Solved

How can I obtain the thumbprint of a certificate issued with a specific template on Server 2008 R2 via PowerShell?

Posted on 2015-01-20
4
778 Views
Last Modified: 2015-01-27
Greetings folks -

I'd like someone to help me craft a PowerShell script to obtain the thumbprint of a certificate issued with a specific template name on a server running Windows Server 2008 R2.  Either using the certificate name or the EKU string for Server Authentication (1.3.6.1.5.5.7.3.1) would be sufficient.

My problem is that I've figured out how to do this very easily on Server 2012 R2 because Microsoft has added providers into PowerShell.  It's as simple as running:

Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication | Sort-Object -Property NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window


However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

So... what I know is that I have a template named "PKI-Server Authentication".  I know that each of my servers will have ONE certificate issued with this autoenrollment template.

What I'd like to do is find the thumbprint of the certificate that was issued with that template.  As the template's name is part of the cert, I would think this is possible via PowerShell - somehow.

Please advise.  Thank you in advance.
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40561047
Easiest solution update powershell to version 4
http://www.microsoft.com/en-ca/download/details.aspx?id=40855
0
 

Author Comment

by:amendala
ID: 40561252
Unfortunately, not a correct solution, though I will agree that upgrading to WMF 4.0 is easy - and I've already done that.

Running version 4.0 of the shell does not mean the appropriate providers (and therefore their exposed parameters) are present to provide the necessary functionality.  Two identical versions of WMF, running on different operating systems, can have wildly different capabilities.  This is why I said
However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

Microsoft's documentation substantiates this here:

Get-ChildItem for Certificate

Within, they say the following:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

As my goal as originally stated is to target Server 2008 R2, the absence of these parameters really makes the situation more difficult than it should be.

I am very close to having a solution finished and tested for this that I will share here when done, if someone else don't already have one or posts one sooner.

Thank you for your reply.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 40564725
The following code will do what I asked originally.  It works on Server 2008 R2 or Server 2012 R2, both on WMF 4.0, regardless of provider set.

The initial PowerShell function is responsible for parsing and transforming the X509 certificate to expose the Template property for use in the Get-ChildItem command.

All you need to do is swap the "template name text" for a partial name of a template your PKI is issuing with and the thumbprint of the latest certificate issued by that template will be returned.

If you're curious what this is all for, it can be every useful for configuring WinRM instances to ensure the HTTPS listener is always tied to the newest certificate thumbprint.  So if you configure PKI to issue certs to your servers with a template named "WinRM-Server Authentication", all you would need to do is swap in that template name text and the command will return the thumbprint.  You can then feed that thumbprint into Set-WSManInstance to configure the HTTPS listener.  Otherwise, an expired certificate will result in WinRM secure sessions failing when the certificate expires or is renewed at the half-life (as the thumbprint will change).

Function ReadX509
{
	[CmdletBinding()]
    Param
	(
		[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
		[Security.Cryptography.X509Certificates.X509Certificate2]$cert
	)
    Process
	{
		$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2"}
		if (!$temp)
		{
			$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"}
		}
        $cert | Add-Member -Name Template -MemberType NoteProperty -Value $temp.Format(1) -PassThru
	}
}

Get-ChildItem cert:\localmachine\my | ReadX509 | Sort-Object -Property NotAfter | Where Template -like "*template name text*" | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window

0
 

Author Closing Comment

by:amendala
ID: 40572393
I created the only correct solution to the question.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

OfficeMate Freezes on login or does not load after login credentials are input.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question