Thank you! I shall look this over. I'm still in the middle of a ton of projects, so probably won't get to it right away, but this should prove useful.
Kurt

On Tue, Apr 1, 2014 at 12:00 PM, elsalvoz <[email protected]> wrote:
> I wrote this function a while back that may get you started. This is set to
> remove a particular cert but can be easily changed to what you may need.
>
> Function Remove-Certs
> {
>     [CmdletBinding()]
>     param (
>         [Parameter(Position=0, Mandatory=$true)]
>         [ValidateNotNullOrEmpty()][string]$computername,
>         [Parameter(Position=1, Mandatory=$true)]
>         [ValidateNotNullOrEmpty()][string]$SerialNum,
>         [Parameter(Position=2, Mandatory=$true)]
>         [ValidateSet("LocalMachine","CurrentUser")][string]$LocalStore
>     )
>     $computerstore = ("\\$computername\Root")
>     If (Test-Connection -ComputerName $computername -Quiet)
>     {
>         Try {
>             # StoreLocation is LocalMachine or CurrentUser
>             $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $computerstore,$LocalStore
>             $store.Open('ReadWrite') # Removal needs ReadWrite; for info only, Read can be used.
>             $certs = $store.Certificates
>
>             Write-Host ""
>             Write-Host "************* Removing Certs with $SerialNum from Host $computername ****************************" -ForegroundColor Cyan
>             Write-Host ""
>             foreach ($cert in $certs) {
>                 $CertSerial = $cert.SerialNumber
>
>                 If ($CertSerial -eq $SerialNum)
>                 {
>                     Write-Host "Serial Number Matches.. DELETING CERT" -BackgroundColor Red
>                     Write-Host "Subject: "$cert.Subject " Serial: "$cert.SerialNumber " Issue Date:" $cert.NotBefore " Expiration Date:" $cert.NotAfter -ForegroundColor Red
>                     #$store.Remove($cert) # Deletes the matching cert. Uncomment this line to do the actual removal.
>                 }
>                 Else
>                 {
>                     Write-Host "Serial Number Does Not Match.. KEEPING CERT" -BackgroundColor Green
>                     # Writing out information of other certs. May be useful to see.
>                     Write-Host "Subject: "$cert.Subject " Serial: "$cert.SerialNumber " Issue Date:" $cert.NotBefore " Expiration Date:" $cert.NotAfter -ForegroundColor Blue
>                 }
>             }
>             $store.Close()
>             Write-Host ""
>             Write-Host "************* Removed Certs with $SerialNum from Host $computername ****************************" -ForegroundColor Cyan
>         }
>         Catch
>         {
>             Write-Host $_.Exception.Message -NoNewline -BackgroundColor Red
>         }
>     }
>     Else { Write-Host "$computername - Failed: No Ping return." -ForegroundColor Red }
> }
>
> Get-Content C:\temp\RemoveCerts\1.txt | foreach { Remove-Certs -computername $_ -SerialNum xxxxxxxxxxxxxxx -LocalStore LocalMachine }
>
> On Tue, Apr 1, 2014 at 10:26 AM, Kurt Buff <[email protected]> wrote:
>>
>> Guess I'll have to look at some scripting.
>>
>> On Mar 31, 2014 6:15 PM, "Ken Schaefer" <[email protected]> wrote:
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>>> Sent: Tuesday, 1 April 2014 11:55 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA
>>>
>>> > I am of the opinion that there shouldn't be any reason why these web
>>> > sites don't autorenew their certs, once installed.
>>>
>>> Auto-renewal isn't a process that looks at the details in the existing cert and says to the CA "give me a new cert with the same properties, except extend the expiry date"
>>>
>>> Auto-renewal is a process that says "based on my user/computer properties, give me a cert with said properties"
>>>
>>> The issue you have is that certs you've issued for your services are not tied to the user or computer properties per se - they have arbitrary Common Names (for starters).
>>>
>>> That's not to say you can't set up an automated process that, once a pending cert expiry is detected, creates an appropriate CSR and submits it to your CA, and your CA can be configured to auto-issue the cert.
>>>
>>> > I'm willing to be schooled on that, but after thinking about it for a
>>> > while I can't see any objections -
>>> > except perhaps "It can't be done."
>>>
>>> I don't think it can be done with the built-in auto-renewal process in Windows, because it doesn't do what you think/want it to do.
>>>
>>> > Asset management - that's a spreadsheet on which assets are tracked,
>>> > right? :)
>>>
>>> Not ideal.
>>>
>>> But you could improve on the idea: e.g. create some formulas that colour-code or highlight the contracts or assets that are reaching EoL. Write a VBScript that queries it every day, and generates an email with things that need to be renewed or a helpdesk ticket, or whatever. Downside to Excel is it might be hard to model different types of items without using different tabs, and you don't get any real referential integrity, and version control is a PITA etc.
>>>
>>> Cheers
>>> Ken
>>>
>>> > Cheers
>>> > Ken
>>> >
>>> > -----Original Message-----
>>> > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>>> > Sent: Tuesday, 1 April 2014 10:03 AM
>>> > To: [email protected]
>>> > Subject: [NTSysADM] IIS certs expiration and autorenewal from a Windows CA
>>> >
>>> > All,
>>> >
>>> > We had a bit of a scramble when an IIS SSL cert generated by our internal CA expired, and didn't autorenew.
>>> >
>>> > Now that I've fixed it, I'm wondering how to set up autorenewal.
>>> >
>>> > From my reading so far, it looks like I need to set up an SPN for the web site on the machine account, viz:
>>> > http://social.technet.microsoft.com/Forums/windowsserver/en-US/0b435135-5a90-4957-9bcc-a92b4c519fda/autoenrollment-for-web-server-certificates
>>> >
>>> > and
>>> >
>>> > http://support.microsoft.com/kb/929650
>>> >
>>> > Is this correct, and sufficient? Or do I need to dig a little deeper?
>>> >
>>> > Kurt
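An added example, not from anyone in the thread, for the "pending cert expiry is detected" step Ken describes: it reuses the remote-store technique of Remove-Certs but reads the Personal (My) store and reports certificates expiring within a threshold, so the list can be fed into an e-mail or ticket before the CSR/renewal step. The host-list path, the store names offered and the default 30-day window are assumptions.

```powershell
# Added example (not from the thread): report certificates in a remote machine's
# Personal ("My") store that expire within a threshold, i.e. the "pending cert
# expiry is detected" step. Store names and the host-list file are assumptions.
Function Get-ExpiringCerts
{
    [CmdletBinding()]
    param (
        [Parameter(Position=0, Mandatory=$true)]
        [ValidateNotNullOrEmpty()][string]$ComputerName,
        [Parameter(Position=1)]
        [int]$DaysAhead = 30,
        [Parameter(Position=2)]
        [ValidateSet("My","Root","WebHosting")][string]$StoreName = "My"
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)
    # Same remote-store technique as Remove-Certs: \\host\StoreName in the LocalMachine
    # location (needs admin rights on the host and its Remote Registry service running).
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                 -ArgumentList "\\$ComputerName\$StoreName", ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    Try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        foreach ($cert in $store.Certificates) {
            if ($cert.NotAfter -le $cutoff) {
                $remaining = $cert.NotAfter - $now
                # Report the thumbprint rather than the serial: serial numbers are unique
                # only per issuing CA, a thumbprint identifies the exact certificate.
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    Subject      = $cert.Subject
                    Issuer       = $cert.Issuer
                    Thumbprint   = $cert.Thumbprint
                    NotAfter     = $cert.NotAfter
                    DaysLeft     = [int]$remaining.TotalDays
                    Expired      = ($cert.NotAfter -lt $now)
                }
            }
        }
    }
    Catch { Write-Error "$ComputerName - $($_.Exception.Message)" }
    Finally { $store.Close() }
}

# Daily run: one host per line; pipe the result into an e-mail or a helpdesk ticket.
Get-Content C:\temp\hosts.txt |
    foreach { Get-ExpiringCerts -ComputerName $_ -DaysAhead 45 } |
    Sort-Object NotAfter | Format-Table -AutoSize
```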

