
@@ -30,6 +30,8 @@ function New-PACertificate {
[Parameter(ParameterSetName='FromScratch')]
[switch]$OCSPMustStaple,
[Parameter(ParameterSetName='FromScratch')]
+ [string]$Subject,
+ [Parameter(ParameterSetName='FromScratch')]
[string]$FriendlyName,
[Parameter(ParameterSetName='FromScratch')]
[string]$PfxPass='poshacme',
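Review bot: `[string]$Subject` is bound with no format check, so a malformed DN is only discovered when New-Csr builds the request, which in this cmdlet happens after the order has been created and the challenges completed; the same applies to the parameter hunks in New-PAOrder and Set-PAOrder. A cheap early sanity check that needs no extra dependency is `[ValidateScript({ [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($_) | Out-Null; $true })]`, with the caveat that the .NET parser's grammar is not guaranteed to match BouncyCastle's, so it catches obvious mistakes rather than replacing the check at CSR time. If the validation is added here it should be added to all three cmdlets so the parameter behaves the same everywhere. The enclosing param block starts and ends outside this hunk.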
@@ -157,6 +159,7 @@ function New-PACertificate {
KeyLength = $CertKeyLength
OCSPMustStaple = $OCSPMustStaple
AlwaysNewKey = $AlwaysNewKey
+ Subject = $Subject
FriendlyName = $FriendlyName
PfxPass = $PfxPass
UseModernPfxEncryption = $UseModernPfxEncryption
@@ -168,6 +171,7 @@ function New-PACertificate {
if ($oldOrder) {
@( 'OCSPMustStaple'
'AlwaysNewKey'
+ 'Subject'
'FriendlyName'
'PfxPass'
'UseModernPfxEncryption'
@@ -223,6 +227,7 @@ function New-PACertificate {
'PluginArgs'
'DnsAlias'
'Install'
+ 'Subject'
'FriendlyName'
'PfxPass'
'UseModernPfxEncryption'
diff --git a/Posh-ACME/Public/New-PAOrder.ps1 b/Posh-ACME/Public/New-PAOrder.ps1
index f466aa86..026ad6ba 100644
--- a/Posh-ACME/Public/New-PAOrder.ps1
+++ b/Posh-ACME/Public/New-PAOrder.ps1
@@ -28,6 +28,9 @@ function New-PAOrder {
[switch]$AlwaysNewKey,
[Parameter(ParameterSetName='FromScratch')]
[Parameter(ParameterSetName='ImportKey')]
+ [string]$Subject,
+ [Parameter(ParameterSetName='FromScratch')]
+ [Parameter(ParameterSetName='ImportKey')]
[string]$FriendlyName,
[Parameter(ParameterSetName='FromScratch')]
[Parameter(ParameterSetName='ImportKey')]
@@ -259,6 +262,7 @@ function New-PAOrder {
DnsAlias = $null
DnsSleep = $DnsSleep
ValidationTimeout = $ValidationTimeout
+ Subject = $Subject
FriendlyName = $FriendlyName
PfxPass = $PfxPass
Install = $Install.IsPresent
diff --git a/Posh-ACME/Public/Set-PAOrder.ps1 b/Posh-ACME/Public/Set-PAOrder.ps1
index e1c592f8..8d1d54b6 100644
--- a/Posh-ACME/Public/Set-PAOrder.ps1
+++ b/Posh-ACME/Public/Set-PAOrder.ps1
@@ -29,6 +29,9 @@ function Set-PAOrder {
[string]$NewName,
[Parameter(ParameterSetName='Edit')]
[ValidateNotNullOrEmpty()]
+ [string]$Subject,
+ [Parameter(ParameterSetName='Edit')]
+ [ValidateNotNullOrEmpty()]
[string]$FriendlyName,
[Parameter(ParameterSetName='Edit')]
[ValidateNotNullOrEmpty()]
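Review bot: `[ValidateNotNullOrEmpty()]` on the new `-Subject` parameter means a Subject, once set on an order, cannot be cleared again through Set-PAOrder to return to the `CN=<MainDomain>` default, since `-Subject ''` is rejected at binding; nothing in this patch shows another way to reset it. Because the New-Csr change treats an empty or missing Subject as "use the default", dropping the attribute here and letting an empty string through would give users a reset path with no further code (`[Parameter(ParameterSetName='Edit')]` / `[string]$Subject,`). If the attribute is deliberate, the help text for Set-PAOrder should say that the value can be changed but not removed. The param block continues outside this hunk.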
@@ -147,6 +150,13 @@ function Set-PAOrder {
$saveChanges = $true
}
+ if ('Subject' -in $psbKeys -and $Subject -ne $order.Subject) {
+ Write-Verbose "Setting Subject to '$Subject'"
+ Write-Warning "Changing the value of Subject only affects future certificates generated with this order. It can not change the state of an existing certificate."
+ $order.Subject = $Subject
+ $saveChanges = $true
+ }
+
if ('FriendlyName' -in $psbKeys -and $FriendlyName -ne $order.FriendlyName) {
Write-Verbose "Setting FriendlyName to '$FriendlyName'"
$order.FriendlyName = $FriendlyName
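Review bot: `$order.Subject = $Subject` assumes the loaded order object already carries a Subject property; for orders persisted before this change that property will not exist, and assigning to a missing property on a PSCustomObject raises a "property cannot be found" error rather than creating it, unless the order-loading code backfills new fields (not visible in this patch, so please confirm). A self-contained alternative is `$order | Add-Member -NotePropertyName Subject -NotePropertyValue $Subject -Force`, which both creates and overwrites the property. Separately, the warning string reads `can not`; `cannot` is the conventional spelling. Set-PAOrder starts before this hunk and continues after it.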
diff --git a/Posh-ACME/en-US/Posh-ACME-help.xml b/Posh-ACME/en-US/Posh-ACME-help.xml
index 0bb22397..9b8b3860 100644
--- a/Posh-ACME/en-US/Posh-ACME-help.xml
+++ b/Posh-ACME/en-US/Posh-ACME-help.xml
@@ -2925,6 +2925,18 @@ New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact 'me@example.
False
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
@@ -3392,6 +3404,18 @@ New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact 'me@example.
False
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
@@ -3717,6 +3741,18 @@ New-PACertificate 'example.com' -Plugin FakeDNS -PluginArgs $pArgs -DnsAlias 'ac
False
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
@@ -3964,6 +4000,18 @@ New-PACertificate 'example.com' -Plugin FakeDNS -PluginArgs $pArgs -DnsAlias 'ac
False
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
@@ -4392,6 +4440,18 @@ New-PACertificate 'example.com' -Plugin FakeDNS -PluginArgs $pArgs -DnsAlias 'ac
False
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
@@ -6865,6 +6925,18 @@ Set-PAAccount -UseAltPluginEncryption:$false
None
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
@@ -7137,6 +7209,18 @@ Set-PAAccount -UseAltPluginEncryption:$false
None
+
+ Subject
+
+ Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+ String
+
+ String
+
+
+ None
+
FriendlyName
diff --git a/docs/Functions/New-PACertificate.md b/docs/Functions/New-PACertificate.md
index 01f6dd71..491e9d03 100644
--- a/docs/Functions/New-PACertificate.md
+++ b/docs/Functions/New-PACertificate.md
@@ -17,7 +17,7 @@ Request a new certificate
```powershell
New-PACertificate [-Domain] [-Name ] [-Contact ] [-CertKeyLength ]
[-AlwaysNewKey] [-AcceptTOS] [-AccountKeyLength ] [-DirectoryUrl ] [-Plugin ]
- [-PluginArgs ] [-LifetimeDays ] [-DnsAlias ] [-OCSPMustStaple]
+ [-PluginArgs ] [-LifetimeDays ] [-DnsAlias ] [-OCSPMustStaple] [-Subject ]
[-FriendlyName ] [-PfxPass ] [-PfxPassSecure ] [-UseModernPfxEncryption]
[-Install] [-UseSerialValidation] [-Force] [-DnsSleep ] [-ValidationTimeout ]
[-PreferredChain ] []
@@ -317,6 +317,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -Subject
+Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+```yaml
+Type: String
+Parameter Sets: FromScratch
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -FriendlyName
Set a friendly name for the certificate.
diff --git a/docs/Functions/New-PAOrder.md b/docs/Functions/New-PAOrder.md
index cb611462..8ed01fff 100644
--- a/docs/Functions/New-PAOrder.md
+++ b/docs/Functions/New-PAOrder.md
@@ -17,18 +17,18 @@ Create a new order on the current ACME account.
```powershell
New-PAOrder [-Domain] [[-KeyLength] ] [-Name ] [-Plugin ]
[-PluginArgs ] [-LifetimeDays ] [-DnsAlias ] [-OCSPMustStaple] [-AlwaysNewKey]
- [-FriendlyName ] [-PfxPass ] [-PfxPassSecure ] [-UseModernPfxEncryption]
- [-Install] [-UseSerialValidation] [-DnsSleep ] [-ValidationTimeout ] [-PreferredChain ]
- [-Force] [-WhatIf] [-Confirm] []
+ [-Subject ] [-FriendlyName ] [-PfxPass ] [-PfxPassSecure ]
+ [-UseModernPfxEncryption] [-Install] [-UseSerialValidation] [-DnsSleep ] [-ValidationTimeout ]
+ [-PreferredChain ] [-Force] [-WhatIf] [-Confirm] []
```
### ImportKey
```powershell
New-PAOrder [-Domain] -KeyFile [-Name ] [-Plugin ]
[-PluginArgs ] [-LifetimeDays ] [-DnsAlias ] [-OCSPMustStaple] [-AlwaysNewKey]
- [-FriendlyName ] [-PfxPass ] [-PfxPassSecure ] [-UseModernPfxEncryption]
- [-Install] [-UseSerialValidation] [-DnsSleep ] [-ValidationTimeout ] [-PreferredChain ]
- [-Force] [-WhatIf] [-Confirm] []
+ [-Subject ] [-FriendlyName ] [-PfxPass ] [-PfxPassSecure ]
+ [-UseModernPfxEncryption] [-Install] [-UseSerialValidation] [-DnsSleep ] [-ValidationTimeout ]
+ [-PreferredChain ] [-Force] [-WhatIf] [-Confirm] []
```
### FromCSR
@@ -261,6 +261,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -Subject
+Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+```yaml
+Type: String
+Parameter Sets: FromScratch, ImportKey
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -FriendlyName
Set a friendly name for the certificate.
This will populate the "Friendly Name" field in the Windows certificate store when the PFX is imported.
diff --git a/docs/Functions/Set-PAOrder.md b/docs/Functions/Set-PAOrder.md
index 79c1b2a5..6ff5db8f 100644
--- a/docs/Functions/Set-PAOrder.md
+++ b/docs/Functions/Set-PAOrder.md
@@ -17,9 +17,9 @@ Switch to or modify an order.
```powershell
Set-PAOrder [[-MainDomain] ] [-Name ] [-NoSwitch] [-Plugin ]
[-PluginArgs ] [-LifetimeDays ] [-DnsAlias ] [-NewName ]
- [-FriendlyName ] [-PfxPass ] [-PfxPassSecure ] [-UseModernPfxEncryption]
- [-Install] [-OCSPMustStaple] [-DnsSleep ] [-ValidationTimeout ] [-PreferredChain ]
- [-AlwaysNewKey] [-UseSerialValidation] [-WhatIf] [-Confirm] []
+ [-Subject ] [-FriendlyName ] [-PfxPass ] [-PfxPassSecure ]
+ [-UseModernPfxEncryption] [-Install] [-OCSPMustStaple] [-DnsSleep ] [-ValidationTimeout ]
+ [-PreferredChain ] [-AlwaysNewKey] [-UseSerialValidation] [-WhatIf] [-Confirm] []
```
### Revoke
@@ -209,6 +209,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -Subject
+Sets the x509 "Subject" field in the certificate request that gets sent to the ACME server. By default, it is set to 'CN=FQDN' where 'FQDN' is the first name in the Domain parameter. For public certificate authorities issuing DV certificates, anything other than a DNS name from the list of domains will either be rejected or stripped from the finalized certificate.
+
+```yaml
+Type: String
+Parameter Sets: Edit
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -FriendlyName
The friendly name for the certificate and subsequent renewals.
This will populate the "Friendly Name" field in the Windows certificate store when the PFX is imported.