?
Solved

How can I obtain the thumbprint of a certificate issued with a specific template on Server 2008 R2 via PowerShell?

Posted on 2015-01-20
4
Medium Priority
?
1,033 Views
Last Modified: 2015-01-27
Greetings folks -

I'd like someone to help me craft a PowerShell script to obtain the thumbprint of a certificate issued with a specific template name on a server running Windows Server 2008 R2.  Either using the certificate name or the EKU string for Server Authentication (1.3.6.1.5.5.7.3.1) would be sufficient.

My problem is that I've figured out how to do this very easily on Server 2012 R2 because Microsoft has added providers into PowerShell.  It's as simple as running:

Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication | Sort-Object -Property NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window


However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

So... what I know is that I have a template named "PKI-Server Authentication".  I know that each of my servers will have ONE certificate issued with this autoenrollment template.

What I'd like to do is find the thumbprint of the certificate that was issued with that template.  As the template's name is part of the cert, I would think this is possible via PowerShell - somehow.

Please advise.  Thank you in advance.
0
Comment
Question by:amendala
  • 3
4 Comments
 
LVL 85

Expert Comment

by:David Johnson, CD, MVP
ID: 40561047
Easiest solution update powershell to version 4
http://www.microsoft.com/en-ca/download/details.aspx?id=40855
0
 

Author Comment

by:amendala
ID: 40561252
Unfortunately, not a correct solution, though I will agree that upgrading to WMF 4.0 is easy - and I've already done that.

Running version 4.0 of the shell does not mean the appropriate providers (and therefore their exposed parameters) are present to provide the necessary functionality.  Two identical versions of WMF, running on different operating systems, can have wildly different capabilities.  This is why I said
However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

Microsoft's documentation substantiates this here:

Get-ChildItem for Certificate

Within, they say the following:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

As my goal as originally stated is to target Server 2008 R2, the absence of these parameters really makes the situation more difficult than it should be.

I am very close to having a solution finished and tested for this that I will share here when done, if someone else don't already have one or posts one sooner.

Thank you for your reply.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 40564725
The following code will do what I asked originally.  It works on Server 2008 R2 or Server 2012 R2, both on WMF 4.0, regardless of provider set.

The initial PowerShell function is responsible for parsing and transforming the X509 certificate to expose the Template property for use in the Get-ChildItem command.

All you need to do is swap the "template name text" for a partial name of a template your PKI is issuing with and the thumbprint of the latest certificate issued by that template will be returned.

If you're curious what this is all for, it can be every useful for configuring WinRM instances to ensure the HTTPS listener is always tied to the newest certificate thumbprint.  So if you configure PKI to issue certs to your servers with a template named "WinRM-Server Authentication", all you would need to do is swap in that template name text and the command will return the thumbprint.  You can then feed that thumbprint into Set-WSManInstance to configure the HTTPS listener.  Otherwise, an expired certificate will result in WinRM secure sessions failing when the certificate expires or is renewed at the half-life (as the thumbprint will change).

Function ReadX509
{
	[CmdletBinding()]
    Param
	(
		[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
		[Security.Cryptography.X509Certificates.X509Certificate2]$cert
	)
    Process
	{
		$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2"}
		if (!$temp)
		{
			$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"}
		}
        $cert | Add-Member -Name Template -MemberType NoteProperty -Value $temp.Format(1) -PassThru
	}
}

Get-ChildItem cert:\localmachine\my | ReadX509 | Sort-Object -Property NotAfter | Where Template -like "*template name text*" | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window

0
 

Author Closing Comment

by:amendala
ID: 40572393
I created the only correct solution to the question.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits …
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

592 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question