Checking multiple servers for a saved SSL certificate

Posted on 2014-07-22
Last Modified: 2014-07-22
I'm looking for a command that I can use to remotely connect to multiple servers (using Powershell or PSEXEC) and search for an installed SSL certificate.

I'd be using a domain admin account so authentication shouldn't be an issue, but I'm not sure how to search the SSL certificate store via command line / remotely. Possibly installed SSL certificates are also in the registry, and if so, searching the registry would also work if possible.

Any ideas? I should add that I'm a terrible coder unfortunately, so if you have any kind of sample script you've used in the past to do something similar it would be very much appreciated.

Thanks
Question by:Vas
Expert Comment

by:becraig
ID: 40211851
This should work:

The example below checks by thumbprint, but you can change it to search by other criteria, e.g. subject, serial number, etc.:
$_.Thumbprint -like "<thumbprint>"
$_.Subject -like "*<subject>*"


function Get-Cert($computer) {
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root", $lm)
    $store.Open($ro)
    $store.Certificates
}
gc C:\serverlist.txt | % {
    Get-Cert $_ | ? { $computer = $_; $_.thumbprint -like "<thumbprint>"; $report += "$computer, $_.thumbprint, $_.Subject" }
}
write-host $report

Author Comment

by:Vas
ID: 40212381
Thanks for the script - so I tried it by changing this line, since I want to search on Subject:

Get-Cert $_ | ?{$computer=$_;$_.subject -like "xxxxx"; $report += "$computer, $_.thumbprint, $_.Subject" }

(xxxxx was a unique part of the hostname I'm looking for)

The script output every single SSL cert on all the servers, it looks like (it output thousands of lines). This wouldn't be terrible, as I could always paste the output into a text file and search for the hostname that way, but the problem was that the computer name was not output, so it would not show me which server it found it on. Also it's not showing any hostnames; not sure if it's not outputting this, but it looks more like it's mostly outputting the root or intermediate certs rather than the "Personal Certificates".



Here is an example part of the output if it helps:
[Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.thumbprint, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.Subject[Subject]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Issuer]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Serial Number]
  79AD16A14AA0A5AD4C7358F407132E65

[Not Before]
  5/9/2001 7:19:22 PM

[Not After]
  5/9/2021 7:28:13 PM
Thanks
Accepted Solution

by:
becraig earned 500 total points
ID: 40212455
My bad, see updated script:
function Get-Cert($computer) {
    # Opens the remote machine's LocalMachine\My (Personal) store read-only.
    # The "\\computer\store" form goes over the Remote Registry service, so it
    # needs that service reachable on the target and admin rights for the caller.
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\My", $lm)
    $store.Open($ro)
    $store.Certificates
    $store.Close()
}

$report = @()
gc c:\serverlist.txt | % {
    $computer = $_
    Get-Cert $computer | ? { $_.Subject -like "*domain.domain.com*" } | % {
        # Emit objects rather than a hand-built "computer, subject" string:
        # subjects contain commas, which would break the columns in the CSV.
        $report += [pscustomobject]@{ Computer = $computer; Subject = $_.Subject; Thumbprint = $_.Thumbprint }
    }
}
$report | Export-Csv C:\certreport.csv -NoTypeInformation

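Two practical notes on the scripts in this thread, followed by an added example that is not part of the original answer. First, inside a double-quoted PowerShell string `"$_.thumbprint"` expands only `$_` and leaves `.thumbprint` as literal text, which is where the stray `.thumbprint,` fragments in the output above came from; use `$($_.Thumbprint)` instead. Second, the `\\server\My` store syntax rides on the Remote Registry service. The example below does the same sweep over WinRM (PowerShell remoting) with `Invoke-Command`, returns the computer name, thumbprint, expiry and SAN for every match, and includes a Remote Registry fallback that lists thumbprints straight from the registry key that backs the LocalMachine Personal store. It assumes WinRM is enabled on the targets, that the caller is a local administrator there, and the server names and subject filter are constructed for illustration.

```powershell
# Added example (not from the original thread). Assumes PowerShell remoting is
# enabled on the targets and the caller has admin rights on them. The server
# list and the subject pattern below are constructed sample values.
$servers = @('server01.domain.domain.com', 'server02.domain.domain.com')

function Find-RemoteCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $SubjectLike = '*',    # wildcard match on the Subject field
        [string] $Thumbprint,           # optional exact thumbprint (hex, spaces ignored)
        [string] $StoreName  = 'My'     # My = Personal; also Root, CA, WebHosting, ...
    )
    # Runs on each target. Only plain properties come back over the session
    # (certificate objects are deserialized), so select what is needed here.
    $sb = {
        param($SubjectLike, $Thumbprint, $StoreName)
        $wanted = if ($Thumbprint) { ($Thumbprint -replace '\s', '').ToUpper() } else { $null }
        Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
            Where-Object {
                $_.Subject -like $SubjectLike -and
                (-not $wanted -or $_.Thumbprint -eq $wanted)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer      = $env:COMPUTERNAME
                    Store         = $StoreName
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    DaysRemaining = [int]($_.NotAfter - (Get-Date)).TotalDays
                    HasPrivateKey = $_.HasPrivateKey
                    # Subject Alternative Name extension (OID 2.5.29.17), one line
                    SAN           = ($_.Extensions |
                        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                        ForEach-Object { $_.Format($false) }) -join ';'
                }
            }
    }
    # One unreachable host must not abort the sweep: collect errors, warn at the end.
    $failed = @()
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb `
        -ArgumentList $SubjectLike, $Thumbprint, $StoreName `
        -ErrorAction SilentlyContinue -ErrorVariable failed
    foreach ($e in $failed) { Write-Warning $e.ToString() }
}

# Fallback for hosts without WinRM but with the Remote Registry service running
# (the same channel the X509Store("\\server\My") form uses). The LocalMachine
# Personal store is backed by this key; each subkey name is a certificate thumbprint.
function Get-RemoteStoreThumbprint {
    param([Parameter(Mandatory)] [string] $ComputerName, [string] $StoreName = 'MY')
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey("SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates")
        if ($key) {
            $key.GetSubKeyNames() | ForEach-Object {
                [pscustomobject]@{ Computer = $ComputerName; Store = $StoreName; Thumbprint = $_ }
            }
        }
    } finally { $hklm.Close() }
}

# Usage: find the cert on every server, soonest-expiring first, and save a real CSV.
$found = Find-RemoteCertificate -ComputerName $servers -SubjectLike '*domain.domain.com*'
$found | Sort-Object DaysRemaining |
    Format-Table Computer, Subject, Thumbprint, NotAfter, DaysRemaining, HasPrivateKey -AutoSize
$found | Export-Csv C:\certreport.csv -NoTypeInformation

# Registry-only check for a host that refuses WinRM:
Get-RemoteStoreThumbprint -ComputerName $servers[0] | Format-Table -AutoSize
```

`HasPrivateKey` is the column worth watching when tracking down where a certificate is actually in service: a copy in a server's Personal store without its private key is just a trust artefact, while a copy with the key is the one a site or service can present, and is the one that matters when the certificate is due for rotation or revocation.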
Author Closing Comment

by:Vas
ID: 40212750
YOU ROCK!

That script worked like a charm and saved me countless hours of tracking this cert down, thank you so much for that.