Download and Install a Certificate to your Trusted Root using Powershell

The following script downloads the certificate presented by an SSL/TLS-secured web site (HTTPS), writes it to a .cer file in the script directory, and installs it into the Trusted Root Certification Authorities store of the Local Machine.

Download

http://dl.dropbox.com/u/40751518/CodeSamples/downloadandinstallcertificate.zip

Execute the script

Start PowerShell as Administrator and run the following command…

powershell downloadandinstallcertificate.ps1 https://yourwebsite.com

Source Code

# First argument is mapped to $url
param($url)

# Accept any server certificate so an untrusted (e.g. self-signed) certificate can be
# retrieved. Note: this callback is process-wide and stays in effect until the
# PowerShell session ends or it is reset to $null.
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

[System.Uri] $u = New-Object System.Uri($url)
[Net.ServicePoint] $sp = [Net.ServicePointManager]::FindServicePoint($u)

# A unique connection group so the connection can be closed afterwards
[System.Guid] $groupName = [System.Guid]::NewGuid()

# Create the request; the TLS handshake populates $sp.Certificate
[Net.HttpWebRequest] $req = [Net.WebRequest]::Create($url)
$req.Method = "GET"
$req.Timeout = 600000 # = 10 minutes
$req.ConnectionGroupName = $groupName

# Set if you need a username/password to access the resource
#$req.Credentials = New-Object Net.NetworkCredential("username", "password")

[Net.HttpWebResponse] $result = $req.GetResponse()
$result.Close()

$sp.CloseConnectionGroup($groupName)

# Export.cer is written next to the script
$fullPathIncFileName = $MyInvocation.MyCommand.Definition
$currentScriptName = $MyInvocation.MyCommand.Name
$currentExecutingPath = $fullPathIncFileName.Replace($currentScriptName, "")
$outfilename = $currentExecutingPath + "Export.cer"

# Export the server certificate as DER (.cer) and write it to disk
[System.Byte[]] $data = $sp.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outfilename, $data)
Write-Host $outfilename

# Install into the Local Machine Trusted Root store (requires an elevated prompt)
CertUtil -addStore Root $outfilename
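The script above trusts whatever certificate the server presents and installs it straight into Root. The following added example (not part of the original script) shows the check a practitioner would want in between: it fetches the certificate the same way, prints its subject, issuer and thumbprint, and only imports it when the thumbprint matches one the operator supplies out of band. It also resets the process-wide validation callback and skips the import if the certificate is already present. $Url and $ExpectedThumbprint are assumed parameters.

```powershell
# Added example: fetch a site's certificate, pin it to an expected SHA-1 thumbprint,
# and only then import it into LocalMachine\Root. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][string] $Url,
    [Parameter(Mandatory = $true)][string] $ExpectedThumbprint   # assumed, supplied out of band
)

try {
    # Accept any chain for this one fetch only; the callback is process-wide, so it is reset in finally.
    [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $req = [Net.WebRequest]::Create([System.Uri] $Url)
    $req.Method = 'GET'
    $req.Timeout = 30000
    try { $resp = $req.GetResponse() }
    catch [Net.WebException] { $resp = $_.Exception.Response }   # e.g. 404: handshake still happened
    if ($resp) { $resp.Close() }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
}
finally {
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

Write-Host ("Subject   : {0}" -f $cert.Subject)
Write-Host ("Issuer    : {0}" -f $cert.Issuer)
Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
Write-Host ("Expires   : {0}" -f $cert.NotAfter)

# Refuse to install anything the operator did not explicitly pin.
$expected = $ExpectedThumbprint.Replace(' ', '').Replace(':', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $expected. Not installing."
}

# Root is meant for CA certificates; warn if this is an end-entity (leaf) certificate.
$basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $basic -or -not $basic.CertificateAuthority) {
    Write-Warning 'Certificate is not marked as a CA; consider the TrustedPeople store instead of Root.'
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        Write-Host 'Imported into LocalMachine\Root.'
    } else {
        Write-Host 'Already present in LocalMachine\Root; nothing to do.'
    }
}
finally { $store.Close() }
```

Run it as `.\pin-and-install.ps1 https://yourwebsite.com <thumbprint>`; obtain the thumbprint from the site owner, not from the same connection you are about to trust.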


7 thoughts on “Download and Install a Certificate to your Trusted Root using Powershell”

  1. Jordan M says:

    Dude that is… not very powershell-y. You’re using a bunch of net objects directly when there are cmdlets that do that much more efficiently, then you shell out to a native executable.

    ## Set up variables and objects
    $url = "<put the URL here if you don't use the param>"   # must point directly at a .cer/.crt file, since Invoke-WebRequest saves the response body
    $filename = [System.IO.Path]::GetTempFileName() #get a temporary file reference
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")

    ## Download the cert file
    Invoke-WebRequest -Uri $url -OutFile $filename
    $pfx.Import($filename)
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()

    ## clean up
    Remove-Item $filename

  2. Jake says:

    I combined the 2 scripts as below and on my blog:
    (http://www.jake.vosloo.co/blog/IT/powershellsslazureselfsignedcertificates)

    param($url)

    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} #Bypass Powershell certificate validation, so that we can download any untrusted certificate.
    [System.Uri] $u = New-Object System.Uri($url)
    [Net.ServicePoint] $sp = [Net.ServicePointManager]::FindServicePoint($u)
    [System.Guid] $groupName = [System.Guid]::NewGuid() #allow to quickly close all connections
    [Net.HttpWebRequest] $req = [Net.WebRequest]::Create($url)
    $req.Method = "GET"
    $req.Timeout = 600000 # = 10 minutes
    $req.ConnectionGroupName = $groupName
    # Set if you need a username/password to access the resource
    #$req.Credentials = New-Object Net.NetworkCredential("username", "password")
    [Net.HttpWebResponse] $result = $req.GetResponse() #If the server returns 404 then you will get an exception here.
    $result.Close()
    $sp.CloseConnectionGroup($groupName) | Out-Null

    #Write the certificate to a temp file
    $tempfilename = [System.IO.Path]::GetTempFileName() #get a temporary file reference
    [System.Byte[]] $data = $sp.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($tempfilename, $data)
    Write-Debug "Downloaded to temp file: $tempfilename"

    #move the temp file to the local folder for future use.
    $outfilename = (Convert-Path .) + "\CertExport.cer"
    if (Test-Path $outfilename) { Remove-Item $outfilename }
    Move-Item $tempfilename $outfilename
    Write-Host "Certificate saved as: $outfilename"

    #Import the certificate into the root certificate store
    if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        #CertUtil -addStore Root $outfilename
        $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
        $pfx.Import($outfilename)
        $store.Open("MaxAllowed")
        $store.Add($pfx)
        $store.Close()
    }
    else
    {
        Write-Host "The script is not running as administrator and cannot automatically import the certificate into the root store. You should right-click the exported certificate file and install it into the trusted root store."
    }
