Udostępnij za pośrednictwem


Reading a Certificate off a remote SSL Server for Troubleshooting with Powershell!

 

By no means is this a unique idea but here is my version…. :)

The problem is trying to validate a certificate on a secure port which you cannot browse to!

For example Lync services can run on port 5061 and you will not be able to browse to that … at least I never was able to :)

anyway here is a quick powershell script to do it for you and give you some information on the certificate back

image

Copy and paste from here

 

param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port)

#Create a TCP Socket to the computer and a port number
$tcpsocket = New-Object Net.Sockets.TcpClient($computerName, $port)

#test if the socket got connected
if(!$tcpsocket)
{
    Write-Error "Error Opening Connection: $port on $computername Unreachable"
    exit 1
}
else
{
    #Socket Got connected get the tcp stream ready to read the certificate
    write-host "Successfully Connected to $computername on $port" -ForegroundColor Green -BackgroundColor Black
    $tcpstream = $tcpsocket.GetStream()
    Write-host "Reading SSL Certificate...." -ForegroundColor Yellow -BackgroundColor Black
    #Create an SSL Connection
    $sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false)
    #Force the SSL Connection to send us the certificate
    $sslStream.AuthenticateAsClient($computerName)

    #Read the certificate
    $certinfo = New-Object system.security.cryptography.x509certificates.x509certificate2($sslStream.RemoteCertificate)
}

$returnobj = new-object psobject
$returnobj |Add-Member -MemberType NoteProperty -Name "FriendlyName" -Value $certinfo.FriendlyName
$returnobj |Add-Member -MemberType NoteProperty -Name "SubjectName" -Value $certinfo.SubjectName
$returnobj |Add-Member -MemberType NoteProperty -Name "HasPrivateKey" -Value $certinfo.HasPrivateKey
$returnobj |Add-Member -MemberType NoteProperty -Name "EnhancedKeyUsageList" -Value $certinfo.EnhancedKeyUsageList
$returnobj |Add-Member -MemberType NoteProperty -Name "DnsNameList" -Value $certinfo.DnsNameList
$returnobj |Add-Member -MemberType NoteProperty -Name "SerialNumber" -Value $certinfo.SerialNumber
$returnobj |Add-Member -MemberType NoteProperty -Name "Thumbprint" -Value $certinfo.Thumbprint
$returnobj

Comments

  • Anonymous
    January 01, 2003
    absolutely correct :)
  • Anonymous
    January 01, 2003
    sorry you can now :)
  • Anonymous
    June 26, 2014
    Would be nice if we could copy or download the script.
  • Anonymous
    June 26, 2014
    You can completely skip creating $returnedobj and just return $Certinfo. This saves you like 8 lines of code:
    return $Certinfo | Select-Object friendlyname,subjectname,hasprivatekey,EnhancedKeyUsageList,DnsNameList,SerialNumber,Thumbprint
  • Anonymous
    December 19, 2014
    This script will fail if you try to download an untrusted certificate (eg. sef-signed). Using a different SslStream constructor will fix this issue:

    $sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false, {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return $true
    })
  • Anonymous
    August 21, 2015
    Thanks!! In case the name of the SSL cert doesn't match the server name, I added an extra parameter for you to provide the CN name of the cert:


    param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port,[parameter(Mandatory=$true)][string]$CNname


    Then changed

    $sslStream.AuthenticateAsClient($computername) to

    $sslStream.AuthenticateAsClient($cnName)


  • Anonymous
    November 05, 2015
    I took this and converted it into a script function with Pipeline support so you can feed it a whole mess of names.

    https://github.com/JustinGrote/Scripts/blob/master/Get-SSLCertificate.ps1
  • Anonymous
    February 08, 2016
    Not a biggy but may be a good idea to close of the socket as well. I believe there is a dispose() method.
  • Anonymous
    February 10, 2016
    thanks for the info. with the comments I manage to get this going. (before PS crashed with self sign Cert of WAS)
  • Anonymous
    February 10, 2016
    any tip on how to get the root one?