Solved

Checking multiple servers for a saved SSL certificate

Posted on 2014-07-22
4
307 Views
Last Modified: 2014-07-22
I'm looking for a command that I can use to remotely connect to multiple servers (using Powershell or PSEXEC) and search for an installed SSL certificate.

I'd be using a domain admin account so authentication shouldn't be an issue, but I'm not sure how to search the SSL Certificate Store via command line / remotely.  Possibly installed SSL certificates are also in the Registry and if so searching the registry would also work if possible,

Any ideas?  I should add that I'm a terrible coder unfortunately so if you have any kind of sample script you've used in the past to do something similar it would be very much appreciated.

Thanks
0
Comment
Question by:Vas
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40211851
This should work:

The example below checks by thumbprint, but you can change to search by other criteria:
e.g. subject, serialnumber etc.
$_.thumbprint -like <thumbprint>
$_.subject -like  *<subject>*


function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
                                                     }
gc  C:\serverlist.txt | % {
Get-Cert $_ | ?{$computer=$_;$_.thumbprint -like <thumbprint>; $report += "$computer, $_.thumbprint, $_.Subject" }
                                           }
write-host $report

Open in new window

0
 
LVL 1

Author Comment

by:Vas
ID: 40212381
Thanks for the script -  so I tried it by changing this line since I want to search on Subject:

Get-Cert $_ | ?{$computer=$_;$_.subject -like "xxxxx"; $report += "$computer, $_.thumbprint, $_.Subject" }

(xxxx was a unique part of the hostname I'm looking for)



The script output every single SSL cert on all the servers it looks like (it output thousands of lines).  This wouldn't be terrible as I could always then paste the output in a text file and search for the hostname that way but the problem was that the computer name was not output so it would not show me which server it found it on, and also it's not showing any hostnames, not sure if it's not outputting this but it looks more like it's mostly outputting the root or intermediate certs rather than the "Personal Certificates"



Here is an example part of the output if it helps:



[Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.thumbprint, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.Subject[Subject]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Issuer]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Serial Number]
  79AD16A14AA0A5AD4C7358F407132E65

[Not Before]
  5/9/2001 7:19:22 PM

[Not After]
  5/9/2021 7:28:13 PM






Thanks
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 40212455
My bad, see updated script:
function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\My",$lm)
    $store.Open($ro)
    $store.Certificates

}
gc c:\serverlist.txt | % {
$computer=$_;
Get-Cert $_ | ?{
$_.subject -like "*domain.domain.com*";

} | % {

$sub = $_.subject;$report += "$computer, $sub`n" }

}
$report | out-file C:\certreport.csv

Open in new window

0
 
LVL 1

Author Closing Comment

by:Vas
ID: 40212750
YOU ROCK!

That script worked like a charm and saved me countless hours of tracking this cert down, thank you so much for that.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question