Public/Get-AllegisServerCertFromSocket.ps1
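function Get-AllegisServerCertFromSocket ($hostname, $port=443, $SNIHeader, [switch]$FailWithoutTrust)
{
    <#
    .Synopsis
    Retrieve the X.509 certificate presented by a remote TLS server.
    .Description
    Connect to a remote server using an SSL/TLS connection and retrieve the certificate it presents.
    The connection is used only to read the server certificate; no application data is sent over it.
    .Parameter Hostname
    The hostname or IP of the server you wish to retrieve the certificate from. Note that this name will be
    passed in the SNI extension (and used as the expected server name) if SNIHeader is null.
    .Parameter Port
    The port you want to connect to, default is 443.
    .Parameter SNIHeader
    This value will be passed to the server in the SNI extension, useful for checking fall back certificates
    and certificates listening on different endpoints.
    .Parameter FailWithoutTrust
    Enabling this switch will cause your connection to fail if you connect to a server where the certificate
    is not trusted, because it doesn't chain, is expired, or does not match SNIHeader. Instead of getting a
    certificate you will get a catchable exception.
    Without this switch ALL certificate validation is disabled so that untrusted or misconfigured servers can
    still be inspected; treat the returned certificate as unverified data in that mode.
    .Example
    Get-AllegisServerCertFromSocket www.wrish.com 443 | Export-Certificate -FilePath C:\temp\test.cer ; start c:\temp\test.cer
    Export the certificate from a server to a file, and then open that file to view the certificate being used
    .Example
    Get-AllegisServerCertFromSocket www.wrish.com 443 | fl subject,*not*,Thumb*,ser*
    Retrieve a certificate and display the main useful values to the screen.
    .Outputs
    System.Security.Cryptography.X509Certificates.X509Certificate2
    #>

    # The TLS target name defaults to the host we connect to.
    if (!$SNIHeader) { $SNIHeader = $hostname }

    $cert = $null
    try {
        $tcpclient = New-Object System.Net.Sockets.TcpClient
        $tcpclient.Connect($hostname, $port)

        if (!$FailWithoutTrust) {
            # Validation callback that always returns $true: this deliberately accepts untrusted,
            # expired or mismatched certificates because the whole point of this mode is to look at
            # them. The stream never carries application data, so this is acceptable here - do NOT
            # copy this pattern into code that sends or receives anything over the connection.
            $sslstream = New-Object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(), $false, {$true}
        } else {
            # No callback: the runtime's default validation (chain, expiry, name match) applies and
            # AuthenticateAsClient throws on failure.
            $sslstream = New-Object System.Net.Security.SslStream -ArgumentList $tcpclient.GetStream(), $false
        }

        # targetHost is both the SNI value sent and the name the certificate is validated against.
        $sslstream.AuthenticateAsClient($SNIHeader)

        $remote = $sslstream.RemoteCertificate
        if ($remote) {
            # Rebuild the certificate from its DER bytes rather than returning the stream's own object:
            # newer .NET runtimes may dispose RemoteCertificate together with the SslStream (closed in
            # the finally block below), which would hand the caller an unusable object.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$remote.GetRawCertData())
        }
    }
    catch {
        throw "Failed to retrieve remote certificate from $hostname`:$port because $_"
    }
    finally {
        # Always release the TLS stream and the socket, whether or not the handshake succeeded.
        if ($sslstream) { $sslstream.Close() }
        if ($tcpclient) { $tcpclient.Close() }
    }

    return $cert
}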