Situation: an IIS 7.5 server with 30+ sites and 10+ certificates, and a few of the certificates may be obsolete. Obsolete means they're not bound to the ip:port of any site on IIS.

I could check each site's bindings through the GUI, but that does not seem the fastest way.

With what command(s) can I get a list of sites using a certain certificate, given its common name like *.example.com? I think I need at least netsh http show sslcert, but that output only shows the certificate hash and no site names.

Chris

1 Answer

I'm using the following PowerShell script to look at all certs on the box and, for each one, try to find it in the IIS SSL bindings.

Import-Module WebAdministration

# Walk every certificate in the machine's personal store and look for its
# thumbprint among the HTTP.sys SSL bindings exposed under IIS:\SslBindings
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {

  $found = $false
  $tp = $_.Thumbprint   # remember the cert's thumbprint; $_ is rebound inside the inner loop

  Get-ChildItem IIS:\SslBindings | ForEach-Object {
    if ($_.Thumbprint -eq $tp)
    {
      # Host is only populated for SNI bindings (IIS 8 and later); empty on IIS 7.5
      Write-Host "Used in $($_.IpAddress) $($_.Host)"
      $found = $true
    }
  }
  if ($found)
  {
    Write-Host $tp -ForegroundColor Green
    Write-Host $_.Subject -ForegroundColor Green
    Write-Host $_.NotAfter -ForegroundColor Green
  }
  else
  {
    Write-Host "Not in use"
    Write-Host $tp -ForegroundColor Red
    Write-Host $_.Subject -ForegroundColor Red
    Write-Host $_.NotAfter -ForegroundColor Red
  }
  Write-Host "***************************************************************"
}
Peter Hahndorf
  • I have little to no experience with PowerShell scripting. Can you show how to call your script with some demo parameters set? – Chris Jan 19 '15 at 13:01
  • @Chris - the script doesn't need parameters, you should run it as an elevated administrator and you need to have the IIS Web-Scripting-Tools installed (via Server roles). Say you saved the script as C:\FindUnusedCerts.ps1, just open a PowerShell and type 'C:\FindUnusedCerts.ps1' – Peter Hahndorf Jan 19 '15 at 13:16
  • You rock! I installed IIS Web-Scripting-Tools via the Server manager GUI. Role: Web Server (IIS) -> Role service: Management Tools / IIS Management Scripts and Tools. Via http://stackoverflow.com/a/1612561/1385429 – Chris Jan 19 '15 at 13:31
  • It'll be worthwhile mentioning that you need to set the execution policy first in PowerShell using: set-executionpolicy remotesigned, and then execute your script using .\myscriptname.ps1 – Jonty Jun 03 '17 at 10:28
  • All I get is simply three green lines of gibberish code, while I have more than 10 certificates and more than 100 sites on my server. What might be wrong? I installed `IIS Management Scripts and Tools`. – Saeed Neamati Jun 30 '17 at 06:59
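The answer above reports which ip:port each certificate is bound to, but the question asked for site names for a certificate selected by common name. The following script is an added example, not code from the answer or from Microsoft; it assumes the WebAdministration module (IIS Management Scripts and Tools) is installed, an elevated PowerShell session, and the hypothetical default `*.example.com`. It matches the HTTP.sys SSL bindings (the same data netsh http show sslcert prints) against each site's https bindings in applicationHost.config.

```powershell
# Added example: list the IIS sites whose HTTPS binding uses a certificate chosen by
# common name. Assumes the WebAdministration module and an elevated shell.
param([string]$CommonName = '*.example.com')   # constructed default for illustration
Import-Module WebAdministration

# 1. Certificates in the machine store whose subject CN matches the requested name.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" }
if (-not $certs) { Write-Warning "No certificate with CN '$CommonName' found"; return }

# 2. HTTP.sys SSL bindings, the same data that 'netsh http show sslcert' prints.
$sslBindings = Get-ChildItem IIS:\SslBindings

# 3. Site https bindings from applicationHost.config. The site name lives in ItemXPath;
#    bindingInformation is "ip:port:hostheader" ('*' = all unassigned addresses).
#    Bracketed IPv6 addresses contain ':' and would need a smarter split than this.
$siteBindings = Get-WebBinding -Protocol https | ForEach-Object {
    $ip, $port, $hostHeader = $_.bindingInformation -split ':'
    [pscustomobject]@{
        Site = [regex]::Match($_.ItemXPath, "@name='([^']+)'").Groups[1].Value
        IP   = $ip
        Port = [int]$port
        Host = $hostHeader
    }
}

foreach ($cert in $certs) {
    Write-Host "$($cert.Subject) [$($cert.Thumbprint)] expires $($cert.NotAfter)"
    $used = $sslBindings | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $used) {
        # No HTTP.sys binding at all: this is the "obsolete" case from the question.
        Write-Host "  not bound to any ip:port -> obsolete candidate" -ForegroundColor Red
        continue
    }
    foreach ($b in $used) {
        # HTTP.sys reports 0.0.0.0 where applicationHost.config stores '*'.
        $ipText = "$($b.IPAddress)"
        if ($ipText -eq '0.0.0.0') { $ipText = '*' }
        # Host is only set for SNI bindings (IIS 8+); on IIS 7.5 it is empty and ignored.
        $sites = $siteBindings |
            Where-Object { $_.IP -eq $ipText -and $_.Port -eq $b.Port -and (-not $b.Host -or $_.Host -eq $b.Host) } |
            Select-Object -ExpandProperty Site | Sort-Object -Unique
        Write-Host ("  {0}:{1} -> {2}" -f $ipText, $b.Port, ($sites -join ', ')) -ForegroundColor Green
    }
}
```

A binding that HTTP.sys reports but no site matches usually means it was added with netsh rather than through IIS, so check both sources before deleting a certificate.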