Getting OCS 2007 Certs through WMI

  • Article

 We recently had an interesting adventure where we needed to do an audit of the certificates used by various OCS servers.  In this case, scanning the computer's cert store wasn't sufficient - we needed to see which cert was bound to what interface.  The OCS Snap-In under compmgmt.msc provides this information, but GUIs don't scale, and they don't dump data into Excel sheets.  PowerShell to the rescue. 

 

function Out-Error {
param ( $msg = "Unspecified error ocurred." );

Write-Error -ErrorAction SilentlyContinue $msg;
Write-Host -ForegroundColor Red -BackgroundColor Black "ERROR: $msg";
break __outOfScript;
}

function Get-OCSCert {
param (
$computer = $null,
$wmiClass = $null,
$wmiInstance = $null,
$psExecPath = $null
);

$callingFunction = (Get-Variable -Scope 1 -Name MyInvocation).Value.MyCommand -replace " .*";

foreach ($var in @('computer', 'wmiClass', 'wmiInstance', 'psExecPath')) {
if (!(Test-Path variable:$var)) { Out-Error "$callingFunction -$var not specified."; }
}

    $scriptPath = \\$computer\d$\Scripts\;
if (!(Test-Path $scriptPath)) { mkdir $scriptPath | Out-Null; }
@"
`$wmi = Get-WmiObject $wmiClass;
if (`$wmi.count) {
    `$snArray = (`$wmi | Where-Object { `$_.$wmiInstance}).$wmiInstance;
} else {
    `$snArray = `$wmi.$wmiInstance;
}
`$sn = `$null;
foreach (`$num in `$snArray) { `$sn = ("{0:x2}" -f `$num) + `$sn; }
`$sn;
"@ |Set-Content -Path "$scriptPath\$callingFunction.ps1" -Force;

    $windowTitle = $Host.UI.RawUI.WindowTitle;
    $serialNumber = (& $psExecPath -acceptEula "\\$computer" cmd.exe "/c echo . | PowerShell.exe d:\scripts\$callingFunction.ps1 ") 2> $null;
    $Host.UI.RawUI.WindowTitle = $windowTitle;

    if (!$serialNumber) {
    Write-Warning "$callingFunction: Unable to determine cert on $computer.";
    return;
    }

    $store = 'My'; # locally installed certs
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly";$cu = System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine" ;
    $c = new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\$store",$cu);
    $c.Open($ro);
    $c.certificates | Where-Object { $_.SerialNumber -eq $serialNumber }
}

function Get-AcessEdgeServerInternalCert {
    param (
    $computer = $null,
    $psExecPath = $null
    );
    Get-OCSCert -computer $computer -wmiClass MSFT_SIPFederationInternalEdgeListeningAddressSetting -wmiInstance TLSCertSN -psExecPath $psExecPath;
}

function Get-AcessEdgeServerExternalCert {
    param (
    $computer = $null,
    $psExecPath = $null
    );
    Get-OCSCert -computer $computer -wmiClass MSFT_SIPFederationExternalEdgeListeningAddressSetting -wmiInstance TLSCertSN -psExecPath $psExecPath;
}

function Get-ProxyServerCert {
    param (
    $computer = $null,
    $psExecPath = $null
    );
    Get-OCSCert -computer $computer -wmiClass MSFT_SIPListeningAddressData -wmiInstance TLSCertSN -psExecPath $psExecPath;
}

function Get-MediaRelayServerInternalCert {
    param (
    $computer = $null,   
       $psExecPath = $null
    );
    # Same as Get-AccessEdgeServerInternalCert
    Get-OCSCert -computer $computer -wmiClass MSFT_SIPFederationInternalEdgeListeningAddressSetting -wmiInstance TLSCertSN -psExecPath $psExecPath;
}

function Get-MediaRelayServerExternalCert {
    param (
    $computer = $null,
    $psExecPath = $null
    );
    # Very different from Get-AccessEdgeServerExternalCert
    Get-OCSCert -computer $computer -wmiClass MSFT_SIPMediaRelaySetting -wmiInstance BankCertSN -psExecPath $psExecPath;
}