Skip to content

Instantly share code, notes, and snippets.

@ergoz

ergoz/Import-PfxCertificate.ps1

Forked from smaglio81/New-LetsEncryptCertificateInIisCentralCertificateStore.ps1
Last active October 29, 2024 01:15
Show Gist options
  • Save ergoz/2d8f2e8b14281bbf04ed6d182b285ad6 to your computer and use it in GitHub Desktop.
Save ergoz/2d8f2e8b14281bbf04ed6d182b285ad6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Import-PfxCertificate.ps1
<#
.SYNOPSIS
Imports a .pfx certificate onto a server
http://www.orcsweb.com/blog/james/powershell-ing-on-windows-server-how-to-import-certificates-using-powershell/
Use the given certificate information to load up and import a pfx certificate. This
should be execute on the server that the certificate is going to be imported into.
.PARAMETER CertPath
The physical to a certificate file
.PARAMETER CertRootStore
[Default CurrentUser]
The root certificate store to save th certificate in. The possible options are 'CurrentUser' or 'LocalMachine'.
.PARAMETER CertStore
[Default My]
The certificate store to save the certificate in. There are alot of options. Generally this is either
'My' or 'Root'.
.PARAMETER PfxPass
[Defualt $null]
The password needed to use a given certificate (.pfx).
.EXAMPLE
#>
Function Import-PfxCertificate {
Param(
[Parameter(Mandatory = $true)]
[String]$CertPath,
[ValidateSet("CurrentUser","LocalMachine")]
[String]$CertRootStore = "LocalMachine",
[String]$CertStore = "My",
$PfxPass = $null
)
Process {
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
if ($pfxPass -eq $null) {$pfxPass = read-host "Enter the pfx password" -assecurestring}
$pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
$serverName = [System.Net.Dns]::GetHostName();
Write-Warning ("Adding certificate " + $pfx.FriendlyName + " to $CertRootStore/$CertStore on $serverName. Thumbprint = " + $pfx.Thumbprint)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
Write-Host ("Added certificate " + $pfx.FriendlyName + " to $CertRootStore/$CertStore on $serverName. Thumbprint = " + $pfx.Thumbprint)
}
}
Raw
ImportADFS.ps1
<#
.SYNOPSIS
Imports a cert from WACS renewal into Active Directory Federation Services
.DESCRIPTION
Note that this script is intended to be run via the install script plugin from win-acme via the batch script wrapper. As such, we use positional parameters to avoid issues with using a dash in the cmd line.
Note that this script only works on the primary ADFS farm server; you need to make sure to copy the certificates over yourself.
Proper information should be available here
https://github.com/PKISharp/win-acme/wiki/Install-Script
or more generally, here
https://github.com/PKISharp/win-acme/wiki/Example-Scripts
.PARAMETER NewCertThumbprint
The exact thumbprint of the cert to be imported. The script will copy this cert to the Personal store if not already there.
.EXAMPLE
ImportADFS.ps1 <certThumbprint>
./wacs.exe --target manual --host hostname.example.com,adfs.example.com,sts.example.com --installation iis,script --installationsiteid 1 --script ".\Scripts\ImportADFS.ps1" --scriptparameters "'{CertThumbprint}'" --certificatestore My
.NOTES
#>
param(
[Parameter(Position=0,Mandatory=$true)]
[string]$NewCertThumbprint
)
$CertInStore = Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {$_.thumbprint -eq $NewCertThumbprint} | Sort-Object -Descending | Select-Object -f 1
if($CertInStore){
try{
# Cert must exist in the personal store of machine to bind to ADFS
if($CertInStore.PSPath -notlike "*LocalMachine\My\*"){
$SourceStoreScope = 'LocalMachine'
$SourceStorename = $CertInStore.PSParentPath.split("\")[-1]
$SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $SourceStore.Certificates | Where-Object {$_.thumbprint -eq $CertInStore.Thumbprint}
$DestStoreScope = 'LocalMachine'
$DestStoreName = 'My'
$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)
$SourceStore.Close()
$DestStore.Close()
$CertInStore = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse | Where-Object {$_.thumbprint -eq $NewCertThumbprint} | Sort-Object -Descending | Select-Object -f 1
}
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $CertInStore.Thumbprint -ErrorAction Stop
Set-AdfsSslCertificate -Thumbprint $CertInStore.Thumbprint -ErrorAction Stop
Restart-Service adfssrv -Force -ErrorAction Stop
"Cert thumbprint set to ADFS and service restarted"
}catch{
"Cert thumbprint was not set successfully"
"Error: $($Error[0])"
}
}else{
"Cert thumbprint not found in the cert store... which is strange because it should be there."
