Instantly share code, notes, and snippets.

Embed
What would you like to do?
A post-renewal script for Certify that replaces the Remote Desktop Gateway certificate.
<#
Replace-RDGatewayCertificate.ps1
by Colin Cogle <colincogle@startmail.com>
This program is free software: you can redistribute it and/or modify it under the terms
of the GNU General Public License as published by the Free Software Foundation, either
version 3 of the License. This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program.
If not, see <https://www.gnu.org/licenses/gpl-3.0.en.html>.
#>
<#
.SYNOPSIS
This post-flight script for Certify replaces the Remote Desktop Gateway certificate.
.DESCRIPTION
This script is meant to be called after a renewal by Certify 3. If a certificate was successfully
issued by and retrieved from Let's Encrypt, this will assign it to Remote Desktop Gateway.
.PARAMETER result
The certificate information returned by Certify.
.COMPONENT
RemoteDesktopServices
.LINK
https://gist.github.com/rhymeswithmogul/1cf289ab5affa35b02f664c0a359be57
.NOTES
This worked for me on Server 2012 R2. However, this script is provided as-is.
If you have a full-blown 2012/2016 Remote Desktop deployment, then you'll be able to use the example
on Certify's GitHub page to change the certificate (with the RemoteDesktop\Set-RDCertificate cmdlet).
This script is useful if you've installed only the Remote Desktop Gateway role, or if you're on a
downlevel version of Windows Server.
#>
Param(
[Parameter(Mandatory=$true)]$result
)
# Did the renewal succeed? If not, stop.
If (-Not $result.IsSuccess) {
Exit
}
# Call a 64-bit PowerShell session.
# Modules like RemoteDesktopServices are not available in 32-bit instance.
# See also: https://github.com/webprofusion/certify/blob/master/docs/Request%20Script%20Hooks.md
. "${env:windir}\sysnative\WindowsPowerShell\v1.0\powershell.exe" -Args $result -Command {
$result = $args[0]
# Check and see if the Remote Desktop Services PowerShell module is available.
# We'll use it if we can -- it's simpler.
$RDSPath = "RDS:\GatewayServer\SSLCertificate\Thumbprint"
Import-Module -Name RemoteDesktopServices -ErrorAction SilentlyContinue
If (Test-Path -Path $RDSPath) {
Set-Item -Path $RDSPath -Value ($result.ManagedItem.CertificateThumbprintHash)
}
Else {
# The RDS PowerShell module must not be available, so let's go through WMI.
# First, though, we need to convert the thumbprint from a string into a byte array.
# Special thanks to: http://www.beefycode.com/post/Convert-FromHex-PowerShell-Filter.aspx
$ByteArray = (($result.ManagedItem.CertificateThumbprintHash) -Split "(?<=\G\w{2})(?=\w{2})" | ForEach {[Convert]::ToByte($_,16)})
# I found out after significant poking and prodding that the settings are stored here,
# and though you can *read* the CertHash, the SetCertificate() method is the only way to change it.
$wmi = (Get-WmiObject -Class "Win32_TSGatewayServerSettings" -Namespace "root\cimv2\terminalservices")
$wmi.SetCertificate($ByteArray)
}
# Changes don't take effect until the service is restarted, but this will temporarily disconnect
# all connected users. Comment this line if you don't want that to happen automatically.
Restart-Service -Name TSGateway -Force
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment