Solved

How can I obtain the thumbprint of a certificate issued with a specific template on Server 2008 R2 via PowerShell?

Posted on 2015-01-20
4
683 Views
Last Modified: 2015-01-27
Greetings folks -

I'd like someone to help me craft a PowerShell script to obtain the thumbprint of a certificate issued with a specific template name on a server running Windows Server 2008 R2.  Either using the certificate name or the EKU string for Server Authentication (1.3.6.1.5.5.7.3.1) would be sufficient.

My problem is that I've figured out how to do this very easily on Server 2012 R2 because Microsoft has added providers into PowerShell.  It's as simple as running:

Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication | Sort-Object -Property NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window


However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

So... what I know is that I have a template named "PKI-Server Authentication".  I know that each of my servers will have ONE certificate issued with this autoenrollment template.

What I'd like to do is find the thumbprint of the certificate that was issued with that template.  As the template's name is part of the cert, I would think this is possible via PowerShell - somehow.

Please advise.  Thank you in advance.
0
Comment
Question by:amendala
  • 3
4 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40561047
Easiest solution update powershell to version 4
http://www.microsoft.com/en-ca/download/details.aspx?id=40855
0
 

Author Comment

by:amendala
ID: 40561252
Unfortunately, not a correct solution, though I will agree that upgrading to WMF 4.0 is easy - and I've already done that.

Running version 4.0 of the shell does not mean the appropriate providers (and therefore their exposed parameters) are present to provide the necessary functionality.  Two identical versions of WMF, running on different operating systems, can have wildly different capabilities.  This is why I said
However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

Microsoft's documentation substantiates this here:

Get-ChildItem for Certificate

Within, they say the following:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

As my goal as originally stated is to target Server 2008 R2, the absence of these parameters really makes the situation more difficult than it should be.

I am very close to having a solution finished and tested for this that I will share here when done, if someone else don't already have one or posts one sooner.

Thank you for your reply.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 40564725
The following code will do what I asked originally.  It works on Server 2008 R2 or Server 2012 R2, both on WMF 4.0, regardless of provider set.

The initial PowerShell function is responsible for parsing and transforming the X509 certificate to expose the Template property for use in the Get-ChildItem command.

All you need to do is swap the "template name text" for a partial name of a template your PKI is issuing with and the thumbprint of the latest certificate issued by that template will be returned.

If you're curious what this is all for, it can be every useful for configuring WinRM instances to ensure the HTTPS listener is always tied to the newest certificate thumbprint.  So if you configure PKI to issue certs to your servers with a template named "WinRM-Server Authentication", all you would need to do is swap in that template name text and the command will return the thumbprint.  You can then feed that thumbprint into Set-WSManInstance to configure the HTTPS listener.  Otherwise, an expired certificate will result in WinRM secure sessions failing when the certificate expires or is renewed at the half-life (as the thumbprint will change).

Function ReadX509
{
	[CmdletBinding()]
    Param
	(
		[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
		[Security.Cryptography.X509Certificates.X509Certificate2]$cert
	)
    Process
	{
		$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2"}
		if (!$temp)
		{
			$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"}
		}
        $cert | Add-Member -Name Template -MemberType NoteProperty -Value $temp.Format(1) -PassThru
	}
}

Get-ChildItem cert:\localmachine\my | ReadX509 | Sort-Object -Property NotAfter | Where Template -like "*template name text*" | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window

0
 

Author Closing Comment

by:amendala
ID: 40572393
I created the only correct solution to the question.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now