对于来自 OU 的服务器列表,如何使用 Powershell 查找仅 IIS 的 SSL 证书何时过期?
How can I use Powershell to find when an SSL certificate expires for ONLY IIS for a list of servers from OU?
我有下面这段代码,只要能让脚本只返回“主题”(Subject)字段非空的证书(这类证书即 IIS 证书),就算完成了……(OU 枚举和 Invoke 部分我已经写好,通过计划任务发送结果文件的邮件部分也已完成):
[注意:我将过期时间设置为 500 天,这样我可以稍后使用脚本来查找特定的过期时间]
[注意 2:$day 在我的 $profile 中设置为“$day = Get-Date -Format yyyyMMdd”]
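# Report certificates in each server's LocalMachine\My store that expire within
# $threshold days, appending one row per certificate to a dated CSV in the
# current directory.
# Reads $serverListpath (objects with a .Name) and $day (set in the author's
# $profile as a yyyyMMdd string); both are defined outside this snippet.
# This lists every certificate in the store, not only those bound in IIS.
$serverlist = $serverListpath.Name
$threshold = 500 #Number of days to look for expiring certificates
$deadline = (Get-Date).AddDays($threshold) #Set deadline date
$total = @($serverlist).Count
$c = 0
foreach ($server in $serverlist) {
    # Entries starting with '#' are commented out in the server list.
    if ($server -like '#*') {
        continue
    }

    # Progress is measured against the whole list. Dividing by $server.Count
    # (1 for a single name) pushes the value past 100, which Write-Progress rejects.
    $p = [math]::Min(100, [int](($c / $total) * 100))
    $c++
    Write-Progress -Activity "Checking $server" -Status "$p % completed" -PercentComplete $p

    if (Test-Connection -ComputerName $server -Count 2 -Quiet) {
        #$server = "KnownIISServerHostname" #<-- to test with a hostname
        # The filter runs locally on the returned objects, so $deadline is in scope here.
        # NotAfter -le $deadline also keeps certificates that have already expired.
        Invoke-Command -Verbose -ComputerName $server { Get-ChildItem Cert:\LocalMachine\My } |
            Where-Object { $_.NotAfter -le $deadline } |
            Select-Object PSComputerName, Subject, NotAfter, @{Label="Expires In (Days)";Expression={($_.NotAfter - (Get-Date)).Days}} |
            Export-Csv -Force -Append -Encoding ASCII -NoTypeInformation ".\output${day}-ExpiringIISSSLCerts.csv"
    }
    else {
        # A host that does not answer ping is not checked at all; say so, otherwise
        # its certificates are silently absent from the expiry report.
        Write-Warning "Skipped ${server}: no reply to ping, certificates not checked"
    }
}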
那么我应该在哪里调整,才能只返回“主题”(Subject)字段非空的结果,而不返回主题为空的结果(例如 RDP 证书)?
尝试使用这个:
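# List the certificates from LocalMachine\My that an IIS SSL binding references,
# with the number of days until each one expires.
Import-Module WebAdministration   # provides the IIS: drive

$CertAll   = Get-ChildItem -Path Cert:\LocalMachine\My
$CertInUse = Get-ChildItem -Path IIS:\SslBindings

# Compare-Object refuses a null input, so skip the comparison when the store
# or the binding list is empty.
if ($CertAll -and $CertInUse) {
    # Keep only thumbprints present on both sides: in the store AND bound in IIS.
    $CertSame = Compare-Object -ReferenceObject $CertAll -DifferenceObject $CertInUse -Property Thumbprint -IncludeEqual -ExcludeDifferent

    # The separator before the thumbprint is required; without it the path
    # names a store "My<thumbprint>" that does not exist.
    # NOTE(review): only LocalMachine\My is searched; a binding whose certificate
    # lives in another store would not be reported - confirm against the servers in scope.
    $CertSame |
        ForEach-Object { Get-ChildItem -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" } |
        Select-Object -Property Subject, @{n='ExpireInDays';e={($_.NotAfter - (Get-Date)).Days}}
}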
由于 IIS 证书是您关注的范围,我建议使用 IIS PowerShell 模块来确保您只选择 IIS 实际使用的证书。
以下脚本应能提取绑定到 HTTPS (SSL) 站点上的证书。我目前没有在单台 IIS 服务器上配置多个站点来测试,但理论上它应该能找到所有站点,而不仅仅是“默认网站”。
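# For each reachable server, collect the certificates referenced by IIS HTTPS
# bindings and append those expiring within $threshold days to a dated CSV.
# Reads $serverListpath (objects with a .Name) and $day (yyyyMMdd string), both
# defined outside this snippet.
$serverlist = $serverListpath.Name
$threshold = 500 #Number of days to look for expiring certificates
$deadline = (Get-Date).AddDays($threshold) #Set deadline date
$total = @($serverlist).Count
$c = 0
foreach ($server in $serverlist) {
    # Entries starting with '#' are commented out in the server list.
    if ($server -like '#*') {
        continue
    }

    # Progress is measured against the whole list. Dividing by $server.Count
    # (1 for a single name) pushes the value past 100, which Write-Progress rejects.
    $p = [math]::Min(100, [int](($c / $total) * 100))
    $c++
    Write-Progress -Activity "Checking $server" -Status "$p % completed" -PercentComplete $p

    if (Test-Connection -ComputerName $server -Count 2 -Quiet) {
        #$server = "KnownIISServerHostname" #<-- to test with a hostname
        #Pull certificates from existing IIS bindings
        $certificates = Invoke-Command -Verbose -ComputerName $server {
            Import-Module IISAdministration
            $sitebindings = Get-IISSite | ForEach-Object { Get-IISSiteBinding -Protocol HTTPS -Name $_ }
            # Drop empty values and duplicates: piping a null thumbprint into the
            # lookup would address the store itself and return every certificate
            # in it, which defeats the "IIS only" filter on a server with no
            # HTTPS binding.
            $thumbprints = $sitebindings.Attributes |
                Where-Object { $_.Name -match "certificateHash" } |
                Select-Object -ExpandProperty Value |
                Where-Object { $_ } |
                Select-Object -Unique
            # The separator before the thumbprint is required to address one certificate.
            # NOTE(review): only LocalMachine\My is searched; a binding that points
            # at another store yields a lookup error here - confirm for the servers in scope.
            foreach ($thumbprint in $thumbprints) {
                Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"
            }
        }

        # NotAfter -le $deadline also keeps certificates that have already expired.
        $certificates |
            Where-Object { $_.NotAfter -le $deadline } |
            Select-Object PSComputerName, Subject, NotAfter, @{Label="Expires In (Days)";Expression={($_.NotAfter - (Get-Date)).Days}} |
            Export-Csv -Force -Append -Encoding ASCII -NoTypeInformation ".\output${day}-ExpiringIISSSLCerts.csv"
    }
    else {
        # A host that does not answer ping is not checked at all; say so, otherwise
        # its certificates are silently absent from the expiry report.
        Write-Warning "Skipped ${server}: no reply to ping, certificates not checked"
    }
}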
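# Finished script for a local run; call it from inside the Invoke-Command of the
# per-server foreach.
Import-Module WebAdministration   # the IIS: drive below exists only once this module is loaded

$CertAll   = Get-ChildItem -Path Cert:\LocalMachine\My
$CertInUse = Get-ChildItem -Path IIS:\SslBindings

# Compare-Object refuses a null input, so skip the comparison when the store
# or the binding list is empty.
if ($CertAll -and $CertInUse) {
    # Keep only thumbprints present on both sides: in the store AND bound in IIS.
    $CertSame = Compare-Object -ReferenceObject $CertAll -DifferenceObject $CertInUse -Property Thumbprint -IncludeEqual -ExcludeDifferent

    # The separator before the thumbprint is required; without it the path
    # names a store "My<thumbprint>" that does not exist.
    # -First 1 reports a single certificate only; on a server with several
    # bound certificates the others are not shown, so remove it to list them all.
    $CertSame |
        ForEach-Object { Get-ChildItem -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" } |
        Select-Object -Property Issuer, @{n='ExpireInDays';e={($_.NotAfter - (Get-Date)).Days}} -First 1
}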
感谢@bruce-zhang
我有下面这段代码,只要能让脚本只返回“主题”(Subject)字段非空的证书(这类证书即 IIS 证书),就算完成了……(OU 枚举和 Invoke 部分我已经写好,通过计划任务发送结果文件的邮件部分也已完成): [注意:我将过期时间设置为 500 天,这样我可以稍后使用脚本来查找特定的过期时间] [注意 2:$day 在我的 $profile 中设置为“$day = Get-Date -Format yyyyMMdd”]
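# Report certificates in each server's LocalMachine\My store that expire within
# $threshold days, appending one row per certificate to a dated CSV in the
# current directory.
# Reads $serverListpath (objects with a .Name) and $day (set in the author's
# $profile as a yyyyMMdd string); both are defined outside this snippet.
# This lists every certificate in the store, not only those bound in IIS.
$serverlist = $serverListpath.Name
$threshold = 500 #Number of days to look for expiring certificates
$deadline = (Get-Date).AddDays($threshold) #Set deadline date
$total = @($serverlist).Count
$c = 0
foreach ($server in $serverlist) {
    # Entries starting with '#' are commented out in the server list.
    if ($server -like '#*') {
        continue
    }

    # Progress is measured against the whole list. Dividing by $server.Count
    # (1 for a single name) pushes the value past 100, which Write-Progress rejects.
    $p = [math]::Min(100, [int](($c / $total) * 100))
    $c++
    Write-Progress -Activity "Checking $server" -Status "$p % completed" -PercentComplete $p

    if (Test-Connection -ComputerName $server -Count 2 -Quiet) {
        #$server = "KnownIISServerHostname" #<-- to test with a hostname
        # The filter runs locally on the returned objects, so $deadline is in scope here.
        # NotAfter -le $deadline also keeps certificates that have already expired.
        Invoke-Command -Verbose -ComputerName $server { Get-ChildItem Cert:\LocalMachine\My } |
            Where-Object { $_.NotAfter -le $deadline } |
            Select-Object PSComputerName, Subject, NotAfter, @{Label="Expires In (Days)";Expression={($_.NotAfter - (Get-Date)).Days}} |
            Export-Csv -Force -Append -Encoding ASCII -NoTypeInformation ".\output${day}-ExpiringIISSSLCerts.csv"
    }
    else {
        # A host that does not answer ping is not checked at all; say so, otherwise
        # its certificates are silently absent from the expiry report.
        Write-Warning "Skipped ${server}: no reply to ping, certificates not checked"
    }
}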
那么我应该在哪里调整,才能只返回“主题”(Subject)字段非空的结果,而不返回主题为空的结果(例如 RDP 证书)?
尝试使用这个:
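# List the certificates from LocalMachine\My that an IIS SSL binding references,
# with the number of days until each one expires.
Import-Module WebAdministration   # provides the IIS: drive

$CertAll   = Get-ChildItem -Path Cert:\LocalMachine\My
$CertInUse = Get-ChildItem -Path IIS:\SslBindings

# Compare-Object refuses a null input, so skip the comparison when the store
# or the binding list is empty.
if ($CertAll -and $CertInUse) {
    # Keep only thumbprints present on both sides: in the store AND bound in IIS.
    $CertSame = Compare-Object -ReferenceObject $CertAll -DifferenceObject $CertInUse -Property Thumbprint -IncludeEqual -ExcludeDifferent

    # The separator before the thumbprint is required; without it the path
    # names a store "My<thumbprint>" that does not exist.
    # NOTE(review): only LocalMachine\My is searched; a binding whose certificate
    # lives in another store would not be reported - confirm against the servers in scope.
    $CertSame |
        ForEach-Object { Get-ChildItem -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" } |
        Select-Object -Property Subject, @{n='ExpireInDays';e={($_.NotAfter - (Get-Date)).Days}}
}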
由于 IIS 证书是您关注的范围,我建议使用 IIS PowerShell 模块来确保您只选择 IIS 实际使用的证书。
以下脚本应能提取绑定到 HTTPS (SSL) 站点上的证书。我目前没有在单台 IIS 服务器上配置多个站点来测试,但理论上它应该能找到所有站点,而不仅仅是“默认网站”。
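# For each reachable server, collect the certificates referenced by IIS HTTPS
# bindings and append those expiring within $threshold days to a dated CSV.
# Reads $serverListpath (objects with a .Name) and $day (yyyyMMdd string), both
# defined outside this snippet.
$serverlist = $serverListpath.Name
$threshold = 500 #Number of days to look for expiring certificates
$deadline = (Get-Date).AddDays($threshold) #Set deadline date
$total = @($serverlist).Count
$c = 0
foreach ($server in $serverlist) {
    # Entries starting with '#' are commented out in the server list.
    if ($server -like '#*') {
        continue
    }

    # Progress is measured against the whole list. Dividing by $server.Count
    # (1 for a single name) pushes the value past 100, which Write-Progress rejects.
    $p = [math]::Min(100, [int](($c / $total) * 100))
    $c++
    Write-Progress -Activity "Checking $server" -Status "$p % completed" -PercentComplete $p

    if (Test-Connection -ComputerName $server -Count 2 -Quiet) {
        #$server = "KnownIISServerHostname" #<-- to test with a hostname
        #Pull certificates from existing IIS bindings
        $certificates = Invoke-Command -Verbose -ComputerName $server {
            Import-Module IISAdministration
            $sitebindings = Get-IISSite | ForEach-Object { Get-IISSiteBinding -Protocol HTTPS -Name $_ }
            # Drop empty values and duplicates: piping a null thumbprint into the
            # lookup would address the store itself and return every certificate
            # in it, which defeats the "IIS only" filter on a server with no
            # HTTPS binding.
            $thumbprints = $sitebindings.Attributes |
                Where-Object { $_.Name -match "certificateHash" } |
                Select-Object -ExpandProperty Value |
                Where-Object { $_ } |
                Select-Object -Unique
            # The separator before the thumbprint is required to address one certificate.
            # NOTE(review): only LocalMachine\My is searched; a binding that points
            # at another store yields a lookup error here - confirm for the servers in scope.
            foreach ($thumbprint in $thumbprints) {
                Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"
            }
        }

        # NotAfter -le $deadline also keeps certificates that have already expired.
        $certificates |
            Where-Object { $_.NotAfter -le $deadline } |
            Select-Object PSComputerName, Subject, NotAfter, @{Label="Expires In (Days)";Expression={($_.NotAfter - (Get-Date)).Days}} |
            Export-Csv -Force -Append -Encoding ASCII -NoTypeInformation ".\output${day}-ExpiringIISSSLCerts.csv"
    }
    else {
        # A host that does not answer ping is not checked at all; say so, otherwise
        # its certificates are silently absent from the expiry report.
        Write-Warning "Skipped ${server}: no reply to ping, certificates not checked"
    }
}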
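# Finished script for a local run; call it from inside the Invoke-Command of the
# per-server foreach.
Import-Module WebAdministration   # the IIS: drive below exists only once this module is loaded

$CertAll   = Get-ChildItem -Path Cert:\LocalMachine\My
$CertInUse = Get-ChildItem -Path IIS:\SslBindings

# Compare-Object refuses a null input, so skip the comparison when the store
# or the binding list is empty.
if ($CertAll -and $CertInUse) {
    # Keep only thumbprints present on both sides: in the store AND bound in IIS.
    $CertSame = Compare-Object -ReferenceObject $CertAll -DifferenceObject $CertInUse -Property Thumbprint -IncludeEqual -ExcludeDifferent

    # The separator before the thumbprint is required; without it the path
    # names a store "My<thumbprint>" that does not exist.
    # -First 1 reports a single certificate only; on a server with several
    # bound certificates the others are not shown, so remove it to list them all.
    $CertSame |
        ForEach-Object { Get-ChildItem -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" } |
        Select-Object -Property Issuer, @{n='ExpireInDays';e={($_.NotAfter - (Get-Date)).Days}} -First 1
}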
感谢@bruce-zhang