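<#
.SYNOPSIS
    Installs the AD Certificate Services role (if absent) and imports a root CA
    certificate from a PEM file into the LocalMachine\Root trust store.

.DESCRIPTION
    Adding a certificate to LocalMachine\Root makes every certificate that chains
    to it trusted machine-wide (TLS, code signing, ...). The script therefore
    fails closed:
      * it parses and prints the certificate (Subject/Issuer/Thumbprint) before
        touching the store,
      * optionally pins the expected thumbprint ($ExpectedThumbprint),
      * refuses certificates that are not self-signed (the ROOT store is for
        trust anchors only),
      * checks certutil's exit code, and
      * verifies the import by thumbprint instead of a wildcard match.

.NOTES
    Must run elevated. Install-WindowsFeature exists only on Windows Server.
    X509Certificate2 loads the first certificate in the PEM file; a bundle with
    several certificates is not fully handled here.
#>

# Fail fast: a half-applied trust-store change is worse than none.
$ErrorActionPreference = 'Stop'

# Ensure this script runs as an administrator (writing LocalMachine\Root requires it)
$currentIdentity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script as Administrator!"
}

# change this to the actual name of your Certificate
$PemFileName = "ca.pem"

# Optional: SHA-1 thumbprint (hex; spaces/colons are tolerated) that ca.pem must
# have. Leave empty to skip pinning. Pinning stops a swapped or tampered ca.pem
# from being trusted machine-wide.
$ExpectedThumbprint = ""

# Define the path to the PEM file (located next to this script)
$CurrentDir  = Split-Path -Parent $MyInvocation.MyCommand.Path
$PemFilePath = Join-Path -Path $CurrentDir -ChildPath $PemFileName

# Function to check if CA is already installed.
# Returns $true (and lists the CA) when Get-CertificateAuthority reports one,
# $false otherwise.
# NOTE(review): Get-CertificateAuthority is not a built-in cmdlet. If the module
# that provides it is not loaded, a bare call would print a "not recognized"
# error (-ErrorAction cannot suppress command resolution failures), so the
# cmdlet's presence is tested first and the check is skipped when it is absent.
function Check-CAInstalled {
    if (-Not (Get-Command -Name Get-CertificateAuthority -ErrorAction SilentlyContinue)) {
        return $false
    }
    $caExists = Get-CertificateAuthority -ErrorAction SilentlyContinue
    if ($caExists) {
        Write-Host "A Certificate Authority is already installed:" -ForegroundColor Yellow
        $caExists | Format-Table -Property CAName, CAType, CADuration
        return $true
    }
    return $false
}

# Check if a CA is already installed
if (Check-CAInstalled) {
    Write-Host "Exiting script as CA installation is not required." -ForegroundColor Green
    exit
}

# Check if PEM file exists (and is a file, not a directory)
if (-Not (Test-Path -LiteralPath $PemFilePath -PathType Leaf)) {
    throw "CA PEM file not found at path: $PemFilePath"
}

# Parse the PEM before touching the trust store so the operator can see, and the
# script can pin, exactly what is about to be trusted. X509Certificate2 accepts
# Base64/PEM-encoded certificate files.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PemFilePath
Write-Host "Certificate to be added to LocalMachine\Root:" -ForegroundColor Cyan
$caCert | Format-List -Property Subject, Issuer, NotBefore, NotAfter, Thumbprint

# The ROOT store holds self-signed trust anchors; an intermediate or leaf does
# not belong there, so refuse rather than warn.
if ($caCert.Subject -ne $caCert.Issuer) {
    throw "Certificate is not self-signed (Subject != Issuer); refusing to add it to the ROOT store."
}

# Warn (do not fail) when Basic Constraints does not assert CA=true: some older
# root certificates omit the extension entirely, so a hard stop would be wrong.
$basicConstraints = $caCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
if (-Not $basicConstraints -or -Not $basicConstraints.CertificateAuthority) {
    Write-Warning "Certificate does not assert Basic Constraints CA=true; confirm it really is a CA certificate."
}

# Enforce the thumbprint pin when one is configured.
if ($ExpectedThumbprint) {
    $normalizedExpected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($caCert.Thumbprint -ne $normalizedExpected) {
        throw "Thumbprint mismatch: expected $normalizedExpected, got $($caCert.Thumbprint). Refusing to import."
    }
}

# Install the AD Certificate Services role if it's not installed.
# NOTE(review): certutil -addstore does not need this role; the step installs
# the ADCS role binaries (Windows Server only) and is kept because the original
# script performed it. Drop it if the goal is only to trust a root certificate.
Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

# Import the CA from PEM file using certutil (-f overwrites an existing entry)
Write-Host "Importing the Certificate Authority from PEM file..." -ForegroundColor Cyan
certutil -addstore -f "ROOT" $PemFilePath
if ($LASTEXITCODE -ne 0) {
    throw "certutil -addstore failed with exit code $LASTEXITCODE."
}

# Verify that the CA was imported successfully, by thumbprint.
# The previous check ("*CN=*") matched every certificate in the Root store and
# therefore reported success even when the import had failed.
$importedCA = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }
if ($importedCA) {
    Write-Host "Successfully imported CA from PEM file:" -ForegroundColor Green
    $importedCA | Format-Table -Property Subject, Thumbprint
} else {
    Write-Host "Failed to import CA from PEM file." -ForegroundColor Red
    # Non-zero exit so automation calling this script notices the failure.
    exit 1
}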