Thursday, November 24, 2016 8:59 PM
Hello all,
I've done some searching and haven't found a solution for this. I did find this posting. Since I have 260 servers that I need to renew certificates on, going through each one at roughly a half hour each is 130 hours, not to mention potential human error building them. I've built a PowerShell script to essentially do the process, but when I tested it in my lab it broke the management point. I'm wondering if anyone else has tackled this or if you see anything wrong with my process. If I figure it out I'll post whatever solution works. Thanks in advance for any help.
$server = $env:COMPUTERNAME
# Enroll both certificates from AD (-Url ldap:) into the machine store; no trailing space in the DNS name
$webcert = Get-Certificate -Template "ConfigmgrWebServerCerts" -CertStoreLocation cert:\LocalMachine\My -DnsName "$server.lab.com" -Url ldap:
$dpcert = Get-Certificate -Template "ConfigmgrDPCert" -CertStoreLocation cert:\LocalMachine\My -DnsName "$server.lab.com" -Url ldap:
# List the certificates issued today (the store must be the current location for NotBefore to exist)
Set-Location cert:\LocalMachine\My
$d = (Get-Date).DayOfYear
dir | ?{$_.NotBefore.DayOfYear -eq $d}
# Both certificates were issued today, so take the DP thumbprint from the enrollment result instead of the date filter
$DPThumbPrint = ($dpcert).Certificate.Thumbprint
$ss = ConvertTo-SecureString -String 'password' -AsPlainText -Force
Export-PfxCertificate -Cert "cert:\LocalMachine\My\$DPThumbPrint" -FilePath "c:\install\$($server)DPKey.pfx" -Password $ss
Import-Module webadministration
# The 443 binding must be https; New-WebBinding defaults to http
New-WebBinding -Name "Default Web Site" -Protocol https -IPAddress "*" -Port 443
Set-Location IIS:\SslBindings
$webprint = ($webcert).Certificate.Thumbprint
# Removing the SSL binding is the step that later turned out to wreck IIS (see the follow-up below)
Get-Item IIS:\SslBindings\0.0.0.0!443 | Remove-Item
Get-Item -Path "cert:\LocalMachine\My\$webprint" | New-Item 0.0.0.0!443
iisreset
#Once I get this working, test the DP PFX import using this cmd
#Set-CMDistributionPoint
Sunday, November 27, 2016 2:34 AM ✅Answered | 1 vote
I was able to solve this entire issue with PowerShell. Two scripts, but it's working and AUTOMATED! Without further ado, here are the two scripts.
#Sam Kachar Final revision, yes I'm sure this time. If you're using this just remember to add WSUS and any other bindings as mentioned above. For the primary with all those roles I did that server manually. This is just for all the DPs that had certs about to expire.
#This script automates renewing 2 certificates. One for the web server and the Distro Point.
#It even binds the new certificate to IIS
#Finally it copies the private key for the DP cert to the primary. Those will have to be harvested with a separate script. This will be deployed via SCCM to all the DPs. First a couple for validation, then a larger group, and finally the remainder.
Import-Module webadministration
$server = $env:COMPUTERNAME
$webcert = Get-Certificate -Template "ConfigmgrWebServerCerts" -CertStoreLocation cert:\LocalMachine\My -DnsName "$server.lab.com" -Url ldap:
sleep -Seconds 10
$dpcert = Get-Certificate -Template "ConfigmgrDPCert" -CertStoreLocation cert:\LocalMachine\My -DnsName "$server.lab.com" -Url ldap:
sleep -Seconds 10
$webprint = ($webcert).Certificate.Thumbprint
$DPThumbPrint = ($dpcert).Certificate.Thumbprint
$ss = ConvertTo-SecureString -String 'password' -AsPlainText -Force
Set-Location "c:\"
mkdir "c:\install\newkey\" -Force | Out-Null
Set-Location cert:\LocalMachine\My
# File name is <hostname>DPKey.pfx, which is what the harvesting script expects
Export-PfxCertificate -Cert $DPThumbPrint -FilePath "c:\install\newkey\$($server)DPKey.pfx" -Password $ss -Force
#now delete the DP Cert out of the store otherwise it will cause problems within SCCM if the local client uses it for auth
Remove-Item "cert:\LocalMachine\My\$DPThumbPrint" -DeleteKey
Set-Location IIS:\SslBindings
$certificate = Get-Item -Path "cert:\LocalMachine\My\$webprint"
$certificate | Set-Item -Path "IIS:\SSLBindings\0.0.0.0!443" -Force
iisreset
#Don't forget to create the share and add domain computers as read/write/modify
Set-Location "C:\install\newkey"
copy *.pfx "\\server\newkeys"
===========================================
#Sam Kachar PFX harvesting
#Load Configuration Manager PowerShell Module
#Need to add some time delays between these commands otherwise the manifest doesn't finish loading in time or
#the psdrive doesn't instantiate in time
#Finally, unlike the GUI, if the certificate you try importing is in use by a DP (they will use it as its client auth) the import
#will fail and you can't click on the "I know its use button, go ahead anyways". So my other script deletes the cert after it
#enrolls, exports, and copies it to the primary.
#One other vital piece I learned is this module can be loaded by SYSTEM but can't be used properly. Meaning you can't load the
#SCCM site provider unless you're using a normal admin user account. Don't know why, and after this much work I don't care. Perhaps
#someone with more knowledge than I could speak on that one...so with that being the case, after you deploy the other script
#this script is used to harvest all of the PFX files and assign them to DPs. Without them you wouldn't have OSD or be able to
#send status messages from the DP to the primary.
Import-module ($Env:SMS_ADMIN_UI_PATH.Substring(0,$Env:SMS_ADMIN_UI_PATH.Length-5) + '\ConfigurationManager.psd1')
sleep -Seconds 5
#Get SiteCode
$SiteCode = Get-PSDrive -PSProvider CMSITE
sleep -Seconds 5
Set-location $SiteCode":"
sleep -Seconds 5
#Set-CMDistributionPoint -Name 'serverdp.lab.com' -SiteCode 'LAB' -CertificatePath "C:\install\newkeys\server2DPKey.pfx" -CertificatePassword "$(ConvertTo-SecureString -String 'password' -AsPlainText -Force)"
#Set-CMDistributionPoint -Name 'server02.lab.com' -SiteCode 'LAB' -CertificatePath "C:\install\newkeys\server02DPKey.pfx" -CertificatePassword $ss
#This works as long as the DP isn't using the cert currently for auth and you run this as a normal user i.e. not system...will also need to add a foreach to rip through the entire list, but this worked for the POC.
$ss = ConvertTo-SecureString -String 'password' -AsPlainText -Force
Get-CMDistributionPoint -SiteSystemServerName server02.lab.com | Set-CMDistributionPoint -CertificatePath 'C:\install\newkeys\server02DPKey.pfx' -CertificatePassword $ss -ErrorAction SilentlyContinue
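The foreach pass the harvesting script still lacks, as an added example that is not the thread's own code: it walks every <hostname>DPKey.pfx in the key folder, resolves the DP from the file name, imports the PFX and records the outcome per server instead of silencing errors. The folder path, template, DNS suffix and file-name pattern are taken from the thread; `$KeyShare` and `$LogPath` are placeholders and the PFX password is prompted for rather than hard-coded.

```powershell
# Added example (not the thread's script): import every harvested DP PFX and log the result.
Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

$KeyShare  = 'C:\install\newkeys'             # placeholder: folder the DP script copies PFX files into
$DnsSuffix = 'lab.com'                        # DNS suffix used by the thread's Get-Certificate calls
$LogPath   = 'C:\install\newkeys\import.log'  # placeholder: per-server result log

# Ask for the PFX password at run time; the object must be a SecureString, not a quoted "$ss" string,
# which is exactly what the CannotConvertArgument error elsewhere in the thread complains about.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$results = foreach ($pfx in Get-ChildItem -Path $KeyShare -Filter '*DPKey.pfx') {
    # File name is <hostname>DPKey.pfx, so strip the suffix to recover the host name.
    $hostName = $pfx.BaseName -replace 'DPKey$', ''
    $fqdn     = "$hostName.$DnsSuffix"

    $dp = Get-CMDistributionPoint -SiteSystemServerName $fqdn -SiteCode $SiteCode.Name
    if (-not $dp) {
        # Keep going: a stray PFX should not abort the run for the other DPs.
        [pscustomobject]@{ Server = $fqdn; Status = 'NoSuchDP'; Error = '' }
        continue
    }
    try {
        $dp | Set-CMDistributionPoint -CertificatePath $pfx.FullName -CertificatePassword $PfxPassword -ErrorAction Stop
        [pscustomobject]@{ Server = $fqdn; Status = 'Imported'; Error = '' }
    } catch {
        # Typical cause per the thread: the DP still uses this certificate for client auth.
        [pscustomobject]@{ Server = $fqdn; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

# Write the log and show the summary; 'Failed' rows are the servers to revisit by hand.
$results | Tee-Object -FilePath $LogPath | Format-Table -AutoSize
```

Run it under a user account that is a ConfigMgr administrator, as the thread notes the site provider does not load usefully under SYSTEM.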
Friday, November 25, 2016 5:41 AM
Hi,
I saw that you have renewed web certificate and PXE DP certificate.
But I can't see that you tried to renew the client certificate in your certificate store at the same time.
You also need to bind the web certificate to WSUS Administration, port 8531, through web binding.
Best Regards,
Ray
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, November 25, 2016 6:45 PM
Hi Ray, thanks for the reply. For my prod env. I manually took care of the certificates including IIS. It was in the lab where I tried running this script, and am testing it. I managed to get the script to successfully renew both certificates and bind properly. The guides I had come across gave some really bad advice. Running the remove-item completely wrecks your IIS instance. To handle that I built this new script that takes care of every single step with one exception. I can't figure out how to import the PFX cert into the SCCM env. If I have to I suppose I can import them manually, but even at 3 minutes each that's 8 hours of work. So it'd be worthwhile for me to do a little more digging. I tried using the set-cmdistributionpoint cmdlet, which has parameters for both PFX and password, but it fails.
If anyone needs it, here is the script that works properly for updating your infrastructure. Again, keep in mind this isn't for building a new infra, but updating it because the certs are or have expired (I'd hope you run it before they expire).
#Sam Kachar 4th revision. The only piece left to validate is the separate script for PK import.
#I've tested this entire script as SYSTEM and intend on deploying to my DPs via SCCM...so testing as SYSTEM was key.
#This script automates renewing 2 certificates. One for the web server and the Distro Point.
#It even binds the new certificate to IIS
#Finally it copies the private key for the DP cert to the primary. Those will have to be harvested with a separate script.
Import-Module webadministration
$server = $env:COMPUTERNAME
$webcert = Get-Certificate -Template "ConfigmgrWebServerCerts" -CertStoreLocation cert:\LocalMachine\My -DnsName "$server.lab.com" -Url ldap:
sleep -Seconds 10
$dpcert = Get-Certificate -Template "ConfigmgrDPCert" -CertStoreLocation cert:\LocalMachine\My -DnsName "$server.lab.com" -Url ldap:
sleep -Seconds 10
$webprint = ($webcert).Certificate.Thumbprint
$DPThumbPrint = ($dpcert).Certificate.Thumbprint
$ss = ConvertTo-SecureString -String 'password' -AsPlainText -Force
Set-Location "c:\"
mkdir "c:\install\newkey\" -Force | Out-Null
Set-Location cert:\LocalMachine\My
Export-PfxCertificate -Cert $DPThumbPrint -FilePath "c:\install\newkey\$($server)DPKey.pfx" -Password $ss -Force
Set-Location IIS:\SslBindings
$certificate = Get-Item -Path "cert:\LocalMachine\My\$webprint"
$certificate | Set-Item -Path "IIS:\SSLBindings\0.0.0.0!443" -Force
iisreset
#Don't forget to create the share and add domain computers as read/write/modify
Set-Location "C:\install\newkey"
copy *.pfx "\\primaryserver\newkeys"
The cmdlet I tried to import the cert into the primary was the following:
$ss = ConvertTo-SecureString -String 'password' -AsPlainText -Force
Set-CMDistributionPoint -Name DPServer.lab.com -CertificatePath "C:\install\newkeys\DPKey.pfx" -CertificatePassword $ss
This fails with the following error.
Set-CMDistributionPoint : Cannot bind parameter 'CertificatePassword'. Cannot convert the
"System.Security.SecureString" value of type "System.String" to type "System.Security.SecureString".
At line:1 char:137
+ ... ficatePassword "$ss"
+                    ~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-CMDistributionPoint], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ConfigurationManagement.Cmdlets.HS.Commands.SetDistributionPointCommand
If anyone has any idea how I could import the private key I'd really appreciate it. At the very least my script can help people renew their certificates and web binding.
Cheers,
-Sam Kachar
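The in-place binding step this revision settled on, plus the WSUS 8531 binding Ray mentioned, as an added example that is not the thread's own code: a function that checks the renewed certificate (private key present, Server Authentication EKU) and swaps it behind an existing SSL binding with Set-Item, never removing the binding. Template, site name, ports and DNS suffix come from the thread; the 'WSUS Administration' site name is assumed and only exists on the server hosting the SUP.

```powershell
# Added example (not the thread's script): verify the renewed certificate, then re-point the
# SSL binding in place. Remove-Item on IIS:\SslBindings is what the thread found breaks IIS.
Import-Module WebAdministration

function Set-HttpsCertBinding {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $cert = Get-Item -Path "cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key in LocalMachine\My" }
    # If the certificate carries an EKU extension it must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
        throw "$Thumbprint lacks the Server Authentication EKU"
    }
    # Create the https binding on the site only if it is missing; the existing one is never removed.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -IPAddress '*' -Port $Port
    }
    # Set-Item replaces the certificate behind the SSL binding without tearing the binding down.
    $cert | Set-Item -Path "IIS:\SslBindings\0.0.0.0!$Port" -Force
    # Return what IIS now reports so the caller can confirm the swap took effect.
    (Get-Item -Path "IIS:\SslBindings\0.0.0.0!$Port").Thumbprint
}

# Enroll the web-server certificate as the thread does, but check the enrollment status
# instead of relying on a fixed sleep.
$req = Get-Certificate -Template 'ConfigmgrWebServerCerts' -CertStoreLocation cert:\LocalMachine\My `
                       -DnsName "$env:COMPUTERNAME.lab.com" -Url ldap:
if ($req.Status -ne 'Issued') { throw "Enrollment status is $($req.Status), not Issued" }
$print = $req.Certificate.Thumbprint

Set-HttpsCertBinding -SiteName 'Default Web Site' -Port 443 -Thumbprint $print
# Ray's point: the WSUS administration site on 8531 needs the same certificate (SUP servers only).
if (Get-Website -Name 'WSUS Administration' -ErrorAction SilentlyContinue) {
    Set-HttpsCertBinding -SiteName 'WSUS Administration' -Port 8531 -Thumbprint $print
}
```

Compare the returned thumbprint with `$print` before running iisreset; a mismatch means the binding still points at the old certificate.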
Sunday, December 4, 2016 9:32 PM
I ran into an issue with this deployment process. While it works, and the script to harvest the private keys works, the 4 servers I deployed it to are no longer updating their SCEP/Win Defender definitions. Content is replicating to the DPs without issue, but inside the DTS log I'm getting code 600 WebDAV errors. Since I can't reboot these servers whenever I want I thought that might be the culprit, but after reboot SCEP is still throwing errors in the DTS log. It did work in the lab OK, so the only thing I can think of is the process is running as the computer when it runs the script. That's where I think the problem is coming in. When I renew the certs manually using my user account the servers seem to work fine, and I think it's because my user account is an SCCM administrator whereas the server is not.
I'd be interested to hear from someone on the topic. I manually updated 50 servers and I used my PFX harvesting script for the private key import into SCCM. Those servers aren't throwing the same DTS errors. Everything on the 2012 servers that I deployed the PowerShell script to worked. It bound the certs to IIS and everything appears fine, but SCEP just won't download properly.
I'm going to manually update 3 2012 servers tonight and see if they have the same issue that the deployment had. Perhaps it's a 2012 thing. IDK.
Just really frustrating after spending all that time writing that script from the ground up and having it not work. Well, at least the harvest script works.