We use smartcards (gemalto) to store certs for VPN authentication.
We have requirement to provision multiple smart cards every month as we hire new staff.
With some help from internet and my PowerShell knowledge I got the following code. Below code read usernames from a text file process each user to enroll a cert for them. The problem is it prompts for PIN number each time to the user (person provisioning the cards). Since default PIN is same for all new smartcards.
I am hoping to include the default PIN in the script itself (so it does not prompt for PIN each time) and then to reset the PIN to a new value by reading from the same text/CVS file. But I am not able to find anything on how to pass or change the PIN via command line.
Code:
Function prov-smartcard ($user){
$PKCS10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$PKCS10.InitializeFromTemplateName(0x1,"SmartCardEnrollmentTemplate")
$PKCS10.Encode()
$pkcs7 = New-Object -ComObject X509enrollment.CX509CertificateRequestPkcs7
$pkcs7.InitializeFromInnerRequest($pkcs10)
$pkcs7.RequesterName = "ET\$user"
$signer = New-Object -ComObject X509Enrollment.CSignerCertificate
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.Extensions | Where-Object {$_.Oid.Value -eq "2.5.29.37" -and $_.EnhancedKeyUsages["1.3.6.1.4.1.311.20.2.1"]}}
$Base64 = [Convert]::ToBase64String($Cert.RawData)
#$signer = New-Object -ComObject X509Enrollment.CSignerCertificate
$signer.Initialize(0,0,1,$Base64)
$pkcs7.SignerCertificate = $signer
$Request = New-Object -ComObject X509Enrollment.CX509Enrollment
$Request.InitializeFromRequest($pkcs7)
$Request.Enroll()
read-host "Gemalto for $user has been provisioned sucessfully, please unplug it and plug a new one. Press enter when ready"
}
Import-CSV ".\usernames.txt" -Header "username" | % {$username = $_.username
prov-smartcard $username
}