mavaddat · December 2, 2025 21:31
diff --git a/setupCerts.ps1 b/setupCerts.ps1
 #Requires -Version 6.0
 #Requires -PSEdition Core
 <#
 .SYNOPSIS
 Sets up Certificate Authority (CA) certificate bundles for various toolsets in Windows using PowerShell Core.

 .DESCRIPTION
 The Set-CaCertsBundles cmdlet is used to collect and set up CA certificates for various toolsets such as Python, AWS, Git, and NodeJs. It collects certificates from the local machine or current user store and configures environment variables for multiple toolsets to use these certificates. Optionally, it can create separate PEM files for NodeJs and import certificates into Windows Subsystem for Linux (WSL).

 .PARAMETER Target
 Specifies the environment variable target. Can be User or Machine. Defaults to Machine if the user has admin privileges, otherwise User.

 .PARAMETER CertOutPath
 Specifies the output file path for the combined certificates. Defaults to "$env:USERPROFILE\.certs\all.pem" and "$env:USERPROFILE\.certs\npmcerts.pem" if WithSpecialNPM is specified.

 .PARAMETER WithSpecialNPM
 Indicates whether to create a separate CRT file at "$env:USERPROFILE\.certs\npmcerts.pem" for the NodeJS package manager. If WithOpenSSL is specified, the cmdlet will automatically extract the URI's that NPM recently tried to connect to and collect certificates from them using openssl.

 .PARAMETER Wsl
 Indicates whether to create separate PEM files to import into Windows Subsystem for Linux (WSL).

 .PARAMETER FailFast
 Indicates whether to terminate the script immediately if an error occurs.

 .EXAMPLE
 Set-CaCertsBundles -Target User -WithSpecialNPM -Wsl

 This command sets up CA certificates for the current user, creates a separate CRT file for NodeJs, and imports certificates into WSL.

 .NOTES
 Requires PowerShell version 6.0 or higher.

 Function requires OpenSSL to be installed and available in the PATH.

 #>
 function Set-CaCertsBundles {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param(
        [Parameter(HelpMessage = 'Environment variable target')]
        [ValidateScript({ $_ -ne [System.EnvironmentVariableTarget]::Machine -or ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }, ErrorMessage = 'Cannot set machine environment variables without admin privileges')]
        [ArgumentCompleter({ [System.Enum]::GetNames([System.EnvironmentVariableTarget]) })]
        [System.EnvironmentVariableTarget]
        $Target = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ? [System.EnvironmentVariableTarget]::Machine : [System.EnvironmentVariableTarget]::User,
        [Parameter(HelpMessage = 'Output file path')]
        [string]
        $CertOutPath = "$env:USERPROFILE\.certs\all.pem",
        [Parameter(HelpMessage = 'Create separate CRT file for the NodeJS package manager')]
        [switch]
        $WithSpecialNPM,
        [Parameter(HelpMessage = 'Create separate PEM files to import into Windows Subsystem for Linux (WSL)')]
        [switch]
        $Wsl,
        [Parameter(HelpMessage = 'Terminate on error')]
        [switch]
        $FailFast,
        [Parameter(HelpMessage = 'Use OpenSSL, if it is available')]
        [switch]
        $WithOpenSSL
    )
    #Requires -Version 6.0
    begin {
        if ($FailFast) {
            trap { Write-Error -Exception $_; return }  # Stop on error
        }
        $openSSLFound = $false
        if (-not(Get-Command -Name openssl.exe -ErrorAction SilentlyContinue)) {
            if (Test-Path "$env:ProgramFiles\OpenSSL-Win64\bin" -PathType Container) {
                $env:PATH += [System.IO.Path]::PathSeparator + "$env:ProgramFiles\OpenSSL-Win64\bin"
                $openSSLFound = $true
            }
        }
        else {
            $WithOpenSSL = $WithOpenSSL -and $openSSLFound  # OpenSSL provides additional preamble on each PEM, which is nice for human-readability
        }
        # Collect the certs from the local machine
        $CertLocation = $Target -eq 'Machine' ? 'LocalMachine' : 'CurrentUser'
        Write-Verbose -Message "Traversing Cert:\$CertLocation"
        $certs = Get-ChildItem -Path "Cert:\${CertLocation}" -Recurse | Where-Object -FilterScript { $_.Thumbprint }
        if ($null -eq $certs -or $certs.Count -eq 0) {
            Get-Error -Newest 1 | Set-Variable -Name LatestError
            if ($null -ne $LatestError -and $LatestError.Exception.ErrorCode -eq -2147467259) {
                Write-Error -Message "Unable to traverse Cert:\. Re-run as System with psexec -s -i pwsh $($MyInvocation.MyCommand) -Target $Target -CertOutPath `"$CertOutPath`" -Wsl:${Wsl} -FailFast:${FailFast}" -Exception $LatestError.Exception
                return
            }
            throw "No certificates found in 'Cert:\${CertLocation}'"
        }
        $certItem = (Test-Path -Path $CertOutPath -PathType Leaf) ? (Get-Item -Path $CertOutPath <# Get if exists #>) : (New-Item -Path $CertOutPath -ItemType File -Confirm:$ConfirmPreference -Force  <# Create if not exists #> ) 
        if ($null -eq $certItem -and $WhatIfPreference) {
            $certItem = [System.IO.FileInfo]::new($CertOutPath)  # For WhatIf, indicates hypothetical output file (not created)
        }
        $envVars = 'GIT_SSL_CAINFO', 'AWS_CA_BUNDLE', 'CURL_CA_BUNDLE', 'NODE_EXTRA_CA_CERTS', 'REQUESTS_CA_BUNDLE', 'SSL_CERT_FILE'
    }
    process {
        for ($i = 0; $i -lt $certs.Count; $i++) {
            Write-Progress -Activity 'Copying certificates' -PercentComplete (100 * $i / $certs.Count)
            if ($WithOpenSSL) {
                $thumbprintCrt = Join-Path -Path $env:TEMP -ChildPath "$($certs[$i].Thumbprint).crt"
                $fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::OpenOrCreate)
                try {
                    $fs.Write($certs[$i].RawData, 0, $certs[$i].RawData.Length)    
                }
                finally {
                    $fs.Dispose()
                }
        
