Reading a Certificate off a remote SSL Server for Troubleshooting with PowerShell!
By no means is this a unique idea, but here is my version... :)
The problem is trying to validate a certificate on a secure port which you cannot browse to!
For example, Lync services can run on port 5061 and you will not be able to browse to that... at least I never was able to :)
Anyway, here is a quick PowerShell script to do it for you and give you back some information about the certificate.
Copy and paste from here:
param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port)
#Create a TCP Socket to the computer and a port number
#New-Object throws if the connect fails, so the failure has to be caught here
#(testing $tcpsocket afterwards never fires, because the variable is simply never assigned)
try
{
    $tcpsocket = New-Object Net.Sockets.TcpClient($computerName, $port)
}
catch
{
    Write-Error "Error Opening Connection: $port on $computername Unreachable ($($_.Exception.Message))"
    exit 1
}
#Socket got connected, get the tcp stream ready to read the certificate
write-host "Successfully Connected to $computername on $port" -ForegroundColor Green -BackgroundColor Black
$tcpstream = $tcpsocket.GetStream()
Write-host "Reading SSL Certificate...." -ForegroundColor Yellow -BackgroundColor Black
#Create an SSL Connection (default validation: an untrusted chain or a name mismatch makes the handshake throw)
$sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false)
try
{
    #Force the SSL Connection to send us the certificate
    $sslStream.AuthenticateAsClient($computerName)
    #Read the certificate
    $certinfo = New-Object system.security.cryptography.x509certificates.x509certificate2($sslStream.RemoteCertificate)
}
finally
{
    #Always release the SSL stream and the socket, even if the handshake failed
    $sslStream.Dispose()
    $tcpsocket.Close()
}
$returnobj = new-object psobject
$returnobj |Add-Member -MemberType NoteProperty -Name "FriendlyName" -Value $certinfo.FriendlyName
$returnobj |Add-Member -MemberType NoteProperty -Name "SubjectName" -Value $certinfo.SubjectName
$returnobj |Add-Member -MemberType NoteProperty -Name "HasPrivateKey" -Value $certinfo.HasPrivateKey
$returnobj |Add-Member -MemberType NoteProperty -Name "EnhancedKeyUsageList" -Value $certinfo.EnhancedKeyUsageList
$returnobj |Add-Member -MemberType NoteProperty -Name "DnsNameList" -Value $certinfo.DnsNameList
$returnobj |Add-Member -MemberType NoteProperty -Name "SerialNumber" -Value $certinfo.SerialNumber
$returnobj |Add-Member -MemberType NoteProperty -Name "Thumbprint" -Value $certinfo.Thumbprint
$returnobj
Comments

- Anonymous
January 01, 2003
absolutely correct :)

- Anonymous
January 01, 2003
sorry you can now :)

- Anonymous
June 26, 2014
Would be nice if we could copy or download the script.

- Anonymous
June 26, 2014
You can completely skip creating $returnobj and just return $Certinfo. This saves you like 8 lines of code:
return $Certinfo | Select-Object friendlyname,subjectname,hasprivatekey,EnhancedKeyUsageList,DnsNameList,SerialNumber,Thumbprint

- Anonymous
December 19, 2014
This script will fail if you try to download an untrusted certificate (e.g. self-signed). Using a different SslStream constructor will fix this issue:
$sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false, {
param($sender, $certificate, $chain, $sslPolicyErrors)
return $true
})

- Anonymous
August 21, 2015
Thanks!! In case the name of the SSL cert doesn't match the server name, I added an extra parameter for you to provide the CN name of the cert:
param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port,[parameter(Mandatory=$true)][string]$CNname)
Then changed
$sslStream.AuthenticateAsClient($computername) to
$sslStream.AuthenticateAsClient($CNname)

- Anonymous
November 05, 2015
I took this and converted it into a script function with pipeline support so you can feed it a whole mess of names.
https://github.com/JustinGrote/Scripts/blob/master/Get-SSLCertificate.ps1

- Anonymous
February 08, 2016
Not a biggy, but it may be a good idea to close off the socket as well. I believe there is a Dispose() method.

- Anonymous
February 10, 2016
Thanks for the info. With the comments I managed to get this going (before, PS crashed with the self-signed cert of WAS).

- Anonymous
February 10, 2016
Any tip on how to get the root one?
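Pulling the script and the comment threads together (untrusted certificates, a CN that differs from the host name, closing the socket, and reaching the root), here is an added example that is not the post's own script: it records the validation verdict instead of discarding it, rebuilds the chain locally so the root is visible, and always releases the socket. The function name Get-RemoteTlsChain and its output fields are my own choices, not anything from the post.

```powershell
function Get-RemoteTlsChain {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [string]$TargetHost = $ComputerName   # name to validate when the cert CN differs from the host
    )
    $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    # Record the validation verdict and let the handshake finish so the chain can be read;
    # the verdict is reported in the output rather than silently thrown away.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Rebuild the chain locally to walk up to the root (what the last comment asks for).
        $x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $x509chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline troubleshooting; use Online for real checks
        $null = $x509chain.Build($leaf)
        $chainCerts = @(foreach ($e in $x509chain.ChainElements) { $e.Certificate })
        [pscustomobject]@{
            Host         = $ComputerName
            Port         = $Port
            Subject      = $leaf.Subject
            Issuer       = $leaf.Issuer
            NotAfter     = $leaf.NotAfter
            DaysLeft     = [int]($leaf.NotAfter - (Get-Date)).TotalDays
            Thumbprint   = $leaf.Thumbprint
            DnsNameList  = $leaf.DnsNameList
            PolicyErrors = $state.PolicyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors ...
            ChainStatus  = ($x509chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            Root         = $chainCerts[-1].Subject   # last element is the root (or the self-signed leaf itself)
            Chain        = $chainCerts
        }
    }
    finally {
        # Always release the stream and socket (the missing cleanup noted in the comments).
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}
# Usage: Get-RemoteTlsChain -ComputerName lync.example.com -Port 5061 | Format-List
```

A non-empty PolicyErrors or ChainStatus is the troubleshooting signal: the certificate is still returned for inspection, but the output says why a normal client would have rejected it.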