dashcaddy/ca/scripts/install.ps1

#Requires -RunAsAdministrator

<#
.SYNOPSIS
    Installs the Sami Home Network Root CA certificate to the Trusted Root Certification Authorities store.

.DESCRIPTION
    This script downloads the root CA certificate from ca.sami, verifies its fingerprint,
    and installs it to the local machine's trusted root store. This allows all *.sami domains
    to be trusted system-wide without browser warnings.

.NOTES
    Requires Administrator privileges.
    For use with DashCA - https://ca.sami
#>

$ErrorActionPreference = "Stop"

# Configuration
$CertUrl = "https://ca.sami/root.crt"
$ExpectedFingerprint = "0898A563F5A1A2585F02D7A8A25487E6BC33969F9B5DB053622 07FAF9621290E"
$TempFile = "$env:TEMP\sami-root-ca.crt"

# Colors
$Red = [System.ConsoleColor]::Red
$Green = [System.ConsoleColor]::Green
$Cyan = [System.ConsoleColor]::Cyan
$Yellow = [System.ConsoleColor]::Yellow

Write-Host ""
Write-Host "========================================" -ForegroundColor $Cyan
Write-Host " DashCA Installer" -ForegroundColor $Cyan
Write-Host " Sami Home Network Root CA" -ForegroundColor $Cyan
Write-Host "========================================" -ForegroundColor $Cyan
Write-Host ""

# Step 1: Download certificate
Write-Host "[1/4] Downloading certificate from $CertUrl..." -ForegroundColor $Cyan
try {
    $ProgressPreference = 'SilentlyContinue' # Disable progress bar for faster download
    Invoke-WebRequest -Uri $CertUrl -OutFile $TempFile -UseBasicParsing -ErrorAction Stop
    Write-Host "      ✓ Certificate downloaded" -ForegroundColor $Green
} catch {
    Write-Host "      ✗ Failed to download certificate" -ForegroundColor $Red
    Write-Host "        Error: $_" -ForegroundColor $Red
    Write-Host ""
    Write-Host "Troubleshooting:" -ForegroundColor $Yellow
    Write-Host "  - Ensure you are on the Tailnet/network where ca.sami is accessible" -ForegroundColor $Yellow
    Write-Host "  - Try accessing https://ca.sami in your browser first" -ForegroundColor $Yellow
    exit 1
}

# Step 2: Verify fingerprint
Write-Host "[2/4] Verifying certificate fingerprint..." -ForegroundColor $Cyan
try {
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TempFile)
    $Fingerprint = $Cert.Thumbprint

    $NormalizedExpected = $ExpectedFingerprint -replace '[:\s]', ''
    $NormalizedActual = $Fingerprint -replace '[:\s]', ''

    if ($NormalizedActual -ne $NormalizedExpected) {
        Write-Host "      ✗ Fingerprint mismatch!" -ForegroundColor $Red
        Write-Host "        Expected: $ExpectedFingerprint" -ForegroundColor $Yellow
        Write-Host "        Got:      $Fingerprint" -ForegroundColor $Red
        Remove-Item $TempFile -Force
        Write-Host ""
        Write-Host "SECURITY WARNING: The downloaded certificate does not match the expected fingerprint." -ForegroundColor $Red
        Write-Host "This could indicate a man-in-the-middle attack or certificate renewal." -ForegroundColor $Red
        Write-Host "Please verify with your network administrator before proceeding." -ForegroundColor $Red
        exit 1
    }

    Write-Host "      ✓ Fingerprint verified: $Fingerprint" -ForegroundColor $Green
} catch {
    Write-Host "      ✗ Failed to verify fingerprint" -ForegroundColor $Red
    Write-Host "        Error: $_" -ForegroundColor $Red
    Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
    exit 1
}

# Step 3: Check if already installed
Write-Host "[3/4] Checking for existing certificate..." -ForegroundColor $Cyan
$ExistingCert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Fingerprint }
if ($ExistingCert) {
    Write-Host "      ℹ Certificate already installed" -ForegroundColor $Yellow
    Write-Host "        Subject: $($ExistingCert.Subject)" -ForegroundColor $Yellow
    Write-Host "        Not After: $($ExistingCert.NotAfter)" -ForegroundColor $Yellow
    Remove-Item $TempFile -Force
    Write-Host ""
    Write-Host "The Sami Home Network Root CA is already trusted on this system." -ForegroundColor $Green
    Write-Host "No further action needed!" -ForegroundColor $Green
    Write-Host ""
    exit 0
}
Write-Host "      ✓ Certificate not yet installed, proceeding..." -ForegroundColor $Green

# Step 4: Install certificate
Write-Host "[4/4] Installing certificate to Trusted Root store..." -ForegroundColor $Cyan
try {
    $ImportedCert = Import-Certificate -FilePath $TempFile -CertStoreLocation Cert:\LocalMachine\Root -ErrorAction Stop
    Write-Host "      ✓ Certificate installed successfully" -ForegroundColor $Green
    Write-Host "        Subject: $($ImportedCert.Subject)" -ForegroundColor $Green
    Write-Host "        Thumbprint: $($ImportedCert.Thumbprint)" -ForegroundColor $Green
} catch {
    Write-Host "      ✗ Failed to install certificate" -ForegroundColor $Red
    Write-Host "        Error: $_" -ForegroundColor $Red
    Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
    Write-Host ""
    Write-Host "Installation failed. Please ensure you are running as Administrator." -ForegroundColor $Red
    exit 1
}

# Cleanup
Remove-Item $TempFile -Force -ErrorAction SilentlyContinue

Write-Host ""
Write-Host "========================================" -ForegroundColor $Green
Write-Host " SUCCESS!" -ForegroundColor $Green
Write-Host "========================================" -ForegroundColor $Green
Write-Host ""
Write-Host "The Sami Home Network Root CA has been installed to your Trusted Root store." -ForegroundColor $Green
Write-Host ""
Write-Host "What's next:" -ForegroundColor $Cyan
Write-Host "  ✓ All *.sami domains will now be trusted system-wide" -ForegroundColor $Green
Write-Host "  ✓ Browsers (Edge, Chrome, Firefox) will no longer show security warnings" -ForegroundColor $Green
Write-Host "  ✓ Applications will trust HTTPS connections to your local services" -ForegroundColor $Green
Write-Host ""
Write-Host "Test it out:" -ForegroundColor $Cyan
Write-Host "  Visit https://status.sami or any other *.sami service" -ForegroundColor $Yellow
Write-Host "  The connection should show as secure with no warnings" -ForegroundColor $Yellow
Write-Host ""