bitwarden · Hinton · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/dev/helpers/Get-CertificateThumbprint.ps1 b/dev/helpers/Get-CertificateThumbprint.ps1
@@ -0,0 +1,76 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Get the thumbprint of the Bitwarden development certificate.
+
+.DESCRIPTION
+    Retrieves the SHA1 thumbprint of the Identity Server development certificate.
+    Works on both Windows (from certificate store) and Unix (from certificate files).
+
+.EXAMPLE
+    ./Get-CertificateThumbprint.ps1
+    Returns the certificate thumbprint
+
+.OUTPUTS
+    System.String
+    The certificate thumbprint formatted with spaces (e.g., "AB CD EF ...")
+#>
+
+[CmdletBinding()]
+param()
+
+$ErrorActionPreference = "Stop"
+
+# Get the dev directory (parent of helpers)
+$DevDir = Split-Path -Parent $PSScriptRoot
+Set-Location $DevDir
+
+# Helper function to format thumbprint
+function Format-Thumbprint {
+    param([string]$Thumbprint)
+    $clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
+    $formatted = $clean.ToUpper() -replace '(.{2})', '$1 '
+    return $formatted.Trim()
+}
+
+try {
+    if ($IsWindows) {
+        # Windows: Get from certificate store
+        $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
+                Where-Object { $_.Subject -eq "CN=Bitwarden Identity Server Dev" } |
+                Select-Object -First 1
+
+        if (-not $cert) {
+            Write-Error "Development certificate not found in certificate store. Please create it first."
+            exit 1
+        }
+
+        $rawThumbprint = $cert.Thumbprint
+    } else {
+        # Unix: Get from certificate file
+        if (-not (Test-Path identity_server_dev.crt)) {
+            Write-Error "Development certificate file not found. Please create it first."
+            exit 1
+        }
+
+        if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
+            Write-Error "OpenSSL is required but not found. Please install OpenSSL."
+            exit 1
+        }
+
+        $thumbprintOutput = openssl x509 -in identity_server_dev.crt -outform der 2>$null | openssl dgst -sha1 2>$null
+
+        if ($thumbprintOutput -match '([0-9A-Fa-f]{40})') {
+            $rawThumbprint = $matches[1]
+        } else {
+            Write-Error "Failed to extract certificate thumbprint"
+            exit 1
+        }
+    }
+
+    return Format-Thumbprint -Thumbprint $rawThumbprint
+} catch {
+    Write-Error "Failed to retrieve certificate thumbprint: $_"
+    exit 1
+}
diff --git a/dev/helpers/New-DevelopmentCertificate.ps1 b/dev/helpers/New-DevelopmentCertificate.ps1
@@ -0,0 +1,102 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Create development certificates for Bitwarden server.
+
+.DESCRIPTION
+    Creates self-signed development certificates for Identity Server and Data Protection.
+    The certificates are valid for 10 years and stored in the dev directory.
+
+    This script works across Windows, macOS, and Linux by calling platform-specific
+    certificate creation scripts.
+
+.PARAMETER Force
+    Force recreation of certificates even if they already exist.
+
+.EXAMPLE
+    ./New-DevelopmentCertificate.ps1
+    Creates certificates if they don't exist and returns the thumbprint
+
+.EXAMPLE
+    ./New-DevelopmentCertificate.ps1 -Force
+    Force recreate certificates and return the thumbprint
+
+.EXAMPLE
+    $thumbprint = ./New-DevelopmentCertificate.ps1
+    Store the certificate thumbprint in a variable
+
+.OUTPUTS
+    System.String
+    The certificate thumbprint (SHA1 hash) formatted with spaces
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter()]
+    [switch]$Force
+)
+
+$ErrorActionPreference = "Stop"
+
+# Get the dev directory (parent of helpers)
+$DevDir = Split-Path -Parent $PSScriptRoot
+Set-Location $DevDir
+
+# Check if certificates already exist
+if ($IsWindows) {
+    $existingCert = Get-ChildItem -Path Cert:\CurrentUser\My |
+                    Where-Object { $_.Subject -eq "CN=Bitwarden Identity Server Dev" } |
+                    Select-Object -First 1
+    $certificatesExist = $null -ne $existingCert
+} else {
+    $certificatesExist = (Test-Path identity_server_dev.crt) -and
+                        (Test-Path identity_server_dev.key)
+}
+
+# If certificates exist and not forcing recreation, return existing thumbprint
+if ($certificatesExist -and -not $Force) {
+    return & "$PSScriptRoot/Get-CertificateThumbprint.ps1"
+}
+
+# Create certificates using platform-specific scripts
+if ($IsWindows) {
+    if ($Force -and $existingCert) {
+        Remove-Item -Path "Cert:\CurrentUser\My\$($existingCert.Thumbprint)" -Force
+    }
+
+    & "$PSScriptRoot/create_certificates_windows.ps1"
+
+    if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to create certificates"
+        exit 1
+    }
+} elseif ($IsMacOS) {
+    if ($Force) {
