

Automating SSL Checks for vCenter and Host Certificates

Posted by
Alan Renouf
Technical Marketing

Recently William Lam wrote a great article showing how easy it is to check your hosts' SSL certificates and their expiry information using a free tool called ssl-cert-check. He explains that it is best practice to replace the self-signed SSL certificates VMware ships with vCenter Server and on all hosts; make sure you read his post here, and in turn also read Michael Webster's articles, which take you through this process here.

But what if we wanted to check these certificates from PowerCLI? Recently I found a great PowerShell advanced function which allows us to do just this: we can test the certificate of any given website and return its details.

Using this script and a little code of our own we can easily check all our hosts and the vCenter certificate, as seen below:

The code outputs the most important details, including who issued the certificate, whether it is valid, and when it expires, both as a date and as the number of days remaining.

This could easily be adapted to run on a schedule and send an email as the expiry date approaches.

Code

Function Test-WebServerSSL {
# Function original location:
# http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [string]$URL,
        [Parameter(Position = 1)]
        [ValidateRange(1,65535)]
        [int]$Port = 443,
        [Parameter(Position = 2)]
        [Net.WebProxy]$Proxy,
        [Parameter(Position = 3)]
        [int]$Timeout = 15000,
        [switch]$UseUserContext
    )
Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
namespace PKI {
    namespace Web {
        public class WebSSL {
            public Uri OriginalURi;
            public Uri ReturnedURi;
            public X509Certificate2 Certificate;
            //public X500DistinguishedName Issuer;
            //public X500DistinguishedName Subject;
            public string Issuer;
            public string Subject;
            public string[] SubjectAlternativeNames;
            public bool CertificateIsValid;
            //public X509ChainStatus[] ErrorInformation;
            public string[] ErrorInformation;
            public HttpWebResponse Response;
        }
    }
}
"@
    # Use ${} so the ':' after the variable name is not parsed as a scope qualifier
    $ConnectString = "https://${URL}:${Port}"
    $WebRequest = [Net.WebRequest]::Create($ConnectString)
    $WebRequest.Proxy = $Proxy
    $WebRequest.Credentials = $null
    $WebRequest.Timeout = $Timeout
    $WebRequest.AllowAutoRedirect = $true
    # Accept any server certificate for this request so the handshake completes and the
    # certificate can be inspected; validity is evaluated explicitly with X509Chain below
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    try {$Response = $WebRequest.GetResponse()}
    catch {}
    if ($WebRequest.ServicePoint.Certificate -ne $null) {
        $Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate.Handle
        # Subject Alternative Name extension (OID 2.5.29.17), formatted as a list of names
        try {$SAN = ($Cert.Extensions | Where-Object {$_.Oid.Value -eq "2.5.29.17"}).Format(0) -split ", "}
        catch {$SAN = $null}
        # Build the chain against the machine store unless -UseUserContext was given,
        # requiring the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain -ArgumentList (!$UseUserContext)
        [void]$chain.ChainPolicy.ApplicationPolicy.Add("1.3.6.1.5.5.7.3.1")
        $Status = $chain.Build($Cert)
        New-Object PKI.Web.WebSSL -Property @{
            OriginalUri = $ConnectString;
            ReturnedUri = $Response.ResponseUri;
            Certificate = $Cert;
            Issuer = $Cert.Issuer;
            Subject = $Cert.Subject;
            SubjectAlternativeNames = $SAN;
            CertificateIsValid = $Status;
            Response = $Response;
            ErrorInformation = $chain.ChainStatus | ForEach-Object {$_.Status}
        }
        $chain.Reset()
    } else {
        Write-Error $Error[0]
    }
    # Restore normal certificate validation for the rest of the session in every case
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

Connect-VIServer MyVC -User Administrator -Password Password!

# Check for Host Certificates
Get-VMHost | Foreach { Test-WebServerSSL -URL $_.Name | Select OriginalURi, CertificateIsValid, Issuer, @{N="Expires";E={$_.Certificate.NotAfter} }, @{N="DaysTillExpire";E={(New-TimeSpan -Start (Get-Date) -End ($_.Certificate.NotAfter)).Days} }}

# Check for vCenter Certificate
Test-WebServerSSL -URL $DefaultVIServer | Select OriginalURi, CertificateIsValid, Issuer, @{N="Expires";E={$_.Certificate.NotAfter} }, @{N="DaysTillExpire";E={(New-TimeSpan -Start (Get-Date) -End ($_.Certificate.NotAfter)).Days} }
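As an added example (not code from the original post), here is one way to turn the checks above into the scheduled report the post suggests: it runs Test-WebServerSSL against vCenter and every host, flags certificates that are invalid, still self-signed, or inside a warning window, and emails only the problem rows. It assumes the Test-WebServerSSL function from the post is already loaded, a PowerCLI session is connected, and the SMTP server and addresses are placeholders.

```powershell
# Assumes Test-WebServerSSL (from the post) is loaded and Connect-VIServer has run.
# SMTP server and mail addresses below are placeholders.
$WarnDays   = 30
$SmtpServer = 'smtp.example.com'           # placeholder
$MailFrom   = 'powercli@example.com'       # placeholder
$MailTo     = 'vsphere-admins@example.com' # placeholder

# Targets: the connected vCenter plus every host it manages
$Targets = @($DefaultVIServer.Name) + (Get-VMHost | Select-Object -ExpandProperty Name)

$Report = foreach ($Target in $Targets) {
    $Result = Test-WebServerSSL -URL $Target -ErrorAction SilentlyContinue
    if (-not $Result) {
        # No certificate came back (host down, port closed, handshake failed)
        [pscustomobject]@{ Target = $Target; Issuer = $null; SelfSigned = $null
                           Valid = $false; Expires = $null; DaysTillExpire = $null
                           Errors = 'no certificate returned' }
        continue
    }
    $Cert = $Result.Certificate
    [pscustomobject]@{
        Target         = $Target
        Issuer         = $Cert.Issuer
        # The default VMware certificates are self-signed: issuer equals subject
        SelfSigned     = ($Cert.Issuer -eq $Cert.Subject)
        Valid          = $Result.CertificateIsValid
        Expires        = $Cert.NotAfter
        DaysTillExpire = (New-TimeSpan -Start (Get-Date) -End $Cert.NotAfter).Days
        Errors         = ($Result.ErrorInformation -join '; ')
    }
}

# Anything invalid, self-signed, or inside the warning window needs attention
$Problems = @($Report | Where-Object {
    -not $_.Valid -or $_.SelfSigned -or
    ($_.DaysTillExpire -ne $null -and $_.DaysTillExpire -le $WarnDays)
})

if ($Problems.Count -gt 0) {
    $Body = $Problems | Sort-Object DaysTillExpire | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "vSphere SSL certificate check: $($Problems.Count) item(s) need attention" `
        -Body $Body
}

$Report | Format-Table -AutoSize
```

Schedule the script with Task Scheduler (or a similar job runner) so the mail arrives before the warning window closes.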

Get notification of new blog postings and more by following VMware PowerCLI on Twitter: @PowerCLI

This entry was posted in Advanced by Alan Renouf.

About Alan Renouf

Alan Renouf is a Product Line Manager at VMware focusing on APIs, SDKs and CLIs. He is responsible for providing the architects and operators of private and public cloud infrastructure with the toolkits, frameworks and command-line interfaces they require to build a fully automated software-defined datacenter. Alan is a frequent blogger at http://blogs.vmware.com/PowerCLI, a book author, and has a personal blog at http://virtu-al.net. You can follow Alan on Twitter as @alanrenouf.

10 thoughts on “Automating SSL Checks for vCenter and Host Certificates

  1. Michael

    Excellent, Alan.
    thanks

    Reply
  2. Claudio Galletti

    I recommend using version 1.8 of the PsPki module on CodePlex, from the author of this function, because the posted code version "leaks" Response objects, causing issues.
    Bye
    Claudio

    Reply
  3. Naseem Ansari

    Thank you for the blog. It's a really very nice article. Thank you so much for sharing.

    Reply
