Solved

Checking multiple servers for a saved SSL certificate

Posted on 2014-07-22
302 Views
Last Modified: 2014-07-22
I'm looking for a command that I can use to remotely connect to multiple servers (using PowerShell or PSEXEC) and search for an installed SSL certificate.

I'd be using a domain admin account so authentication shouldn't be an issue, but I'm not sure how to search the SSL certificate store via command line / remotely. Possibly installed SSL certificates are also in the registry, and if so, searching the registry would also work if possible.

Any ideas? I should add that I'm a terrible coder, unfortunately, so if you have any kind of sample script you've used in the past to do something similar it would be very much appreciated.

Thanks
0
Question by:Vas
4 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 40211851
This should work:

The example below checks by thumbprint, but you can change it to search by other criteria, e.g. subject, serial number, etc.:
$_.thumbprint -like <thumbprint>
$_.subject -like *<subject>*


function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
}
gc C:\serverlist.txt | % {
    Get-Cert $_ | ?{$computer=$_;$_.thumbprint -like <thumbprint>; $report += "$computer, $_.thumbprint, $_.Subject" }
}
write-host $report


0
 
LVL 1

Author Comment

by:Vas
ID: 40212381
Thanks for the script - so I tried it by changing this line, since I want to search on Subject:

Get-Cert $_ | ?{$computer=$_;$_.subject -like "xxxxx"; $report += "$computer, $_.thumbprint, $_.Subject" }

(xxxx was a unique part of the hostname I'm looking for)



The script output every single SSL cert on all the servers, it looks like (it output thousands of lines). This wouldn't be terrible, as I could always paste the output into a text file and search for the hostname that way, but the problem was that the computer name was not output, so it would not show me which server it found it on. Also it's not showing any hostnames; not sure if it's not outputting this, but it looks more like it's mostly outputting the root or intermediate certs rather than the "Personal Certificates".



Here is an example part of the output if it helps:



[Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.thumbprint, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.Subject[Subject]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Issuer]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Serial Number]
  79AD16A14AA0A5AD4C7358F407132E65

[Not Before]
  5/9/2001 7:19:22 PM

[Not After]
  5/9/2021 7:28:13 PM

Thanks
0
 
LVL 28

Accepted Solution

by:becraig (earned 500 total points)
ID: 40212455
My bad, see updated script:
function Get-Cert( $computer){
    # Open the remote machine's Personal ("My") store read-only; this is where
    # server/host certificates with private keys live, unlike the Root store.
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\My",$lm)
    $store.Open($ro)
    $store.Certificates
    $store.Close()
}
gc c:\serverlist.txt | % {
    $computer=$_;   # capture the server name here, before $_ becomes a certificate
    Get-Cert $_ | ?{ $_.subject -like "*domain.domain.com*" } | % {
        $sub = $_.subject   # copy to a plain variable so it interpolates cleanly in the string
        $report += "$computer, $sub`n"
    }
}
$report | out-file C:\certreport.csv


0
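A fuller inventory version of the accepted approach, added here as an example and not code from the thread. It uses the same X509Store API but emits objects (so Export-Csv writes a real header), wraps each host in try/catch so one unreachable server does not abort the run, and flags matching certificates that expire soon; the server list path, subject pattern and warning window are assumed values.

```powershell
# Assumed inputs (not from the thread): server list file, subject pattern, expiry window.
$ServerList     = 'C:\serverlist.txt'
$SubjectPattern = '*domain.domain.com*'
$WarnDays       = 30

function Get-RemoteCert {
    param([string]$ComputerName, [string]$StoreName = 'My')
    # Remote Personal store, opened read-only inside try/finally: an unreachable or
    # access-denied host produces a warning instead of stopping the whole sweep.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        "\\$ComputerName\$StoreName",
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        foreach ($c in $store.Certificates) {
            # Emit objects rather than hand-built strings. (If you do build a string,
            # "$c.Thumbprint" expands $c and appends literal ".Thumbprint"; use "$($c.Thumbprint)".)
            [pscustomobject]@{
                ComputerName  = $ComputerName
                Store         = $StoreName
                Subject       = $c.Subject
                Thumbprint    = $c.Thumbprint
                NotAfter      = $c.NotAfter
                DaysLeft      = [int]($c.NotAfter - (Get-Date)).TotalDays
                HasPrivateKey = $c.HasPrivateKey
            }
        }
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
    } finally {
        $store.Close()
    }
}

$report = Get-Content $ServerList |
    Where-Object { $_.Trim() } |
    ForEach-Object { Get-RemoteCert -ComputerName $_.Trim() } |
    Where-Object { $_.Subject -like $SubjectPattern }

# Proper CSV with a header row, one line per (server, certificate) match
$report | Export-Csv -Path 'C:\certreport.csv' -NoTypeInformation

# Expiry watch: matching certificates that lapse within $WarnDays days
$report | Where-Object { $_.DaysLeft -le $WarnDays } |
    Sort-Object DaysLeft |
    Format-Table ComputerName, Subject, Thumbprint, NotAfter, DaysLeft -AutoSize
```

Run it from an account with admin rights on the target servers (as the question states); hosts that fail show up as warnings on the console rather than as missing rows you might mistake for "no certificate found".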
 
LVL 1

Author Closing Comment

by:Vas
ID: 40212750
YOU ROCK!

That script worked like a charm and saved me countless hours of tracking this cert down, thank you so much for that.
0
