By no means is this a unique idea, but here is my version... :)
The problem is trying to validate a certificate on a secure port which you cannot browse to.
For example, Lync services can run on port 5061, and you will not be able to browse to that... at least I never was able to :)
Anyway, here is a quick PowerShell script that does it for you and gives you back some information on the certificate.
Copy and paste from here:
param(
    [parameter(Mandatory=$true)][string]$computername,
    [parameter(Mandatory=$true)][int]$port
)
# Create a TCP socket to the computer and port number. New-Object throws when the
# connection fails, so catch that rather than testing the variable afterwards.
try
{
    $tcpsocket = New-Object Net.Sockets.TcpClient($computername, $port)
}
catch
{
    Write-Error "Error Opening Connection: $port on $computername Unreachable ($($_.Exception.Message))"
    exit 1
}
try
{
    # Socket got connected; get the TCP stream ready to read the certificate
    Write-Host "Successfully Connected to $computername on $port" -ForegroundColor Green -BackgroundColor Black
    $tcpstream = $tcpsocket.GetStream()
    Write-Host "Reading SSL Certificate...." -ForegroundColor Yellow -BackgroundColor Black
    # Create an SSL connection ($false = close the inner stream when this one is closed)
    $sslStream = New-Object System.Net.Security.SslStream($tcpstream, $false)
    # Force the SSL connection to send us the certificate. The handshake validates it
    # against the local trust store, so an untrusted (e.g. self-signed) certificate throws here.
    $sslStream.AuthenticateAsClient($computername)
    # Read the certificate
    $certinfo = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sslStream.RemoteCertificate)
}
finally
{
    # Always release the SSL stream and the socket, even when the handshake failed
    if ($sslStream) { $sslStream.Dispose() }
    $tcpsocket.Close()
}
$returnobj = New-Object psobject
$returnobj | Add-Member -MemberType NoteProperty -Name "FriendlyName" -Value $certinfo.FriendlyName
$returnobj | Add-Member -MemberType NoteProperty -Name "SubjectName" -Value $certinfo.SubjectName
$returnobj | Add-Member -MemberType NoteProperty -Name "HasPrivateKey" -Value $certinfo.HasPrivateKey
$returnobj | Add-Member -MemberType NoteProperty -Name "EnhancedKeyUsageList" -Value $certinfo.EnhancedKeyUsageList
$returnobj | Add-Member -MemberType NoteProperty -Name "DnsNameList" -Value $certinfo.DnsNameList
$returnobj | Add-Member -MemberType NoteProperty -Name "SerialNumber" -Value $certinfo.SerialNumber
$returnobj | Add-Member -MemberType NoteProperty -Name "Thumbprint" -Value $certinfo.Thumbprint
$returnobj
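The script above aborts on an untrusted certificate, and the usual workaround (a validation callback that always returns $true) hides why a certificate is untrusted. The following is an added example, my own code rather than the blog's, that separates the two concerns: it lets the handshake complete, then validates the chain explicitly and reports the result together with the full chain up to the root. The function name, parameters and output fields are my own choices, and sip.contoso.com is a placeholder host.

```powershell
# Added example (not the blog's script): fetch the leaf certificate from any TLS port,
# then validate it explicitly so an untrusted certificate is reported, not silently trusted.
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [string]$TargetName = $ComputerName   # name to present (SNI) and expect in the cert
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept whatever the server sends so the handshake completes; this is only
        # acceptable here because trust is evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        # Release the stream and socket whether or not the handshake succeeded
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
    # Build the chain against the local trust store with revocation checking; Build()
    # returns $false on any problem and ChainStatus names it (untrusted root, expired, ...)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainValid = $chain.Build($cert)
    # Hostname check: -like treats '*' as a wildcard, which approximates SAN wildcard matching
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatches = [bool]($names | Where-Object { $TargetName -like $_ })
    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        DnsNames           = $names
        NotAfter           = $cert.NotAfter
        DaysUntilExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        Thumbprint         = $cert.Thumbprint
        NameMatches        = $nameMatches
        ChainValid         = $chainValid
        ChainStatus        = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # Leaf first, root CA last
        Chain              = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}
# Placeholder host and the Lync port from the post
Get-RemoteTlsCertificate -ComputerName sip.contoso.com -Port 5061 | Format-List
```

A self-signed or internally issued certificate now comes back with ChainValid set to $false and the reason in ChainStatus, instead of an exception, and NameMatches shows whether the name you connected with is actually covered by the certificate.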
Comments

Anonymous, January 01, 2003
absolutely correct :)

Anonymous, January 01, 2003
sorry you can now :)

Anonymous, June 26, 2014
Would be nice if we could copy or download the script.

Anonymous, June 26, 2014
You can completely skip creating $returnedobj and just return $Certinfo. This saves you like 8 lines of code:
return $Certinfo | Select-Object friendlyname,subjectname,hasprivatekey,EnhancedKeyUsageList,DnsNameList,SerialNumber,Thumbprint

Anonymous, December 19, 2014
This script will fail if you try to download an untrusted certificate (e.g. self-signed). Using a different SslStream constructor will fix this issue:
$sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false, {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return $true
})

Anonymous, August 21, 2015
Thanks!! In case the name of the SSL cert doesn't match the server name, I added an extra parameter for you to provide the CN name of the cert:
param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port,[parameter(Mandatory=$true)][string]$CNname)
Then changed
$sslStream.AuthenticateAsClient($computername) to
$sslStream.AuthenticateAsClient($cnName)

Anonymous, November 05, 2015
I took this and converted it into a script function with pipeline support so you can feed it a whole mess of names.
https://github.com/JustinGrote/Scripts/blob/master/Get-SSLCertificate.ps1

Anonymous, February 08, 2016
Not a biggy, but it may be a good idea to close off the socket as well. I believe there is a dispose() method.

Anonymous, February 10, 2016
thanks for the info. With the comments I managed to get this going. (Before, PS crashed with the self-signed cert of WAS.)

Anonymous, February 10, 2016
any tip on how to get the root one?