                openssl x509 -inform DER -in $thumbprintCrt -text | Add-Content -Path $certItem
                if ($LASTEXITCODE -ne 0 -and $FailFast) {
                    Write-Error -Message 'Could not create last pem; stopping script to prevent further errors'
                    return
                }
                Remove-Item -Path $thumbprintCrt
            }
            else {
                @"
 -----BEGIN CERTIFICATE-----
 $([System.Convert]::ToBase64String($certs[$i].RawData) -replace '.{64}',"`$0`n")
 -----END CERTIFICATE-----
 "@ | Add-Content -Path $certItem

            }
        }
    }
    end {
        for ($i = 0; $i -lt $envVars.Count; $i++) {
            Write-Progress -Activity 'Setting environment variables' -Status $envVars[$i] -PercentComplete (100 * $i / $envVars.Count)
            if ($PSCmdlet.ShouldProcess($envVars[$i], "Set environment variable to '$certItem'" )) {
                [Environment]::SetEnvironmentVariable($envVars[$i], $certItem.FullName, $Target)
            }
        }
        if ($Wsl -and (Get-Command -Name wsl -ErrorAction SilentlyContinue) -and ($defaultDistro = Select-String -InputObject (wsl --list *>&1 | Out-String) -Pattern '(.*)\([Default\u0000]+\)' | Select-Object -ExpandProperty Matches | ForEach-Object { ($_.Groups[1].Value -replace '\u0000').Trim() })) {
            Write-Verbose -Message 'Copying certificates to WSL'
            
            $wslCertPath = '/etc/apt/apt-ca-certificates.crt'
            $unixCertOutPath = $CertOutPath -replace '\\', '/' -creplace '([A-Z]):', { $_.Groups[1].Value.ToLower() }
            Write-Verbose -Message "Copying certificates to WSL '$wslCertPath'"
            wsl -d $defaultDistro -e sh -c "sudo mkdir -p /etc/apt && sudo cp $unixCertOutPath '$wslCertPath' && printf 'APT::Authentication::TrustCDN \"true\";\n' | sudo tee -a /etc/apt/apt.conf.d/99verify-cdn > /dev/null"

