I have a very simple Powershell script to renew SSL certificates. We are using short duration SSL and this is a repetitive process. On our TSG (Terminal Server Gateway), I automated the IIS certificate portion without a glitch, however I'm having issues doing the same on the gateway.
I attempted two options:
# $NewThumb obtained elsewhere from the certificate
$settings = Get-WmiObject `
-class "Win32_TSGatewayServerSettings" `
-namespace "root\cimv2\TerminalServices" `
-ComputerName "localhost" `
-Authentication 6 -ErrorAction SilentlyContinue
if ($settings){
$h="Not Available"
$settings | fl # test ONE
if ($settings.CertHash){
# convert binary to hex ascii
$h=""; $settings.CertHash | % {$H+=$_.Tostring("X2") }
}
write-host "TH: $NewThumb CH: $h"
if ($NewThumb -eq $h){
write-host "We have the correct certificate"
}else {
# convert back to byte array
$certthumbprint= for ( $i=0; $i -lt $NewThumb.length; $i+=2) { [System.Convert]::ToByte($NewThumb.Substring( $i,2),16) }
$settings.SetCertificate($certthumbprint) | Out-Null
# test if change is effective
$settings = Get-WmiObject `
-class "Win32_TSGatewayServerSettings" `
-namespace "root\cimv2\TerminalServices" `
-ComputerName "localhost" `
-Authentication 6 -ErrorAction SilentlyContinue
$settings | fl
write-host "$($MySelf) New SSL Certificate Installed."
}
Result, BEFORE
__GENUS : 2 __CLASS : Win32_TSGatewayServerSettings __SUPERCLASS : __DYNASTY : Win32_TSGatewayServerSettings __RELPATH : Win32_TSGatewayServerSettings.MaxConnections=4294967295 __PROPERTY_COUNT : 23 __DERIVATION : {} __SERVER : TSG __NAMESPACE : root\cimv2\TerminalServices __PATH :\\TSG\root\cimv2\TerminalServ...... adminMessageEndTime : adminMessageStartTime : adminMessageText : AuthenticationPluginCLSID : AuthenticationPluginDescription : AuthenticationPluginName : native AuthorizationPluginCLSID : AuthorizationPluginDescription : AuthorizationPluginName : native CentralCAPEnabled : False CertHash : consentMessageText : EnforceChannelBinding : True IsConfigured : True MaxConnections : 4294967295 MaximumAllowedConnectionsBySku : 4294967295 MaxLogEvents : 7 MaxProtocols : 2 OnlyConsentCapableClients : False RequestSOH : False SkuName : Windows Server Datacenter SslBridging : 0 UnlimitedConnections : True PSComputerName : TSG
Result, AFTER
..... removed CertHash : {185, 13, 12, 196...} ..... removed
now,the second option (elegant, less code):
# $NewThumb obtained elsewhere from the certificate
Import-Module RemoteDesktopServices -ErrorAction SilentlyContinue
write-host "Before"
$th=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl
Set-Item RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $NewThumb
write-host "after"
$TH=Get-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint
$th | fl
Before
certhash
NULL
After
certhash
{185, 13, 12, 196...}
My issue is that when run, either methods, the Thumbprint is correctly set and display on both 'After', but, if I run the script again, on both cases the Thumbprint is initially NULL. Looks like a missing 'commit' on SQL.
I'm running this remotely on invoke-command on the tsg server.
You need to ensure the TSGateway service is stopped before you set the thumbprint. So in your second example you should do:
This is sadly not documented but this has been my experience after setting this up internally at Microsoft.
You can use the RemoteDesktop module commands to install this cert for you
Either load from PFX file on disk
Or load from cert already in your cert store
From https://docs.microsoft.com/en-us/powershell/module/remotedesktop/set-rdcertificate?view=winserver2012r2-ps