Public/Set-RDSHCertificate.ps1

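function Set-RDSHCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0,ValueFromPipelineByPropertyName)]
        [Alias('Thumbprint')]
        [string]$CertThumbprint,
        [Parameter(Position=1,ValueFromPipelineByPropertyName)]
        [string]$PfxFile,
        [Parameter(Position=2,ValueFromPipelineByPropertyName)]
        [securestring]$PfxPass,
        [string]$TerminalName='RDP-tcp',
        [switch]$RemoveOldCert
    )

    Process {

        # install the cert if necessary
        if (!(Test-CertInstalled $CertThumbprint)) {
            if ($PfxFile) {
                # resolve relative paths against the PowerShell location rather than
                # the process working directory, which may differ
                $PfxFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($PfxFile)
                Import-PfxCertInternal $PfxFile -PfxPass $PfxPass
            } else {
                throw "Certificate thumbprint not found and PfxFile not specified."
            }
        }

        # get a reference to the RDP config
        # $TerminalName is interpolated into a WQL string literal, so escape the
        # characters WQL treats specially (backslash and single quote); this keeps a
        # caller-supplied name from terminating the literal and altering the filter.
        $wqlName = $TerminalName.Replace('\', '\\').Replace("'", "\'")
        $cimParams = @{
            ClassName = 'Win32_TSGeneralSetting'
            Namespace = 'root\cimv2\terminalservices'
            Filter = "TerminalName='$wqlName'"
        }
        $ts = Get-CimInstance @cimParams

        # Without this check a non-existent terminal name surfaces later as an
        # unrelated "property not found" error when SSLCertificateSHA1Hash is assigned.
        if (-not $ts) {
            throw "RDP terminal '$TerminalName' was not found in Win32_TSGeneralSetting."
        }

        # update the cert thumbprint if it's different
        if ($CertThumbprint -ne $ts.SSLCertificateSHA1Hash) {

            # save the old thumbprint so it can be removed after the switch
            $oldThumb = $ts.SSLCertificateSHA1Hash

            # set the new one; -EA Stop so a failed write is a terminating error
            # rather than a silent no-op followed by removal of the old cert
            Write-Verbose "Setting $TerminalName certificate thumbprint to $CertThumbprint"
            $ts.SSLCertificateSHA1Hash = $CertThumbprint
            $ts | Set-CimInstance -EA Stop

            # remove the old cert if specified
            if ($RemoveOldCert) { Remove-OldCert $oldThumb }

        } else {
            Write-Warning "Specified certificate is already configured for RDP terminal $TerminalName"
        }

    }

    <#
    .SYNOPSIS
        Configure RD Session Host service to use the specified certificate.

    .DESCRIPTION
        Intended to be used with the output from Posh-ACME's New-PACertificate or Submit-Renewal.
        If the certificate identified by CertThumbprint is not already installed, it is imported
        from PfxFile first. The thumbprint is then written to the SSLCertificateSHA1Hash property
        of the Win32_TSGeneralSetting instance for the given terminal.

    .PARAMETER CertThumbprint
        Thumbprint/Fingerprint for the certificate to configure.

    .PARAMETER PfxFile
        Path to a PFX containing a certificate and private key. Not required if the certificate is already in the local system's Personal certificate store.

    .PARAMETER PfxPass
        The export password for the specified PfxFile parameter. Not required if the Pfx does not require an export password.

    .PARAMETER TerminalName
        The name of the RDP terminal to configure. Defaults to 'RDP-Tcp'. An error is thrown if no
        terminal with this name exists.

    .PARAMETER RemoveOldCert
        If specified, the old certificate associated with RDP will be deleted from the local system's Personal certificate store. Ignored if the old certificate has already been removed or otherwise can't be found.

    .EXAMPLE
        New-PACertificate site1.example.com | Set-RDSHCertificate

        Create a new certificate and configure it for RD Session Host on this system.

    .EXAMPLE
        Submit-Renewal site1.example.com | Set-RDSHCertificate

        Renew a certificate and configure it for RD Session Host on this system.

    .LINK
        Project: https://github.com/rmbolger/Posh-ACME.Deploy

    #>

}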