            Write-Verbose -Message 'Setting WSL environment variables'
            if ($WithSpecialNPM -and $openSSLFound) {
                Write-Verbose -Message 'Collecting npm certificates'
                $WithSpecialNPMCertOutPath = Join-Path -Path (Split-Path -Path $CertOutPath -Parent) -ChildPath 'npmcerts.pem'
                Write-Verbose -Message "NPM certificate output path: '$WithSpecialNPMCertOutPath'"
                # Extract relevant URI's from the npm logs
                $uris = Select-String -Path "$env:LOCALAPPDATA\npm-cache\_logs\*.log" -Pattern 'https?://\S+' -AllMatches | Select-Object -ExpandProperty Matches | ForEach-Object { 
                    $result = [uri]$null
                    if ([uri]::TryCreate($_, [System.UriKind]::Absolute, [ref]$result)) {
                        $result
                    }
                }
                $certs = [System.Collections.Concurrent.ConcurrentBag[string]]::new()  # For parallel processing
                $uniqueUris = $uris | Select-Object -Property Host, Port -Unique
                Write-Verbose -Message "Found $($uniqueUris.Count) unique URIs to collect certificates from"
                Format-Table -AutoSize -Wrap -InputObject $uniqueUris | Out-String | Write-Debug
                $uniqueUris | Select-Object -Property Host, Port -Unique | ForEach-Object -ThrottleLimit $env:NUMBER_OF_PROCESSORS -Parallel {
                    $certs = $using:certs
                    $uri = $_
                    # This uses openssl to connect to the URI and get the complete certificate chain
                    Write-Output -InputObject '' | openssl s_client -showcerts -servername "$($uri.Host)" -connect "$($uri.Host):$($uri.Port)" 2>$null | Out-String | Select-String -Pattern '(?sm)-+BEGIN CERTIFICATE-+([^-]+[\r\n]+)+-+END CERTIFICATE-+' -AllMatches -CaseSensitive | Select-Object -ExpandProperty Matches | ForEach-Object { $certs.Add(($_.Value)) }
                }
                $certs.ToArray() | Set-Content -Path $WithSpecialNPMCertOutPath
                Get-Content -Path $CertOutPath -Raw | Select-String -Pattern '(?sm)-+BEGIN CERTIFICATE-+([^-]+[\r\n]+)+-+END CERTIFICATE-+' -AllMatches -CaseSensitive | Select-Object -ExpandProperty Matches | ForEach-Object { $_.Value } | Add-Content -Path $WithSpecialNPMCertOutPath
                if ($PSCmdlet.ShouldProcess('NODE_EXTRA_CA_CERTS', "Set environment variable to '$WithSpecialNPMCertOutPath" )) {
                    [Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS', $WithSpecialNPMCertOutPath, $Target)
                }
            }
        }
    }
 }
	#Requires -Version 6.0
	#Requires -PSEdition Core
	<#
	.SYNOPSIS
	Sets up Certificate Authority (CA) certificate bundles for various toolsets in Windows using PowerShell Core.

	.DESCRIPTION
	The Set-CaCertsBundles cmdlet is used to collect and set up CA certificates for various toolsets such as Python, AWS, Git, and NodeJs. It collects certificates from the local machine or current user store and configures environment variables for multiple toolsets to use these certificates. Optionally, it can create separate PEM files for NodeJs and import certificates into Windows Subsystem for Linux (WSL).

	.PARAMETER Target
	Specifies the environment variable target. Can be User or Machine. Defaults to Machine if the user has admin privileges, otherwise User.

	.PARAMETER CertOutPath
	Specifies the output file path for the combined certificates. Defaults to "$env:USERPROFILE\.certs\all.pem" and "$env:USERPROFILE\.certs\npmcerts.pem" if WithSpecialNPM is specified.

	.PARAMETER WithSpecialNPM
	Indicates whether to create a separate CRT file at "$env:USERPROFILE\.certs\npmcerts.pem" for the NodeJS package manager. If WithOpenSSL is specified, the cmdlet will automatically extract the URI's that NPM recently tried to connect to and collect certificates from them using openssl.

	.PARAMETER Wsl
	Indicates whether to create separate PEM files to import into Windows Subsystem for Linux (WSL).

	.PARAMETER FailFast
	Indicates whether to terminate the script immediately if an error occurs.

	.EXAMPLE
	Set-CaCertsBundles -Target User -WithSpecialNPM -Wsl

	This command sets up CA certificates for the current user, creates a separate CRT file for NodeJs, and imports certificates into WSL.

	.NOTES
	Requires PowerShell version 6.0 or higher.

	Function requires OpenSSL to be installed and available in the PATH.

