Mark Minasi's Tech Forum
jsclmedave

Administrator
Registered:
Posts: 446
Reply with quote  #1 
I need to be able to -

  1. Audit an IIS Server
  2. Pull back ALL Certificates and their expiration dates
  3. For Each WebSite specify what Certificate (if any) is being used.

The check is going to trigger off of the Target Server being an IIS Server.  If that condition is met then that is where I need to come in and pull those items.  Once that has been gathered it will go into our tracking tool (SVCNow) which will determine if a WebSite Owner needs to be notified for an expiring certificate or not.

I just need to save it all as a variable.

I've been reading Google Sites all morning and have come away empty with a LOT of bad advice...



__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
0
cj_berlin


Senior Member
Registered:
Posts: 246
Reply with quote  #2 
Hi,

here's a starting point:
Code:

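# Load the IIS management assembly
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")
# Connect to the remote IIS server and list the bindings of every site
$iis = [Microsoft.Web.Administration.ServerManager]::OpenRemote("DBLABWS01")
$iis.Sites | foreach { $_.Bindings }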

This will give you the config and the hashes + stores of all certs used. Then you can use the Cert PSProvider or whatever technique you are confident with to get at the certs themselves and their expiration dates.

HTH

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
jsclmedave

Administrator
Registered:
Posts: 446
Reply with quote  #3 
Quote:
Originally Posted by cj_berlin
Hi,

here's a starting point:
Code:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")
$iis = [Microsoft.Web.Administration.ServerManager]::OpenRemote("DBLABWS01")
$iis.Sites | foreach { $_.Bindings }

This will give you the config and the hashes + stores of all certs used. Then you can use the Cert PSProvider or whatever technique you are confident with to get at the certs themselves and their expiration dates.

HTH


Getting the certs I'm using something like this -


Code:

 

function Get-Cert( $computer=$env:computername ){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    # Open the LocalMachine\root store on the target computer, read-only
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    # Emit every certificate found in that store
    $store.Certificates
}



Then -

Code:

$computer = "SomeServer"
Get-Cert "SomeServer" | fl -property FriendlyName,IssuerName,Subject



It's the IIS Server Audit and finding what - or IF a - Cert is being used by a Web Site on that IIS Server so that they can determine IF it is about to expire...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

0
wobble_wobble


Associate Troublemaker Apprentice
Registered:
Posts: 836
Reply with quote  #4 
So I popped in for a look and thought...

Quote:
Originally Posted by cj_berlin

This will give you the config and the hashes + stores of all certs used. Then you can use the Cert PSProvider or whatever technique you ...

HTH


Yeah I can help in a PowerShell question and then I see this

Quote:
Originally Posted by jsclmedave

Getting the certs I'm using something like this 

function Get-Cert( $computer=$env:computername ){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
}


Then - 
$computer = "SomeServer"
Get-Cert "SomeServer" | fl -property FriendlyName,IssuerName,Subject



So I went back to drinking whiskey!

Then I looked at it

And I saw you had a spelling mistake...

Yeah...

So I went back to drinking whiskey!

Cheers

__________________
Have you tried turning it off and walking away? The next person can fix it!

0
jsclmedave

Administrator
Registered:
Posts: 446
Reply with quote  #5 
I think I am missing something or not explaining correctly.

The Cert on the IIS Server does not have the information in it to tell me if a Web Site is bound to it.  Is that a correct statement..?

I "thought" the only way to see what Cert is being used by a Web Site, hosted on an IIS Server, is to go into IIS itself.

CJ is THIS what is hitting the IIS Server and pulling Certs in use..?

Code:

$iis = [Microsoft.Web.Administration.ServerManager]::OpenRemote("DBLABWS01")
$iis.Sites | foreach { $_.Bindings }

I will give this a shot today once I find a good test IIS Server to hit.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

0
cj_berlin


Senior Member
Registered:
Posts: 246
Reply with quote  #6 
Quote:
Originally Posted by jsclmedave

CJ is THIS what is hitting the IIS Server and pulling Certs in use..?
Code:
$iis = [Microsoft.Web.Administration.ServerManager]::OpenRemote("DBLABWS01")
$iis.Sites | foreach { $_.Bindings }
I will give this a shot today once I find a good test IIS Server to hit.


Sorry, was away a couple of days. Yes, with this you can manage IIS remotely and programmatically. Did you find a server to test this? How did it go?

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
jsclmedave

Administrator
Registered:
Posts: 446
Reply with quote  #7 
Quote:
Originally Posted by cj_berlin


Sorry, was away a couple of days. Yes, with this you can manage IIS remotely and programmatically. Did you find a server to test this? How did it go?


We had another issue pop up and this has been set aside for now...  I will get back to this especially since I "thought" it was going to be so easy.

Regardless of work requirements I will figure this one out...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

0
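
Putting the thread's two pieces together, as an added example that is not code from any poster: it reads each site's HTTPS bindings through `Microsoft.Web.Administration`, then looks up the binding's thumbprint in the store the binding itself names (typically `My` or `WebHosting`, not `Root`, which holds trusted CA certificates) to get the expiration date. The function name `Get-IisSiteCertificate`, the `$WarnDays` threshold and the output property names are assumptions made for illustration.

```powershell
# Added example; not code from the thread. Run from an elevated Windows PowerShell
# session on a machine that has the IIS management assembly installed.
function Get-IisSiteCertificate {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$WarnDays = 30   # assumed alert threshold, adjust to your policy
    )
    Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
    $lm = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly
    $iis = [Microsoft.Web.Administration.ServerManager]::OpenRemote($ComputerName)
    $cache = @{}   # store name -> certificates, so each remote store is read once
    try {
        foreach ($site in $iis.Sites) {
            $https = @($site.Bindings | Where-Object { $_.Protocol -eq 'https' })
            if (-not $https) {
                # Site has no TLS binding, so no certificate is in use
                [pscustomobject]@{ Site = $site.Name; Binding = $null; Store = $null
                    Thumbprint = $null; Subject = $null; NotAfter = $null; Expiring = $false }
                continue
            }
            foreach ($b in $https) {
                # CertificateHash is the thumbprint as raw bytes; it can be empty
                $thumb = if ($b.CertificateHash) {
                    [BitConverter]::ToString($b.CertificateHash) -replace '-'
                }
                $name = $b.CertificateStoreName
                $cert = $null
                if ($thumb -and $name) {
                    if (-not $cache.ContainsKey($name)) {
                        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$ComputerName\$name", $lm)
                        $store.Open($ro)
                        $cache[$name] = @($store.Certificates)
                        $store.Close()
                    }
                    $cert = $cache[$name] | Where-Object { $_.Thumbprint -eq $thumb } |
                        Select-Object -First 1
                }
                [pscustomobject]@{
                    Site = $site.Name; Binding = $b.BindingInformation; Store = $name
                    Thumbprint = $thumb; Subject = $cert.Subject; NotAfter = $cert.NotAfter
                    Expiring = [bool]($cert -and $cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
                }
            }
        }
    } finally { $iis.Dispose() }
}
# Usage: Get-IisSiteCertificate -ComputerName 'DBLABWS01' | Where-Object Expiring
```

A row with a thumbprint but no `Subject` means the binding points at a certificate that is no longer in the named store, which is worth reporting to the site owner alongside the expiring ones.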