在Powershell中设置IIS绑定证书时出现问题
我正在编写一个Powershell脚本,以浏览我的IIS绑定列表,找到任何具有特定“旧”证书指纹的证书,并用具有“新”指纹的证书替换它们的证书。这是因为我可以为许多绑定更新证书,因为我们在许多站点上使用相同的证书,所以我们需要将所有具有旧证书的绑定更新为新证书。下面是我的想法:在Powershell中设置IIS绑定证书时出现问题,powershell,ssl,iis,certificate,Powershell,Ssl,Iis,Certificate,我正在编写一个Powershell脚本,以浏览我的IIS绑定列表,找到任何具有特定“旧”证书指纹的证书,并用具有“新”指纹的证书替换它们的证书。这是因为我可以为许多绑定更新证书,因为我们在许多站点上使用相同的证书,所以我们需要将所有具有旧证书的绑定更新为新证书。下面是我的想法: ##### EDIT THESE VARIABLES ##### $SiteName = "movc-website-www" $OldCertThumbprint = "76 ae 0b 2e b9 f7 45 ce
##### EDIT THESE VARIABLES #####
$SiteName = "movc-website-www"
$OldCertThumbprint = "76 ae 0b 2e b9 f7 45 ce 27 c4 02 6e 90 66 62 93 69 d7 5e 4c"
$ReplacementCertThumbprint = "7f fa 9f f3 90 b8 a2 d8 4c 98 51 47 a5 64 1d 90 f6 2f ca 73"
##### FUNCTIONS #####
Function ReplaceWebsiteBinding {
Param(
[string] $SiteName,
[string] $OldCertThumbprint,
[string] $ReplacementCertThumbprint
);
Import-Module WebAdministration;
$ReplacedCount = 0
$IISBindings = (Get-ItemProperty -Path "IIS:\Sites\$SiteName" -Name Bindings)
for ($i=0; $i -lt ($IISBindings.Collection).Length; $i++) {
if (($IISBindings.Collection[$i]).certificateHash -eq $OldCertThumbprint) {
($IISBindings.Collection[$i]).RebindSslCertificate($ReplacementCertThumbprint, "My")
$ReplacedCount++
}
}
Return $ReplacedCount
}
##### MAIN PROGRAM #####
$OldCertThumbprint = $OldCertThumbprint.Replace(" ", "").ToUpper()
$ReplacementCertThumbprint = $ReplacementCertThumbprint.Replace(" ", "").ToUpper()
# Check that cert with given thumbprints exist
$FoundCert = Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object { $_.Thumbprint -eq $OldCertThumbprint } |
Select-Object -ExpandProperty Thumbprint
if (!$FoundCert) {
Write-Host "Old cert with thumbprint $OldCertThumbprint not found!"
Exit
}
$FoundCert = Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object { $_.Thumbprint -eq $ReplacementCertThumbprint } |
Select-Object -ExpandProperty Thumbprint
if (!$FoundCert) {
Write-Host "Replacement cert with thumbprint $ReplacementCertThumbprint not found!"
Exit
}
# Associate new cert with bindings that have old cert
$ReplacedCount = ReplaceWebsiteBinding $SiteName $OldCertThumbprint $ReplacementCertThumbprint
Write-Host "Replaced $ReplacedCount binding(s)."
问题是,这不起作用,因为调用.rebindslcertificate(…)
的行会给我以下Powershell错误:
Value does not fall within the expected range.
At (...)
+ ($IISBindings.Collection[$i]).RebindSslCertificate($Repla ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException
这并不是最有用的错误,我也不明白为什么我会得到它。在我看来,这些论点是正确的;指纹是由
Get ChildItem
代码找到的,“我的”看起来不错。我能想到的唯一一件事是,它可能在当前用户证书存储中查找,而不是在本地计算机证书存储中查找,这是所需证书所在的位置。有人能帮我解释为什么会发生此错误吗?事实证明,我遇到的问题与所描述的相同(重新绑定SLCertificate
证书与删除证书,然后调用添加SLCertificate
)。由于某些愚蠢的原因从Windows中的证书对话框复制指纹时,它会在字符串的开头插入一个零宽度LTR字符,因此我的指纹无效。我在脚本的开头添加了一个对此的检查以防止:
if ($OldCertThumbprint -match "[\W-[\ ]]") {
Write-Host "Old cert thumbprint contains non-word characters, maybe a zero-width LTR Unicode character at the beginning. You almost certainly don't want this! Aborting!"
Exit
}
if ($ReplacementCertThumbprint -match "[\W-[\ ]]") {
Write-Host "Replacement cert thumbprint contains non-word characters, maybe a zero-width LTR Unicode character at the beginning. You almost certainly don't want this! Aborting!"
Exit
}
您的代码看起来是正确的。您是否以管理员身份运行?如果只运行以下代码,是否显示旧的和替换的指纹/主题?“$FoundCert=Get ChildItem-Path Cert:\LocalMachine\My”是,我以管理员身份运行。是的,将显示它们。要进一步验证防弹指纹,请使用“^[a-fA-F0-9]{40}$”。(假设sha1散列)