	#>
	function Set-CaCertsBundles {
	[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
	param(
	[Parameter(HelpMessage = 'Environment variable target')]
	[ValidateScript({ $_ -ne [System.EnvironmentVariableTarget]::Machine -or ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }, ErrorMessage = 'Cannot set machine environment variables without admin privileges')]
	[ArgumentCompleter({ [System.Enum]::GetNames([System.EnvironmentVariableTarget]) })]
	[System.EnvironmentVariableTarget]
	$Target = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ? [System.EnvironmentVariableTarget]::Machine : [System.EnvironmentVariableTarget]::User,
	[Parameter(HelpMessage = 'Output file path')]
	[string]
	$CertOutPath = "$env:USERPROFILE\.certs\all.pem",
	[Parameter(HelpMessage = 'Create separate CRT file for the NodeJS package manager')]
	[switch]
	$WithSpecialNPM,
	[Parameter(HelpMessage = 'Create separate PEM files to import into Windows Subsystem for Linux (WSL)')]
	[switch]
	$Wsl,
	[Parameter(HelpMessage = 'Terminate on error')]
	[switch]
	$FailFast,
	[Parameter(HelpMessage = 'Use OpenSSL, if it is available')]
	[switch]
	$WithOpenSSL
	)
	#Requires -Version 6.0
	begin {
	if ($FailFast) {
	trap { Write-Error -Exception $_; return } # Stop on error
	}
	$openSSLFound = $false
	if (-not(Get-Command -Name openssl.exe -ErrorAction SilentlyContinue)) {
	if (Test-Path "$env:ProgramFiles\OpenSSL-Win64\bin" -PathType Container) {
	$env:PATH += [System.IO.Path]::PathSeparator + "$env:ProgramFiles\OpenSSL-Win64\bin"
	$openSSLFound = $true
	}
	}
	else {
	$WithOpenSSL = $WithOpenSSL -and $openSSLFound # OpenSSL provides additional preamble on each PEM, which is nice for human-readability
	}
	# Collect the certs from the local machine
	$CertLocation = $Target -eq 'Machine' ? 'LocalMachine' : 'CurrentUser'
	Write-Verbose -Message "Traversing Cert:\$CertLocation"
	$certs = Get-ChildItem -Path "Cert:\${CertLocation}" -Recurse \| Where-Object -FilterScript { $_.Thumbprint }
	if ($null -eq $certs -or $certs.Count -eq 0) {
	Get-Error -Newest 1 \| Set-Variable -Name LatestError
	if ($null -ne $LatestError -and $LatestError.Exception.ErrorCode -eq -2147467259) {
	Write-Error -Message "Unable to traverse Cert:\. Re-run as System with psexec -s -i pwsh $($MyInvocation.MyCommand) -Target $Target -CertOutPath `"$CertOutPath`" -Wsl:${Wsl} -FailFast:${FailFast}" -Exception $LatestError.Exception
	return
	}
	throw "No certificates found in 'Cert:\${CertLocation}'"
	}
	$certItem = (Test-Path -Path $CertOutPath -PathType Leaf) ? (Get-Item -Path $CertOutPath <# Get if exists #>) : (New-Item -Path $CertOutPath -ItemType File -Confirm:$ConfirmPreference -Force <# Create if not exists #> )
	if ($null -eq $certItem -and $WhatIfPreference) {
	$certItem = [System.IO.FileInfo]::new($CertOutPath) # For WhatIf, indicates hypothetical output file (not created)
	}
	$envVars = 'GIT_SSL_CAINFO', 'AWS_CA_BUNDLE', 'CURL_CA_BUNDLE', 'NODE_EXTRA_CA_CERTS', 'REQUESTS_CA_BUNDLE', 'SSL_CERT_FILE'
	}
	process {
	for ($i = 0; $i -lt $certs.Count; $i++) {
	Write-Progress -Activity 'Copying certificates' -PercentComplete (100 * $i / $certs.Count)
	if ($WithOpenSSL) {
	$thumbprintCrt = Join-Path -Path $env:TEMP -ChildPath "$($certs[$i].Thumbprint).crt"
	$fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::OpenOrCreate)
	try {
	$fs.Write($certs[$i].RawData, 0, $certs[$i].RawData.Length)
	}
	finally {
	$fs.Dispose()
	}

	openssl x509 -inform DER -in $thumbprintCrt -text \| Add-Content -Path $certItem
	if ($LASTEXITCODE -ne 0 -and $FailFast) {
	Write-Error -Message 'Could not create last pem; stopping script to prevent further errors'
	return
	}
	Remove-Item -Path $thumbprintCrt
	}
	else {
	@"
	-----BEGIN CERTIFICATE-----
	$([System.Convert]::ToBase64String($certs[$i].RawData) -replace '.{64}',"`$0`n")
	-----END CERTIFICATE-----
	"@ \| Add-Content -Path $certItem

