Improvements to certificate handling (#369)

# Description
Summary of changes:
This pull request includes several updates to improve the handling of
certificates in the `SdnDiagnostics` module. The most important changes
include renaming the `New-SdnCertificate` function, introducing a
utility function to confirm if a certificate is self-signed, and
ensuring administrative checks are performed consistently.

Improvements to certificate handling:

*
[`src/SdnDiagnostics.psd1`](diffhunk://#diff-17aaaa968cc894449c79b449c228b28d8a8990bde4000e59bcf24d8189671ee1L126-R126):
Renamed `New-SdnCertificate` to `New-SdnSelfSignedCertificate` to
clarify its purpose.
*
[`src/modules/SdnDiag.Common.psm1`](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24L368-R368):
Added `Confirm-IsCertSelfSigned` function to check if a certificate is
self-signed and replaced direct comparisons with calls to this function.
[[1]](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24L368-R368)
[[2]](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24L1693-R1726)
[[3]](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24L1811-R1843)
[[4]](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24R1879-R1882)
[[5]](diffhunk://#diff-15898640fc68e07afa836ad8d93af4f22a4442978d9c233f39d48d44d85cfb60L188-R188)
*
[`src/modules/SdnDiag.Common.psm1`](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24R1326-R1331):
Added parameters `Subject`, `Thumbprint`, and `NetworkControllerOid` to
`Get-SdnCertificate` to enhance certificate search capabilities.
[[1]](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24R1326-R1331)
[[2]](diffhunk://#diff-9ab71f66f6e21719dc9527f01ea738656003bbbe631f4f1bd85ab1ab8a746f24L1350-L1369)

Consistent administrative checks:

* `src/SdnDiagnostics.psm1`, `src/modules/SdnDiag.LoadBalancerMux.psm1`,
`src/modules/SdnDiag.NetworkController.psm1`,
`src/modules/SdnDiag.Server.psm1`: Replaced inline administrator checks
with calls to `Confirm-IsAdmin` for consistency.
[[1]](diffhunk://#diff-490865628c61b2e97c50f45b37d7086647c70b2444cbfb9c60cc8c682801356eL278-R278)
[[2]](diffhunk://#diff-8b1f41eba916fc0a86f95c4ab4e5c8c23ce217faa05f9aef2f3564bb60577c2cL391-R391)
[[3]](diffhunk://#diff-26f7a08ead3e5bf8f7eb9bc916e1240653352463c34fb7321d570202143203f8L2541-R2541)
[[4]](diffhunk://#diff-11217f20b55d3b4ea34c8c217794c81d65acc4852dff9bf4295e5cc4d6dfaeedL2643-R2643)

These changes streamline the certificate management process and ensure
consistent administrative privilege checks across the module.

# Change type
- [ ] Bug fix (non-breaking change)
- [ ] Code style update (formatting, local variables)
- [x] New Feature (non-breaking change that adds new functionality
without impacting existing)
- [ ] Breaking change (fix or feature that may cause functionality
impact)
- [ ] Other

# Checklist:
- [x] My code follows the style and contribution guidelines of this
project.
- [x] I have tested and validated my code changes.

Author: arudell

src/SdnDiagnostics.psd1

@@ -123,7 +123,7 @@
         'Invoke-SdnResourceDump',
         'Invoke-SdnServiceFabricCommand',
         'Move-SdnServiceFabricReplica',
-        'New-SdnCertificate',
+        'New-SdnSelfSignedCertificate',
         'New-SdnCertificateRotationConfig',
         'New-SdnExpressBgpHost',
         'New-SdnMuxCertificate',

src/SdnDiagnostics.psm1

@@ -275,10 +275,7 @@ function Start-SdnCertificateRotation {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
+    Confirm-IsAdmin
 
     if ($Global:SdnDiagnostics.EnvironmentInfo.ClusterConfigType -ine 'ServiceFabric') {
         throw New-Object System.NotSupportedException("This function is only supported on Service Fabric clusters.")
@@ -290,16 +287,6 @@ function Start-SdnCertificateRotation {
         throw New-Object System.NotSupportedException("The current machine is not a NetworkController, run this on NetworkController.")
     }
 
