{"id":1548,"date":"2015-01-04T23:58:31","date_gmt":"2015-01-04T15:58:31","guid":{"rendered":"http:\/\/www.jhouseconsulting.com\/?p=1548"},"modified":"2015-01-05T00:14:32","modified_gmt":"2015-01-04T16:14:32","slug":"script-to-import-and-bind-a-certificate-to-the-default-web-site","status":"publish","type":"post","link":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/2015\/01\/04\/script-to-import-and-bind-a-certificate-to-the-default-web-site-1548","title":{"rendered":"Script to Import and Bind a Certificate to the Default Web Site"},"content":{"rendered":"

\"SSL<\/a>This Powershell script will import and bind a certificate to the Default\u00a0Web Site.\u00a0I use this script for\u00a0Citrix StoreFront and Director deployments, but it’s written to be very flexible and versatile so can be used for other tasks.<\/p>\n

The original idea came from scripts written by Thomas Albaek<\/a> and\u00a0Jerome Quief<\/a>\u00a0for Citrix StoreFront.<\/p>\n

The way I’ve written this script it will actually remove\u00a0any existing certificate bindings first, which is really handy for pushing out updated certificates as I found that other scripts written to do this task would fail when run more than once.<\/p>\n

Review\u00a0the documentation within the script to understand the syntax.<\/p>\n

Here is the \n\tInstall-Certificate.ps1\t(1552 downloads\t)\n<\/a>\n script:<\/p>\n