}
Raw
ImportExchange.ps1
<#
.SYNOPSIS
Imports a cert from WASC renewal into Exchange services.
.DESCRIPTION
Note that this script is intended to be run via the install script plugin from WASC via the batch script wrapper. As such, we use positional parameters to avoid issues with using a dash in the cmd line.
THIS SCRIPT IS INCOMPLETE AND *mostly* UNTESTED (some modifications have come in from people using it successfully)
Documentation referenced from https://technet.microsoft.com/en-us/library/aa997231(v=exchg.160).aspx
Proper information should be available here
https://github.com/PKISharp/win-acme/wiki/Install-Script
or more generally, here
https://github.com/PKISharp/win-acme/wiki/Example-Scripts
.PARAMETER NewCertThumbprint
The exact thumbprint of the cert to be imported. The script will copy this cert to the Personal store if not already there.
.PARAMETER ExchangeServices
a comma-separated string (no spaces) of all exchange services to import the cert into. Full list of possibilities can be found here:
https://technet.microsoft.com/en-us/library/aa997231(v=exchg.160).aspx
.PARAMETER LeaveOldExchangeCerts
A bool (as an int, since bools are difficult to pass through as parameters) to determine if old exchange certs with the same CN should be deleted.
1 - Leaves old Exchange certs
0 - Deletes old Exchange certs
.PARAMETER RenewalId
(Central Certificate Store) Id of the WASC renewal, used to determine the file name in the CertificatePath.
.PARAMETER CertificatePath
(Central Certificate Store) Path to the WACS certificate directory. The certificate that is imported will be "$(RenewalId)-all.pfx" from this directory.
.PARAMETER PfxPassword
(Central Certificate Store) Password of the .pfx file.
.PARAMETER FriendlyName
(Central Certificate Store) Friendly name to use when importing the .pfx file.
.PARAMETER DebugOn
Include this switch parameter to write debug outputs for troubleshooting
.EXAMPLE
ImportExchange.ps1 <certThumbprint> IIS,SMTP,IMAP
If not using central certificate store, the script can be executed as either
.EXAMPLE
ImportExchange.ps1 <certThumbprint> IIS,SMTP,IMAP 0
to remove old certs
.EXAMPLE
ImportExchange.ps1 <certThumbprint> IIS,SMTP,IMAP 1 <renewalId> <certificatePath> <pfxPassword> <friendlyName>
If using central certificate store, WASC will place the certificate in that path named after the id
.NOTES
#>
param(
[Parameter(Position=0,Mandatory=$true)]
[string]
$NewCertThumbprint,
[Parameter(Position=1,Mandatory=$true)]
[string]
$ExchangeServices,
[Parameter(Position=2,Mandatory=$false)]
[int]
$LeaveOldExchangeCerts = 1,
[Parameter(Position=4,Mandatory=$false)]
[string]
$CacheFile,
[Parameter(Position=5,Mandatory=$false)]
[string]
$PfxPassword,
[Parameter(Position=6,Mandatory=$false)]
[string]
$FriendlyName,
[switch]$DebugOn
)
if($DebugOn){
$DebugPreference = "Continue"
}
If($OSVersion -eq "Windows Server 2008 R2 Standard" -and $PSVersionTable.PSVersion.Major -lt 5)
{
Write-Error "Please upgrade Powershell version. See this URL for details: https://github.com/PKISharp/win-acme/issues/1104"
exit
}
# Print debugging info to make sure the parameters arrived
Write-Host "NewCertThumbprint: $NewCertThumbprint"
Write-Host "ExchangeServices: $ExchangeServices"
Write-Host "LeaveOldExchangeCerts: $LeaveOldExchangeCerts"
Write-Host "RenewalId: $RenewalId"
Write-Host "CacheFile: $CacheFile"
Write-Host "FriendlyName: $FriendlyName"
# Load Powershell snapin
# Should work with Exchange 2007 and higher
# https://hkeylocalmachine.com/?p=180
Write-Host "Searching for Exchange snapin..."