-    # add disclaimer that this feature is currently under preview
-    if (!$Force) {
-        "This feature is currently under preview. Please report any issues to https://github.com/microsoft/SdnDiagnostics/issues so we can accurately track any issues and help unblock your cert rotation." | Trace-Output -Level:Warning
-        $confirm = Confirm-UserInput -Message "Do you want to proceed with certificate rotation? [Y/N]:"
-        if (-NOT $confirm) {
-            "User has opted to abort the operation. Terminating operation" | Trace-Output -Level:Warning
-            return
-        }
-    }
-
     try {
         "Starting certificate rotation" | Trace-Output
 

src/modules/SdnDiag.Common.psm1

@@ -155,7 +155,7 @@ function Copy-CertificateToFabric {
             foreach ($controller in $FabricDetails.NetworkController) {
                 # if the certificate being passed is self-signed, we will need to copy the certificate to the other controller nodes
                 # within the fabric and install under localmachine\root as appropriate
-                if ($certData.Subject -ieq $certData.Issuer) {
+                if (Confirm-IsCertSelfSigned -Certificate $certData) {
                     "Importing certificate [Subject: {0} Thumbprint:{1}] to {2}" -f `
                     $certData.Subject, $certData.Thumbprint, $controller | Trace-Output
 
@@ -241,7 +241,7 @@ function Copy-CertificateToFabric {
 
                 # if the certificate being passed is self-signed, we will need to copy the certificate to the other controller nodes
                 # within the fabric and install under localmachine\root as appropriate
-                if ($certData.Subject -ieq $certData.Issuer) {
+                if (Confirm-IsCertSelfSigned -Certificate $certData) {
                     "Importing certificate [Subject: {0} Thumbprint:{1}] to {2}" -f `
                     $certData.Subject, $certData.Thumbprint, $controller | Trace-Output
 
@@ -273,7 +273,7 @@ function Copy-CertificateToFabric {
             foreach ($controller in $FabricDetails.NetworkController) {
                 # if the certificate being passed is self-signed, we will need to copy the certificate to the other controller nodes
                 # within the fabric and install under localmachine\root as appropriate
-                if ($certData.Subject -ieq $certData.Issuer) {
+                if (Confirm-IsCertSelfSigned -Certificate $certData) {
                     "Importing certificate [Subject: {0} Thumbprint:{1}] to {2}" -f `
                     $certData.Subject, $certData.Thumbprint, $controller | Trace-Output
 
@@ -365,7 +365,7 @@ function Copy-UserProvidedCertificateToFabric {
             $certificateConfig.RestCert = $restCertificate.pfxData.EndEntityCertificates.Thumbprint
         }
 
-        if ($cert.pfxdata.EndEntityCertificates.Subject -ieq $cert.pfxdata.EndEntityCertificates.Issuer) {
+        if (Confirm-IsCertSelfSigned -Certificate $cert.pfxdata.EndEntityCertificates) {
             $cert.SelfSigned = $true
         }
     }
@@ -1323,6 +1323,12 @@ function Get-SdnCertificate {
             Returns a list of the certificates within the given certificate store.
         .PARAMETER Path
             Defines the path within the certificate store. Path is expected to start with cert:\.
+        .PARAMETER Subject
+            Specifies the subject of the certificate to search for.
+        .PARAMETER Thumbprint
+            Specifies the thumbprint of the certificate to search for.
+        .PARAMETER NetworkControllerOid
+            Optional parameter that filters the certificates based on the Network Controller OID.
         .EXAMPLE
             PS> Get-SdnCertificate -Path "Cert:\LocalMachine\My"
     #>
@@ -1347,26 +1353,53 @@ function Get-SdnCertificate {
 