+        Remove-Item identity_server_dev.pfx, identity_server_dev.crt, identity_server_dev.key -ErrorAction SilentlyContinue
+    }
+
+    bash "$PSScriptRoot/create_certificates_mac.sh"
+
+    if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to create certificates"
+        exit 1
+    }
+} elseif ($IsLinux) {
+    if ($Force) {
+        Remove-Item identity_server_dev.crt, identity_server_dev.key -ErrorAction SilentlyContinue
+    }
+
+    bash "$PSScriptRoot/create_certificates_linux.sh"
+
+    if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to create certificates"
+        exit 1
+    }
+} else {
+    Write-Error "Unsupported operating system"
+    exit 1
+}
+
+# Return the certificate thumbprint
+return & "$PSScriptRoot/Get-CertificateThumbprint.ps1"
diff --git a/dev/helpers/New-RandomPassword.ps1 b/dev/helpers/New-RandomPassword.ps1
@@ -0,0 +1,106 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Generate a strong random password.
+
+.DESCRIPTION
+    Generates a random password with configurable character requirements:
+    - Latin uppercase letters (A through Z)
+    - Latin lowercase letters (a through z)
+    - Base 10 digits (0 through 9)
+    - Non-alphanumeric characters: !, $, #, %
+
+    By default, the password includes at least one character from each category.
+
+.PARAMETER Length
+    The length of the password to generate. Default is 20 characters. Minimum is 4.
+
+.PARAMETER RequireUppercase
+    Require at least one uppercase letter. Default is true.
+
+.PARAMETER RequireLowercase
+    Require at least one lowercase letter. Default is true.
+
+.PARAMETER RequireDigits
+    Require at least one digit. Default is true.
+
+.PARAMETER RequireSpecial
+    Require at least one special character. Default is true.
+
+.EXAMPLE
+    ./New-RandomPassword.ps1
+    Generates a 20-character random password with all character types
+
+.EXAMPLE
+    ./New-RandomPassword.ps1 -Length 12 -RequireSpecial:$false
+    Generates a 12-character random password without special characters
+
+.OUTPUTS
+    System.String
+    A randomly generated password string
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Position = 0)]
+    [ValidateRange(4, 128)]
+    [int]$Length = 20,
+
+    [Parameter()]
+    [bool]$RequireUppercase = $true,
+
+    [Parameter()]
+    [bool]$RequireLowercase = $true,
+
+    [Parameter()]
+    [bool]$RequireDigits = $true,
+
+    [Parameter()]
+    [bool]$RequireSpecial = $true
+)
+
+# Define character sets
+$uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+$lowercase = 'abcdefghijklmnopqrstuvwxyz'
+$digits = '0123456789'
+$special = '!$#%'
+
+# All characters are always available for random selection
+$allChars = $uppercase + $lowercase + $digits + $special
+
+# Build password ensuring required characters
+$password = @()
+
+if ($RequireUppercase) {
+    $password += $uppercase[(Get-Random -Maximum $uppercase.Length)]
+}
+
+if ($RequireLowercase) {
+    $password += $lowercase[(Get-Random -Maximum $lowercase.Length)]
+}
+
+if ($RequireDigits) {
+    $password += $digits[(Get-Random -Maximum $digits.Length)]
+}
+
+if ($RequireSpecial) {
+    $password += $special[(Get-Random -Maximum $special.Length)]
+}
+
+# Validate that length is sufficient for required characters
+if ($Length -lt $password.Count) {
+    throw "Length must be at least $($password.Count) to satisfy all requirements"
+}
+
+# Fill the rest with random characters from allowed categories
+for ($i = $password.Count; $i -lt $Length; $i++) {
+    $password += $allChars[(Get-Random -Maximum $allChars.Length)]
+}
+
+# Shuffle the password to avoid predictable patterns
+$shuffled = $password | Sort-Object { Get-Random }
+$result = -join $shuffled
+
+# Output the password
+Write-Output $result
diff --git a/dev/helpers/Write-Log.ps1 b/dev/helpers/Write-Log.ps1
@@ -0,0 +1,34 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Logging helper functions for Bitwarden development scripts.
+
+.DESCRIPTION
+    Provides colored console output functions for consistent logging across
+    development scripts.
+#>
+
+function Write-InfoLog {
+    param([string]$Message)
+    Write-Host "[INFO] " -ForegroundColor Blue -NoNewline
+    Write-Host $Message
+}
+
+function Write-SuccessLog {
+    param([string]$Message)
+    Write-Host "[SUCCESS] " -ForegroundColor Green -NoNewline
+    Write-Host $Message
+}
+
+function Write-WarningLog {
+    param([string]$Message)
+    Write-Host "[WARNING] " -ForegroundColor Yellow -NoNewline
+    Write-Host $Message
+}
+
+function Write-ErrorLog {
+    param([string]$Message)
+    Write-Host "[ERROR] " -ForegroundColor Red -NoNewline
+    Write-Host $Message
+}
diff --git a/dev/create_certificates_linux.sh → dev/helpers/create_certificates_linux.sh b/dev/create_certificates_linux.sh → dev/helpers/create_certificates_linux.sh
@@ -1,6 +1,12 @@
 #!/usr/bin/env bash
 # Script for generating and installing the Bitwarden development certificates on Linux.
 
