我有一个非常简单的 Powershell 脚本来更新 SSL 证书。我们使用的是短时间 SSL,这是一个重复的过程。在我们的 TSG(终端服务器网关)上,我自动化了 IIS 证书部分,没有任何故障,但是在网关上执行相同操作时遇到了问题。
我尝试了两种选择:
# $NewThumb obtained elsewhere from the certificate
$settings = Get-WmiObject `
-class "Win32_TSGatewayServerSettings" `
-namespace "root\cimv2\TerminalServices" `
-ComputerName "localhost" `
-Authentication 6 -ErrorAction SilentlyContinue
if ($settings){
$h="Not Available"
$settings | fl # test ONE
if ($settings.CertHash){
# convert binary to hex ascii
$h=""; $settings.CertHash | % {$H+=$_.Tostring("X2") }
}
write-host "TH: $NewThumb CH: $h"
if ($NewThumb -eq $h){
write-host "We have the correct certificate"
}else {
# convert back to byte array
$certthumbprint= for ( $i=0; $i -lt $NewThumb.length; $i+=2) { [System.Convert]::ToByte($NewThumb.Substring( $i,2),16) }
$settings.SetCertificate($certthumbprint) | Out-Null
# test if change is effective
$settings = Get-WmiObject `
-class "Win32_TSGatewayServerSettings" `
-namespace "root\cimv2\TerminalServices" `
-ComputerName "localhost" `
-Authentication 6 -ErrorAction SilentlyContinue
$settings | fl
write-host "$($MySelf) New SSL Certificate Installed."
}
结果,之前
__GENUS : 2 __CLASS : Win32_TSGatewayServerSettings __SUPERCLASS : __DYNASTY : Win32_TSGatewayServerSettings __RELPATH : Win32_TSGatewayServerSettings.MaxConnections=4294967295 __PROPERTY_COUNT : 23 __DERIVATION : {} __SERVER : TSG __NAMESPACE : root\cimv2\TerminalServices __PATH :\\TSG\root\cimv2\TerminalServ...... adminMessageEndTime : adminMessageStartTime : adminMessageText : AuthenticationPluginCLSID : AuthenticationPluginDescription : AuthenticationPluginName : native AuthorizationPluginCLSID : AuthorizationPluginDescription : AuthorizationPluginName : native CentralCAPEnabled : False CertHash : consentMessageText : EnforceChannelBinding : True IsConfigured : True MaxConnections : 4294967295 MaximumAllowedConnectionsBySku : 4294967295 MaxLogEvents : 7 MaxProtocols : 2 OnlyConsentCapableClients : False RequestSOH : False SkuName : Windows Server Datacenter SslBridging : 0 UnlimitedConnections : True PSComputerName : TSG
结果,之后
..... removed CertHash : {185, 13, 12, 196...} ..... removed
现在,第二种选择(优雅,更少的代码):
# $NewThumb obtained elsewhere from the certificate
Import-Module RemoteDesktopServices -ErrorAction SilentlyContinue
write-host "Before"
$th=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl
Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $NewThumb
write-host "after"
$TH=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl
前
certhash
NULL
后
certhash
{185, 13, 12, 196...}
我的问题是,无论使用哪种方法,指纹在运行时都正确设置并显示在两个“After”上,但如果我再次运行脚本,在两种情况下,指纹最初都是 NULL。看起来像是 SQL 上缺少“提交”。
我正在 tsg 服务器上的invoke-command远程运行它。
答案1
在设置指纹之前,您需要确保 TSGateway 服务已停止。因此,在第二个示例中,您应该执行以下操作:
# $NewThumb obtained elsewhere from the certificate
Import-Module RemoteDesktopServices -ErrorAction SilentlyContinue
Stop-Service TSGateway
write-host "Before"
$th=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl
Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $NewThumb
Start-Service TSGateway
write-host "after"
$TH=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl
遗憾的是,这没有记录,但这是我在微软内部设置后的经验。
答案2
您可以使用 RemoteDesktop 模块命令来安装此证书
从磁盘上的 PFX 文件加载
$Password = ConvertTo-SecureString -String "yourPFXpassword" -AsPlainText -Force
Set-RDCertificate -Role RDGateway -ImportPath "C:\Certificates\NewCert.pfx" -Password $Password
或者从证书存储中加载
Set-RDCertificate -Role RDGateway -Thumbprint aedd995b45e633d4ef30fcbc8f3a48b627e9a28c