Continuing my previous post, I want to discuss certificate installation. As you know, certificate enrollment generally consists of several steps:

  • Certificate Request generation;
  • Certificate Request submission to Certification Authority;
  • Certificate Request response (certificate signed by CA) installation;

In the previous post I demonstrated how a certificate request can be created using native PowerShell capabilities. Because the CA server cannot be contacted directly from the managed client, you have to transfer the request and submit it to the Certification Authority manually.

When you create a certificate request, it is placed in the Certificate Enrollment Requests container (in the Certificates snap-in). This request waits for the signed public part of the certificate. When the public part is signed by the external authority, the signed certificate must be installed into the local store. The installation process consists of two steps:

  • "Stick" the response to the pending request;
  • Move the signed certificate, together with its private key, from the Certificate Enrollment Requests container to Personal.

The following script installs the certificate request response as described and launches the MOMCertImport.exe utility to configure the OpsMgr Agent to use this certificate. The script uses CryptoAPI COM interfaces, so, as mentioned in the previous post, Windows XP and Windows Server 2003 are not supported by it. In fact, the CertReq.exe utility uses the same interfaces to do its work. The script requires two mandatory parameters:

  1. The path to the certificate signed by the external CA;
  2. The local or UNC path to the folder containing the MOMCertImport utility.

```powershell
#####################################################################
# Install-OpsMgrCertificate.ps1
# Version 1.0
#
# Installs and configures response from Certification Authority for OpsMgr
# managed client
#
# Vadims Podans (c) 2010
# http://en-us.sysadmins.lv/
#####################################################################
#requires -Version 2.0

function Install-OpsMgrCertificate {
<#
.Synopsis
    Installs and configures response from Certification Authority for OpsMgr
    managed client.
.Description
    Installs Certification Authority response for OpsMgr certificate request and
    configures OpsMgr to use installed certificate.
.Parameter CertPath
    Specifies path to issued certificate.
.Parameter MOMCertImportPath
    Specifies path to a folder where MOMCertImport.exe utility is located.
.EXAMPLE
    Install-OpsMgrCertificate C:\OpsMgrCert.cer \\server\share

    Installs certificate from C:\OpsMgrCert.cer and runs MOMCertImport utility
    to configure OpsMgr to use installed certificate.
#>
[CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$CertPath,
        [Parameter(Mandatory = $true, Position = 1)]
        [string]$MOMCertImportPath
    )
    # compare the major version number. The version string (e.g. "6.1.7601") is
    # parsed as [version]; comparing its first character against an integer
    # never triggers the check
    $OS = [version](Get-WmiObject Win32_OperatingSystem).Version
    if ($OS.Major -lt 6) {
        Write-Warning "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"
        return
    }
    # get managed computer FQDN. GetCurrentDomain() throws on a workgroup
    # computer; in that case the NetBIOS name is used
    try {
        $domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
        $fqdn = $env:COMPUTERNAME + "." + $domain
    } catch {
        $fqdn = $env:COMPUTERNAME
    }
    # instantiate X509Certificate2 object to store response from CA.
    # Resolve-Path turns a relative path into a full one, because the .NET
    # Import method resolves relative paths against the process working
    # directory, not the current PowerShell location
    try {
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2
        $cert.Import((Resolve-Path $CertPath -ErrorAction Stop).Path)
    } catch {Write-Warning "Specified file is not valid certificate. Aborting"; throw}
    # currently I don't know how to use byte array (DER byte encoded certificate)
    # in CryptoAPI Interfaces, so I convert byte array (that is stored in
    # RawData property) to Base64 encoded string using standard .NET converter.
    $Base64 = [System.Convert]::ToBase64String($cert.RawData)
    # instantiate IX509Enrollment COM object:
    # http://msdn.microsoft.com/en-us/library/aa377809(VS.85).aspx
    $Response = New-Object -ComObject X509Enrollment.CX509Enrollment
    # initialize object in LocalMachine context (ContextMachine = 0x2)
    $Response.Initialize(0x2)
    # install certificate to initialized context. The method looks up the matching
    # request in the Certificate Enrollment Requests container of the LocalMachine
    # store. Arguments: AllowUntrustedRoot (0x4), Base64 certificate,
    # XCN_CRYPT_STRING_BASE64 (0x1), empty password
    $Response.InstallResponse(0x4,$Base64,0x1,"")
    # locate MOMCertImport utility. -ErrorAction Stop turns the non-terminating
    # Get-Item error into one that the catch block sees
    try {Get-Item "$MOMCertImportPath\MOMCertImport.exe" -ErrorAction Stop | Out-Null}
    catch {Write-Warning "Unable to find MOMCertImport.exe in specified directory. Aborting"; throw}
    # and configure OpsMgr Agent to use installed certificate. The executable path
    # and its arguments are passed separately; a single quoted string would be
    # treated as one (nonexistent) command name
    & "$MOMCertImportPath\MOMCertImport.exe" /SubjectName $fqdn
}
```
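The script above does not verify that the issued certificate actually matches a pending request before calling InstallResponse, nor that the two installation steps described earlier (attaching the response, moving the certificate with its private key to Personal) completed. The following functions, an added example that is not part of the original post and not OpsMgr's or CertReq's own code, add those checks around the script: Find-PendingRequest locates the matching entry in the Certificate Enrollment Requests container by public key, and Test-OpsMgrCertificate confirms the installed certificate is in LocalMachine\My with its private key, carries the agent FQDN as subject, chains to a trusted root, has the Server and Client Authentication EKUs OpsMgr requires, and that the pending request has been consumed. Function names, the $RequiredEku default and the sample paths in the usage comments are my own assumptions; the platform assumption (Vista or later, PowerShell 2.0) is the same as the script's.

```powershell
# Added example, not part of the original post: pre- and post-install checks
# around the InstallResponse step. Function names are my own; nothing here is
# OpsMgr's or CertReq's API. Assumes the same Vista+/PowerShell 2.0 platform
# as the script above.
#requires -Version 2.0

function Import-CertificateFile {
    # Loads a DER or Base64 certificate file. Resolve-Path makes a relative
    # path safe, since X509Certificate2.Import uses the .NET working directory,
    # not the PowerShell location.
    param ([Parameter(Mandatory = $true)][string]$CertPath)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import((Resolve-Path $CertPath -ErrorAction Stop).Path)
    $cert
}

function Find-PendingRequest {
    # Returns the entry in the LocalMachine "Certificate Enrollment Requests"
    # container (the REQUEST store) whose public key matches the issued
    # certificate, or $null. A pending request is kept there as a self-signed
    # placeholder that carries the requested public key and owns the private key.
    param ([Parameter(Mandatory = $true)][string]$CertPath)
    $issuedKey = [System.Convert]::ToBase64String((Import-CertificateFile $CertPath).GetPublicKey())
    $store = New-Object Security.Cryptography.X509Certificates.X509Store "REQUEST", "LocalMachine"
    $store.Open("ReadOnly")
    try {
        foreach ($req in $store.Certificates) {
            if ([System.Convert]::ToBase64String($req.GetPublicKey()) -eq $issuedKey) { return $req }
        }
        $null
    } finally { $store.Close() }
}

function Test-OpsMgrCertificate {
    # Verifies the outcome of Install-OpsMgrCertificate: the issued certificate
    # sits in LocalMachine\My with its private key, its subject is the agent
    # FQDN, it chains to a trusted root, it carries the Server Authentication
    # and Client Authentication EKUs, and the pending request is gone.
    # Returns $true when every check passes; each failure is written as a warning.
    param (
        [Parameter(Mandatory = $true)][string]$CertPath,
        [Parameter(Mandatory = $true)][string]$ExpectedSubject,
        # assumed default: Server Authentication and Client Authentication OIDs
        [string[]]$RequiredEku = @("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")
    )
    $issued = Import-CertificateFile $CertPath
    $problems = @()
    $cert = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)" -ErrorAction SilentlyContinue
    if ($cert -eq $null) {
        $problems += "certificate $($issued.Thumbprint) is not in LocalMachine\My"
    } else {
        if (-not $cert.HasPrivateKey) { $problems += "no private key is associated with the certificate" }
        if ($cert.GetNameInfo("SimpleName", $false) -ne $ExpectedSubject) {
            $problems += "subject '$($cert.Subject)' does not match $ExpectedSubject"
        }
        # collect the EKU OIDs present on the certificate
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        foreach ($oid in $RequiredEku) { if ($eku -notcontains $oid) { $problems += "missing EKU $oid" } }
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        # offline check of the trust path only; revocation is not consulted here
        $chain.ChainPolicy.RevocationMode = "NoCheck"
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
            $problems += "chain does not build: $status"
        }
    }
    if ((Find-PendingRequest $CertPath) -ne $null) {
        $problems += "pending request is still in the Certificate Enrollment Requests container"
    }
    $problems | ForEach-Object { Write-Warning $_ }
    $problems.Count -eq 0
}

# usage (paths are constructed examples): run Find-PendingRequest before the
# script and expect a request object; run Test-OpsMgrCertificate after it and
# expect $True
# Find-PendingRequest C:\OpsMgrCert.cer
# Install-OpsMgrCertificate C:\OpsMgrCert.cer \\server\share
# Test-OpsMgrCertificate -CertPath C:\OpsMgrCert.cer -ExpectedSubject "$env:COMPUTERNAME.contoso.local"
```

Matching on the public key rather than on the thumbprint is deliberate: the placeholder in the REQUEST store is a different (self-signed) certificate from the one the CA issues, so their thumbprints never agree, while the public key is the one value both must share. Running the post-install check with a $false result before launching MOMCertImport.exe avoids pointing the agent at a certificate it cannot use.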

As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP/Port usage, admin's automation tools, PowerShell! © Flowering Weeds :)