Get-PSSnapin -Registered `
| Where-Object {
$_.Name -match "Microsoft.Exchange.Management.PowerShell" `
-and (
$_.Name -match "Admin" -or
$_.Name -match "E2010" -or
$_.Name -match "SnapIn"
)
} `
| Add-PSSnapin -ErrorAction SilentlyContinue -PassThru `
| Write-Host
# Test if the Cmdlet is there now
$Command = Get-Command "Enable-ExchangeCertificate" -errorAction SilentlyContinue
if ($Command -eq $null)
{
Write-Error "Exchange Management Tools for Powershell not installed"
return
}
# Following lines might be needed for SBS2011/Exchange 2010
# ."C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1"
# Connect-ExchangeServer -auto
Write-Host "Checking if certificate can be found in the right store..."
$Certificate = `
Get-ChildItem -Path Cert:\LocalMachine -Recurse `
| Where-Object {$_.thumbprint -eq $NewCertThumbprint} `
| Sort-Object -Descending `
| Select-Object -f 1
try
{
# Load certificate from file if its not found or not in the right store
if ($Certificate -eq $null -or `
$Certificate.PSPath -notlike "*LocalMachine\My\*")
{
Write-Host "Certificate not found where its supposed to be, try to load from file"
$Password = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
$importExchangeCertificateParameters = @{
FileData = ([System.IO.File]::ReadAllBytes("$CacheFile"))
FriendlyName = $FriendlyName
PrivateKeyExportable = $True
Password = $Password
}
try
{
Import-ExchangeCertificate @importExchangeCertificateParameters -ErrorAction Stop | Out-Null
Write-Host "Certificate imported for use in Exchange"
}
catch
{
Write-Error "Error in Import-ExchangeCertificate"
throw
}
}
# Attempt to get cert again directly from Personal Store
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My\ -Recurse `
| Where-Object {$_.thumbprint -eq $NewCertThumbprint} `
| Select-Object -f 1
# Make sure variable is defined
Get-ChildItem $Certificate.PSPath -ErrorAction Stop | Out-Null
# This command actually updates Exchange
try
{
Write-Host "Updating Exchange services..."
Enable-ExchangeCertificate -Services $ExchangeServices -Thumbprint $Certificate.Thumbprint -Force -ErrorAction Stop
Write-Host "Certificate set for the following services: $ExchangeServices"
}
catch
{
Write-Error "Error in Enable-ExchangeCertificate"
throw
}
if ($LeaveOldExchangeCerts -ne 1)
{
Write-Host "Old Exchange certificates being cleaned up"
try
{
Get-ExchangeCertificate -DomainName $Certificate.Subject.split("=")[1] `
| Where-Object -FilterScript {
$_.Thumbprint -ne $NewCertThumbprint
} `
| Remove-ExchangeCertificate -Confirm:$false
}
catch
{
Write-Error "Error cleaning up old certificates Get-ExchangeCertificate/Remove-ExchangeCertificate"
}
}
}
catch
{
Write-Error "Script hasn't completed."
