Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A post-renewal script for Certify that replaces the Remote Desktop Gateway certificate.
<#
Replace-RDGatewayCertificate.ps1
by Colin Cogle <colincogle@startmail.com>
This program is free software: you can redistribute it and/or modify it under the terms
of the GNU General Public License as published by the Free Software Foundation, either
version 3 of the License. This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program.
If not, see <https://www.gnu.org/licenses/gpl-3.0.en.html>.
#>
<#
.SYNOPSIS
This post-flight script for Certify replaces the Remote Desktop Gateway certificate.
.DESCRIPTION
This script is meant to be called after a renewal by Certify 3. If a certificate was successfully
issued by and retrieved from Let's Encrypt, this will assign it to Remote Desktop Gateway.
.PARAMETER result
The certificate information returned by Certify.
.COMPONENT
RemoteDesktopServices
.LINK
https://gist.github.com/rhymeswithmogul/1cf289ab5affa35b02f664c0a359be57
.NOTES
This worked for me on Server 2012 R2. However, this script is provided as-is.
If you have a full-blown 2012/2016 Remote Desktop deployment, then you'll be able to use the example
on Certify's GitHub page to change the certificate (with the RemoteDesktop\Set-RDCertificate cmdlet).
This script is useful if you've installed only the Remote Desktop Gateway role, or if you're on a
downlevel version of Windows Server.
#>
Param(
[Parameter(Mandatory=$true)]$result
)
# Did the renewal succeed? If not, stop.
If (-Not $result.IsSuccess) {
Exit
}
# Call a 64-bit PowerShell session.
# Modules like RemoteDesktopServices are not available in 32-bit instance.
# See also: https://github.com/webprofusion/certify/blob/master/docs/Request%20Script%20Hooks.md
. "${env:windir}\sysnative\WindowsPowerShell\v1.0\powershell.exe" -Args $result -Command {
$result = $args[0]
# Check and see if the Remote Desktop Services PowerShell module is available.
# We'll use it if we can -- it's simpler.
$RDSPath = "RDS:\GatewayServer\SSLCertificate\Thumbprint"
Import-Module -Name RemoteDesktopServices -ErrorAction SilentlyContinue
If (Test-Path -Path $RDSPath) {
Set-Item -Path $RDSPath -Value ($result.ManagedItem.CertificateThumbprintHash)
}
Else {
# The RDS PowerShell module must not be available, so let's go through WMI.
# First, though, we need to convert the thumbprint from a string into a byte array.
# Special thanks to: http://www.beefycode.com/post/Convert-FromHex-PowerShell-Filter.aspx
$ByteArray = (($result.ManagedItem.CertificateThumbprintHash) -Split "(?<=\G\w{2})(?=\w{2})" | ForEach {[Convert]::ToByte($_,16)})
# I found out after significant poking and prodding that the settings are stored here,
# and though you can *read* the CertHash, the SetCertificate() method is the only way to change it.
$wmi = (Get-WmiObject -Class "Win32_TSGatewayServerSettings" -Namespace "root\cimv2\terminalservices")
$wmi.SetCertificate($ByteArray)
}
# Changes don't take effect until the service is restarted, but this will temporarily disconnect
# all connected users. Comment this line if you don't want that to happen automatically.
Restart-Service -Name TSGateway -Force
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.