functions/Get-DbaComputerCertificate.ps1

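function Get-DbaComputerCertificate {
<#
.SYNOPSIS
Simplifies finding computer certificates that are candidates for using with SQL Server's network encryption

.DESCRIPTION
Gets computer certificates on the target computer that are candidates for using with SQL Server's network encryption.

Unless -Thumbprint or -Path is given, the store is filtered to certificates whose Enhanced Key Usage list includes
Server Authentication (OID 1.3.6.1.5.5.7.3.1). That is the only check performed: private key presence, validity
period, subject / DNS names and key size are NOT verified. Review NotBefore, NotAfter, DnsNameList and Subject in
the output before picking a certificate.

Lookups run on the target via Invoke-Command2, so -Store, -Folder and -Path are all resolved on that computer.

.PARAMETER ComputerName
The target SQL Server - defaults to localhost. If target is a cluster, you must specify the distinct nodes.

.PARAMETER Credential
Allows you to login to $ComputerName using alternative credentials.

.PARAMETER Store
Certificate store - defaults to LocalMachine

.PARAMETER Folder
Certificate folder - defaults to My (Personal)

.PARAMETER Thumbprint
Return certificate based on thumbprint. Matching is case-insensitive and ignores whitespace, so a thumbprint
copied from certutil or the Certificates MMC snap-in (which contain spaces between byte pairs) matches as-is.

.PARAMETER Path
The path to a certificate file - basically changes the file into a certificate object. The path is read on the
target computer, not on the machine running this command. The file is imported without a password, so a
password-protected PFX will fail to import.

.PARAMETER Silent
Use this switch to disable any kind of verbose messages

.NOTES
Tags: Certificate

Website: https://dbatools.io
Copyright: (C) Chrissy LeMaire, clemaire@gmail.com
License: GNU GPL v3 https://opensource.org/licenses/GPL-3.0

.EXAMPLE
Get-DbaComputerCertificate
Gets computer certificates on localhost that are candidates for using with SQL Server's network encryption

.EXAMPLE
Get-DbaComputerCertificate -ComputerName sql2016

Gets computer certificates on sql2016 that are candidates for using with SQL Server's network encryption

.EXAMPLE
Get-DbaComputerCertificate -ComputerName sql2016 -Thumbprint 8123472E32AB412ED4288888B83811DB8F504DED, 04BFF8B3679BB01A986E097868D8D494D70A46D6

Gets computer certificates on sql2016 that match thumbprints 8123472E32AB412ED4288888B83811DB8F504DED or 04BFF8B3679BB01A986E097868D8D494D70A46D6
#>

    [CmdletBinding()]
    param (
        [parameter(ValueFromPipeline)]
        [Alias("ServerInstance", "SqlServer", "SqlInstance")]
        [DbaInstanceParameter[]]$ComputerName = $env:COMPUTERNAME,
        [PSCredential]$Credential,
        [string]$Store = "LocalMachine",
        [string]$Folder = "My",
        [string]$Path,
        [string[]]$Thumbprint,
        [switch]$Silent
    )

    process {
        foreach ($computer in $computername) {
            # Executed on the target by Invoke-Command2; arguments arrive positionally via $args.
            $scriptblock = {
                $Thumbprint = $args[0]
                $Store = $args[1]
                $Folder = $args[2]
                $Path = $args[3]

                if ($Path) {
                    # Name the target in the error: a local path is easily mistaken for one on the remote computer.
                    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
                        throw "Certificate file '$Path' was not found on $env:COMPUTERNAME"
                    }
                    $bytes = [System.IO.File]::ReadAllBytes($Path)
                    $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
                    # Imported with no password and without PersistKeySet: a password-protected PFX fails here,
                    # and the import does not ask for any private key to be persisted to a store.
                    $Certificate.Import($bytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
                    return $Certificate
                }

                if ($Thumbprint) {
                    # Strip whitespace so thumbprints pasted from certutil / MMC (spaced byte pairs) still match;
                    # -in is case-insensitive, so no case normalization is needed.
                    $wanted = @($Thumbprint | ForEach-Object { "$_" -replace '\s', '' })
                    try {
                        Write-Verbose "Searching Cert:\$Store\$Folder for thumbprint(s) $($wanted -join ', ')"
                        Get-ChildItem "Cert:\$Store\$Folder" -Recurse | Where-Object { $_.Thumbprint -in $wanted }
                    }
                    catch {
                        # Known remoting quirk: an exception is sometimes thrown for no apparent reason, so this stays
                        # best-effort - but leave a trace so an empty result is not indistinguishable from a failure.
                        Write-Verbose "Enumerating Cert:\$Store\$Folder failed: $_"
                    }
                }
                else {
                    try {
                        Write-Verbose "Searching Cert:\$Store\$Folder for Server Authentication certificates"
                        # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU expected for SQL Server network encryption.
                        # EnhancedKeyUsageList is stringified so a regex match covers both friendly name and OID forms.
                        Get-ChildItem "Cert:\$Store\$Folder" -Recurse | Where-Object { "$($_.EnhancedKeyUsageList)" -match '1\.3\.6\.1\.5\.5\.7\.3\.1' }
                    }
                    catch {
                        # Same best-effort handling as above; surfaced only with -Verbose.
                        Write-Verbose "Enumerating Cert:\$Store\$Folder failed: $_"
                    }
                }
            }

            try {
                Invoke-Command2 -ComputerName $computer -Credential $Credential -ScriptBlock $scriptblock -ArgumentList $thumbprint, $Store, $Folder, $Path -ErrorAction Stop |
                Select-DefaultView -Property FriendlyName, DnsNameList, Thumbprint, NotBefore, NotAfter, Subject, Issuer
            }
            catch {
                Stop-Function -Message $_ -ErrorRecord $_ -Target $computer -Continue
            }
        }
    }
}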