}
Raw
ImportExchange.v2.ps1
<#
.SYNOPSIS
Imports a cert from WASC renewal into Exchange services.
.DESCRIPTION
Note that this script is intended to be run via the install script plugin from WASC via the batch script wrapper. As such, we use positional parameters to avoid issues with using a dash in the cmd line.
THIS SCRIPT IS INCOMPLETE AND *mostly* UNTESTED (some modifications have come in from people using it successfully)
Documentation referenced from https://technet.microsoft.com/en-us/library/aa997231(v=exchg.160).aspx
Proper information should be available here
https://github.com/PKISharp/win-acme/wiki/Install-Script
or more generally, here
https://github.com/PKISharp/win-acme/wiki/Example-Scripts
.PARAMETER NewCertThumbprint
The exact thumbprint of the cert to be imported. The script will copy this cert to the Personal store if not already there.
.PARAMETER ExchangeServices
a comma-separated string (no spaces) of all exchange services to import the cert into. Full list of possibilities can be found here:
https://technet.microsoft.com/en-us/library/aa997231(v=exchg.160).aspx
.PARAMETER LeaveOldExchangeCerts
A bool (as an int, since bools are difficult to pass through as parameters) to determine if old exchange certs with the same CN should be deleted.
1 - Leaves old Exchange certs
0 - Deletes old Exchange certs
.PARAMETER RenewalId
(Central Certificate Store) Id of the WASC renewal, used to determine the file name in the CertificatePath.
.PARAMETER CertificatePath
(Central Certificate Store) Path to the WACS certificate directory. The certificate that is imported will be "$(RenewalId)-all.pfx" from this directory.
.PARAMETER PfxPassword
(Central Certificate Store) Password of the .pfx file.
.PARAMETER FriendlyName
(Central Certificate Store) Friendly name to use when importing the .pfx file.
.PARAMETER DebugOn
Include this switch parameter to write debug outputs for troubleshooting
.EXAMPLE
ImportExchange.ps1 <certThumbprint> IIS,SMTP,IMAP
If not using central certificate store, the script can be executed as either
.EXAMPLE
ImportExchange.ps1 <certThumbprint> IIS,SMTP,IMAP 0
to remove old certs
.EXAMPLE
ImportExchange.ps1 <certThumbprint> IIS,SMTP,IMAP 1 <renewalId> <certificatePath> <pfxPassword> <friendlyName>
If using central certificate store, WASC will place the certificate in that path named after the id
.NOTES
#>
param(
[Parameter(Position=0,Mandatory=$true)]
[string]
$NewCertThumbprint,
[Parameter(Position=1,Mandatory=$true)]
[string]
$ExchangeServices,
[Parameter(Position=2,Mandatory=$false)]
[int]
$LeaveOldExchangeCerts = 1,
[Parameter(Position=4,Mandatory=$false)]
[string]
$CacheFile,
[Parameter(Position=5,Mandatory=$false)]
[string]
$PfxPassword,
[Parameter(Position=6,Mandatory=$false)]
[string]
$FriendlyName,
[switch]$DebugOn
)
if($DebugOn){
$DebugPreference = "Continue"
}
If($OSVersion -eq "Windows Server 2008 R2 Standard" -and $PSVersionTable.PSVersion.Major -lt 5)
{
Write-Error "Please upgrade Powershell version. See this URL for details: https://github.com/PKISharp/win-acme/issues/1104"
exit
}
# Print debugging info to make sure the parameters arrived
Write-Host "NewCertThumbprint: $NewCertThumbprint"
Write-Host "ExchangeServices: $ExchangeServices"
Write-Host "LeaveOldExchangeCerts: $LeaveOldExchangeCerts"
Write-Host "RenewalId: $RenewalId"
Write-Host "CacheFile: $CacheFile"
Write-Host "FriendlyName: $FriendlyName"
# Load Exchange Management shell
# https://github.com/win-acme/win-acme/issues/1372
$ServerFQDN = ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname
$ConnectionUri = "http://$ServerFQDN/PowerShell/"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri
Import-PSSession $Session
# Test if the Cmdlet is there now
$Command = Get-Command "Enable-ExchangeCertificate" -errorAction SilentlyContinue
if ($Command -eq $null)
{
Write-Error "Exchange Management Tools for Powershell not installed"
return
}
try
{
# Load certificate
Write-Host "Checking if certificate can be found in the right store..."
