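#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Creates a self-signed Certificate Authority for signing WinRM HTTPS certificates.

.DESCRIPTION
    Generates an RSA-4096 / SHA-256 CA certificate (CA=1, pathlength=0) in
    Cert:\LocalMachine\My, then exports it twice into $OutputPath:
      - <name>-<yyyyMMdd>.pfx  CA with private key, protected by $ExportPassword
      - <name>-<yyyyMMdd>.cer  CA public certificate for the management computers
    A CA-INFO-<yyyyMMdd>.txt file summarising thumbprint, validity and next steps
    is written alongside them.

    NOTE: after export the CA key pair also remains in Cert:\LocalMachine\My with
    an Exportable key policy; delete it from the store if the PFX is meant to be
    the only copy of the private key.

.PARAMETER CACommonName
    Subject common name of the CA certificate. Non-alphanumeric characters are
    replaced by '-' when building output file names.

.PARAMETER OutputPath
    Directory receiving the .pfx, .cer and info files. Created if missing.

.PARAMETER ValidityYears
    Lifetime of the CA certificate in years from now.

.PARAMETER ExportPassword
    Password protecting the exported PFX. Prompted for (with confirmation) when
    not supplied.

.OUTPUTS
    None. Exits with code 1 on password mismatch/empty password or when the
    certificate cannot be created or exported.
#>
param(
    [string]$CACommonName = "Shopfloor WinRM CA",
    [string]$OutputPath = ".",
    [int]$ValidityYears = 10,
    [SecureString]$ExportPassword
)

Write-Host ""
Write-Host "=== Certificate Authority Creation for WinRM HTTPS ===" -ForegroundColor Cyan
Write-Host ""

# Prompt for password if not provided
if (-not $ExportPassword) {
    Write-Host "Enter a strong password to protect the CA private key:" -ForegroundColor Yellow
    $ExportPassword  = Read-Host "CA Password" -AsSecureString
    $ExportPassword2 = Read-Host "Confirm Password" -AsSecureString

    # Compare the two entries without leaving plaintext copies behind: the
    # unmanaged BSTRs are zeroed and freed in 'finally', and the transient
    # managed strings are dropped as soon as the comparison is done.
    # PtrToStringBSTR (not PtrToStringAuto) reads the BSTR correctly on every
    # platform; -ceq is used because the default -eq/-ne are case-insensitive
    # and would accept "Secret" as a confirmation of "secret".
    $bstr1 = [IntPtr]::Zero
    $bstr2 = [IntPtr]::Zero
    $passwordsMatch = $false
    $passwordEmpty  = $true
    try {
        $bstr1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ExportPassword)
        $bstr2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ExportPassword2)
        $pass1 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr1)
        $pass2 = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr2)
        $passwordsMatch = ($pass1 -ceq $pass2)
        $passwordEmpty  = [string]::IsNullOrEmpty($pass1)
    }
    finally {
        if ($bstr1 -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr1) }
        if ($bstr2 -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr2) }
        $pass1 = $null
        $pass2 = $null
    }

    if (-not $passwordsMatch) {
        Write-Host "Passwords do not match!" -ForegroundColor Red
        exit 1
    }
    # Export-PfxCertificate needs a real password; fail early instead of at export time.
    if ($passwordEmpty) {
        Write-Host "Password cannot be empty!" -ForegroundColor Red
        exit 1
    }
}

# Create output directory
if (-not (Test-Path $OutputPath)) {
    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
}

Write-Host "Creating Certificate Authority..." -ForegroundColor Yellow
Write-Host " Common Name: $CACommonName"
Write-Host " Valid for: $ValidityYears years"
Write-Host ""

try {
    $notAfter = (Get-Date).AddYears($ValidityYears)

    # 2.5.29.19 = Basic Constraints: a CA that may only issue end-entity certs
    #             (pathlength=0), so a leaked leaf key cannot become a sub-CA.
    # 2.5.29.37 = Extended Key Usage: Server Authentication, carried on the CA
    #             so that WinRM HTTPS leaf certificates chain cleanly on Windows.
    $caCert = New-SelfSignedCertificate `
        -Subject "CN=$CACommonName" `
        -KeyExportPolicy Exportable `
        -KeyUsage CertSign,CRLSign,DigitalSignature `
        -KeyUsageProperty All `
        -KeyLength 4096 `
        -KeyAlgorithm RSA `
        -HashAlgorithm SHA256 `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotAfter $notAfter `
        -Type Custom `
        -TextExtension '2.5.29.19={text}CA=1&pathlength=0','2.5.29.37={text}1.3.6.1.5.5.7.3.1'

    Write-Host "[OK] Certificate Authority created successfully" -ForegroundColor Green
    Write-Host ""
    Write-Host "Certificate Details:"
    Write-Host " Subject: $($caCert.Subject)"
    Write-Host " Thumbprint: $($caCert.Thumbprint)"
    Write-Host " Valid Until: $($caCert.NotAfter)"
    Write-Host ""
}
catch {
    Write-Host "[ERROR] Failed to create CA certificate: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

# Export PFX (private key + certificate, protected by $ExportPassword)
$timestamp      = Get-Date -Format "yyyyMMdd"
$caFileNameBase = $CACommonName -replace '[^a-zA-Z0-9]', '-'   # keep file names portable
$pfxPath        = Join-Path $OutputPath "$caFileNameBase-$timestamp.pfx"

Write-Host "Exporting CA certificate with private key..."
Write-Host " File: $pfxPath"

try {
    Export-PfxCertificate -Cert $caCert -FilePath $pfxPath -Password $ExportPassword | Out-Null
    Write-Host "[OK] CA certificate exported (with private key)" -ForegroundColor Green
    Write-Host ""
    Write-Host "WARNING: Protect this file - it contains the CA private key!" -ForegroundColor Yellow
    Write-Host ""
}
catch {
    Write-Host "[ERROR] Failed to export PFX: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

# Export CER (public certificate only, DER encoded)
$cerPath = Join-Path $OutputPath "$caFileNameBase-$timestamp.cer"

Write-Host "Exporting CA public certificate..."
Write-Host " File: $cerPath"

try {
    Export-Certificate -Cert $caCert -FilePath $cerPath | Out-Null
    Write-Host "[OK] CA public certificate exported" -ForegroundColor Green
    Write-Host ""
    Write-Host "Install this certificate on all management computers"
    Write-Host ""
}
catch {
    Write-Host "[ERROR] Failed to export CER: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

# Create info file
$infoPath = Join-Path $OutputPath "CA-INFO-$timestamp.txt"
$infoContent = @"
Certificate Authority Information
==================================
Created: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')

CA Details:
  Common Name: $CACommonName
  Thumbprint: $($caCert.Thumbprint)
  Valid Until: $($caCert.NotAfter)

Files Created:
  1. $pfxPath - CA with private key (KEEP SECURE!)
  2. $cerPath - CA public certificate (Install on management computers)

Next Steps:
  1. Install CA on YOUR computer:
     Import-Certificate -FilePath '$cerPath' -CertStoreLocation Cert:\LocalMachine\Root
  2. Sign PC certificates:
     .\Sign-BulkCertificates.ps1 -HostnameFile shopfloor-hostnames.txt -CAPfxPath '$pfxPath'
"@
$infoContent | Out-File -FilePath $infoPath -Encoding UTF8

# Summary
Write-Host "=== CERTIFICATE AUTHORITY CREATED ===" -ForegroundColor Green
Write-Host ""
Write-Host "Files Created:"
Write-Host " 1. $pfxPath"
Write-Host " (CA with private key - KEEP SECURE!)"
Write-Host ""
Write-Host " 2. $cerPath"
Write-Host " (CA public certificate - Install on management computers)"
Write-Host ""
Write-Host " 3. $infoPath"
Write-Host " (Information file)"
Write-Host ""
Write-Host "CA Thumbprint: $($caCert.Thumbprint)" -ForegroundColor Yellow
Write-Host ""
Write-Host "Next Steps:"
Write-Host " 1. Install CA on YOUR computer:"
Write-Host " Import-Certificate -FilePath '$cerPath' -CertStoreLocation Cert:\LocalMachine\Root"
Write-Host ""
Write-Host " 2. Sign PC certificates:"
Write-Host " .\Sign-BulkCertificates.ps1 -HostnameFile shopfloor-hostnames.txt -CAPfxPath '$pfxPath'"
Write-Host ""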