	}
	}
	}
	end {
	for ($i = 0; $i -lt $envVars.Count; $i++) {
	Write-Progress -Activity 'Setting environment variables' -Status $envVars[$i] -PercentComplete (100 * $i / $envVars.Count)
	if ($PSCmdlet.ShouldProcess($envVars[$i], "Set environment variable to '$certItem'" )) {
	[Environment]::SetEnvironmentVariable($envVars[$i], $certItem.FullName, $Target)
	}
	}
	if ($Wsl -and (Get-Command -Name wsl -ErrorAction SilentlyContinue) -and ($defaultDistro = Select-String -InputObject (wsl --list >&1 \| Out-String) -Pattern '(.)\([Default\u0000]+\)' \| Select-Object -ExpandProperty Matches \| ForEach-Object { ($_.Groups[1].Value -replace '\u0000').Trim() })) {
	Write-Verbose -Message 'Copying certificates to WSL'

	$wslCertPath = '/etc/apt/apt-ca-certificates.crt'
	$unixCertOutPath = $CertOutPath -replace '\\', '/' -creplace '([A-Z]):', { $_.Groups[1].Value.ToLower() }
	Write-Verbose -Message "Copying certificates to WSL '$wslCertPath'"
	wsl -d $defaultDistro -e sh -c "sudo mkdir -p /etc/apt && sudo cp $unixCertOutPath '$wslCertPath' && printf 'APT::Authentication::TrustCDN \"true\";\n' \| sudo tee -a /etc/apt/apt.conf.d/99verify-cdn > /dev/null"

	Write-Verbose -Message 'Setting WSL environment variables'
	if ($WithSpecialNPM -and $openSSLFound) {
	Write-Verbose -Message 'Collecting npm certificates'
	$WithSpecialNPMCertOutPath = Join-Path -Path (Split-Path -Path $CertOutPath -Parent) -ChildPath 'npmcerts.pem'
	Write-Verbose -Message "NPM certificate output path: '$WithSpecialNPMCertOutPath'"
	# Extract relevant URI's from the npm logs
	$uris = Select-String -Path "$env:LOCALAPPDATA\npm-cache\_logs\*.log" -Pattern 'https?://\S+' -AllMatches \| Select-Object -ExpandProperty Matches \| ForEach-Object {
	$result = [uri]$null
	if ([uri]::TryCreate($_, [System.UriKind]::Absolute, [ref]$result)) {
	$result
	}
	}
	$certs = [System.Collections.Concurrent.ConcurrentBag[string]]::new() # For parallel processing
	$uniqueUris = $uris \| Select-Object -Property Host, Port -Unique
	Write-Verbose -Message "Found $($uniqueUris.Count) unique URIs to collect certificates from"
	Format-Table -AutoSize -Wrap -InputObject $uniqueUris \| Out-String \| Write-Debug
	$uniqueUris \| Select-Object -Property Host, Port -Unique \| ForEach-Object -ThrottleLimit $env:NUMBER_OF_PROCESSORS -Parallel {
	$certs = $using:certs
	$uri = $_
	# This uses openssl to connect to the URI and get the complete certificate chain
	Write-Output -InputObject '' \| openssl s_client -showcerts -servername "$($uri.Host)" -connect "$($uri.Host):$($uri.Port)" 2>$null \| Out-String \| Select-String -Pattern '(?sm)-+BEGIN CERTIFICATE-+([^-]+[\r\n]+)+-+END CERTIFICATE-+' -AllMatches -CaseSensitive \| Select-Object -ExpandProperty Matches \| ForEach-Object { $certs.Add(($_.Value)) }
	}
	$certs.ToArray() \| Set-Content -Path $WithSpecialNPMCertOutPath
	Get-Content -Path $CertOutPath -Raw \| Select-String -Pattern '(?sm)-+BEGIN CERTIFICATE-+([^-]+[\r\n]+)+-+END CERTIFICATE-+' -AllMatches -CaseSensitive \| Select-Object -ExpandProperty Matches \| ForEach-Object { $_.Value } \| Add-Content -Path $WithSpecialNPMCertOutPath
	if ($PSCmdlet.ShouldProcess('NODE_EXTRA_CA_CERTS', "Set environment variable to '$WithSpecialNPMCertOutPath" )) {
	[Environment]::SetEnvironmentVariable('NODE_EXTRA_CA_CERTS', $WithSpecialNPMCertOutPath, $Target)
	}
	}
	}
	}
	}
No results found