$Certificate = `
Get-ChildItem -Path Cert:\LocalMachine -Recurse `
| Where-Object {$_.thumbprint -eq $NewCertThumbprint} `
| Sort-Object -Descending `
| Select-Object -f 1
# Make sure variable is defined
Get-ChildItem $Certificate.PSPath -ErrorAction Stop | Out-Null
# This command actually updates Exchange
try
{
Write-Host "Updating Exchange services..."
Enable-ExchangeCertificate -Services $ExchangeServices -Thumbprint $Certificate.Thumbprint -Force -ErrorAction Stop
Write-Host "Certificate set for the following services: $ExchangeServices"
}
catch
{
Write-Error "Error in Enable-ExchangeCertificate"
throw
}
if ($LeaveOldExchangeCerts -ne 1)
{
Write-Host "Old Exchange certificates being cleaned up"
try
{
Get-ExchangeCertificate -DomainName $Certificate.Subject.split("=")[1] `
| Where-Object -FilterScript {
$_.Thumbprint -ne $NewCertThumbprint
} `
| Remove-ExchangeCertificate -Confirm:$false
}
catch
{
Write-Error "Error cleaning up old certificates Get-ExchangeCertificate/Remove-ExchangeCertificate"
}
}
}
catch
{
Write-Error "Script hasn't completed."
}
Raw
ImportWindowsAdminCenter.ps1
<#
.SYNOPSIS
Imports a cert from WACS renewal into Windows Admin Center.
.DESCRIPTION
Note that this script is intended to be run via the install script plugin from win-acme via the
batch script wrapper. As such, we use positional parameters to avoid issues with using a dash in the
cmd line.
Proper information should be available here
https://github.com/PKISharp/win-acme/wiki/Install-Script
or more generally, here
https://github.com/PKISharp/win-acme/wiki/Example-Scripts
.PARAMETER NewCertThumbprint
The exact thumbprint of the cert to be imported. The script will copy this cert to the Personal
store if not already there.
.EXAMPLE
ImportWindowsAdminCenter.ps1 <certThumbprint>
.NOTES
#>
param(
[Parameter(Position=0,Mandatory=$true)]
[string]$NewCertThumbprint
)
$CertInStore = Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {$_.Thumbprint -eq $NewCertThumbprint} | Sort-Object -Descending | Select-Object -First 1
if($CertInStore){
try{
# Cert must exist in the personal store of machine
if($CertInStore.PSPath -notlike "*LocalMachine\My\*"){
$SourceStoreScope = 'LocalMachine'
$SourceStorename = $CertInStore.PSParentPath.split("\")[-1]
$SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
$SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $SourceStore.Certificates | Where-Object {$_.thumbprint -eq $CertInStore.Thumbprint}
$DestStoreScope = 'LocalMachine'
$DestStoreName = 'My'
$DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$DestStore.Add($cert)
$SourceStore.Close()
$DestStore.Close()
$CertInStore = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse | Where-Object {$_.thumbprint -eq $NewCertThumbprint} | Sort-Object -Descending | Select-Object -f 1
}
# Get the Object GUID for use with msiexec
$installedWmiObject=Get-WmiObject Win32_Product | Where-Object Name -eq "Windows Admin Center"
$productCodeGUID=$installedWmiObject.IdentifyingNumber
$msiParams = @{
"FilePath" = "$Env:SystemRoot\system32\msiexec.exe"
"ArgumentList" = @(
"/i"
"$($productCodeGUID)"
"/qn"
"SME_THUMBPRINT=$($CertInStore.Thumbprint)"
"SSL_CERTIFICATE_OPTION=installed"
)
"Verb" = "runas"
"PassThru" = $true
}
# Run as a process and wait for exit
$msiProcess = Start-Process @msiParams
$msiProcess.WaitForExit()
Restart-Service ServerManagementGateway -Force -ErrorAction Stop
"Windows Admin Center was been reconfigured with the new certificate, and the service was restarted."
