Blog‎ > ‎IT‎ > ‎

PowerShell Export SSL certificates

posted Apr 27, 2015, 7:27 PM by Jake Vosloo   [ updated May 11, 2015, 8:42 PM ]
PowerShell doesn't automatically offer to trust a remote server as many SSH clients does instead you have to go through a number of manual steps to be able to connect to an Azure remote server.  After configuring your VM in Azure, its powershell will be configured with a self signed cerificate for the external Azure URL. To be able to connect to this with PowerShell remoting, you must install the certificate into the local computer's trusted root certificates store. 

You can see which certificates is conneted on your computer using:
netsh http show sslcert

Here's a script which extracts a certificate from a port, save it as a file called DownloadCertAndImportRoot.ps1 on and then attempts to import it into the certificate store.

<#
This script retrieves the certificate from an SSL connection, saves the certificate as a file and attempts to import it into the trusted root store.
USAGE:  .\DownloadCertAndImportRoot.ps1 "https://www.google.com"
Adapted from: 
https://bernhardelbl.wordpress.com/2013/03/21/download-and-install-a-certificate-to-your-trusted-root-using-powershell/
#>
param($url)

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} #Bypass Powershell certificate validation, so that we can download any untrusted certificate.
[System.Uri] $u = New-Object System.Uri($url)
[Net.ServicePoint] $sp = [Net.ServicePointManager]::FindServicePoint($u);
[System.Guid] $groupName = [System.Guid]::NewGuid() #allow to quickly close all connections
[Net.HttpWebRequest] $req = [Net.WebRequest]::create($url)
$req.Method = "GET"
$req.Timeout = 600000 # = 10 minutes
$req.ConnectionGroupName = $groupName
# // Set if you need a username/password to access the resource
#$req.Credentials = New-Object Net.NetworkCredential("username", "password");
[Net.HttpWebResponse] $result = $req.GetResponse() #If the server return 404 then you will get an exception here.
$sp.CloseConnectionGroup($groupName) | Out-Null

#Write the certificate to a temp file
$tempfilename = [System.IO.Path]::GetTempFileName() #get a temporary file reference
[System.Byte[]] $data = $sp.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($tempfilename, $data)
Write-Debug "Downloaded to temp file: $tempfilename"

#move the temp file to the local folder for future use.
$outfilename = (Convert-Path .) + "\CertExport.cer"
if(Test-Path $outfilename) { del $outfilename }
mv $tempfilename $outfilename
Write-Host "Certificate saved as: $outfilename"

#Import the certificate into the root certificate store
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
    #CertUtil -addStore Root $outfilename
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store(“Root”,”LocalMachine”)
    $pfx.Import($outfilename)
    $store.Open(“MaxAllowed”)
    $store.Add($pfx)
    $store.Close()
}
else
{
    Write-Host "The script is not running as administrator and cannot automatically import the certificate into the root store. You should Right-click the exported certificate file and install it into the trusted root store."
}


The manual process is:

You can use Chrome or Firefox to download the certificate and then user Windows Explorer or MMC to import it into the certificate store. This only works if you are not using any insecure ports which will be blocked by these browsers...

Open PowerShell and run the following command to confirm that it is failing:
Test-WsMan -Port 5986 -UseSSL YourServerUrl.cloudapp.net

You should get an error stating:
The SSL certificate is signed by an unknown certificate authority.

Now open the server url in chorme:
https://YourServerUrl.cloudapp.net:5986

Access and download the certificate to your local disk.
Right-click the certificate and install it into the trusted root store.
Try the PowerShell command again, it should work now.

References:
Comments