I wrote this function a while back that may get you started. This is set to
remove a particular cert but can be easily changed to what you may need.
Function Remove-Certs
{
    [CmdletBinding()]
    param (
        [Parameter(Position=0, Mandatory=$true)]
        [ValidateNotNullOrEmpty()][string]$computername,
        [Parameter(Position=1, Mandatory=$true)]
        [ValidateNotNullOrEmpty()][string]$SerialNum,
        # StoreLocation enum values are LocalMachine and CurrentUser (there is no "LocalUser")
        [Parameter(Position=2, Mandatory=$true)]
        [ValidateSet("LocalMachine","CurrentUser")][string]$LocalStore
    )
    $computerstore = "\\$computername\Root"   # Root store on the remote host, opened over the network
    If (Test-Connection -ComputerName $computername -Count 1 -Quiet)
    {
        Try
        {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $computerstore,$LocalStore
            $store.Open('ReadWrite')   # removal needs ReadWrite; for reporting only, 'ReadOnly' is enough
            $certs = $store.Certificates
            Write-Host ""
            Write-Host "************* Removing Certs with $SerialNum from Host $computername ****************************" -ForegroundColor Cyan
            Write-Host ""
            foreach ($cert in $certs) {
                $certDate = $cert.NotBefore.ToShortDateString()   # issue date as a short date string, for date comparisons
                $CertSerial = $cert.SerialNumber
                If ($CertSerial -eq $SerialNum)
                {
                    Write-Host "Serial Number Matches.. DELETING CERT" -BackgroundColor Red
                    Write-Host "Subject: $($cert.Subject) Serial: $($cert.SerialNumber) Issue Date: $($cert.NotBefore) Expiration Date: $($cert.NotAfter)" -ForegroundColor Red
                    #$store.Remove($cert)   # Deletes the matching cert. Uncomment this line to do the actual removal
                }
                Else
                {
                    Write-Host "Serial Number does not match.. KEEPING CERT" -BackgroundColor Green
                    # Writing out information on the other certs. May be useful to see.
                    Write-Host "Subject: $($cert.Subject) Serial: $($cert.SerialNumber) Issue Date: $($cert.NotBefore) Expiration Date: $($cert.NotAfter)" -ForegroundColor Blue
                }
            }
            $store.Close()
            Write-Host ""
            Write-Host "************* Removed Certs with $SerialNum from Host $computername ****************************" -ForegroundColor Cyan
        }
        Catch
        {
            Write-Host $_.Exception.Message -NoNewline -BackgroundColor Red
        }
    }
    Else
    {
        Write-Host "$computername - Failed: No Ping return." -ForegroundColor Red
    }
}

Get-Content C:\temp\RemoveCerts\1.txt | foreach { Remove-Certs -computername $_ -SerialNum xxxxxxxxxxxxxxx -LocalStore LocalMachine }
On Tue, Apr 1, 2014 at 10:26 AM, Kurt Buff <[email protected]> wrote:
> Guess I'll have to look at some scripting.
> On Mar 31, 2014 6:15 PM, "Ken Schaefer" <[email protected]> wrote:
>
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:
>> [email protected]] On Behalf Of Kurt Buff
>> Sent: Tuesday, 1 April 2014 11:55 AM
>> To: [email protected]
>> Subject: Re: [NTSysADM] IIS certs expiration and autorenewal from a
>> Windows CA
>>
>> > I am of the opinion that there shouldn't be any reason why these web
>> > sites don't autorenew their certs, once installed.
>>
>> Auto-renewal isn't a process that looks at the details in the existing
>> cert and says to the CA "give me a new cert with the same properties,
>> except extend the expiry date"
>>
>> Auto-renewal is a process that says "based on my user/computer
>> properties, give me a cert with said properties"
>>
>> The issue you have is that certs you've issued for your services are not
>> tied to the user or computer properties per se - they have arbitrary Common
>> Names (for starters).
>>
>> That's not to say you can't set up an automated process that, once a
>> pending cert expiry is detected, creates an appropriate CSR and submits it
>> to your CA, and your CA can be configured to auto-issue the cert.
>>
>> > I'm willing to be schooled on that, but after thinking about it for a
>> > while I can't see any objections -
>> > except perhaps "It can't be done."
>>
>> I don't think it can be done with the built-in auto-renewal process in
>> Windows, because it doesn't do what you think/want it to do.
>>
>> > Asset management - that's a spreadsheet on which assets are tracked,
>> > right? :)
>>
>> Not ideal.
>>
>> But you could improve on the idea: e.g. create some formulas that
>> colour-code or highlight the contracts or assets that are reaching EoL.
>> Write a VBScript that queries it every day, and generates an email with
>> things that need to be renewed or a helpdesk ticket, or whatever.
>> Downside to Excel is it might be hard to model different types of items
>> without using different tabs, and you don't get any real referential
>> integrity, and version control is a PITA etc.
>>
>> Cheers
>> Ken
>>
>>
>>
>> > Cheers
>> > Ken
>> >
>> > -----Original Message-----
>> > From: [email protected]
>> > [mailto:[email protected]] On Behalf Of Kurt Buff
>> > Sent: Tuesday, 1 April 2014 10:03 AM
>> > To: [email protected]
>> > Subject: [NTSysADM] IIS certs expiration and autorenewal from a
>> > Windows CA
>> >
>> > All,
>> >
>> > We had a bit of a scramble when an IIS SSL cert generated by our
>> > internal CA expired, and didn't autorenew.
>> >
>> > Now that I've fixed it, I'm wondering how to set up autorenewal,
>> >
>> > From my reading so far, it looks like I need to set up an SPN for the
>> > web site on the machine account, viz.:
>> > http://social.technet.microsoft.com/Forums/windowsserver/en-US/0b435135-5a90-4957-9bcc-a92b4c519fda/autoenrollment-for-web-server-certificates
>> >
>> > and
>> >
>> > http://support.microsoft.com/kb/929650
>> >
>> > Is this correct, and sufficient? Or do I need to dig a little deeper?
>> >
>> > Kurt
>> >
>> >
>>
>>
>>
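Ken's point above is that Windows auto-renewal will not save an arbitrarily named web-server cert, so the practical fix is a scheduled job that detects pending expiry and kicks off renewal. The detection half of that job, written as an added example (not code from anyone in this thread): it reuses the same X509Store UNC-path access as the Remove-Certs function to read each host's LocalMachine\My store, keeps only certs with the TLS Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), and emits one object per cert that expires within a threshold. The function name, the parameter names, the 45-day threshold and the host-list file are assumptions; like the original, it needs admin rights and the Remote Registry service on the target hosts.

```powershell
# Added example, not from the thread. Reports TLS server certs in a remote host's
# LocalMachine\My store that expire within -DaysAhead days. Function and parameter
# names are assumptions; the output objects are meant to feed an email, a ticket,
# or the CSR/renewal step Ken describes.
Function Get-ExpiringServerCerts
{
    [CmdletBinding()]
    param (
        [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)]
        [ValidateNotNullOrEmpty()][string[]]$ComputerName,
        [Parameter(Position=1)]
        [ValidateRange(1, 3650)][int]$DaysAhead = 30,
        [Parameter(Position=2)]
        [ValidateNotNullOrEmpty()][string]$StoreName = 'My'   # personal store, where IIS certs usually live
    )
    process {
        foreach ($computer in $ComputerName) {
            if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
                Write-Warning "$computer - skipped: no ping reply"
                continue
            }
            # Same remote-store access pattern as Remove-Certs: "\\host\StoreName" in LocalMachine
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "\\$computer\$StoreName", 'LocalMachine'
            try {
                $store.Open('ReadOnly')   # reporting only, so no write access is requested
                foreach ($cert in $store.Certificates) {
                    # Keep only certs that carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
                    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
                    $isServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
                    if (-not $isServerAuth) { continue }

                    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
                    if ($daysLeft -le $DaysAhead) {
                        [pscustomobject]@{
                            ComputerName = $computer
                            Subject      = $cert.Subject
                            Issuer       = $cert.Issuer
                            Thumbprint   = $cert.Thumbprint
                            NotAfter     = $cert.NotAfter
                            DaysLeft     = $daysLeft
                            Expired      = ($daysLeft -lt 0)   # negative DaysLeft means it already lapsed
                        }
                    }
                }
            }
            catch {
                Write-Warning "$computer - $($_.Exception.Message)"
            }
            finally {
                $store.Close()
            }
        }
    }
}

# Usage: same host-list file as the Remove-Certs example; objects sort and export cleanly,
# so the same output can drive Export-Csv, Send-MailMessage or a helpdesk ticket.
Get-Content C:\temp\RemoveCerts\1.txt | Get-ExpiringServerCerts -DaysAhead 45 |
    Sort-Object DaysLeft |
    Format-Table ComputerName, Subject, NotAfter, DaysLeft, Expired -AutoSize
```

Run it daily from a scheduled task with the threshold set to at least your CA's issuance turnaround plus a change window; anything it reports with `Expired = $true` is the scramble the thread started with, and anything with a small positive `DaysLeft` is the input to the CSR-and-submit step that Windows auto-renewal will not do for you.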