Solved

How can I obtain the thumbprint of a certificate issued with a specific template on Server 2008 R2 via PowerShell?

Posted on 2015-01-20
Last Modified: 2015-01-27
Greetings folks -

I'd like someone to help me craft a PowerShell script to obtain the thumbprint of a certificate issued with a specific template name on a server running Windows Server 2008 R2.  Either using the certificate name or the EKU string for Server Authentication (1.3.6.1.5.5.7.3.1) would be sufficient.

My problem is that I've figured out how to do this very easily on Server 2012 R2 because Microsoft has added providers into PowerShell.  It's as simple as running:

Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication | Sort-Object -Property NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint



However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

So... what I know is that I have a template named "PKI-Server Authentication".  I know that each of my servers will have ONE certificate issued with this autoenrollment template.

What I'd like to do is find the thumbprint of the certificate that was issued with that template.  As the template's name is part of the cert, I would think this is possible via PowerShell - somehow.

Please advise.  Thank you in advance.
Question by:amendala

Expert Comment

by:David Johnson, CD, MVP
ID: 40561047
Easiest solution: update PowerShell to version 4.
http://www.microsoft.com/en-ca/download/details.aspx?id=40855

Author Comment

by:amendala
ID: 40561252
Unfortunately, not a correct solution, though I will agree that upgrading to WMF 4.0 is easy - and I've already done that.

Running version 4.0 of the shell does not mean the appropriate providers (and therefore their exposed parameters) are present to provide the necessary functionality.  Two identical versions of WMF, running on different operating systems, can have wildly different capabilities.  This is why I said
However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

Microsoft's documentation substantiates this here:

Get-ChildItem for Certificate

Within, they say the following:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

As my goal as originally stated is to target Server 2008 R2, the absence of these parameters really makes the situation more difficult than it should be.

I am very close to having a solution finished and tested for this that I will share here when done, if someone else doesn't already have one or post one sooner.

Thank you for your reply.

Accepted Solution

by:amendala
ID: 40564725
The following code will do what I asked originally.  It works on Server 2008 R2 or Server 2012 R2, both on WMF 4.0, regardless of provider set.

The initial PowerShell function is responsible for parsing and transforming the X509 certificate to expose the Template property for use in the Get-ChildItem command.

All you need to do is swap the "template name text" for a partial name of a template your PKI is issuing with and the thumbprint of the latest certificate issued by that template will be returned.

If you're curious what this is all for, it can be very useful for configuring WinRM instances to ensure the HTTPS listener is always tied to the newest certificate thumbprint.  So if you configure PKI to issue certs to your servers with a template named "WinRM-Server Authentication", all you would need to do is swap in that template name text and the command will return the thumbprint.  You can then feed that thumbprint into Set-WSManInstance to configure the HTTPS listener.  Otherwise, an expired certificate will result in WinRM secure sessions failing when the certificate expires or is renewed at the half-life (as the thumbprint will change).

Function ReadX509
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [Security.Cryptography.X509Certificates.X509Certificate2]$cert
    )
    Process
    {
        # Version 1 templates record the template name in the "Certificate Template Name"
        # extension (1.3.6.1.4.1.311.20.2); version 2 and later templates use the
        # "Certificate Template Information" extension (1.3.6.1.4.1.311.21.7), whose
        # decoded text contains the template name, its OID and the version numbers.
        $temp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" }
        if (!$temp)
        {
            $temp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7" }
        }
        # Certificates that were not issued from a template (self-signed, imported) carry
        # neither extension. Give those an empty Template so the -like filter below drops
        # them, instead of the pipeline failing on a method call against $null.
        $template = if ($temp) { $temp.Format($true) } else { "" }
        # -Force allows the function to be run again over the same certificate objects
        # without Add-Member complaining that Template already exists.
        $cert | Add-Member -Name Template -MemberType NoteProperty -Value $template -Force -PassThru
    }
}

Get-ChildItem cert:\localmachine\my | ReadX509 | Where-Object Template -like "*template name text*" | Sort-Object -Property NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint

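The accepted solution matches on the template text and takes the certificate with the latest NotAfter. The following is an added example, not code from the original post, that carries the same idea through to the WinRM use case described above: it decodes the same two template extensions, additionally requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a usable private key, skips expired or not-yet-valid certificates, and then creates or updates the WinRM HTTPS listener with Set-WSManInstance / New-WSManInstance. It uses only .NET X509 types and the WSMan cmdlets, so it runs on Server 2008 R2 with WMF 3.0 or later without the Cert: provider's -EKU or -SSLServerAuthentication parameters. The template pattern "*PKI-Server Authentication*" is taken from the question; the listener selector (Address "*", Transport HTTPS), the use of the machine's DNS FQDN as the listener Hostname, and the function names are assumptions for this example. It must be run elevated to change the listener.

```powershell
# Added example (not from the original post). Selects the newest valid certificate issued
# from an AD CS template that also carries the Server Authentication EKU, then binds it to
# the WinRM HTTPS listener. Template pattern, listener selector and hostname handling are
# assumptions; run from an elevated PowerShell session.

Set-StrictMode -Version 2

$ServerAuthEku   = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'  # v1 "Certificate Template Name"
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # v2+ "Certificate Template Information"
$TemplatePattern = '*PKI-Server Authentication*'   # assumed template name from the question

function Get-CertTemplateText {
    # Decoded text of whichever template extension the certificate carries; $null when the
    # certificate was not issued from a template (self-signed, imported, third-party CA).
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in $TemplateNameOid, $TemplateInfoOid) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($true) }
    }
    return $null
}

function Test-ServerAuthEku {
    # True only when an EKU extension is present AND lists id-kp-serverAuth.
    # A certificate with no EKU extension is technically valid for any purpose, but a TLS
    # listener should not be bound to one by accident, so "no EKU" counts as "no".
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })
}

function Get-TemplateCertThumbprint {
    param(
        [Parameter(Mandatory)][string]$TemplatePattern,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    # A listener needs the private key, not just the certificate, and must not be bound to
    # a certificate that is already expired or not yet valid.
    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now) -and
        (Test-ServerAuthEku -Cert $_) -and
        ((Get-CertTemplateText -Cert $_) -like $TemplatePattern)
    }
    # Sort by NotBefore rather than NotAfter: NotAfter only tracks issuance order when every
    # certificate was issued with the same validity period, NotBefore tracks it directly.
    $newest = $candidates | Sort-Object -Property NotBefore | Select-Object -Last 1
    if (-not $newest) {
        throw "No valid Server Authentication certificate matches template '$TemplatePattern' in $StorePath"
    }
    return $newest.Thumbprint
}

function Set-WinRMHttpsListenerCert {
    # Creates the WinRM HTTPS listener on all addresses if it is missing, otherwise points
    # the existing one at $Thumbprint. No change is made if it is already bound to it.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    $existing = Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.CertificateThumbprint -eq $Thumbprint) { return }
        Set-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
            -ValueSet @{ CertificateThumbprint = $Thumbprint } | Out-Null
    } else {
        # Assumption: the certificate was issued to the machine's DNS FQDN, so that is the
        # name clients will validate against. Adjust if the template uses a different name.
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
            -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $Thumbprint } | Out-Null
    }
}

$thumb = Get-TemplateCertThumbprint -TemplatePattern $TemplatePattern
Set-WinRMHttpsListenerCert -Thumbprint $thumb
"WinRM HTTPS listener now uses certificate $thumb"
```

Scheduled shortly after the autoenrollment renewal window, this keeps the listener on the current certificate rather than the one whose thumbprint was pasted in at build time. Matching on the decoded extension text with -like works for both template versions because the v2 "Certificate Template Information" text includes the template name alongside its OID; if the CA's template OID cannot be resolved on the host, only the OID appears and the pattern should be the OID instead.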

Author Closing Comment

by:amendala
ID: 40572393
I created the only correct solution to the question.