Jaa


Windows PowerShell Script for Detecting Expired Certificates That Are Used by WCF/WF Services

The configuration for specifying the certificate to be used by WCF/WF services looks like the following:

    <system.serviceModel>
      <behaviors>
        <serviceBehaviors>
          <behavior name="MyBehavior">
            <serviceCredentials>
              <serviceCertificate findValue="86F9D16EAF13CF2E7C1744AD8DB4F04BEF55833B" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

The configuration is a query string to the operating system’s certificate store. It is not a straightforward task to map the query from the service configuration to the actual certificate and to validate information like the expiration date.

This sample demonstrates how to write a Windows PowerShell script that:

  • Executes certificate queries, based on the service configuration information returned by the AppFabric configuration cmdlets.

  • Performs a validation on the queried certificates and returns the list of certificates that have expired.

Note

Samples are provided for educational purposes only. They are not intended to be used in a production environment and have not been tested in a production environment. Microsoft does not provide technical support for these samples.

Prerequisites

Users should be familiar with Windows PowerShell scripting and AppFabric cmdlets.

The sample has the following prerequisites:

  • Windows PowerShell v2 is installed.

  • A default AppFabric installation has been performed.

Sample Location and Files

The sample files include the following:

  • Readme.mhtml

  • Code\detectExpiredCertificates.ps1

Setting Up and Running This Sample

  1. The following example shows how to run the script:

    PS> cd <samples>\Samples\Management\DetectExpiredCertificate\Code
    PS> .\detectExpiredCertificates.ps1 "Default Web Site" /MyApp
    Thumbprint                                   Subject           NotBefore                                NotAfter                                               
    ----------                                   -------           ---------                                --------                                               
    2E99C509D371836647EA1A0D4CE4756F21B1CD2C                       1/5/2009 12:27:22 AM                     1/5/2010 12:27:22 AM    
    

    Note

    You may need to change the execution policy from Restricted to RemoteSigned for the sample to work. See help Set-ExecutionPolicy for more information.

    Note

    The two parameters specify the scope of the detection, in a site name and virtual path combination. In the example above, every service under the “MyApp” application will be examined for an expired certificate. These parameters are optional; server scope will be used if they are not specified. If no certificates are configured under the specified scope or no certificates are expired, the script will not display any output.

  2. You can use the Windows PowerShell Certificate provider to navigate through the available certificates in the certificate stores. This can help you to configure your service with a valid certificate. More details about how to use the Windows PowerShell Certificate provider can be found at Certificate Provider (https://go.microsoft.com/fwlink/?LinkId=194421).

    PS cd cert:\LocalMachine\My
    PS cert:\LocalMachine\My> dir | select *
    <results omitted>
    

Removing This Sample

  1. Simply close the Windows PowerShell session. Running this sample does not modify any resources on the computer.

Demonstrates

This sample’s script has three sections:

Initialization

The first part of the script ensures that the AppFabric cmdlet module is loaded.

if ((Get-Command -Module ApplicationServer) -eq $null)
{
    Import-Module ApplicationServer
}

Main script

The main script first retrieves the list of WCF/WF services under a given scope by calling the AppFabric Get-ASAppService cmdlet. It then pipes the service list to the Get-ASAppServiceCertificate cmdlet to read the service certificate configuration. Note that all the $null properties returned by the cmdlet are replaced by the actual runtime default values.

The script then retrieves the certificate information from the operating system’s certificate store based on the queries specified in the configuration. The managed code System.Security.Cryptography.X509Certificates API is used for the query.

Finally, the script validates the certificate NotBefore and NotAfter properties against the current time, and formats the output.

Helper Functions

  • ResolveDefaultValue - Resolve runtime default values for the config properties returned by the Get-ASAppServiceCertificate cmdlet.

  • FindCertificates - Query the certificate stores by using the System.Security.Cryptography.X509Certificates API.