Solved

Checking multiple servers for a saved SSL certificate

Posted on 2014-07-22
4
311 Views
Last Modified: 2014-07-22
I'm looking for a command that I can use to remotely connect to multiple servers (using Powershell or PSEXEC) and search for an installed SSL certificate.

I'd be using a domain admin account so authentication shouldn't be an issue, but I'm not sure how to search the SSL Certificate Store via command line / remotely.  Possibly installed SSL certificates are also in the Registry and if so searching the registry would also work if possible,

Any ideas?  I should add that I'm a terrible coder unfortunately so if you have any kind of sample script you've used in the past to do something similar it would be very much appreciated.

Thanks
0
Comment
Question by:Vas
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40211851
This should work:

The example below checks by thumbprint, but you can change to search by other criteria:
e.g. subject, serialnumber etc.
$_.thumbprint -like <thumbprint>
$_.subject -like  *<subject>*


function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
                                                     }
gc  C:\serverlist.txt | % {
Get-Cert $_ | ?{$computer=$_;$_.thumbprint -like <thumbprint>; $report += "$computer, $_.thumbprint, $_.Subject" }
                                           }
write-host $report

Open in new window

0
 
LVL 1

Author Comment

by:Vas
ID: 40212381
Thanks for the script -  so I tried it by changing this line since I want to search on Subject:

Get-Cert $_ | ?{$computer=$_;$_.subject -like "xxxxx"; $report += "$computer, $_.thumbprint, $_.Subject" }

(xxxx was a unique part of the hostname I'm looking for)



The script output every single SSL cert on all the servers it looks like (it output thousands of lines).  This wouldn't be terrible as I could always then paste the output in a text file and search for the hostname that way but the problem was that the computer name was not output so it would not show me which server it found it on, and also it's not showing any hostnames, not sure if it's not outputting this but it looks more like it's mostly outputting the root or intermediate certs rather than the "Personal Certificates"



Here is an example part of the output if it helps:



[Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.thumbprint, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.Subject[Subject]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Issuer]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Serial Number]
  79AD16A14AA0A5AD4C7358F407132E65

[Not Before]
  5/9/2001 7:19:22 PM

[Not After]
  5/9/2021 7:28:13 PM






Thanks
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 40212455
My bad, see updated script:
function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\My",$lm)
    $store.Open($ro)
    $store.Certificates

}
gc c:\serverlist.txt | % {
$computer=$_;
Get-Cert $_ | ?{
$_.subject -like "*domain.domain.com*";

} | % {

$sub = $_.subject;$report += "$computer, $sub`n" }

}
$report | out-file C:\certreport.csv

Open in new window

0
 
LVL 1

Author Closing Comment

by:Vas
ID: 40212750
YOU ROCK!

That script worked like a charm and saved me countless hours of tracking this cert down, thank you so much for that.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question