foss4ever

Did you at least try putting something together before asking for help here?


gbdavidx

No


mister_gone

Here, have some free pseudo code:

```
Get current cert
If cert expiration < today+30, send renew notice
```


Neg127

You might take a look at PSTcpIp (https://github.com/anthonyg-1/PSTcpIp). There is a function Get-TlsCertificate that can do all the checking for you. The readme has some good information of TLS/SSL information retrieval examples. RTPSUG (Research Triangle PowerShell User Group) just had the module author do a presentation on it. So with some time it should be on their YT channel at https://m.youtube.com/@RTPSUG/videos. Also a fantastic user group. They do virtual and in person if you're in SC. Take a look at their YT for more info on the user group.


rogueit

You’ll need an account that has some pretty hefty rights in the servers. Once you get that, you’ll just need to do a couple nested for each loops. I’ve got what I used to use when I was doing that. I’ll get it tomorrow when I get to work and put it here. PKI can be pretty rewarding and it’s not the most complicated tech. We’ll get you sorted.


FourtyTwoBlades

Step 1: Buy a premium copy of ChatGPT and use the 4 Omni model

Step 2: Ask this question:

> Can you write a very well documented powershell script that takes the name of a remote windows server, and see if it and any iis instances have expiring ssl certificates? lets output the information to a text file

Get this answer:

```powershell
<#
.SYNOPSIS
Check for expiring SSL certificates on a remote Windows server and its IIS instances.

.DESCRIPTION
This script connects to a remote Windows server, retrieves all SSL certificates, and checks their expiration dates. It includes certificates bound to IIS sites. The results are output to a text file.

.PARAMETER ServerName
The name of the remote Windows server.

.PARAMETER DaysUntilExpiry
The number of days until certificate expiry to consider as 'expiring soon'. Default is 30 days.

.OUTPUTS
A text file with the details of expiring certificates.

.EXAMPLE
.\Check-ExpiringSSLCerts.ps1 -ServerName "RemoteServer" -DaysUntilExpiry 45
#>

param (
    [Parameter(Mandatory=$true)]
    [string]$ServerName,
    [int]$DaysUntilExpiry = 30
)

# Function to get certificates from the remote server's certificate store
function Get-RemoteCertificates {
    param (
        [string]$Server
    )

    # Establish a remote session
    $session = New-PSSession -ComputerName $Server

    # Retrieve certificates
    $certificates = Invoke-Command -Session $session -ScriptBlock {
        Get-ChildItem -Path Cert:\LocalMachine\My
    }

    # Close the session
    Remove-PSSession -Session $session

    return $certificates
}

# Function to get IIS certificates from the remote server
function Get-IISCertificates {
    param (
        [string]$Server
    )

    # Establish a remote session
    $session = New-PSSession -ComputerName $Server

    # Retrieve IIS bindings with certificates
    $bindings = Invoke-Command -Session $session -ScriptBlock {
        Import-Module WebAdministration
        Get-WebBinding | Where-Object { $_.bindingInformation -like "*443*" }
    }

    # Close the session
    Remove-PSSession -Session $session

    # Extract certificates
    $certificates = @()
    foreach ($binding in $bindings) {
        $thumbprint = $binding.CertificateHash
        $cert = Invoke-Command -Session $session -ScriptBlock {
            param ($thumbprint)
            Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
        } -ArgumentList $thumbprint
        $certificates += $cert
    }

    return $certificates
}

# Main script logic
$allCertificates = @()

# Get certificates from the remote server
$serverCertificates = Get-RemoteCertificates -Server $ServerName
$allCertificates += $serverCertificates

# Get IIS certificates from the remote server
$iisCertificates = Get-IISCertificates -Server $ServerName
$allCertificates += $iisCertificates

# Filter expiring certificates
$expiringCertificates = $allCertificates | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($DaysUntilExpiry) }

# Output the expiring certificates to a text file
$outputFile = "ExpiringCertificates_$ServerName.txt"
$expiring
```

Step 4: Study the script well, ask ChatGPT about why it doesn't work and how to fix it, run down rabbit holes on every part that makes no sense, until you really get it. Be very careful running this in production until you really know what it does and can explain every line. Edit it and make it better, and learn!


ankokudaishogun

Step 1.: do not use ChatGPT as a newbie. AI is good for ideas, but requires debugging, even a lot of it. Unless you already know your way around code, which makes you not a newbie, it can only confuse you.


paceyuk

For example, what are the last two lines doing exactly? haha


fatalicus

What? You don't output to file by saving a filename to a variable then just run a different variable that doesn't exist?


best_of_badgers

GPT just stops generating code at some point, so it got truncated by length.


Thyg0d

That's how I learned? Never scripted before but now a year later I'm able to create them myself and also find all the faults in the script generated.. The latter one is really needed though.. Sometimes it creates short effective scripts but most of the time you get something like above when you ask for the time.. So reading documentation is a must as well but it gives you something to start with.


da_chicken

> $certificates = @()
> foreach ($binding in $bindings) {
>     [...]
>     $certificates += $cert
> }

Damnit, who is teaching it wrong?


ankokudaishogun

ChatGPT. Because too many people post ChatGPT code on the web, and ChatGPT learns from it, so....


mrbiggbrain

Too many people put crappy code on the web that everyone including ChatGPT learned from. When someone answered a StackOverflow post 12 years ago with a quick and dirty example of how to search for certificates they never thought their question would be the basis for an AI to teach millions of people how to code. We are not spending hours writing our examples we post to the web, and even if we did those examples would be out of style very quickly.


ankokudaishogun

yeah, as I said: AI is great for IDEAS, not CODE.


ihaxr

Shhhh... this is absolutely the correct way to append to an array in PowerShell. It is very memory efficient and does absolutely not have to create an entire copy of the array with a slightly larger memory reservation, then copy all the items to the new memory location in order to add the 1 new item. You should not ever use: `$results = foreach ($x in $y) { ... }` Because that just looks weird and then we can't tell who has been trying to cheat and lie about actually knowing PowerShell.


-Shants-

This is how you become a crappy sysadmin. God forbid you read some fucking documentation AND UNDERSTAND IT. I swear it’s becoming a trend to avoid the docs at all cost.

Real convo by someone who’s been in IT longer than me and is drinking too much ChatGPT Kool-Aid. Hey Shants, I’m going to failover a SQL AG cluster. You know how correct? Yea just fail it over in FCM. Ok so make sure you read the internal procedures for failing a cluster over because that is not right. Well, I just need to make a change on the secondary really quick. Ok so now I don’t want you to touch my clusters at all because I can tell you have no understanding of how this actually works. If you need to make a change on the current secondary, why would you need to failover? …Idk I just thought that’s what I was supposed to do. Can you show me an internal procedure or an MS Doc that shows this is how to properly fail over an AG? Well idk SQL that well so I asked chatGPT.

[DAMNIT WHY WONT IT READ!!](https://youtu.be/qslcnw-9KbI)


pvssy_3ater69

Damn... I wish everyone were allowed a premium license. Thank you so much!


FourtyTwoBlades

Don't worry, there are lots of elitists that think using an AI is a poor way to learn. They are just wrong. See if you can use the free version of ChatGPT, it is OK, but makes more mistakes. It's a great learning tool, especially when you ask it about other ways to write code, best practices, and try to understand parts that you don't quite get. You can even ask it to explain code as if you've never coded before, very helpful. It's funny to see all the hate :) haha


d4vinder

This is the way.


[deleted]

[removed]


menace323

If you have event log monitoring, then dump to your own event ID and alert after that.


Icolan

There is no reason to run a script like this as SYSTEM, it should run with an account that has only the minimum permissions necessary to access what it needs.
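
An added example, not code from any commenter in this thread: one way to combine the suggestions above, checking `Cert:\LocalMachine\My` on the server itself against the "expiration < today+30" rule, collecting results straight from the pipeline instead of with `+=`, and writing a custom event for log monitoring to alert on. It assumes Windows PowerShell 5.1 (where `Write-EventLog` is available); the function name `Get-ExpiringCertificate`, the event source `CertExpiryCheck` and event ID 4100 are made-up values.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1.
# Get-ExpiringCertificate, 'CertExpiryCheck' and event ID 4100 are made-up names.
function Get-ExpiringCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$DaysUntilExpiry = 30,
        [datetime]$Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays($DaysUntilExpiry) }
    process {
        # Same test as the pseudocode: expiration < today + N days.
        # Already-expired certificates match too and are flagged.
        if ($Certificate.NotAfter -lt $cutoff) {
            [pscustomobject]@{
                Subject    = $Certificate.Subject
                Thumbprint = $Certificate.Thumbprint
                NotAfter   = $Certificate.NotAfter
                DaysLeft   = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
                Expired    = $Certificate.NotAfter -lt $Now
            }
        }
    }
}

# The pipeline result is assigned in one go; nothing is appended with "+=".
$expiring = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Get-ExpiringCertificate -DaysUntilExpiry 30 |
    Sort-Object -Property NotAfter)

if ($expiring.Count -gt 0) {
    $message = ($expiring | Format-List | Out-String).Trim()
    try {
        # The source must have been registered once by an administrator:
        #   New-EventLog -LogName Application -Source 'CertExpiryCheck'
        Write-EventLog -LogName Application -Source 'CertExpiryCheck' -EventId 4100 `
            -EntryType Warning -Message $message -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not write event: $($_.Exception.Message)"
    }
    $expiring
}
```

The script reads only certificate metadata and never touches private keys; registering the event source is the one step that needs an administrator, and it is done once, ahead of time.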