Can you update a certificate hash using powershell?

    • #190420
      Participant

      I am attempting to write a script that gets the thumbprint/hash value from a certificate in the certificate store and puts that value in a variable.

      So far:

      # Read the hash currently configured on the RDP listener. wmic prints a header line,
      # the value and some blank lines; casting the output to [string] joins them with spaces.
      [string]$CertHash = wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

      # Strip the "SSLCertificateSHA1Hash" header and surrounding whitespace.
      # TrimStart("SSLCertificateSHA1Hash") would not do this: it treats its argument as a set of
      # characters to remove, so a hash beginning with A, C, S, H, L or 1 would lose leading digits.
      [string]$TrustedHash = ($CertHash -replace '^\s*SSLCertificateSHA1Hash', '').Trim()

      # Assign the trimmed value of $TrustedHash to the RDP certificate. The value is quoted so
      # wmic receives the whole name=value pair as a single argument.
      wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$TrustedHash"
      However, I run into a problem at the last line: the wmic command used to set SSLCertificateSHA1Hash won't accept a variable as an argument to update the hash value. If you type the thumbprint by hand, it works as expected.
      I've already found a better way to get the thumbprint value without having to trim the string value:
      $Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match ""}).Thumbprint;
      BUT, I have not been able to locate a way to use the PowerShell certificate provider to update that SSLCertificateSHA1Hash value for a specific cert.
      Eventually I will put this into a loop that cycles through a list of servers from a .txt file, but first I need to make the individual set of commands do what I need it to do.
      Thanks in advance for your help!
    • #190429
      Participant

      In a nutshell, what I'm trying to do step by step:

      1. Get the thumbprint of the trusted cert in Cert:\LocalMachine\My and place that value in a variable.
      2. Set the thumbprint/hash of the Remote Desktop certificate to match that of the trusted cert in Cert:\LocalMachine\My.
    • #190447
      Senior Moderator

      SSLCertificateSHA1HashType is a read-only property; hence, IMO, it cannot be changed via WMI.

      https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tsgeneralsetting#members

    • #190561
      Participant

      wmic can be used to update that thumbprint value.

      wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

      However, as this is to eventually be placed into a loop through all servers in a txt file, I need to find the PS equivalent of that wmic command, or find a way to pass a variable declared in PowerShell as the "THUMBPRINT" value.
    • #190927
      Participant

      @Kvprasoon is correct. The thumbprint of a certificate cannot be changed. The WMIC command you want to run is not changing the thumbprint. The thumbprint is used to identify which certificate should be installed into Terminal Services.

    • #191371
      Participant

      Thanks for clarifying.

      So, in fact this is what we want to accomplish:

      1. Collect the thumbprint from the trusted cert in the personal store.

      2. Install the cert with the matching thumbprint into Terminal Services.

      Ideally I'd like to be able to put the hostnames of all servers that need this fix into a txt file and have it loop through the list of servers, performing this for each one.

      So, for example:

      $Servers = Get-Content C:\temp\servers.txt

      ForEach ($Server in $Servers)
      {
          # Read the hash currently configured on this server's RDP listener.
          # /node: makes wmic run the query against the remote host instead of the local one.
          [string]$CertHash = wmic /node:"$Server" /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

          # Strip the "SSLCertificateSHA1Hash" header and whitespace. TrimStart would treat its
          # argument as a character set and could remove leading hex digits of the hash.
          [string]$TrustedHash = ($CertHash -replace '^\s*SSLCertificateSHA1Hash', '').Trim()

          # Assign the certificate with the $TrustedHash value to Terminal Services on that server
          wmic /node:"$Server" /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$TrustedHash"
      }

      Apologies for my confusion about the specific functionality, and thanks in advance for any help.
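As an added example, not code from any of the posts above, here is one way to carry out steps 1 and 2 for every server in the list using the CIM cmdlets instead of wmic. Passing the thumbprint as a hashtable property to Set-CimInstance sidesteps the argument-quoting problem, and reading the setting back confirms it actually changed. It assumes WinRM is enabled on each target, that the caller is a local administrator there, and that the trusted certificate can be recognised by its issuer; the issuer name and the list path are placeholders.

```powershell
# Added example (not from the original thread). Assumptions:
#  - the trusted cert in Cert:\LocalMachine\My is identified by its issuer DN (placeholder below)
#  - WinRM is enabled on every target and the caller is a local admin there
#  - the server list holds one hostname per line
param(
    [string]$ServerList    = 'C:\temp\servers.txt',
    [string]$IssuerPattern = 'CN=Contoso Issuing CA'   # placeholder issuer, change to your CA
)

$servers = Get-Content -Path $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop -ArgumentList $IssuerPattern -ScriptBlock {
            param([string]$Pattern)

            # 1. Pick the trusted cert from the personal store: issued by our CA, not expired,
            #    private key present, and carrying the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
            #    The self-signed RDP certificate fails the issuer test, so it is never chosen.
            $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object {
                    $_.Issuer -match $Pattern -and
                    $_.HasPrivateKey -and
                    $_.NotAfter -gt (Get-Date) -and
                    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
                } |
                Sort-Object -Property NotAfter -Descending |
                Select-Object -First 1

            if (-not $cert) {
                throw "No usable certificate in Cert:\LocalMachine\My matches issuer '$Pattern'"
            }

            # 2. Point the RDP-Tcp listener at that certificate. This is the CIM equivalent of
            #    wmic ... Set SSLCertificateSHA1Hash="<thumbprint>": it does not change the
            #    certificate, it only tells Terminal Services which one to present.
            $tsQuery = @{
                Namespace = 'root\cimv2\TerminalServices'
                ClassName = 'Win32_TSGeneralSetting'
                Filter    = "TerminalName='RDP-Tcp'"
            }
            Get-CimInstance @tsQuery |
                Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

            # 3. Read the setting back rather than trusting that the Set call took effect.
            $after = (Get-CimInstance @tsQuery).SSLCertificateSHA1Hash

            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Applied    = ($after -ieq $cert.Thumbprint)
                Error      = $null
            }
        }
    }
    catch {
        # Record the failure for this host and keep going with the rest of the list
        [pscustomobject]@{
            Server     = $server
            Thumbprint = $null
            Subject    = $null
            Applied    = $false
            Error      = $_.Exception.Message
        }
    }
}

$results | Format-Table -Property Server, Applied, Thumbprint, Subject, Error -AutoSize
```

Because the thumbprint comes straight from the certificate object there is no header to trim, and the read-back check catches the case where the Set call is accepted but the value does not stick. One caveat to keep in mind: the Remote Desktop service runs as NETWORK SERVICE and needs Read access to the chosen certificate's private key, so if Applied is true but clients still receive the old certificate, check the private-key permissions before anything else.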
