Last active
April 28, 2021 14:48
-
-
Save Zsoldier/6bc08e6d42b625dcaf7890733ab64048 to your computer and use it in GitHub Desktop.
Allows you to pull down a remote systems SSL certificate regardless of whether it's trusted or not. This was made for Powershell Core, so should work on any platform than runs PS Core. No ServicePoint required. Specifically created to pull down and convert a vCenter's SSL Cert and convert to SHA256 thumbprint for registration to NSX-T.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Get-SSLCert{ | |
| [CmdletBinding()] | |
| <# | |
| .SYNOPSIS | |
| Gets SSL certificate of remote system. | |
| .DESCRIPTION | |
| Gets SSL certificate of remote system in order to get it's thumbprint. | |
| .EXAMPLE | |
| Get-SSLCert tech.zsoldier.com | |
| Returns the certificate as object. | |
| .EXAMPLE | |
| Get-SSLCert tech.zsoldier.com -SHA256Thumbprint | |
| This will simply output the certificates thumbprint as SHA256 format replacing "-" with ":". | |
| Made to enable capturing a vCenter certificate's thumbprint in SHA256 format to register in NSX-T as a compute manager. | |
| .PARAMETER SHA256Thumbprint | |
| Captures certificate and outputs SHA256 formatted thumbprint. Defaults to false. | |
| .PARAMETER URI | |
| Required string value can be DNS or IP Address. | |
| .PARAMETER Port | |
| Define the port to connect to. 443 is default, can be modified to match endpoints actual port for SSL communications. | |
| Port 636 is met w/ mixed results, unsure why this has issues. Try using 3389 instead to get cert. | |
| .PARAMETER DownloadCert | |
| Downloads the target's cert to current path. | |
| .NOTES | |
| Authored by: K. Chris Nakagaki | |
| https://tech.zsoldier.com | |
| #> | |
| param ( | |
| [Parameter(Mandatory=$true)] | |
| [ValidateNotNullOrEmpty] | |
| [string] | |
| $URI, | |
| [Parameter(Mandatory=$false)] | |
| [switch] | |
| $SHA256Thumbprint=$false, | |
| [int] | |
| $Port = 443, | |
| [switch] | |
| $DownloadCert | |
| ) | |
| $Certificate = $null | |
| $TcpClient = New-Object -TypeName System.Net.Sockets.TcpClient | |
| try | |
| { | |
| $TcpClient.Connect($URI, $Port) | |
| $TcpStream = $TcpClient.GetStream() | |
| $Callback = { param($sender, $cert, $chain, $errors) return $true } | |
| $SslStream = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @($TcpStream, $true, $Callback) | |
| try | |
| { | |
| $SslStream.AuthenticateAsClient($URI) | |
| $Certificate = $SslStream.RemoteCertificate | |
| } | |
| finally | |
| { | |
| $SslStream.Dispose() | |
| } | |
| } | |
| finally | |
| { | |
| $TcpClient.Dispose() | |
| } | |
| if ($Certificate) { | |
| if ($Certificate -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) { | |
| $Certificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate | |
| } | |
| $SHA256 = [Security.Cryptography.SHA256]::Create() | |
| $Bytes = $Certificate.GetRawCertData() | |
| $HASH = $SHA256.ComputeHash($Bytes) | |
| $thumbprint = [BitConverter]::ToString($HASH).Replace('-',':') | |
| Switch ($SHA256Thumbprint) | |
| { | |
| $false | |
| { | |
| Write-Output $Certificate | |
| } | |
| $true | |
| { | |
| Write-Output $thumbprint | |
| } | |
| } | |
| Switch ($DownloadCert) | |
| { | |
| $false | |
| { | |
| Write-Output $Certificate | |
| } | |
| $true | |
| { | |
| $randomnum = Get-Random | |
| $subjectname = $Certificate.subject.replace("C=","").replace("CN=","").replace(",","") | |
| $randomfilename = ($subjectname + $randomnum + ".cer") | |
| $directory = (Get-Location).path | |
| [System.IO.File]::WriteAllBytes(($directory + "/" + $randomfilename),$Certificate.RawData) | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment