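#generate new certificate and key
#
# Regenerates the STS (Single Sign-On) signing certificate on a Windows
# vCenter Server 6.5 / 6.7 Platform Services Controller or embedded node,
# replacing the VMCA root certificate first if it has already expired.
#
# Steps, in order (everything acts on the local node only):
#   1. Read install paths from the VMware environment variables and the
#      version / build / deployment type from the registry; refuse to run
#      on a "management" (external-PSC) node.
#   2. If $VMWARE_DATA_DIR\vmca\root.cer is expired, generate a new
#      self-signed VMCA root with certool and install it (--rootca).
#   3. Generate a new ssoserverSign key pair and certificate with certool.
#   4. Simple-bind to the local VMDIR (LDAP, loopback:389) as the SSO
#      administrator, DELETE every vmwSTSTenantCredential /
#      vmwSTSTenantTrustedCertificateChain entry under the SSO tenant,
#      then re-create the tenant signing certificate with the
#      version-specific tool (STSInstaller, sso-config.bat or SsoConfig jar).
#
# Operational / security caveats:
#   - Destructive and not resumable: if the run fails between the LDAP
#     deletions and the re-creation step, SSO is left without a signing
#     certificate. Take a VM snapshot / backup before running.
#   - The LDAP bind is a Basic (simple) bind with NO TLS on port 389. Only
#     loopback is used, so the password does not leave the host, but it is
#     cleartext on the local wire.
#   - Private keys are written under C:\Windows\temp with fixed names. They
#     are removed after a successful replacement; on failure they are kept
#     for manual recovery and must be deleted by hand afterwards.
#   - Services must be restarted after a successful run (printed at the end).

$VCInstallHome     = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%")
$VCConfigHome      = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CFG_DIR%")
$VCJavaHome        = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_JAVA_HOME%")
$VCJavaHome        = $VCJavaHome.TrimEnd('\')
$VCLogHome         = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_LOG_DIR%")
$VCDataHome        = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_DATA_DIR%")
$VCRuntimeDataHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_RUNTIME_DATA_DIR%")
$VMWARE_IDENTITY_SERVICES_HOME = "$VCInstallHome\VMware Identity Services"
$VMWARE_STS_SERVICES_HOME      = "$VCRuntimeDataHome\VMwareSTSService\webapps\ROOT\WEB-INF\lib"

$vcRegKey = "HKLM:\SOFTWARE\VMware, Inc.\vCenter Server"
[int]$VCWinBuild = (Get-ItemProperty -Path $vcRegKey -Name BuildNumber).BuildNumber
$VCWinProduct    = (Get-ItemProperty -Path $vcRegKey -Name ProductVersion).ProductVersion
$DeploymentType  = (Get-ItemProperty -Path $vcRegKey -Name INSTALL_TYPE).INSTALL_TYPE
$VMCAReplaced = $false
$ScriptPath   = $PSScriptRoot

# Scratch files. The fixed names under C:\Windows\temp are the ones the
# VMware KB tooling expects; several of them hold PRIVATE KEYS and are
# deleted once the replacement has succeeded.
$TempDir         = "C:\Windows\temp"
$VMCAKeyFile     = "$TempDir\vmcacert.key"
$VMCACertFile    = "$TempDir\vmcacert.crt"
$STSKeyFile      = "$TempDir\new-ssoserverSign.key"
$STSPubFile      = "$TempDir\new-ssoserverSign.pub"
$STSCertFile     = "$TempDir\new-ssoserverSign.crt"
$STSPemFile      = "$TempDir\newsts.pem"
$TempKeyMaterial = @($VMCAKeyFile, $VMCACertFile, $STSKeyFile, $STSPubFile, $STSCertFile, $STSPemFile)

if ($DeploymentType -eq "management") {
    Write-Host "This vCenter Server is installed as $($DeploymentType) Node, please execute the script on Platform Service Controller or Embedded PSC Node, exiting.."
    Exit
}

$PNID = & "$VCInstallHome\vmafdd\vmafd-cli" get-pnid --server-name localhost

# Compare NotAfter (a DateTime) directly instead of round-tripping the
# culture-formatted expiration string through Get-Date.
$CRT = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$VCDataHome\vmca\root.cer"
if ($CRT.NotAfter -lt (Get-Date)) {
    Write-Host "VMCA Root Cert is Expired, replacing Root Certificate"
    & "$VCInstallHome\vmcad\certool.exe" --genselfcacert --outprivkey "$VMCAKeyFile" --outcert "$VMCACertFile" --config="$VCInstallHome\vmcad\certool.cfg" --Name="VMCA" --Hostname=$PNID
    & "$VCInstallHome\vmcad\certool.exe" --rootca --privkey "$VMCAKeyFile" --cert "$VMCACertFile"
    $VMCAReplaced = $True
}

Write-Host "Generating New STS Certificate"
& "$VCInstallHome\vmcad\certool.exe" --genkey --privkey="$STSKeyFile" --pubkey="$STSPubFile"
& "$VCInstallHome\vmcad\certool.exe" --gencert --priv="$STSKeyFile" --Name="ssoserverSign" --cert="$STSCertFile" --config="$VCInstallHome\vmcad\certool.cfg" --Hostname=$PNID --server="localhost"
# Stop here if certool failed: the tenant deletion below is destructive and
# must never run without a replacement certificate already on disk.
if (($LASTEXITCODE -ne 0) -or -not (Test-Path $STSCertFile) -or -not (Test-Path $STSKeyFile)) {
    Write-Host "certool failed to generate the new STS certificate/key (exit code $LASTEXITCODE), exiting.."
    Exit
}

#Load the assemblies
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Net")

# Basic (simple) bind to the local VMDIR over plaintext LDAP on loopback:389.
# SecureSocketLayer is deliberately off: this mirrors the VMware KB
# procedure and the traffic never leaves the host.
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection "localhost:389"
$connection.SessionOptions.SecureSocketLayer = $false
$connection.SessionOptions.ProtocolVersion = 3
# Other AuthType values exist (Anonymous, Digest, Kerberos, Negotiate, ...)
# but VMDIR expects a simple bind with a full user DN here.
$connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# SSO domain and its DN suffix, e.g. vsphere.local -> "vsphere,dc=local"
# (callers prepend "dc=" to get dc=vsphere,dc=local).
$sso_domain    = & "$Env:VMWARE_CIS_HOME\vmafdd\vmafd-cli.exe" get-domain-name --server-name localhost
$sso_domain_DN = $sso_domain -replace "\.", ",dc="

# Gets username and password.
$credential_prompt = Get-Credential -Message "Enter the Password for the Single Sign-On Administrator account: " -UserName "administrator@$sso_domain"

# Build the version-specific re-creation command. It is kept as a
# single-quoted string and expanded later by Invoke-Expression, so every
# path that may contain spaces must be double-quoted inside it.
if ($VCWinProduct -like "6.5.*") {
    $STSReplaceCMD = '& "$VCJavaHome\bin\java.exe" -cp "$VCInstallHome\VMware Identity Services\*;$VCInstallHome\vmware-sso\commonlib\*;.;*" "-Dvmware.log.dir=$VCLogHome\sso\" "-XX:ErrorFile=$VCLogHome\sso\hs_err_stsinstaller_pid%p.log" "-XX:HeapDumpPath=$VCLogHome\sso\" com.vmware.identity.installer.STSInstaller --install --root-cert-path "$VCDataHome\vmca\root.cer" --cert-path "$STSCertFile" --private-key-path "$STSKeyFile" --retry-count 10 --retry-interval 30'
}
elseif ($VCWinProduct -like "6.7.*") {
    # 6.7 tooling consumes one PEM bundle: leaf cert, VMCA root, private key.
    Get-Content $STSCertFile, "$VCDataHome\vmca\root.cer", $STSKeyFile | Set-Content $STSPemFile
    if ($VCWinBuild -ge 16046470) {
        $STSReplaceCMD = '& "$VCInstallHome\VMware Identity Services\sso-config.bat" -set_signing_cert -t $sso_domain "$STSPemFile"'
    }
    else {
        # Pre-U3g builds need the patched SsoConfig jar shipped with the KB,
        # taken from the Identity Services folder or next to this script.
        $ssoConfigJarName = "vmware-identity-sso-config67u3g.jar"
        if (Test-Path "$VMWARE_IDENTITY_SERVICES_HOME\$ssoConfigJarName") {
            $ssoConfigJar = "$VMWARE_IDENTITY_SERVICES_HOME\$ssoConfigJarName"
        }
        elseif (Test-Path "$ScriptPath\$ssoConfigJarName") {
            $ssoConfigJar = "$ScriptPath\$ssoConfigJarName"
        }
        else {
            Write-Host "JAR file # vmware-identity-sso-config67u3g.jar # does not exist in the script path or in # $($VCInstallHome)\VMware Identity Services #, please copy the file attached in the KB to any of these locations and retry.."
            Exit
        }
        $STSReplaceCMD = '& "$VCJavaHome\bin\java" -cp "$ssoConfigJar;$VMWARE_IDENTITY_SERVICES_HOME\*;$VMWARE_STS_SERVICES_HOME\*;$VCInstallHome\vmware-sso\commonlib\commons-cli-1.2.jar" "-Dlog4j.configurationFile=file://$VMWARE_IDENTITY_SERVICES_HOME\ssoconfig.log4j2.xml" "-Dvmware.log.dir=$VCLogHome\sso\" com.vmware.identity.ssoconfig.SsoConfig -set_signing_cert -t $sso_domain "$STSPemFile"'
    }
}
else {
    Write-Host "This Script is not supported on this vCenter Server Version $VCWinProduct Build $VCWinBuild, exiting.."
    Exit
}

if (-not $credential_prompt) {
    Write-Host "No Single Sign-On credentials were entered, exiting.."
    Exit
}

$user     = $credential_prompt.UserName.Split('@')[0]
$username = "cn=$user,cn=users,dc=$sso_domain_DN"
Write-Host "User DN is: $username"
$password    = $credential_prompt.GetNetworkCredential().Password
$credentials = New-Object "System.Net.NetworkCredential" -ArgumentList $username, $password
# Drop the extra plaintext copy; NetworkCredential holds what the bind needs.
Remove-Variable password

try {
    # Bind with the full user DN; authentication type is set above.
    $connection.Bind($credentials)

    $search_DN        = "cn=$sso_domain,cn=Tenants,cn=IdentityManager,cn=Services,dc=$sso_domain_DN"
    $search_filter    = "(|(objectclass=vmwSTSTenantCredential)(objectclass=vmwSTSTenantTrustedCertificateChain))"
    $search_scope     = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $search_attribute = @('*')
    $search_request   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $search_DN, $search_filter, $search_scope, $search_attribute

    #Actually process the request through the server
    $search_request_result = $connection.SendRequest($search_request)
    if ($search_request_result.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        Write-Host "Failed!"
        Write-Host ("ResultCode: " + $search_request_result.ResultCode)
        Write-Host ("Message: " + $search_request_result.ErrorMessage)
    }
    else {
        $delete_success = $true

        # Group the DNs by nesting depth (number of cn= components) so that
        # deeper entries are deleted before any entry above them; LDAP
        # refuses to delete a non-leaf entry.
        $dnsByDepth = @{}
        foreach ($entry in $search_request_result.Entries) {
            $dn    = $entry.DistinguishedName
            $depth = ([regex]::Matches($dn, '(?i)cn=')).Count
            if (-not $dnsByDepth.ContainsKey($depth)) {
                $dnsByDepth[$depth] = @()
            }
            $dnsByDepth[$depth] += $dn
        }

        foreach ($depth in ($dnsByDepth.Keys | Sort-Object -Descending)) {
            foreach ($dn in $dnsByDepth[$depth]) {
                $delete_request = New-Object System.DirectoryServices.Protocols.DeleteRequest
                $delete_request.DistinguishedName = $dn
                $delete_request_result = $connection.SendRequest($delete_request)
                if ($delete_request_result.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
                    Write-Host "Failed!"
                    Write-Host ("ResultCode: " + $delete_request_result.ResultCode)
                    Write-Host ("Message: " + $delete_request_result.ErrorMessage)
                    $delete_success = $false
                }
                else {
                    Write-Host "Successfully deleted $dn"
                }
            }
        }

        if ($delete_success) {
            Write-Host "vCenter Server Version is $($VCWinProduct) Build $($VCWinBuild)"
            Write-Host "All STS Tenant branches deleted!"
            Write-Host "`nRe-creating STS tenant"

            # Native stderr lines surface as ErrorRecords under 2>&1; silence the
            # non-terminating NativeCommandError noise for this one call only,
            # and judge the outcome by the tool's exit code (plus the 6.5
            # installer's explicit success banner) rather than by whether it
            # happened to print anything at all.
            $savedErrorActionPreference = $ErrorActionPreference
            $ErrorActionPreference = 'SilentlyContinue'
            $LASTEXITCODE = 0
            $result = Invoke-Expression "$STSReplaceCMD 2>&1"
            $replaceExitCode = $LASTEXITCODE
            $ErrorActionPreference = $savedErrorActionPreference

            if (($replaceExitCode -eq 0) -or ($result -like "*Successfully installed*")) {
                Write-Host "STS Certificate Replaced Successfully!!, please restart the services"
                # The keys are now installed; remove the temp copies.
                Remove-Item -Path $TempKeyMaterial -Force -ErrorAction SilentlyContinue
            }
            else {
                Write-Host "STS Certificate Replacement Failed!!, with error - $result"
                Write-Host "Exit code was $replaceExitCode. Key material was left in $TempDir for manual recovery; delete it once done."
            }

            if ($VMCAReplaced) {
                Write-Host "VMCA Certificate is replaced by the script, please follow https://kb.vmware.com/s/article/2097936 to replace Machine SSL and Solution User Certificates if those are expired"
            }
            Write-Host "Since the STS certificate has been replaced, you may need to re-register external solutions (SRM, NSX, etc.)"
        }
        else {
            Write-Host "One or more STS tenant entries could not be deleted; the STS certificate was NOT re-created. Review the errors above before retrying."
        }
    }
}
finally {
    $connection.Dispose()
}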