The following script downloads the certificate from an SSL-secured web site (HTTPS), creates a .cer file and installs it into the Trusted Root Certification Authorities store of the Local Machine. Additionally, the .cer file is written to the script directory.
Download
http://dl.dropbox.com/u/40751518/CodeSamples/downloadandinstallcertificate.zip
Execute the script
Start PowerShell as Administrator and run the following command:
powershell downloadandinstallcertificate.ps1 https://yourwebsite.com
Source Code
# // first argument is mapped to $url
param($url)
# // accept any server certificate for this session so the handshake also succeeds for untrusted/self-signed certificates
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[System.Uri] $u = New-Object System.Uri($url)
[Net.ServicePoint] $sp = [Net.ServicePointManager]::FindServicePoint($u);
[System.Guid] $groupName = [System.Guid]::NewGuid()
# // create a request
[Net.HttpWebRequest] $req = [Net.WebRequest]::create($url)
$req.Method = "GET"
$req.Timeout = 600000 # = 10 minutes
$req.ConnectionGroupName = $groupName
# // Set if you need a username/password to access the resource
#$req.Credentials = New-Object Net.NetworkCredential("username", "password");
[Net.HttpWebResponse] $result = $req.GetResponse()
$result.Close()
$sp.CloseConnectionGroup($groupName)
# // export the server certificate (DER encoded) next to the script
$fullPathIncFileName = $MyInvocation.MyCommand.Definition
$currentScriptName = $MyInvocation.MyCommand.Name
$currentExecutingPath = $fullPathIncFileName.Replace($currentScriptName, "")
$outfilename = $currentExecutingPath + "Export.cer"
[System.Byte[]] $data = $sp.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outfilename, $data)
Write-Host $outfilename
# // install into Trusted Root Certification Authorities of the Local Machine
CertUtil -addStore Root $outfilename
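The script above disables certificate validation for the whole PowerShell session and trusts whatever certificate the server happens to present. The following added example (not part of the original post) scopes the callback to a single SslStream, prints the certificate details, and refuses to import into LocalMachine\Root unless the thumbprint matches one the operator already knows; the parameters $HostName, $Port, $ExpectedThumbprint and $OutFile are assumptions for this example.

```powershell
# Added example: fetch a server's leaf certificate without touching the global
# ServerCertificateValidationCallback, then pin on an expected thumbprint before import.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [int] $Port = 443,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,   # obtained out-of-band (assumed parameter)
    [string] $OutFile = (Join-Path (Convert-Path .) 'CertExport.cer')
)

$script:captured = $null

# The callback only records the certificate; returning $true here affects this
# SslStream alone, not every later request in the session.
$cb = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:captured = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($HostName)   # performs the TLS handshake (SNI = $HostName)
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

if (-not $script:captured) { throw "No certificate received from ${HostName}:$Port" }
$leaf  = $script:captured
$thumb = $leaf.Thumbprint   # uppercase SHA-1 hex, no separators

Write-Host "Subject:    $($leaf.Subject)"
Write-Host "Issuer:     $($leaf.Issuer)"
Write-Host "Valid:      $($leaf.NotBefore) - $($leaf.NotAfter)"
Write-Host "Thumbprint: $thumb"

# Always keep a DER copy for review, regardless of whether the import happens.
[System.IO.File]::WriteAllBytes($OutFile, $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Pin: import only the certificate the operator expected, never whatever arrived on the wire.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb -ne $expected) {
    throw "Thumbprint mismatch: got $thumb, expected $expected. Certificate saved to $OutFile but NOT imported."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)   # needs an elevated session
try { $store.Add($leaf) } finally { $store.Close() }
Write-Host "Imported $thumb into LocalMachine\Root"
```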
Dude that is… not very powershell-y. You’re using a bunch of net objects directly when there are cmdlets that do that much more efficiently, then you shell out to a native executable.
## Set up variables and objects
$url = "https://yourwebsite.com" # put the URL here if you don't use the param
$filename = [System.IO.Path]::GetTempFileName() # get a temporary file reference
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
## Download the cert file
Invoke-WebRequest -Uri $url -OutFile $filename
$pfx.Import($filename)
$store.Open("MaxAllowed")
$store.Add($pfx)
$store.Close()
## clean up
Remove-Item $filename
Dude your code is…not the same.
You are just doing a simple file download, whereas my code is downloading the certificate of an SSL-secured web site.
It’s there for an example. The point is using certutil.exe is bad form and leads to all sorts of potential issues.
In the real-world scenario it's not there, so your download cmdlet is worthless here. But the point about certutil is better. I will integrate your import snippet.
What do you mean what isn’t there?
I combined the 2 scripts as below and on my blog:
(http://www.jake.vosloo.co/blog/IT/powershellsslazureselfsignedcertificates)
param($url)
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} # Bypass PowerShell certificate validation, so that we can download any untrusted certificate.
[System.Uri] $u = New-Object System.Uri($url)
[Net.ServicePoint] $sp = [Net.ServicePointManager]::FindServicePoint($u);
[System.Guid] $groupName = [System.Guid]::NewGuid() # allows us to quickly close all connections
[Net.HttpWebRequest] $req = [Net.WebRequest]::create($url)
$req.Method = "GET"
$req.Timeout = 600000 # = 10 minutes
$req.ConnectionGroupName = $groupName
# // Set if you need a username/password to access the resource
#$req.Credentials = New-Object Net.NetworkCredential("username", "password");
[Net.HttpWebResponse] $result = $req.GetResponse() # If the server returns 404 you will get an exception here.
$result.Close()
$sp.CloseConnectionGroup($groupName) | Out-Null
# Write the certificate to a temp file
$tempfilename = [System.IO.Path]::GetTempFileName() # get a temporary file reference
[System.Byte[]] $data = $sp.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($tempfilename, $data)
Write-Debug "Downloaded to temp file: $tempfilename"
# Move the temp file to the local folder for future use.
$outfilename = (Convert-Path .) + "\CertExport.cer"
if (Test-Path $outfilename) { Remove-Item $outfilename }
Move-Item $tempfilename $outfilename
Write-Host "Certificate saved as: $outfilename"
# Import the certificate into the root certificate store (requires an elevated session)
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
    #CertUtil -addStore Root $outfilename
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $pfx.Import($outfilename)
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()
}
else
{
    Write-Host "The script is not running as administrator and cannot automatically import the certificate into the root store. You should right-click the exported certificate file and install it into the trusted root store."
}