PowerShell Script to renew certificate

  • Question

  • My boss has tasked me with building a script to renew the computer certificate on all the workstations in the company as RSA SHA512 certificates using the existing keys on the certificates on the workstations.  I have been working hard at this for the last day or so and am not getting what I need.  I am posting the code that I am using but changing the names to protect the innocent.  Any help would be appreciated.

    $dnsname = "$env:COMPUTERNAME.company.local"
    $container = $(Get-ChildItem Cert:\localmachine\my | ? {$_.Extensions | ? {$_.oid.friendlyname -match "Template"}})
    New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -Container $container.PSChildName -DnsName $dnsname -ExistingKey -FriendlyName $dnsname -Provider "Microsoft RSA SChannel Cryptographic Provider" -Subject $dnsname

    Thursday, December 28, 2017 6:05 PM
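As an added example (not code from the thread), the script below addresses a likely cause of the NTE_BAD_KEYSET error later in the thread: -Container expects the key container name, while PSChildName is the certificate thumbprint, and -HashAlgorithm is what selects SHA512. It assumes a CAPI (CSP) key such as the "Microsoft RSA SChannel Cryptographic Provider" named in the question, the hypothetical suffix company.local, and an elevated session.

```powershell
# Added example, not the thread's own script. Assumes the machine cert was
# issued from a template and holds a CAPI (CSP) key, and that this runs
# elevated (LocalMachine\My private keys are not readable otherwise).

$dnsName = "$env:COMPUTERNAME.company.local"   # hypothetical suffix, as in the question

# Pick the newest machine cert that carries a Certificate Template extension
# and has a private key. The question's filter can match several certs.
$old = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
        ($_.Extensions | Where-Object { $_.Oid.FriendlyName -match 'Template' }) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $old) { throw "No template-issued machine certificate with a private key found." }

# -Container wants the key container name, not the store item name:
# PSChildName is the thumbprint, so passing it yields "Keyset does not exist".
$keyInfo = $null
try { $keyInfo = $old.PrivateKey.CspKeyContainerInfo } catch { }
if (-not $keyInfo) { throw "Private key is CNG-based; this example only handles CSP keys." }

"Old cert: {0}  sig={1}  container={2}  provider={3}" -f `
    $old.Thumbprint, $old.SignatureAlgorithm.FriendlyName,
    $keyInfo.KeyContainerName, $keyInfo.ProviderName

# Re-issue a self-signed cert over the existing key pair, signed with SHA512.
$new = New-SelfSignedCertificate `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Subject       "CN=$dnsName" `
    -DnsName       $dnsName `
    -FriendlyName  $dnsName `
    -Container     $keyInfo.KeyContainerName `
    -Provider      $keyInfo.ProviderName `
    -ExistingKey `
    -HashAlgorithm SHA512 `
    -NotAfter      (Get-Date).AddYears(1)

# Verify: the public key must be unchanged and the signature algorithm updated.
$sameKey = [Convert]::ToBase64String($old.GetPublicKey()) -eq
           [Convert]::ToBase64String($new.GetPublicKey())
"New cert: {0}  sig={1}  sameKey={2}" -f `
    $new.Thumbprint, $new.SignatureAlgorithm.FriendlyName, $sameKey
```

A self-signed machine certificate is trusted by nobody else in the domain; for domain members the renewal is normally done by AD CS autoenrollment, as a reply below also points out.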

Answers

  • I understand that part.  The issue I need to resolve is to renew the certificate while changing it from SHA1 to SHA512 using the same keys.

    Edit: I have now been informed that the keys will not need to be the same so this thread is now mute.

    • Edited by TBingeman Friday, December 29, 2017 5:00 PM scope change
    • Marked as answer by TBingeman Friday, December 29, 2017 5:00 PM
    Friday, December 29, 2017 4:06 PM

All replies

  • I appreciate your suggestions but they do not meet what I need.  Our existing certs are not SHA512 certificates and your suggestions would use the existing cert's SHA1.
    Thursday, December 28, 2017 6:53 PM
  • You have not stated which certs you want to renew.

    The following line can return multiple certs:

    $container = $(Get-ChildItem Cert:\localmachine\my |
        Where-Object { $_.Extensions | Where-Object { $_.oid.friendlyname -match "Template" } })


    \_(ツ)_/

    Thursday, December 28, 2017 7:11 PM
  • When I run the command on multiple computers, I am only given one result on each one.
    Thursday, December 28, 2017 7:21 PM
  • A self-signed cert is not usable outside of the account that created it without installing it elsewhere.


    \_(ツ)_/

    Thursday, December 28, 2017 7:38 PM
  • the cert that this is going to create will be using the existing keys on each individual machine to recreate the cert for that machine itself
    Thursday, December 28, 2017 8:25 PM
  • Post in the security forum.  Maybe they will be able to figure out what you are trying to do.

    In a domain the machine certs are managed by Active Directory.


    \_(ツ)_/

    Thursday, December 28, 2017 8:42 PM
  • This is not a security issue though, this is a scripting issue.  I am trying to write the script using my machine in order to package it and send it to the other machines in the domain and run on their machines.  The point is I need this script to work on my machine first and generate the certificate using the same keys as the old certificate.
    Friday, December 29, 2017 3:43 PM
  • What is the error?  What is not working?

    \_(ツ)_/

    Friday, December 29, 2017 3:46 PM
  • PS C:\Windows\system32> C:\temp\Certificate Generation Script\NewCert.ps1
    New-SelfSignedCertificate : CertEnroll::CX509CertificateRequestCertificate::InitializeFromPrivateKey: Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)
    At C:\temp\Certificate Generation Script\NewCert.ps1:3 char:1
    + New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -C ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificate], Exception
        + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand
    Friday, December 29, 2017 3:50 PM
  • Have you tried cloning the old cert?

    New-SelfSignedCertificate -CloneCert Cert:\CurrentUser\my\B6C882DA4C85B4B04BABA9AD3582E62E10E467A2 -ExistingKey


    \_(ツ)_/

    Friday, December 29, 2017 3:55 PM
  • that command will not work as it is using the user certificate not the computer certificate for that specific user.  B6C882DA4C85B4B04BABA9AD3582E62E10E467A2 is the PSChildName of that specific user certificate.  If I were to use that command, even with changing it to localmachine and the PSChildName of my certificate, it would create a clone of the SHA1 certificate not generating at SHA512 certificate.
    Friday, December 29, 2017 4:00 PM
  • You can use any self-signed cert in any store:

    See: http://microsoftis.com/quick-way-to-extend-your-self-signed-certificate-using-powershell/


    \_(ツ)_/

    Friday, December 29, 2017 4:04 PM