+# Get the dev directory (parent of helpers)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEV_DIR="$(dirname "$SCRIPT_DIR")"
+
+cd "$DEV_DIR"
+
 IDENTITY_SERVER_KEY=identity_server_dev.key
 IDENTITY_SERVER_CERT=identity_server_dev.crt
 IDENTITY_SERVER_CN="Bitwarden Identity Server Dev"
@@ -19,7 +25,6 @@ else
   exit 1
 fi
 
-
 openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 \
     -keyout $IDENTITY_SERVER_KEY \
     -out $IDENTITY_SERVER_CERT \

diff --git a/dev/create_certificates_mac.sh → dev/helpers/create_certificates_mac.sh b/dev/create_certificates_mac.sh → dev/helpers/create_certificates_mac.sh
@@ -1,11 +1,17 @@
 #!/usr/bin/env bash
 
+# Get the dev directory (parent of helpers)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEV_DIR="$(dirname "$SCRIPT_DIR")"
+
+cd "$DEV_DIR"
+
 openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity_server_dev.key -out identity_server_dev.crt \
     -subj "/CN=Bitwarden Identity Server Dev" -days 3650
 openssl pkcs12 -export -legacy -out identity_server_dev.pfx -inkey identity_server_dev.key -in identity_server_dev.crt \
-    -certfile identity_server_dev.crt
+    -certfile identity_server_dev.crt -passout pass:dev
 
-security import ./identity_server_dev.pfx -k ~/Library/Keychains/Login.keychain
+security import ./identity_server_dev.pfx -k ~/Library/Keychains/login.keychain -P "dev"
 
 identity=($(openssl x509 -in identity_server_dev.crt -outform der | shasum -a 1 | tr a-z A-Z));
 

diff --git a/dev/create_certificates_windows.ps1 → dev/helpers/create_certificates_windows.ps1 b/dev/create_certificates_windows.ps1 → dev/helpers/create_certificates_windows.ps1
@@ -1,5 +1,10 @@
+#!/usr/bin/env pwsh
 # Script for generating and installing the Bitwarden development certificates on Windows.
 
+# Get the dev directory (parent of helpers)
+$DevDir = Split-Path -Parent $PSScriptRoot
+Set-Location $DevDir
+
 $params = @{
     'KeyAlgorithm' = 'RSA';
     'KeyLength' = 4096;