         [Parameter(Mandatory = $false, ParameterSetName = 'Thumbprint')]
         [ValidateNotNullorEmpty()]
-        [System.String]$Thumbprint
+        [System.String]$Thumbprint,
+
+        [Parameter(Mandatory = $false, ParameterSetName = 'Default')]
+        [Parameter(Mandatory = $false, ParameterSetName = 'Subject')]
+        [Parameter(Mandatory = $false, ParameterSetName = 'Thumbprint')]
+        [switch]$NetworkControllerOid
     )
 
+    [string]$objectIdentifier = @('1.3.6.1.4.1.311.95.1.1.1') # this is a custom OID used for Network Controller
+    $array = @()
+
     try {
         $certificateList = Get-ChildItem -Path $Path -Recurse | Where-Object {$_.PSISContainer -eq $false} -ErrorAction Stop
+        if ($null -eq $certificateList) {
+            throw New-Object System.NullReferenceException("No certificates found $Path")
+        }
+
+        if ($NetworkControllerOid) {
+            $certificateList | ForEach-Object {
+                if ($objectIdentifier -iin $_.EnhancedKeyUsageList.ObjectId) {
+                    $array += $_
+                }
+            }
+
+            # if no certificates are found based on the OID, search based on other criteria
+            if ($null -eq $array) {
+                "Unable to locate certificates that match Network Controller OID: {0}." -f $objectIdentifier | Trace-Output -Level:Warning
+                $array = $certificateList
+            }
+        }
+        else {
+            $array = $certificateList
+        }
 
         switch ($PSCmdlet.ParameterSetName) {
             'Subject' {
-                $filteredCert = $certificateList | Where-Object {$_.Subject -ieq $Subject}
+                $filteredCert = $array | Where-Object {$_.Subject -ieq $Subject}
             }
             'Thumbprint' {
-                $filteredCert = $certificateList | Where-Object {$_.Thumbprint -ieq $Thumbprint}
+                $filteredCert = $array | Where-Object {$_.Thumbprint -ieq $Thumbprint}
             }
             default {
-                return $certificateList
+                return $array
             }
         }
 
         if ($null -eq $filteredCert) {
-            "Unable to locate certificate using {0}" -f $PSCmdlet.ParameterSetName | Trace-Output -Level:Warning
             return $null
         }
 
@@ -1690,8 +1723,7 @@ function Import-SdnCertificate {
     }
 
     # determine if the certificates being used are self signed
-    if ($certObject.CertInfo.Subject -ieq $certObject.CertInfo.Issuer) {
-        "Detected the certificate subject and issuer are the same. Setting SelfSigned to true" | Trace-Output -Level:Verbose
+    if (Confirm-IsCertSelfSigned -Certificate $certObject.CertInfo) {
         $certObject.SelfSigned = $true
 
         # check to see if we installed to root store with above operation
@@ -1808,7 +1840,7 @@ function Invoke-SdnGetNetView {
     }
 }
 
-function New-SdnCertificate {
+function New-SdnSelfSignedCertificate {
     <#
     .SYNOPSIS
         Creates a new self-signed certificate for use with SDN fabric.
@@ -1819,7 +1851,7 @@ function New-SdnCertificate {
     .PARAMETER NotAfter
         Specifies the date and time, as a DateTime object, that the certificate expires. To obtain a DateTime object, use the Get-Date cmdlet. The default value for this parameter is one year after the certificate was created.
     .EXAMPLE
-        PS> New-SdnCertificate -Subject rest.sdn.contoso -CertStoreLocation Cert:\LocalMachine\My
+        PS> New-SdnSelfSignedCertificate -Subject rest.sdn.contoso -CertStoreLocation Cert:\LocalMachine\My
     #>
 
