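#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Imports the SSL certificate of a Starface PBX into the Windows certificate store.

.DESCRIPTION
    Connects to the given Starface PBX over SSL/TLS, extracts the certificate it
    presents and imports it into the LocalMachine\Root store as trusted.
    Afterwards the Outlook add-in can reach the Starface REST API over HTTPS.

    The fetch connection runs with certificate validation switched off, so the
    certificate it returns is unauthenticated. Before anything is written to the
    trust store, the fingerprint must either match -ExpectedThumbprint or be
    confirmed interactively by the operator.

.PARAMETER StarfaceHost
    IP address or host name of the Starface PBX.

.PARAMETER Port
    TCP port of the HTTPS service (default: 443).

.PARAMETER ExpectedThumbprint
    Optional fingerprint obtained over a trusted path (SHA-256, or the SHA-1
    thumbprint Windows displays). Separators such as ':' or spaces are ignored.
    When given, the import only happens if the fetched certificate matches.

.EXAMPLE
    .\import-cert.ps1 -StarfaceHost 192.168.1.100

.EXAMPLE
    .\import-cert.ps1 -StarfaceHost pbx.firma.local -Port 8443

.EXAMPLE
    .\import-cert.ps1 -StarfaceHost pbx.firma.local -ExpectedThumbprint "<fingerprint-from-trusted-source>"
#>

param(
    [Parameter(Mandatory = $true)]
    [string]$StarfaceHost,

    [int]$Port = 443,

    [string]$ExpectedThumbprint
)

$ErrorActionPreference = "Stop"

Write-Host ""
Write-Host "============================================================" -ForegroundColor Cyan
Write-Host " Starface-Zertifikat importieren" -ForegroundColor Cyan
Write-Host "============================================================" -ForegroundColor Cyan
Write-Host ""

Write-Host " [OK] Verbinde mit ${StarfaceHost}:${Port} ..." -ForegroundColor Green

try {
    # --- Fetch the certificate -------------------------------------------------
    $tcpClient = $null
    $sslStream = $null
    try {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($StarfaceHost, $Port)

        # The callback accepts every certificate because the PBX certificate is
        # not trusted yet. Consequence: this connection proves nothing about who
        # answered, so the result is verified separately before the import.
        $sslStream = New-Object System.Net.Security.SslStream(
            $tcpClient.GetStream(),
            $false,
            { $true }
        )
        $sslStream.AuthenticateAsClient($StarfaceHost)

        $remoteCert = $sslStream.RemoteCertificate
        $x509Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($remoteCert)
    }
    finally {
        # Release the socket on the failure path as well.
        if ($sslStream) { $sslStream.Close() }
        if ($tcpClient) { $tcpClient.Close() }
    }

    # SHA-256 over the DER encoding; X509Certificate2.Thumbprint is SHA-1 only.
    $hasher = [System.Security.Cryptography.SHA256]::Create()
    try {
        $sha256Fingerprint = [System.BitConverter]::ToString($hasher.ComputeHash($x509Cert.RawData)).Replace("-", "")
    }
    finally {
        $hasher.Dispose()
    }

    Write-Host " Zertifikat erhalten:" -ForegroundColor Green
    Write-Host " Subject: $($x509Cert.Subject)" -ForegroundColor White
    Write-Host " Aussteller: $($x509Cert.Issuer)" -ForegroundColor White
    Write-Host " Gueltig bis: $($x509Cert.NotAfter)" -ForegroundColor White
    Write-Host " Thumbprint: $($x509Cert.Thumbprint)" -ForegroundColor White
    Write-Host " SHA-256: $sha256Fingerprint" -ForegroundColor White
    Write-Host ""

    # --- Check whether the certificate is already trusted ----------------------
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        [System.Security.Cryptography.X509Certificates.StoreName]::Root,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    )
    try {
        $rootStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        $existing = $rootStore.Certificates | Where-Object { $_.Thumbprint -eq $x509Cert.Thumbprint }
    }
    finally {
        $rootStore.Close()
    }

    if ($existing) {
        Write-Host " Zertifikat ist bereits als vertrauenswuerdig gespeichert." -ForegroundColor Yellow
    }
    else {
        # --- Verify before trusting --------------------------------------------
        # LocalMachine\Root is a machine-wide trust anchor store, so an entry
        # affects every user and application on this host, not just the add-in.
        $basicConstraints = $x509Cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if ($basicConstraints -and $basicConstraints.CertificateAuthority) {
            Write-Host " Achtung: Zertifikat ist als Zertifizierungsstelle (CA) markiert und kann nach dem Import weitere Zertifikate beglaubigen." -ForegroundColor Yellow
        }

        if ($ExpectedThumbprint) {
            # Strip separators so "AB:CD ..." and "abcd..." compare equal.
            $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
            if ($expected -ne $x509Cert.Thumbprint -and $expected -ne $sha256Fingerprint) {
                Write-Host " [X] Fingerprint stimmt nicht mit -ExpectedThumbprint ueberein. Zertifikat wird NICHT importiert." -ForegroundColor Red
                exit 1
            }
        }
        else {
            Write-Host " Achtung: Die Verbindung wurde ohne Zertifikatspruefung aufgebaut." -ForegroundColor Yellow
            Write-Host " Fingerprint vor dem Import ueber einen vertrauenswuerdigen Weg mit der Anlage abgleichen." -ForegroundColor Yellow
            $answer = Read-Host " Fingerprint geprueft - Zertifikat als vertrauenswuerdig importieren? (j/N)"
            # Anything other than an explicit yes aborts; the default is "no".
            if ($answer -notmatch '^\s*(j|ja|y|yes)\s*$') {
                Write-Host " Abgebrochen. Zertifikat wurde NICHT importiert." -ForegroundColor Yellow
                exit 1
            }
        }

        # --- Import ------------------------------------------------------------
        try {
            $rootStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
            $rootStore.Add($x509Cert)
        }
        finally {
            $rootStore.Close()
        }
        Write-Host " [OK] Zertifikat erfolgreich als vertrauenswuerdig importiert!" -ForegroundColor Green
    }
}
catch {
    Write-Host " [X] Fehler: $_" -ForegroundColor Red
    Write-Host ""
    Write-Host " Moegliche Ursachen:" -ForegroundColor Yellow
    Write-Host " - Starface nicht erreichbar (IP/Hostname pruefen)" -ForegroundColor Yellow
    Write-Host " - Falscher Port (Standard: 443)" -ForegroundColor Yellow
    Write-Host " - Firewall blockiert die Verbindung" -ForegroundColor Yellow
    exit 1
}

Write-Host ""
Read-Host "Eingabetaste zum Beenden"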