A PowerShell script for enabling client certificate negotiation on Windows Server 2008 and 2012 while not presenting a trusted issuers list
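<#
.SYNOPSIS
    Enables client certificate negotiation on an HTTP.sys SSL binding and stops
    Schannel from sending the trusted issuers list during the TLS handshake.
.DESCRIPTION
    Reads the existing `netsh http show sslcert` binding for the given ip:port.
    If "Negotiate Client Certificate" is not already Enabled, the binding is
    deleted and re-added with clientcertnegotiation=Enable, reusing the
    certificate hash, application ID and store name the binding already has.
    Then HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
    SendTrustedIssuerList is set to 0 so the server does not disclose its list
    of acceptable client CAs in the handshake. A restart is required for the
    Schannel change to take full effect.
.PARAMETER ipPort
    ip:port of the existing SSL binding to update (default 0.0.0.0:443).
.NOTES
    Requires administrator rights; the script relaunches itself elevated if it
    is not already running as Administrator.
#>
param (
    [string]$ipPort = "0.0.0.0:443"
)

# Make sure we are running as Admin. When relaunching elevated, forward the
# -ipPort argument; otherwise the elevated instance silently falls back to the
# default binding instead of the one the operator asked for.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $escapedIpPort = $ipPort.Replace("'", "''")
    $arguments = "& '" + $myinvocation.mycommand.definition + "' -ipPort '" + $escapedIpPort + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    # 'exit' rather than 'break': break outside a loop is not a defined way to
    # end a script, and we want the non-elevated instance to stop here.
    exit
}

$netShow = netsh http show sslcert "ipport=$ipPort" | Out-String
# Keep a copy of the binding as it was before any change, for troubleshooting.
# Written to the current working directory.
$netShow | Out-File "netshow.txt"

# Check if negotiation is already enabled
$negotiation = $netShow | Select-String 'Negotiate Client Certificate\s*: (Enabled)'
if ($negotiation) {
    Write-Host "Client Certificate Negotiation enabled"
    Write-Host $netShow
}
else {
    # Enable negotiation if it's not already
    Write-Host "Enabling Client Certificate Negotiation"

    # Certificate thumbprint as printed by netsh (hexadecimal, case varies).
    $sslCert = $netShow | Select-String 'Certificate Hash\s*: ([0-9a-fA-F]+)'
    if (-not $sslCert) {
        # Without a hash there is no binding to rebuild; do not run the delete.
        Write-Error "No SSL certificate binding found for ipport=$ipPort; nothing to update."
        exit 1
    }
    $certHash = $sslCert.Matches[0].Groups[1].Value.Trim()

    # Reuse the application ID already attached to the binding so we do not
    # re-register it under an unrelated GUID; fall back to the GUID the
    # original version of this script always used.
    $appId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
    $appIdMatch = $netShow | Select-String 'Application ID\s*: (\{[0-9a-fA-F-]+\})'
    if ($appIdMatch) {
        $appId = $appIdMatch.Matches[0].Groups[1].Value.Trim()
    }

    # Likewise keep the certificate store the binding already references.
    # NOTE(review): netsh prints "(null)" when no store is recorded — in that
    # case (or if the line is absent) we fall back to MY as before.
    $storeName = 'MY'
    $storeMatch = $netShow | Select-String 'Certificate Store Name\s*: (\S+)'
    if ($storeMatch) {
        $parsedStore = $storeMatch.Matches[0].Groups[1].Value.Trim()
        if ($parsedStore -ne '(null)') {
            $storeName = $parsedStore
        }
    }

    # Delete + add is the only way to change flags on an existing binding.
    # Check each step: if the delete fails there is nothing to re-add, and if
    # the add fails the endpoint is now unbound and the operator must know.
    netsh http delete sslcert "ipport=$ipPort"
    if ($LASTEXITCODE -ne 0) {
        Write-Error "netsh http delete sslcert failed for ipport=$ipPort (exit code $LASTEXITCODE); binding left unchanged."
        exit 1
    }
    netsh http add sslcert "ipport=$ipPort" "certhash=$certHash" "appid=$appId" "certstorename=$storeName" verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable
    if ($LASTEXITCODE -ne 0) {
        Write-Error "netsh http add sslcert failed (exit code $LASTEXITCODE). The binding for ipport=$ipPort has been removed; restore it with certhash=$certHash appid=$appId certstorename=$storeName (see netshow.txt)."
        exit 1
    }
    netsh http show sslcert "ipport=$ipPort"
}

# Explicitly disable sending a list of acceptable client CA's in the handshake.
# HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList=0
# This avoids disclosing which CAs the server trusts; clients must then pick a
# certificate without a hint from the server.
Write-Host "Disabling SendTrustedIssuerList"
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
$name = "SendTrustedIssuerList"
$value = 0
# Make sure we have the registry path. Why would we not have SCHANNEL?
if (-not (Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
# New-ItemProperty -Force creates OR overwrites the value.
New-ItemProperty -Path $registryPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null

Write-Host "A restart is required for these changes to take complete effect"
Read-Host "Press enter to continue..."
Exit 0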