PlagueHO / WSManGPOTools

PowerShell scripts for installing HTTPS WSMan listeners using GPO.

Language and legacy support #1

Open Mrkuff opened 5 years ago

Mrkuff commented 5 years ago

Hi, thanks again for this great script! I really appreciate the work. But since I'm French, I had to modify it a little.

Since it looks for ($_.Extensions.EnhancedKeyUsages.FriendlyName -contains 'Server Authentication'), of course our French servers (yeah, don't ask me why we have those!!) had the .FriendlyName set to 'Authentification du serveur'!! So we changed it to use the Value instead of the FriendlyName:

($_.Extensions.EnhancedKeyUsages.Value -match '1.3.6.1.5.5.7.3.1')

I guess these never change!

Another change we had to do was to make it work on servers with PowerShell 2.0 (those 2008R2 boxes with dark purposes!). I've asked for a PS update but... well...

So I had to change all the "-in" operators to "-contains" as well.

Ex: ($DNSNameType -in 'Both','FQDN') to ('Both','FQDN' -contains $DNSNameType)

or ($HostName -in $_.DNSNameList.Unicode) to ($_.DNSNameList.Unicode -contains $HostName)

Thanks again, I would never have used a script like this without your initial sharing.

PlagueHO commented 5 years ago

Hi @Mrkuff - thank you! I'm glad it is useful!

I'm definitely keen to incorporate your changes. I'm happy to accept a Pull Request or I can make them and republish the script. Either is good!

Thank you again for your feedback! FWIW, there are still a few 2008R2 servers floating around with me too - so I understand the need to keep them running ;)

Mrkuff commented 5 years ago

Hello there! I've done the pull request and changed the script, but I'm not sure if I had to do something else to "publish" it on your side...

I've got one question about the script. When the certificate expires, will it auto-renew the listener? I mean, at the start of the script, we check if there's an active listener. When the certificate expires, will the listener return false on the "Get-WSManInstance" check and then re-initiate with the new certificate thumbprint?

Thanks again for your help

Mrkuff commented 5 years ago

Hello! I think I've found a way. Since auto-enrollment is configured to delete the old certificate, I'm checking if the thumbprint of the current listener is still on the machine. If not, delete the listener and "throw" a terminating error:

try
{
    # If the listener doesn't exist, Get-WSManInstance throws and we continue in the catch block
    $CertificateThumbprint = (Get-WSManInstance `
        -ResourceURI winrm/config/Listener `
        -SelectorSet @{Address='*';Transport='HTTPS'} `
        -ErrorAction Stop).CertificateThumbprint

    $Message = 'An HTTPS WinRM Listener already exists for this computer. Checking if Thumbprint is good'
    Write-Verbose -Message $Message

    # The listener exists; check whether its certificate is still in the machine store
    $cert = Get-ChildItem -Path cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint }

    # -notcontains also works when only one certificate is returned (then $cert is a single
    # string, and .Contains() would do a substring match instead of an exact one)
    if ($cert -notcontains $CertificateThumbprint)
    {
        $Message = 'Thumbprint is NOT good'
        Write-Verbose -Message $Message
        winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
        throw $Message
    }
}
catch
{
    # No usable HTTPS listener; the script continues from here and creates one
    Write-Verbose -Message "No usable HTTPS WinRM Listener found: $_"
}

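As an added example that is not part of the comment above or of WSManGPOTools, here is how that listener check could be turned into a complete function that also re-creates the listener on the replacement certificate. It treats an expired certificate that is still in the store the same as a deleted one, and uses Remove-WSManInstance/New-WSManInstance instead of winrm.exe. The function name and the -NewThumbprint parameter are assumptions; the real script would feed in the thumbprint from its own certificate search.

```powershell
# Added example, not code from WSManGPOTools. Checks whether the existing HTTPS
# WinRM listener still points at a certificate that is present and valid in the
# machine store; if not, removes the listener and recreates it on the thumbprint
# passed in. -NewThumbprint is assumed to come from the script's own certificate
# search; the function name is an assumption.
function Update-WSManHttpsListener
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param
    (
        [Parameter(Mandatory = $true)] [String] $HostName,
        [Parameter(Mandatory = $true)] [String] $NewThumbprint
    )

    $resource = 'winrm/config/Listener'
    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    $now      = Get-Date

    # Get-WSManInstance throws when there is no HTTPS listener; treat that as
    # "nothing configured" rather than letting the error escape.
    $currentThumbprint = $null
    try
    {
        $listener = Get-WSManInstance -ResourceURI $resource -SelectorSet $selector -ErrorAction Stop
        $currentThumbprint = $listener.CertificateThumbprint
    }
    catch
    {
        Write-Verbose -Message 'No HTTPS WinRM listener is configured.'
    }

    if ($currentThumbprint)
    {
        # Look the bound thumbprint up in the store and check the validity dates as
        # well as presence: autoenrollment may delete the old certificate, but a
        # listener bound to an expired one still in the store is just as broken.
        $boundCert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $currentThumbprint }

        if ($boundCert -and ($boundCert.NotAfter -ge $now) -and ($boundCert.NotBefore -le $now))
        {
            Write-Verbose -Message "HTTPS listener is bound to valid certificate $currentThumbprint."
            return 'Unchanged'
        }

        if ($PSCmdlet.ShouldProcess("HTTPS listener ($currentThumbprint)", 'Remove'))
        {
            Write-Verbose -Message "Certificate $currentThumbprint is missing or expired; removing listener."
            Remove-WSManInstance -ResourceURI $resource -SelectorSet $selector
        }
    }

    $action = if ($currentThumbprint) { 'Recreated' } else { 'Created' }
    if ($PSCmdlet.ShouldProcess("HTTPS listener ($NewThumbprint)", 'Create'))
    {
        New-WSManInstance -ResourceURI $resource -SelectorSet $selector -ValueSet @{
            Hostname              = $HostName
            CertificateThumbprint = $NewThumbprint
        } | Out-Null
        return $action
    }
}

# Usage (the thumbprint would normally come from the script's certificate search):
# Update-WSManHttpsListener -HostName $HostName -NewThumbprint $Thumbprint -Verbose
```

Because the function supports -WhatIf, it can be dry-run from a GPO test OU before the listener is actually replaced; the returned string ('Unchanged', 'Recreated' or 'Created') is there so a wrapper can log what happened on each computer.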
PlagueHO commented 5 years ago

Hi @Mrkuff - sorry for not getting back to you sooner! I've been distracted by other projects (the DSC Resource Kit mainly). I'll take a look over this over the weekend when I have some spare time! Thank you again for putting all this time in.

Mrkuff commented 2 years ago

Hey hello! It's me again! 3 years later! I've changed the script again, because in your version you always take the first certificate that meets the prerequisites, with Select-Object -First 1. For example:

$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions.EnhancedKeyUsages.Value -match '1.3.6.1.5.5.7.3.1') -and
        ($_.IssuerName.Name -eq $Issuer) -and
        ($_.Subject -eq "CN=$HostName")
    } | Select-Object -First 1
).Thumbprint

I've changed it to check for the name of the template instead! Here, I've created a "WinRM" template and I'm referring to it like this:

$templateName = "WinRM"
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions.EnhancedKeyUsages.Value -match '1.3.6.1.5.5.7.3.1') -and
        ($_.IssuerName.Name -eq $Issuer) -and
        ($_.Subject -eq "CN=$HostName") -and
        ($_.Extensions | Where-Object {
            ($_.Oid.FriendlyName -eq 'Certificate Template Information') -and
            ($_.Format(0) -match $templateName)
        })
    }).Thumbprint

But here again I'm getting the same language problem as last time, by looking for the "Certificate Template Information" friendly name of the extension. (My kind of problem.) So... I've put the French name in as well, in an -or comparison:

$templateName = "WinRM"
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions.EnhancedKeyUsages.Value -match '1.3.6.1.5.5.7.3.1') -and
        ($_.IssuerName.Name -eq $Issuer) -and
        ($_.Subject -eq "CN=$HostName") -and
        ($_.Extensions | Where-Object {
            (($_.Oid.FriendlyName -eq 'Certificate Template Information') -or
             ($_.Oid.FriendlyName -eq 'Informations du modèle de certificat')) -and
            ($_.Format(0) -match $templateName)
        })
    }).Thumbprint

I guess this may be useful for someone somewhere..

Thx again!

Mrkuff commented 2 years ago

That is because I want to control which certificate template I'm using, and not take any cert with 'Server auth' from this $Issuer and with Subject -eq "CN=$HostName". Why check all the parameters then, instead of just looking at the "template name", since the template must have all the prerequisites, right? Well, nope. I can't trust that the next template is going to be configured correctly...

Mrkuff commented 2 months ago

Greetings!! It's been 2 more years!! Hehe, and I'm revisiting the script again.

Things I've added:

[String] $templateName = "WinRM"
$Now = Get-Date    # current time, used for the validity check
# $Issuer and $HostName are set earlier in the script

$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions.EnhancedKeyUsages.Value -match '1.3.6.1.5.5.7.3.1') -and    # 1.3.6.1.5.5.7.3.1 is the OID for 'Server Authentication'
        ($_.IssuerName.Name -eq $Issuer) -and
        ($_.DNSNameList.Unicode -contains $HostName) -and
        ($_.NotAfter -ge $Now) -and    # check that the cert is still valid
        ($_.Subject -eq "CN=$HostName") -and
        # OID 1.3.6.1.4.1.311.21.7 = Certificate Template Information
        ($_.Extensions | Where-Object {
            ($_.Oid.Value -eq '1.3.6.1.4.1.311.21.7') -and
            ($_.Format(0) -match $templateName)
        })
    } | Select-Object -First 1
).Thumbprint
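As an added example, not code from the project or from any of the comments above, the following combines the two locale fixes from this thread (matching the Server Authentication EKU by OID rather than FriendlyName, from the first comment, and matching the certificate template through the 1.3.6.1.4.1.311.21.7 extension, from the last two) into one selection function. It also accepts the v1 template extension 1.3.6.1.4.1.311.20.2, escapes the template name before using it as a regex, requires a private key and a valid date range, and prefers the certificate that expires last rather than whichever Get-ChildItem returns first, so a freshly auto-enrolled renewal wins over the one about to expire. The function names, parameter names and the -StorePath default are assumptions.

```powershell
# Added example, not code from WSManGPOTools. Selects the listener certificate by
# OID so it behaves the same on English and French Windows, and prefers the
# certificate that expires last. Function and parameter names are assumptions.

function Test-ServerAuthEku
{
    param ([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)

    foreach ($ext in $Certificate.Extensions)
    {
        if ($ext.Oid.Value -ne '2.5.29.37') { continue }          # id-ce-extKeyUsage
        foreach ($usage in $ext.EnhancedKeyUsages)
        {
            # Compare the OID value, never the localized FriendlyName
            if ($usage.Value -eq '1.3.6.1.5.5.7.3.1') { return $true }   # id-kp-serverAuth
        }
    }
    return $false
}

function Test-CertificateTemplate
{
    param
    (
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [String] $TemplateName
    )

    # Escape so a template called e.g. "WinRM (v2)" is not treated as a regex
    $pattern = [regex]::Escape($TemplateName)
    foreach ($ext in $Certificate.Extensions)
    {
        # 1.3.6.1.4.1.311.21.7 is the v2 template extension; its Format() output
        # contains "Template=<name>(<template OID>)". 1.3.6.1.4.1.311.20.2 is the
        # v1 extension and formats as the bare template name.
        if (@('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') -contains $ext.Oid.Value)
        {
            if ($ext.Format($false) -match $pattern) { return $true }
        }
    }
    return $false
}

function Find-WSManListenerCertificate
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)] [String] $HostName,
        [Parameter(Mandatory = $true)] [String] $Issuer,
        [Parameter(Mandatory = $true)] [String] $TemplateName,
        [String] $StorePath = 'Cert:\LocalMachine\My'     # assumed default
    )

    $now = Get-Date

    $candidates = Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |                       # the listener must be able to use the key
        Where-Object { $_.IssuerName.Name -eq $Issuer } |
        Where-Object { ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now) } |
        Where-Object { Test-ServerAuthEku -Certificate $_ } |
        Where-Object { Test-CertificateTemplate -Certificate $_ -TemplateName $TemplateName } |
        Where-Object {
            # DnsNameList is added by PowerShell 3.0+; on 2.0 it is $null and the subject CN decides
            ($_.Subject -eq "CN=$HostName") -or ($_.DnsNameList.Unicode -contains $HostName)
        }

    # Latest expiry first, so an auto-enrolled replacement is preferred over the old certificate
    $best = $candidates | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if ($null -eq $best)
    {
        throw "No valid '$TemplateName' server-authentication certificate for $HostName issued by $Issuer was found in $StorePath."
    }
    return $best.Thumbprint
}

# Usage, with the same inputs the snippets in this thread use:
# $Thumbprint = Find-WSManListenerCertificate -HostName $HostName -Issuer $Issuer -TemplateName 'WinRM'
```

One caveat on the template match: Format() resolves the template OID inside 1.3.6.1.4.1.311.21.7 to its display name through the local OID database, so on a machine that cannot resolve it only the OID appears in the output. Matching on the template's own OID (the 1.3.6.1.4.1.311.21.8.* value shown in the template's properties on the CA) instead of its name would be more robust still, at the cost of one more value to keep in the script.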