}catch{
"Cert thumbprint was not set successfully"
"Error: $($Error[0])"
}
}else{
"Cert thumbprint not found in the cert store... which is strange because it should be there."
}
Raw
New-LetsEncryptCertificateInIisCentralCertificateStore.ps1
<#######################
A simple starter for Lets Encrypt using Powershell and IIS Central Certificates Store
Assumptions:
* You have Password Safe Software with an API that is accessible from a Powershell module
* You have IIS already configured with the Central Certificate Store
* You use GoDaddy for DNS
########################>
# 1. Install Posh-ACME (https://github.com/rmbolger/Posh-ACME)
Install-Module Posh-ACME
#Import-Module Posh-ACME
# These are some useful commands to get started with Posh-ACME
# get-command -module Posh-ACME
# get-command -module Posh-ACME *cert*
# 2. Setup your hostname. This host should be registered with GoDaddy.
$hostname = "somesite.yourdomain.com"
# 3. Create an account with ACME.
$accountId = New-PAAccount -Contact [email protected] -KeyLength 4096 -AcceptTOS
Set-PAAccount -ID $accountId # You should store your accountId in a password safe
# 4. Import your Password Safe module
Import-Module SecretServer
# 5. Get GoDaddy API Keys
$goDaddySecret = Get-SecretServerSecret -Filter "Posh-ACME"
$pArgs = @{
GDKey = $goDaddySecret.Username
GDSecret = $goDaddySecret.Password
}
# 6. Create a new Let's Encrypt Certificate with ownership verification using GoDaddy DNS
New-PACertificate -Domain $hostname -AcceptTOS -DnsPlugin GoDaddy -PluginArgs $pArgs
# 7. Retrieve the certificate
$cert = Get-PACertificate -MainDomain $hostname
# 8. Import the certificate into the local machines Certificate Manager
# Import-PfxCertification: https://gist.github.com/smaglio81/19146391f7f94e2449e16d3318be1ef7
Import-Module CertificatesModule
Import-PfxCertificate -CertPath $cert.PfxFullChain -PfxPass $cert.PfxPass
# 9. Pull the certificate password used in the Central Certificate Store from the Password Safe
$sharedSslSecret = Get-SecretServerSecret -Filter "Shared SSL PFX"
$securedSslPassword = ConvertTo-SecureString -String $sharedSslSecret.Password -AsPlainText -Force
# 10. Export the certificate to the Central Certificate Store's shared directory
$sharedPfxFilePath = "D:\AllContent\SharedSSL\Local\$hostname.pfx"
$certPath = "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -ChainOption BuildChain -FilePath $sharedPfxFilePath -Password $securedSslPassword -Force
<# IIS ERROR - BAD DATA
If the Central Certificate Store in IIS is unable to read certificates generated by Let's Encrypt the
problem is most likely that the account which it runs under doesn't have access
to the Let's Encrypt Authority X3 certificate in the mmc.exe's Certificate Registry. (this is middle
certificate in the chain)
Full Description: https://github.com/ridercz/AutoACME/issues/14 (look for Steven Maglio's response)
You will need to open up mmc.exe as the user account that the Central Certificate Store run unders
and import any Let's Encrypt generated certificate into the CurrentUser\My store. This will import
the missing certificate and things should then work.
#>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment