I built a set of scripts to automate renewal and installation of certificates. I decided to post my work in progress, hoping I might be able to help some people…
Disclaimer: I’m by no means an expert in PowerShell…
Some of the features I needed for installing certificates are:
- Replacing certificates in running systems should be done during quiet hours (e.g. after 2 AM).
- Some certificates need to be installed on more than 1 machine.
- Some certificates need to be installed on more than 1 machine, where those machines depend on each other.
The scripts all run from a single computer, using remote PowerShell (or SSH) sessions. So make sure remoting works (winrm /quickconfig).
Configure Trustedhosts to include any servers you want to connect with:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value …
If CredSSP is required (e.g. for AD FS), enable credential delegation to those machines:
Enable-WSManCredSSP -Role Client -DelegateComputer … -Force
The scripts use 2 modules from the PSGallery: CredentialManager and Posh-SSH. Install these prior to using/editing the scripts.
Install-Module -Name CredentialManager
Install-Module -Name Posh-SSH
The scripts are separated in 2 parts.
Certificate renewal: The first script (CTW-CopyCert2Queue.ps1) is run as a post script after certificate renewal. It copies the certificate to a set location with a predefined format, moves old certificates to an archive folder and sends an e-mail with some details about the new certificate.
Certificate installation: The second script (SchedTask-ProcessCertificates.ps1) is run by a scheduled task. This script will run all certificate install scripts in a subfolder. Within these certificate install scripts all handling of a specific certificate is done.
Create a scheduled task to run at a set interval, e.g. once a week on Sunday at 4 AM. Run the task as a regular (local) user. Have the task start SchedTask-ProcessCertificates.ps1.
Log in as the regular (local) user used for the scheduled task. Start Credential Manager and add the required credentials of the server to connect to as generic credentials. The “internet or network address” is the name used to reference the credentials in the scripts.
C:\
 - CTW\
   - PFX\           # New certificates are stored here
     - _archive\    # Old certificates are moved here
   - Scripts\       # Main scripts
     - _scripts\    # Certificate install scripts
     - _files\      # Includes and openssl
The _files folder contains the include file(s) and the openssl files (openssl.exe, openssl.cfg, libcrypto-1_1-x64.dll and libssl-1_1-x64.dll).
Use the FQDN (I use ‘wc’ for * in case of a wildcard certificate) as the name of the managed certificate in Certify SSL Manager. This name is used by the scripts.
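As an added example that is not the author's CTW-CopyCert2Queue.ps1, this is how the queueing step described above could be written against the folder layout and the 'wc' naming rule: the function name, the "name_NotAfter.pfx" file-name format and the rule for what gets archived are assumptions.

```powershell
# Added example (not the author's script): queue a renewed PFX under C:\CTW\PFX
# named after the managed certificate, archive earlier copies, return e-mail details.
# The file-name format and the archive rule are assumptions.
function Copy-CertToQueue {
    param(
        [Parameter(Mandatory)][string]$PfxPath,          # PFX written by the renewal tool
        [Parameter(Mandatory)][string]$ManagedCertName,  # FQDN, with 'wc' in place of '*'
        [SecureString]$PfxPassword,                      # password of the PFX, if it has one
        [string]$QueueRoot = 'C:\CTW\PFX'
    )
    $archive = Join-Path $QueueRoot '_archive'
    New-Item -ItemType Directory -Path $QueueRoot, $archive -Force | Out-Null

    # Load the PFX without persisting its private key in the user's key store
    # (EphemeralKeySet needs .NET Framework 4.7.2 or newer, or PowerShell 7).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 $PfxPath, $PfxPassword, $flags)
    try {
        # Refuse to queue anything the install scripts should never roll out.
        if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key" }
        if ($cert.NotAfter -lt (Get-Date)) { throw "$PfxPath is already expired ($($cert.NotAfter))" }
        # The managed name 'wc.example.com' must correspond to a SAN of *.example.com.
        $expectedDns = $ManagedCertName -replace '^wc\.', '*.'
        if ($cert.DnsNameList.Unicode -notcontains $expectedDns) {
            Write-Warning "$PfxPath has no SAN '$expectedDns'; check the managed certificate name"
        }

        $queuedName = '{0}_{1}.pfx' -f $ManagedCertName, $cert.NotAfter.ToString('yyyyMMdd')
        # Move earlier queued copies of this certificate only; other certificates stay queued.
        Get-ChildItem -Path $QueueRoot -Filter "${ManagedCertName}_*.pfx" -File |
            Where-Object Name -ne $queuedName |
            Move-Item -Destination $archive -Force
        $dest = Copy-Item -Path $PfxPath -Destination (Join-Path $QueueRoot $queuedName) -PassThru

        # Details for the notification e-mail sent after renewal.
        [pscustomobject]@{
            Name       = $ManagedCertName
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            QueuedFile = $dest.FullName
        }
    }
    finally { $cert.Dispose() }
}

# Example call as a post-renewal step (path and name are placeholders):
# Copy-CertToQueue -PfxPath 'C:\Temp\renewed.pfx' -ManagedCertName 'wc.example.com' `
#     -PfxPassword (Read-Host -Prompt 'PFX password' -AsSecureString)
```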