     [CmdletBinding()]
@@ -1844,6 +1876,10 @@ function New-SdnCertificate {
     try {
         "Generating certificate with subject {0} under {1}" -f $Subject, $CertStoreLocation | Trace-Output
 
+        # create new self signed certificate with the following EnhancedKeyUsageList
+        # 1.3.6.1.5.5.7.3.1 - Server Authentication OID
+        # 1.3.6.1.5.5.7.3.2 - Client Authentication OID
+        # 1.3.6.1.4.1.311.95.1.1.1 - Network Controller OID
         $selfSignedCert = New-SelfSignedCertificate -Type Custom -KeySpec KeyExchange -Subject $Subject `
             -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
             -CertStoreLocation $CertStoreLocation -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.4.1.311.95.1.1.1") `
@@ -2248,3 +2284,17 @@ function Stop-SdnNetshTrace {
     }
 }
 
+function Confirm-IsCertSelfSigned {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
+    )
+
+    if ($Certificate.Issuer -eq $Certificate.Subject) {
+        "Detected the certificate subject and issuer are the same. Setting SelfSigned to true" | Trace-Output -Level:Verbose
+        return $true
+    }
+
+    return $false
+}

src/modules/SdnDiag.Health.psm1

@@ -185,7 +185,7 @@ function Test-HostRootStoreNonRootCert {
             $nonRootCerts = @()
             $rootCerts = Get-ChildItem Cert:LocalMachine\Root
             foreach ($rootCert in $rootCerts) {
-                if ($rootCert.Subject -ne $rootCert.Issuer) {
+                if (-NOT (Confirm-IsCertSelfSigned -Certificate $rootCert)) {
                     $certInfo = [PSCustomObject]@{
                         Thumbprint = $rootCert.Thumbprint
                         Subject    = $rootCert.Subject

src/modules/SdnDiag.LoadBalancerMux.psm1

@@ -95,7 +95,7 @@ function Get-SdnMuxCertificate {
     try {
         $muxCert = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SlbMux' -Name 'MuxCert'
         $subjectName = "CN={0}" -f $muxCert
-        $certificate = Get-SdnCertificate -Subject $subjectName -Path 'Cert:\LocalMachine\My'
+        $certificate = Get-SdnCertificate -Subject $subjectName -Path 'Cert:\LocalMachine\My' -NetworkControllerOid
         return $certificate
     }
     catch {
@@ -388,10 +388,7 @@ function New-SdnMuxCertificate {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
+    Confirm-IsAdmin
 
     try {
         if (-NOT (Test-Path -Path $Path -PathType Container)) {
@@ -404,7 +401,7 @@ function New-SdnMuxCertificate {
 
         $muxCert = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SlbMux' -Name 'MuxCert'
         $subjectName = "CN={0}" -f $muxCert
-        $certificate = New-SdnCertificate -Subject $subjectName -NotAfter $NotAfter
+        $certificate = New-SdnSelfSignedCertificate -Subject $subjectName -NotAfter $NotAfter
 
         # after the certificate has been generated, we want to export the certificate and save the file to directory
         # This allows the rest of the function to pick up these files and perform the steps as normal
@@ -508,20 +505,7 @@ function Start-SdnMuxCertificateRotation {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
-
-    # add disclaimer that this feature is currently under preview
-    if (!$Force) {
-        "This feature is currently under preview. Please report any issues to https://github.com/microsoft/SdnDiagnostics/issues so we can accurately track any issues and help unblock your cert rotation." | Trace-Output -Level:Warning
-        $confirm = Confirm-UserInput -Message "Do you want to proceed with certificate rotation? [Y/N]:"
-        if (-NOT $confirm) {
-            "User has opted to abort the operation. Terminating operation" | Trace-Output -Level:Warning
-            return
-        }
-    }
+    Confirm-IsAdmin
 