\r\n<#\r\n  This script will import and bind a certificate to the Default\r\n  Web Site for use with Citrix StoreFront, etc.\r\n\r\n  The original idea came from scripts written by Thomas Albaek and\r\n  Jerome Quief:\r\n  - http:\/\/www.albaek.org\/automatic-installation-of-citrix-storefront-2-6\/\r\n  - https:\/\/jeromequief.wordpress.com\/2014\/06\/11\/storefront-2-5-unattended-install-and-config\/\r\n\r\n  I have enhanced and modernized it. You can either pass parameters\r\n  to it, or hardcode them. The nice thing about this script is that\r\n  it can also be used to remove\/update certificates.\r\n\r\n  Syntax examples:\r\n\r\n    Using hardcoded variables:\r\n      Install-Certificate.ps1\r\n\r\n    Passing parameters:\r\n      Install-Certificate.ps1 -PFXPath:".\\star_jhouseconsulting_com.pfx" -PFXPassword:"notT3LL1ngu" -CertSubject:"CN=*.jhouseconsulting.com"\r\n\r\n    The ExcludeLocalServerCert is optional, and is forced to $True\r\n    if left off. You really never want this set to false, especially\r\n    if using a wildcard certificate. It's there mainly for flexibility.\r\n\r\n    If the password contains a $ sign, you must escape it with the `\r\n    character.\r\n\r\n  Script Name: Install-Certificate.ps1\r\n  Release 1.0\r\n  Written by Jeremy@jhouseconsulting.com 21st December 2014\r\n\r\n  Note: This script has been tested thoroughly on Windows 2012R2\r\n        (IIS 8.5). Due to the cmdlets used I cannot guarantee full\r\n        backward compatibility.\r\n\r\n  A log file will either be written to %windir%\\Temp or to the\r\n  %LogPath% Task Sequence variable if running from an SCCM\\MDT\r\n  Task.\r\n\r\n#>\r\n\r\n#-------------------------------------------------------------\r\nparam([String]$PFXPath,[String]$PFXPassword,[String]$CertSubject,[switch]$ExcludeLocalServerCert)\r\n\r\n# Set Powershell Compatibility Mode\r\nSet-StrictMode -Version 2.0\r\n\r\n$ScriptPath = {Split-Path $MyInvocation.ScriptName}\r\n\r\nif ([String]::IsNullOrEmpty($PFXPath)) {\r\n  $PFXPath = $(&$ScriptPath) + "\\star_jhouseconsulting_com.pfx"\r\n}\r\n\r\nif ([String]::IsNullOrEmpty($PFXPassword)) {\r\n  $PFXPassword = "notT3LL1ngu"\r\n}\r\n\r\nif ([String]::IsNullOrEmpty($CertSubject)) {\r\n  $CertSubject = "CN=*.jhouseconsulting.com"\r\n}\r\n\r\nif (!($ExcludeLocalServerCert.IsPresent)) {\r\n  $ExcludeLocalServerCert = $True\r\n}\r\n\r\n# Set to the Web Site\r\n$sitename = "Default Web Site"\r\n\r\n# Set to the Port number\r\n$port = 443\r\n\r\n#-------------------------------------------------------------\r\n\r\nFunction IsTaskSequence() {\r\n  # This code was taken from a discussion on the CodePlex PowerShell\r\n  # App Deployment Toolkit site. It was posted by mmashwani.\r\n  Try {\r\n      [__ComObject]$SMSTSEnvironment = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction 'SilentlyContinue' -ErrorVariable SMSTSEnvironmentErr\r\n  }\r\n  Catch {\r\n  }\r\n  If ($SMSTSEnvironmentErr) {\r\n    Write-Verbose "Unable to load ComObject [Microsoft.SMS.TSEnvironment]. Therefore, script is not currently running from an MDT or SCCM Task Sequence."\r\n    Return $false\r\n  }\r\n  ElseIf ($null -ne $SMSTSEnvironment) {\r\n    Write-Verbose "Successfully loaded ComObject [Microsoft.SMS.TSEnvironment]. Therefore, script is currently running from an MDT or SCCM Task Sequence."\r\n    Return $true\r\n  }\r\n}\r\n\r\n#-------------------------------------------------------------\r\n\r\n$invalidChars = [io.path]::GetInvalidFileNamechars()\r\n$datestampforfilename = ((Get-Date -format s).ToString() -replace "[$invalidChars]","-")\r\n\r\n# Get the script path\r\n$ScriptPath = {Split-Path $MyInvocation.ScriptName}\r\n$ScriptName = [System.IO.Path]::GetFilenameWithoutExtension($MyInvocation.MyCommand.Path.ToString())\r\n$Logfile = "$ScriptName-$($datestampforfilename).txt"\r\n$logPath = "$($env:windir)\\Temp"\r\n\r\nIf (IsTaskSequence) {\r\n  $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment\r\n  $logPath = $tsenv.Value("LogPath")\r\n\r\n  $UserDomain = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($tsenv.Value("UserDomain")))\r\n  $UserID = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($tsenv.Value("UserID")))\r\n  $UserPassword = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($tsenv.Value("UserPassword")))\r\n}\r\n\r\n$logfile = "$logPath\\$Logfile"\r\n\r\n# Start the logging\r\nStart-Transcript $logFile\r\nWrite-Output "Logging to $logFile"\r\n\r\n#-------------------------------------------------------------\r\n\r\nWrite-Output "Start Certificate Installation"\r\n\r\nWrite-Output "Loading the Web Administration Module"\r\ntry{\r\n    Import-Module webadministration\r\n}\r\ncatch{\r\n    Write-Output "Failed to load the Web Administration Module"\r\n}\r\n\r\nWrite-Output "Deleting existing certificate from Store"\r\ntry{\r\n    $cert = Get-ChildItem cert:\\LocalMachine\\MY | Where-Object {$_.subject -like "$CertSubject*" -AND $_.Subject -notmatch "CN=$env:COMPUTERNAME"}\r\n    $thumbprint = $cert.Thumbprint.ToString()\r\n    If (Test-Path "cert:\\localmachine\\my\\$thumbprint") {\r\n      Remove-Item -Path cert:\\localmachine\\my\\$thumbprint -DeleteKey\r\n    }\r\n}\r\ncatch{\r\n    Write-Output "Unable to delete existing certificate from store"\r\n}\r\n\r\nWrite-Output "Running certutil to import certificate into Store"\r\ntry{\r\n    $ImportError = certutil.exe -f -importpfx -p $PFXPassword $PFXPath\r\n}\r\ncatch{\r\n    Write-Output "certutil failed to import certificate: $ImportError"\r\n}\r\n\r\nWrite-Output "Locating the cert in the Store"\r\ntry{\r\n    If ($ExcludeLocalServerCert) {\r\n      $cert = Get-ChildItem cert:\\LocalMachine\\MY | Where-Object {$_.subject -like "$CertSubject*" -AND $_.Subject -notmatch "CN=$env:COMPUTERNAME"}\r\n    } Else {\r\n      $cert = Get-ChildItem cert:\\LocalMachine\\My | Where-Object {$_.subject -like "$CertSubject*"}\r\n    }\r\n    $thumbprint = $cert.Thumbprint.ToString()\r\n    Write-Output $cert\r\n}\r\ncatch{\r\n    Write-Output "Unable to locate cert in certificate store"\r\n}\r\n\r\nWrite-Output "Removing any existing binding from the site and SSLBindings store"\r\ntry{\r\n  # Remove existing binding form site\r\n  if ($null -ne (Get-WebBinding -Name $sitename | where-object {$_.protocol -eq "https"})) {\r\n    $RemoveWebBinding = Remove-WebBinding -Name $sitename -Port $Port -Protocol "https"\r\n    Write-Output $RemoveWebBinding\r\n  }\r\n  # Remove existing binding in SSLBindings store\r\n  If (Test-Path "IIS:\\SslBindings\0.0.0.0!$port") {\r\n    $RemoveSSLBinding = Remove-Item -path "IIS:\\SSLBindings\0.0.0.0!$port"\r\n    Write-Output $RemoveSSLBinding\r\n  }\r\n}\r\ncatch{\r\n    Write-Output "Unable to remove existing binding"\r\n}\r\n\r\nWrite-Output "Bind your certificate to IIS HTTPS listener"\r\ntry{\r\n  $NewWebBinding = New-WebBinding -Name $sitename -Port $Port -Protocol "https"\r\n  Write-Output $NewWebBinding\r\n  $AddSSLCertToWebBinding = (Get-WebBinding $sitename -Port $Port -Protocol "https").AddSslCertificate($thumbprint, "MY")\r\n  Write-Output $AddSSLCertToWebBinding\r\n}\r\ncatch{\r\n    Write-Output "Unable to bind cert"\r\n}\r\n\r\nWrite-Output "Completed Certificate Installation"\r\n\r\n# Stop logging\r\nStop-Transcript\r\n<\/pre>\n
Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"
This Powershell script will import and bind a certificate to the Default\u00a0Web Site.\u00a0I use this script for\u00a0Citrix StoreFront and Director deployments, but it’s written to be very flexible and versatile so can be used for other tasks. The original idea came from scripts written by Thomas Albaek and\u00a0Jerome Quief\u00a0for Citrix StoreFront. The way I’ve written … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[14,410,401,5],"tags":[403,405,416,406,408,404,402,341,340,407],"class_list":["post-1548","post","type-post","status-publish","format-standard","hentry","category-citrix","category-citrix-director","category-citrix-storefront","category-scripting","tag-bind","tag-certutil","tag-citrix","tag-default-web-site","tag-director","tag-iis","tag-install-certificate","tag-posh","tag-powershell","tag-storefront"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/comments?post=1548"}],"version-history":[{"count":6,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1548\/revisions"}],"predecessor-version":[{"id":1558,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/posts\/1548\/revisions\/1558"}],"wp:attachment":[{"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/media?parent=1548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/categories?post=1548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jhouseconsulting.com\/jhouseconsulting\/wp-json\/wp\/v2\/tags?post=1548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}