
Copy certificates from one server to another

So for some reason, which until now remains a mystery, certificates were missing from the Trusted Root Certification Authorities certificate store on one of our servers.

Of course one of the missing ones was the one needed for a main part of the server's purpose, so that had to be fixed.

While the certificates MMC does permit the export on the source server and the import onto the broken one, working in the GUI is just….

So I cooked up a PowerShell script to do the job for me:

<#
.SYNOPSIS
Compares a given certificate store between 2 Windows machines. Copies missing certificates to the target if specified.

.DESCRIPTION
The script compares the specified certificate store of the source machine against the target machine.
If the -write switch is specified, the missing certificates are copied from the source machine to the target machine.

.PARAMETER SourceServer
Source machine name

.PARAMETER TargetServer
Target machine name

.PARAMETER CertStore
Certificate store to be checked.
Possible values of the store:
My - Personal store
Root - Trusted root certification authorities
CertificateAuthority - Intermediate certification authorities
AuthRoot - Third-party root certification authorities

.PARAMETER write
If specified, certificates missing on the target server will be copied to the target server

.INPUTS
System.String

.OUTPUTS
Console output
Certificates

.EXAMPLE
Check-MachineCerts.ps1 -SourceServer "SomeServer" -TargetServer "OtherServer" -CertStore "AuthRoot"
Outputs the certificates missing in the Third-party root certification authorities store on the target machine as compared to the source machine

.EXAMPLE
Check-MachineCerts.ps1 -SourceServer "SomeServer" -TargetServer "OtherServer" -CertStore "My" -write
Outputs the certificates missing in the Personal store on the target machine as compared to the source machine.
Copies the missing certificates to the target machine

.NOTES
Check-MachineCerts.ps1
by theAdminGuy - theadminguy.wordpress.com
#>
Param(
	[Parameter(Mandatory=$true)][String]$SourceServer,
	[Parameter(Mandatory=$true)][String]$TargetServer,
	[Parameter(Mandatory=$true)]
		[ValidateSet("My","Root","CertificateAuthority","AuthRoot")]
		[String]$CertStore,
	[Parameter(Mandatory=$false)][switch]$write
)

# Open the source store read-only; the "\\machine\store" form opens the store on a remote machine
$sourceStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$SourceServer\$CertStore","LocalMachine")
$sourceStore.Open("ReadOnly")
# Open the target store read/write so missing certificates can be added
$targetStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$TargetServer\$CertStore","LocalMachine")
$targetStore.Open("ReadWrite")

$sourceCerts = $sourceStore.Certificates
$targetCerts = $targetStore.Certificates

# Returns $true if a certificate with the same thumbprint exists in the target store.
# The thumbprint (SHA-1 hash of the encoded certificate) is a stricter match than Equals(),
# which only compares issuer and serial number.
Function CheckPresence {
    Param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$sourceCert
    )
    ForEach ($targetCert in $targetCerts) {
        if ($sourceCert.Thumbprint -eq $targetCert.Thumbprint) {
            return $true
        }
    }
    return $false
}

foreach ($sourceCert in $sourceCerts) {
    If (-not (CheckPresence $sourceCert)) {
        Write-Host "`n`n$($sourceCert.Subject) was not found on $TargetServer"
        If ($write) {
            Write-Host "`nCopying certificate from $SourceServer`n"
            # Add() copies the certificate only; a private key stays in the source machine's key store
            $targetStore.Add($sourceCert)
        }
    }
}

$sourceStore.Close()
$targetStore.Close()

Don’t judge me by the fact that the .SYNOPSIS part of the script takes up half the lines in the script, but not being a programmer by trade, I am trying to improve on my documentation skills (as well as making myself able to reuse the script once I have forgotten its original purpose).

The script can easily be modified to also remove certs from the target that are not present on the source.

Do let me know all your input, thoughts etc.
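As an added example (not part of the original post), here is a way to audit the result after running the script: it compares the two stores by thumbprint, lists certificates present on only one side, and flags Personal-store certificates whose private key did not come across, which is a common cause of "A specified logon session does not exist" when the copied certificate is later bound in IIS. It uses PowerShell remoting (Invoke-Command) instead of the \\server\store path, so it assumes remoting is enabled on both machines; server names are placeholders.

```powershell
# Added example (not from the original post): audit a certificate store on two
# machines by thumbprint and flag Personal-store certs whose private key is missing.
# Assumes PowerShell remoting is enabled; server names are placeholders.
param(
    [Parameter(Mandatory=$true)][string]$SourceServer,
    [Parameter(Mandatory=$true)][string]$TargetServer,
    [ValidateSet("My","Root","CertificateAuthority","AuthRoot")][string]$CertStore = "Root"
)

# Pull a lightweight view of the store from each machine so the comparison
# runs locally and does not depend on opening a remote store handle.
$getStore = {
    param($store)
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}
$source = Invoke-Command -ComputerName $SourceServer -ScriptBlock $getStore -ArgumentList $CertStore
$target = Invoke-Command -ComputerName $TargetServer -ScriptBlock $getStore -ArgumentList $CertStore

# The thumbprint (SHA-1 of the encoded certificate) identifies a certificate unambiguously,
# unlike X509Certificate.Equals(), which only looks at issuer and serial number.
$diff = Compare-Object -ReferenceObject $source -DifferenceObject $target -Property Thumbprint

foreach ($d in $diff) {
    if ($d.SideIndicator -eq '<=') {
        $c = $source | Where-Object Thumbprint -eq $d.Thumbprint
        Write-Output "MISSING on $TargetServer : $($c.Subject) [$($c.Thumbprint)] expires $($c.NotAfter)"
    } else {
        $c = $target | Where-Object Thumbprint -eq $d.Thumbprint
        Write-Output "EXTRA   on $TargetServer : $($c.Subject) [$($c.Thumbprint)]"
    }
}

# X509Store.Add() copies the certificate but never the private key, so a cert that
# had a key on the source can be present on the target without one.
if ($CertStore -eq "My") {
    $srcWithKey = $source | Where-Object HasPrivateKey
    foreach ($c in $srcWithKey) {
        $t = $target | Where-Object Thumbprint -eq $c.Thumbprint
        if ($t -and -not $t.HasPrivateKey) {
            Write-Warning "$($c.Subject) is on $TargetServer without its private key; export and import it as PFX instead"
        }
    }
}
```

Run it with -CertStore "Root" after the copy to confirm the two stores now match, and with -CertStore "My" before trusting a copied server certificate for an SSL binding.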


/theadminguy

  1. Riz
    02/02/2016 at 05:30

    Thanks for the excellent script and it has worked well. Only problem I faced after the copying of the certs to different server was when I tried to bind the certs to the site on the server where I copied we were getting the error – Error adding SSL binding – A specified logon session does not exist. I am checking this now on the Internet should not be a big problem though. Thanks a lot for the script – Riz