     $array = @()
     $ncRestParams = @{

src/modules/SdnDiag.NetworkController.psm1

@@ -2538,10 +2538,7 @@ function New-SdnNetworkControllerNodeCertificate {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
+    Confirm-IsAdmin
 
     try {
         if ($null -eq $FabricDetails) {
@@ -2560,7 +2557,7 @@ function New-SdnNetworkControllerNodeCertificate {
 
         # if we return multiple certificates, we want to select the first one as the subject should be the same
         $nodeCertSubject = (Get-SdnNetworkControllerNodeCertificate)[0].Subject
-        $certificate = New-SdnCertificate -Subject $nodeCertSubject -NotAfter $NotAfter
+        $certificate = New-SdnSelfSignedCertificate -Subject $nodeCertSubject -NotAfter $NotAfter
 
         # after the certificate has been generated, we want to export the certificate using the $CertPassword provided by the operator
         # and save the file to directory. This allows the rest of the function to pick up these files and perform the steps as normal
@@ -2626,10 +2623,7 @@ function New-SdnNetworkControllerRestCertificate {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
+    Confirm-IsAdmin
 
     try {
         if ($FabricDetails) {
@@ -2657,7 +2651,7 @@ function New-SdnNetworkControllerRestCertificate {
         }
 
         [System.String]$formattedSubject = "CN={0}" -f $RestName.Trim()
-        $certificate = New-SdnCertificate -Subject $formattedSubject -NotAfter $NotAfter
+        $certificate = New-SdnSelfSignedCertificate -Subject $formattedSubject -NotAfter $NotAfter
 
         # after the certificate has been generated, we want to export the certificate using the $CertPassword provided by the operator
         # and save the file to directory. This allows the rest of the function to pick up these files and perform the steps as normal

src/modules/SdnDiag.Server.psm1

@@ -2067,7 +2067,7 @@ function Get-SdnServerCertificate {
     try {
         $serverCert = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters' -Name 'HostAgentCertificateCName'
         $subjectName = "CN={0}" -f $serverCert
-        $certificate = Get-SdnCertificate -Subject $subjectName -Path 'Cert:\LocalMachine\My'
+        $certificate = Get-SdnCertificate -Subject $subjectName -Path 'Cert:\LocalMachine\My' -NetworkControllerOid
         return $certificate
     }
     catch {
@@ -2640,10 +2640,7 @@ function New-SdnServerCertificate {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
+    Confirm-IsAdmin
 
     try {
         if (-NOT (Test-Path -Path $Path -PathType Container)) {
@@ -2656,7 +2653,7 @@ function New-SdnServerCertificate {
 
         $serverCert = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters' -Name 'HostAgentCertificateCName'
         $subjectName = "CN={0}" -f $serverCert
-        $certificate = New-SdnCertificate -Subject $subjectName -NotAfter $NotAfter
+        $certificate = New-SdnSelfSignedCertificate -Subject $subjectName -NotAfter $NotAfter
 
         # after the certificate has been generated, we want to export the certificate and save the file to directory
         # This allows the rest of the function to pick up these files and perform the steps as normal
@@ -2980,20 +2977,7 @@ function Start-SdnServerCertificateRotation {
     }
 
     # ensure that the module is running as local administrator
-    $elevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
-    if (-NOT $elevated) {
-        throw New-Object System.Exception("This function requires elevated permissions. Run PowerShell as an Administrator and import the module again.")
-    }
-
-    # add disclaimer that this feature is currently under preview
-    if (!$Force) {
-        "This feature is currently under preview. Please report any issues to https://github.com/microsoft/SdnDiagnostics/issues so we can accurately track any issues and help unblock your cert rotation." | Trace-Output -Level:Warning
-        $confirm = Confirm-UserInput -Message "Do you want to proceed with certificate rotation? [Y/N]:"
-        if (-NOT $confirm) {
-            "User has opted to abort the operation. Terminating operation" | Trace-Output -Level:Warning
-            return
-        }
-    }
+    Confirm-IsAdmin
 
     $array = @()
     $ncRestParams = @{