PowerShell: Deploy Certs on Remote Windows Servers

Quick Script for Local Machines:

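# Import a PFX (certificate plus private key) into the local machine's "Personal" store.
$certPath="C:\kimconnect_cert.pfx"
# Prompt for the PFX password instead of keeping it as a literal in the script:
# a hard-coded password ends up wherever the script is saved, copied or logged.
$certEncryptedPassword=Read-Host -Prompt "Password for $certPath" -AsSecureString
# Without -Exportable, Import-PfxCertificate marks the imported private key as non-exportable.
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath $certPath -Password $certEncryptedPassword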

Convenient script for a list of remote computers:

# Purpose: manually deploy certificates onto remote servers at the "Personal" Certificates store

# Inputs for importCert
#$computerNames=$env:computername   # alternative: target only the machine running the script
$computerNames=@('SHERVER01','SHERVER02')
$sourceCertFile='C:\kimconnect_cert.pfx'
# 'PASSWORD' is a placeholder. The PFX password is held in plaintext here,
# so a real value should not be saved or committed with this script.
$certPlaintextPassword='PASSWORD'

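# Copies a PFX file to C:\Certs on each target server through the C$ admin share,
# then imports it into that server's LocalMachine\My ("Personal") store over a PSSession.
#
# Parameters:
#   computerNames         - servers to process; defaults to the local computer name
#   sourceCertFile        - path of the PFX file as seen from the machine running this function
#   certPlaintextPassword - PFX password as a plain string
# Returns: everything the remote script block emitted for each server that was reached
#   (the status line, the imported certificate object, then $true or $false).
#
# NOTE(review): the password is handled as a plain string and converted to a SecureString
# only on the target. The PFX, which contains the private key, is left in C:\Certs on every
# target after the import; remove it once the import is confirmed if it is not needed there.
function importCert{
    param(
        [string[]]$computerNames=$env:computername,
        [string]$sourceCertFile,
        [string]$certPlaintextPassword
    )
    $certFileName=Split-Path $sourceCertFile -Leaf
    $targetLocalCertPath='C:\Certs\'+$certFileName
    $results=@()
    foreach ($computerName in $computerNames){
        $psSession=$null
        # try/catch lives inside the loop so a failure on one server is reported
        # and the remaining servers are still processed.
        try{
            $destinationDirectory="\\$computerName\c`$\Certs"
            $destinationFile="$destinationDirectory\$certFileName"
            if(!(Test-Path $destinationFile)){
                Write-Host "Copying certs to $destinationFile"
                if(!(Test-Path $destinationDirectory)){
                    $null=New-Item $destinationDirectory -ItemType Directory
                }
                # -EA Stop turns a failed copy into an exception, so reaching the next
                # statement means the file is in place (Copy-Item itself emits no output).
                Copy-Item $sourceCertFile -Destination $destinationFile -Force -EA Stop
            }
            $psSession=New-PSSession $computerName -SessionOption $(New-PSSessionOption -OpenTimeOut 10000)
            if($psSession){
                $results+=Invoke-Command -Session $psSession -ScriptBlock {
                    param($certPath,$certPlaintextPassword)
                    Write-Output "Importing cert on $env:computername"
                    try{
                        $certEncryptedPassword=ConvertTo-SecureString $certPlaintextPassword -AsPlainText -Force
                        Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath $certPath -Password $certEncryptedPassword
                        return $true
                    }catch{
                        Write-Warning $_
                        return $false
                    }
                } -ArgumentList $targetLocalCertPath,$certPlaintextPassword -EA Stop
            }
        }catch{
            Write-Warning "[$computerName] $_"
        }finally{
            # Close the session on every path, including when Invoke-Command throws.
            if($psSession){
                Remove-PSSession $psSession
            }
        }
    }
    return $results
}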

# Run the deployment with the values set above; arguments are bound by name.
importCert -computerNames $computerNames -sourceCertFile $sourceCertFile -certPlaintextPassword $certPlaintextPassword

# Sample output
# Importing cert on LAX-ADFS05
#    PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
# Thumbprint                                Subject                                PSComputerName
# ----------                                -------                                --------------
# WHATSUPDOCA9E738253C5B4DF                 CN=*.kimconnect.com, OU=Domai...       LAX-ADFS05
# Purpose: manually deploy certificates onto remote servers at the "Personal" Certificates store

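# Set variables
# The trailing blank inside the quoted path was removed; a stray space can end up
# as part of the file name when the path is split or compared.
$sourceCert="\\FILESHERVER01\SOMECERT.pfx"
# Prompt for the PFX password rather than embedding it as a literal in the script.
# $certPassword is still a SecureString, as the import step expects.
$certPassword=Read-Host -Prompt "Password for $sourceCert" -AsSecureString
$servers="SHERVER01","SHERVER02"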

# Copies $sourceCert into the root of each server's C: drive through the C$ admin share,
# before WinRM is used to import it. Reads the script-level $servers and $sourceCert.
# NOTE(review): nothing in this script removes the copied PFX afterwards, so the file
# holding the private key stays in C:\ on every server unless it is cleaned up separately.
function copyCertsToServers{
    $servers | ForEach-Object -Process {
        Copy-Item -Path $sourceCert -Destination "\\$_\c$"
    }
}
copyCertsToServers

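# Apply certs on remote machines
# The copy step keeps the source file name and places the file in the root of C:,
# so the import path is built from $sourceCert. The previous hard-coded
# "C:\WildCard.pfx" only matched when the PFX happened to carry that name.
$remotePfxPath='C:\'+(Split-Path $sourceCert.Trim() -Leaf)
$servers | %{ Invoke-Command -ComputerName $_ -ScriptBlock {
        param($pfxPassword,$pfxPath)
        # Emit the computer name so each result can be matched to its server.
        $env:computername
        Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath $pfxPath -Password $pfxPassword
    } -ArgumentList $certPassword,$remotePfxPath
}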
