<#
.SYNOPSIS
Import certificate for use with RDP
.DESCRIPTION
Import certificate for use with RDP
.NOTES
Created by Jauder Ho
Last modified 11/1/2019
BSD License
Pull requests are welcome.
TODO: Incorporate ACMESharp capability
.LINK
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
#>
# Elevate as needed
# https://superuser.com/questions/108207/how-to-run-a-powershell-script-as-administrator
# -Elevated is set only on the instance this script re-launches via RunAs below; it marks
# that an elevation attempt was already made so the script does not try again forever.
param([switch]$Elevated)
function Test-Admin {
    # Returns $true when the current process token belongs to the local Administrators role.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
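# Re-launch elevated unless we already are. The child gets -Elevated so that a failed
# elevation (UAC declined, filtered token) is reported instead of retried.
if (-not (Test-Admin)) {
    if ($Elevated) {
        # We were re-launched with -Elevated but still lack admin rights: say so and fail
        # with a non-zero status instead of exiting silently as before.
        Write-Error 'Elevation failed; this script must run as Administrator.'
        exit 1
    }
    else {
        # -noexit keeps the elevated console open so its output stays readable.
        # The parent exits 0 regardless of what the elevated child does.
        Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f $MyInvocation.MyCommand.Definition)
    }
    exit
}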
Write-Output 'Running with full privileges...'
# Make sure that WinRM is running (no-op if it already is)
Set-Service -Name winRM -Status Running
# https://jrich523.wordpress.com/2011/07/01/powershell-working-with-strings/
#
# USE THIS
#
# POSH script to import PFX cert for use with RDP (in this case a Let's Encrypt cert)
# Once this is done, RDP will no longer complain about the hostname when connecting.
# Creation and renewal of cert is left as an exercise for the user. ACMESharp could potentially be used
# as part of an overall solution.
#
# Create a config.json file in the same directory and define values for "srcDir" and "domain"
#
# Get the path of the config file
#$configPath = Join-Path -Path $PSScriptRoot -ChildPath 'config.json'
# import the configuration from the JSON file
#$config = Get-Content -Path $configPath | ConvertFrom-Json
#$config = Get-Content -Path '.\config.json' | ConvertFrom-Json
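# get the directory where the script is located
$scriptDirectory = Split-Path -Parent $MyInvocation.MyCommand.Path

# config.json must sit next to the script. It names the PFX source directory and the
# DNS domain, i.e. it decides which private key is imported into LocalMachine\My below,
# so the script directory should be writable by administrators only.
$configPath = Join-Path -Path $scriptDirectory -ChildPath "config.json"
if (-not (Test-Path -Path $configPath -PathType Leaf)) {
    Write-Error "config.json file not found in the script directory ($scriptDirectory)."
    exit 1
}

# read the config.json file; -Raw hands the whole document to ConvertFrom-Json as one string
$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json

# define where the certificate is located (Join-Path later tolerates a missing trailing \)
$srcdir = $config.srcDir
$nic = $config.domain

# Both keys are required: without them the FQDN and PFX path are built from empty
# strings and the script would look for the wrong file instead of failing here.
if ([string]::IsNullOrWhiteSpace($srcdir) -or [string]::IsNullOrWhiteSpace($nic)) {
    Write-Error 'config.json must define non-empty "srcDir" and "domain" values.'
    exit 1
}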
# there does not seem to be a good way to get the FQDN. start by figuring out the associated DNS domain
#$nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property DNSDomain
#$nic = Get-CimInstance -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property DNSDomain
#
# this works. more testing needed
# [System.Net.Dns]::GetHostByAddress([System.Net.Dns]::GetHostByName($env:computerName).AddressList[0]).HostName
# FQDN assemble! Also, trim any extraneous space.
# Host name comes from the environment, the DNS domain from config.json ($nic).
# (Resolving the FQDN via [System.Net.Dns] was considered but is not used here.)
$fqdn = "$env:COMPUTERNAME.$nic".Trim()

# full path to PFX file. PFX filename should be <FQDN>.pfx
$pfxfile = Join-Path -Path $srcdir -ChildPath "$fqdn.pfx"
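# run if PFX exists
if (Test-Path -Path $pfxfile -PathType Leaf) {
    # import and obtain the thumbprint from the PFX file. -ErrorAction Stop makes a
    # corrupt file or bad password terminate here rather than fall through with no thumbprint.
    $thumbprint = (Import-PfxCertificate -CertStoreLocation cert:\LocalMachine\My -FilePath $pfxfile -ErrorAction Stop).Thumbprint
    if ([string]::IsNullOrEmpty($thumbprint)) {
        # Never write an empty hash into the RDP listener; that would leave RDP without a usable cert.
        Write-Error "Import of $pfxfile produced no thumbprint; RDP configuration left unchanged."
        exit 1
    }

    # configure RDP to use the right cert (only the RDP-Tcp listener, as the older WMI
    # variant of this script did)
    # https://serverfault.com/questions/1025992/cant-write-to-root-cimv2-terminalservices-via-powershell
    $RDPInstance = Get-CimInstance -ClassName Win32_TSGeneralSetting -Namespace ROOT\CIMV2\TerminalServices -Filter "TerminalName='RDP-Tcp'"
    Set-CimInstance -CimInstance $RDPInstance -Property @{ SSLCertificateSHA1Hash = "$thumbprint" } -PassThru

    # cleanup on aisle 9. PFX file (which carries the private key) is no longer needed once imported
    Remove-Item -Path $pfxfile

    # remove expired/old certs matching hostname
    # NOTE(review): the wildcard also matches any other DNS name that contains this host
    # name; only certificates selected by -ExpiringInDays 0 (already expired) are removed.
    Get-ChildItem -Path 'cert:\LocalMachine\My' -SSLServerAuthentication -ExpiringInDays 0 -DnsName "*$env:COMPUTERNAME*" | Remove-Item
    Get-ChildItem -Path 'cert:\LocalMachine\Remote Desktop' -SSLServerAuthentication -ExpiringInDays 0 -DnsName "*$env:COMPUTERNAME*" | Remove-Item

    # Only report success when something was actually imported and bound.
    Write-Output 'Certificate has been updated'
}
else {
    Write-Warning "PFX file $pfxfile not found; RDP certificate left unchanged."
}

# check cert
# Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"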