Solved

How can I obtain the thumbprint of a certificate issued with a specific template on Server 2008 R2 via PowerShell?

Posted on 2015-01-20
4
818 Views
Last Modified: 2015-01-27
Greetings folks -

I'd like someone to help me craft a PowerShell script to obtain the thumbprint of a certificate issued with a specific template name on a server running Windows Server 2008 R2.  Either using the certificate name or the EKU string for Server Authentication (1.3.6.1.5.5.7.3.1) would be sufficient.

My problem is that I've figured out how to do this very easily on Server 2012 R2 because Microsoft has added providers into PowerShell.  It's as simple as running:

Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication | Sort-Object -Property NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window


However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

So... what I know is that I have a template named "PKI-Server Authentication".  I know that each of my servers will have ONE certificate issued with this autoenrollment template.

What I'd like to do is find the thumbprint of the certificate that was issued with that template.  As the template's name is part of the cert, I would think this is possible via PowerShell - somehow.

Please advise.  Thank you in advance.
0
Comment
Question by:amendala
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40561047
Easiest solution update powershell to version 4
http://www.microsoft.com/en-ca/download/details.aspx?id=40855
0
 

Author Comment

by:amendala
ID: 40561252
Unfortunately, not a correct solution, though I will agree that upgrading to WMF 4.0 is easy - and I've already done that.

Running version 4.0 of the shell does not mean the appropriate providers (and therefore their exposed parameters) are present to provide the necessary functionality.  Two identical versions of WMF, running on different operating systems, can have wildly different capabilities.  This is why I said
However, the -SSLServerAuthentication property and the -EKU property that you could specify the usage string (1.3.6.xxx) on, do not exist on Server 2008 R2.

Microsoft's documentation substantiates this here:

Get-ChildItem for Certificate

Within, they say the following:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

As my goal as originally stated is to target Server 2008 R2, the absence of these parameters really makes the situation more difficult than it should be.

I am very close to having a solution finished and tested for this that I will share here when done, if someone else don't already have one or posts one sooner.

Thank you for your reply.
0
 

Accepted Solution

by:
amendala earned 0 total points
ID: 40564725
The following code will do what I asked originally.  It works on Server 2008 R2 or Server 2012 R2, both on WMF 4.0, regardless of provider set.

The initial PowerShell function is responsible for parsing and transforming the X509 certificate to expose the Template property for use in the Get-ChildItem command.

All you need to do is swap the "template name text" for a partial name of a template your PKI is issuing with and the thumbprint of the latest certificate issued by that template will be returned.

If you're curious what this is all for, it can be every useful for configuring WinRM instances to ensure the HTTPS listener is always tied to the newest certificate thumbprint.  So if you configure PKI to issue certs to your servers with a template named "WinRM-Server Authentication", all you would need to do is swap in that template name text and the command will return the thumbprint.  You can then feed that thumbprint into Set-WSManInstance to configure the HTTPS listener.  Otherwise, an expired certificate will result in WinRM secure sessions failing when the certificate expires or is renewed at the half-life (as the thumbprint will change).

Function ReadX509
{
	[CmdletBinding()]
    Param
	(
		[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
		[Security.Cryptography.X509Certificates.X509Certificate2]$cert
	)
    Process
	{
		$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2"}
		if (!$temp)
		{
			$temp = $cert.Extensions | ?{$_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"}
		}
        $cert | Add-Member -Name Template -MemberType NoteProperty -Value $temp.Format(1) -PassThru
	}
}

Get-ChildItem cert:\localmachine\my | ReadX509 | Sort-Object -Property NotAfter | Where Template -like "*template name text*" | Select-Object -Last 1 -ExpandProperty Thumbprint

Open in new window

0
 

Author Closing Comment

by:amendala
ID: 40572393
I created the only correct solution to the question.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question