Reading a Certificate off a remote SSL Server for Troubleshooting with PowerShell!


By no means is this a unique idea but here is my version…. 🙂

The problem is validating a certificate on a secure port that you cannot browse to!

For example Lync services can run on port 5061 and you will not be able to browse to that … at least I never was able to 🙂

Anyway, here is a quick PowerShell script that does it for you and returns some information about the certificate.


Copy and paste from here


param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port)

#Create a TCP Socket to the computer and a port number
#New-Object throws when the connection fails (it never returns $null), so catch the error instead of testing the variable
try
{
    $tcpsocket = New-Object Net.Sockets.TcpClient($computerName, $port)
}
catch
{
    Write-Error "Error Opening Connection: $port on $computername Unreachable ($($_.Exception.Message))"
    exit 1
}

#Socket got connected, get the tcp stream ready to read the certificate
write-host "Successfully Connected to $computername on $port" -ForegroundColor Green -BackgroundColor Black
$tcpstream = $tcpsocket.GetStream()
Write-host "Reading SSL Certificate..." -ForegroundColor Yellow -BackgroundColor Black
#Create an SSL Connection (default validation: an untrusted or mismatched certificate makes AuthenticateAsClient throw)
$sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false)
#Force the SSL Connection to send us the certificate
$sslStream.AuthenticateAsClient($computerName)

#Read the certificate (copy it into our own object before the stream is closed)
$certinfo = New-Object system.security.cryptography.x509certificates.x509certificate2($sslStream.RemoteCertificate)

#Close the SSL stream and the socket now that the certificate has been copied
$sslStream.Dispose()
$tcpsocket.Close()

#Build an object with the certificate properties worth checking during troubleshooting
$returnobj = new-object psobject
$returnobj |Add-Member -MemberType NoteProperty -Name "FriendlyName" -Value $certinfo.FriendlyName
$returnobj |Add-Member -MemberType NoteProperty -Name "SubjectName" -Value $certinfo.SubjectName
$returnobj |Add-Member -MemberType NoteProperty -Name "HasPrivateKey" -Value $certinfo.HasPrivateKey
$returnobj |Add-Member -MemberType NoteProperty -Name "EnhancedKeyUsageList" -Value $certinfo.EnhancedKeyUsageList
$returnobj |Add-Member -MemberType NoteProperty -Name "DnsNameList" -Value $certinfo.DnsNameList
$returnobj |Add-Member -MemberType NoteProperty -Name "SerialNumber" -Value $certinfo.SerialNumber
$returnobj |Add-Member -MemberType NoteProperty -Name "Thumbprint" -Value $certinfo.Thumbprint
$returnobj
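The following is an added variant of the script above, not the original post's code: it keeps the connection reading even when the certificate is self-signed or does not match the host name (the failure the comments describe), but instead of silently ignoring the problem it records the SslPolicyErrors and the chain .NET built, so the output shows the leaf certificate, what was wrong with it, and the root it chains to. The parameter name $TargetHost and the script-scope variables are my own choices.

```powershell
param(
    [parameter(Mandatory=$true)][string]$ComputerName,
    [parameter(Mandatory=$true)][int]$Port,
    [string]$TargetHost = $ComputerName   # name the certificate is checked against (assumed parameter)
)

$script:policyErrors  = $null
$script:chainElements = @()

# Validation callback: note what .NET thinks of the certificate, then accept it
# so the handshake completes and the certificate can be inspected.
# Suitable only for a diagnostic tool; application code must not accept every certificate.
$callback = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors  = $sslPolicyErrors
    # copy each chain element, because the chain object is disposed after the callback
    $script:chainElements = @($chain.ChainElements | ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.Certificate)
    })
    return $true
}

$tcpClient = $null
$sslStream = $null
try {
    $tcpClient = New-Object Net.Sockets.TcpClient($ComputerName, $Port)
    $sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $callback)
    $sslStream.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sslStream.RemoteCertificate)
}
catch {
    Write-Error "Could not read certificate from ${ComputerName}:${Port}: $($_.Exception.Message)"
    exit 1
}
finally {
    # always release the stream and socket, whether or not the handshake succeeded
    if ($sslStream) { $sslStream.Dispose() }
    if ($tcpClient) { $tcpClient.Close() }
}

# Leaf certificate details, the validation verdict, and the chain (last element is the root when one was found)
[pscustomobject]@{
    Subject      = $leaf.Subject
    Issuer       = $leaf.Issuer
    NotAfter     = $leaf.NotAfter
    DnsNameList  = $leaf.DnsNameList
    Thumbprint   = $leaf.Thumbprint
    PolicyErrors = $script:policyErrors
    Chain        = @($script:chainElements | ForEach-Object { "$($_.Subject) [$($_.Thumbprint)]" })
}
```

PolicyErrors of None means the certificate would have passed normal validation; RemoteCertificateChainErrors or RemoteCertificateNameMismatch tells you why a real client is failing against that port.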


Comments (10)

  1. Anonymous says:

    absolutely correct 🙂

  2. Anonymous says:

    sorry you can now 🙂

  3. Pat Richard says:

    Would be nice if we could copy or download the script.

  4. Pat Richard says:

    You can completely skip creating $returnobj and just return $Certinfo. This saves you like 8 lines of code:
    return $Certinfo | Select-Object friendlyname,subjectname,hasprivatekey,EnhancedKeyUsageList,DnsNameList,SerialNumber,Thumbprint

  5. qbik says:

    This script will fail if you try to download an untrusted certificate (e.g. self-signed). Using a different SslStream constructor will fix this issue:

    $sslStream = New-Object System.Net.Security.SslStream($tcpstream,$false, {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return $true
    })

  6. itismeap says:

    Thanks!! In case the name of the SSL cert doesn’t match the server name, I added an extra parameter for you to provide the CN name of the cert:

    param([parameter(Mandatory=$true)][string]$computername,[parameter(Mandatory=$true)][int]$port,[parameter(Mandatory=$true)][string]$CNname)

    Then changed

    $sslStream.AuthenticateAsClient($computername) to

    $sslStream.AuthenticateAsClient($cnName)

  7. Justin Grote says:

    I took this and converted it into a script function with Pipeline support so you can feed it a whole mess of names.

    https://github.com/JustinGrote/Scripts/blob/master/Get-SSLCertificate.ps1

  8. Andrei Hawke says:

    Not a biggy, but it may be a good idea to close off the socket as well. I believe there is a dispose() method.

  9. TSO says:

    Thanks for the info. With the comments I managed to get this going. (Before, PS crashed with the self-signed cert of WAS.)

  10. TSO says:

    Any tip on how to get the root one?
