GetAppGWCerts.psm1
<#
.Synopsis Displays and Exports all the certs (in .cer format) uploaded to the selected AppGW. .Description Displays and Exports all the certs (in .cer format) uploaded to the selected AppGW. .Parameter ResourceGroupName Name of the Resource group. .Parameter AppGWName Name of the AppGW .Example # Displays and Exports all the certs (in .cer format) uploaded to the selected AppGW. Get-AppGWCerts -ResourceGroupName RGname -AppGWName AppGwname -Export #> #------------------------------------------------------------------------------ # # # THIS CODE AND ANY ASSOCIATED INFORMATION ARE PROVIDED “AS IS” WITHOUT # WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT # LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS # FOR A PARTICULAR PURPOSE. THE ENTIRE RISK OF USE, INABILITY TO USE, OR # RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER. # #------------------------------------------------------------------------------ # This script will list the thumbprint of all the certificates uploaded to the AppGW Function Get-AppGWCerts{ Param( [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [String]$ResourceGroupName, [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [String]$AppGWName, [Parameter(Mandatory=$false)] [switch]$Export ) If($export -eq $true){ Write-Host "All certs will be exported to $HOME in .CER format." -ForegroundColor Green } "Only Last certificate in the chain will be presented in the output" $date = (Get-Date).ToUniversalTime() "Test Date : $($date) UTC" "`n" #Get AppGW Details $getGW = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $AppGWName if ($getgw.sku.Tier.Contains("v2") -ne "True"){ ######################### V1 part Write-Host "All Authentication Certs uploaded for $($getGW.Name) (Certs for HTTP Setting)" -ForegroundColor Green #Get the Setting Certificate details, you have to provide the name of the certificate $SettingCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $getGW if($SettingCert.count -gt 1){ for($i=0; $i -lt $SettingCert.count; $i++){ #cmd to convert raw data to thumbprint. $Settingcertraw = $SettingCert.Data[$i] $Settingpfx= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $Settingpfx.Import([System.Convert]::FromBase64String($Settingcertraw),$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) #Output - Name and Thumbprint of the Setting certificate ("Cert name : $($SettingCert.Name[$i])" | Out-String ).split("`n") -match '\S' ("Cert Type : HTTP Setting").split("`n") -match '\S' ($Settingpfx[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String ).split("`n") -match '\S' "Expiring in : $(($Settingpfx[-1].NotAfter - $date).Days)" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $Settingpfx | ForEach-Object { $certexpo = $Settingpfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($SettingCert.Name[$i])+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } }} if($SettingCert.count -eq 1){ #cmd to convert raw data to thumbprint. $Settingcertraw = $SettingCert.Data $Settingpfx= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $Settingpfx.Import([System.Convert]::FromBase64String($Settingcertraw),$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) #Output - Name and Thumbprint of the Setting certificate ("Cert name : $($SettingCert.Name)" ).split("`n") -match '\S' ("Cert Type : HTTP Setting").split("`n") -match '\S' ($Settingpfx[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String).split("`n") -match '\S' "Expiring in : $(($Settingpfx[-1].NotAfter - $date).Days)Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $Settingpfx | ForEach-Object { $certexpo = $Settingpfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($SettingCert.Name)+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } } ######################### } Else{# V2 HTTP Setting certs, and V2 SSL or Listener Certs Write-Host "All Trusted Root Certs uploaded for $($getGW.Name) (Certs for HTTP Setting)" -ForegroundColor Green #Get the Setting Certificate details, you have to provide the name of the certificate $SettingCert = Get-AzApplicationGatewayTrustedRootCertificate -ApplicationGateway $getGW if($SettingCert.count -gt 1){ for($i=0; $i -lt $SettingCert.count; $i++){ #cmd to convert raw data to thumbprint. $Settingcertraw = $SettingCert.Data[$i] $Settingpfx= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $Settingpfx.Import([System.Convert]::FromBase64String($Settingcertraw),$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) #Output - Name and Thumbprint of the Setting certificate ("Cert name : $($SettingCert.Name[$i])" ).split("`n") -match '\S' ("Cert Type : HTTP Setting").split("`n") -match '\S' ($Settingpfx[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String ).split("`n") -match '\S' "Expiring in : $(($Settingpfx[-1].NotAfter - $date).Days)Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $Settingpfx | ForEach-Object { $certexpo = $Settingpfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($SettingCert.Name[$i])+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } } } if($SettingCert.count -eq 1){ #cmd to convert raw data to thumbprint. $Settingcertraw = $SettingCert.Data $Settingpfx= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $Settingpfx.Import([System.Convert]::FromBase64String($Settingcertraw),$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) #Output - Name and Thumbprint of the Setting certificate ("Cert name : $($SettingCert.Name)" | Out-String ).split("`n") -match '\S' ("Cert Type : HTTP Setting").split("`n") -match '\S' ($Settingpfx[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String ).split("`n") -match '\S' "Expiring in : $(($Settingpfx[-1].NotAfter - $date).Days)Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $Settingpfx | ForEach-Object { $certexpo = $Settingpfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($SettingCert.Name)+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } } } Write-Host "All SSL Certs uploaded for $($getGW.Name) (Certs for Listener)" -ForegroundColor Green #Get the Listener Certificate details, you have to provide the name of the certificate $ListenerCert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $getGW if($ListenerCert.count -gt 1){ [array]$kvname = $ListenerCert.KeyVaultSecretId | where {$_ -ne $null} | foreach {$_ -replace"https://" -replace ".vault.*" -replace "`n"} [array]$kvcertname = $ListenerCert.KeyVaultSecretId | where {$_ -ne $null} | foreach {$_ -replace".*/secrets/" -replace "/.*"} [array]$ListenerCertKVname = ($ListenerCert | where {$_.KeyVaultSecretId -ne $null}).Name [array]$KVID = $ListenerCert.KeyVaultSecretId | where {$_ -ne $null} for($i=0; $i -lt $kvname.count; $i++){ $kvcertdata = Get-AzKeyVaultCertificate -VaultName $kvname[$i] -Name $kvcertname[$i] $ListenerpfxKV = $kvcertdata.Certificate ("Cert name : $($ListenerCertKVname[$i])").split("`n") -match '\S' ("Cert Type : Listener").split("`n") -match '\S' ("Key VaultID : $($kvid[$i])").split("`n") -match '\S' ($ListenerpfxKV[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String).split("`n") -match '\S' "Expiring in : $(($ListenerpfxKV[-1].NotAfter - $date).Days) Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" #}#temp # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $ListenerpfxKV | ForEach-Object { $certexpo = $ListenerpfxKV.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($ListenerCertKVname[$i])+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } }# for loop for Key vault certs # Normal Listener Cert part $normalcertcount = $ListenerCert.count - $kvname.count [array]$Listenercertraw = $ListenerCert.PublicCertData | where {$_ -ne $null} [array]$normalcertname = ($ListenerCert | where {$_.PublicCertData -ne $null}).Name #$normalcertname = $normalcertname.name #foreach ($normalcertname in $normalcertname){ for($i=0; $i -lt $normalcertcount; $i++){ #cmd to convert raw data to thumbprint. $Listenerpfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2collection $Listenerpfx.Import([System.Convert]::FromBase64String($Listenercertraw[$i]),$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) #Output - Name and Thumbprint of the Listener certificate ("Cert name : $($normalcertname[$i])").split("`n") -match '\S' ("Cert Type : Listener").split("`n") -match '\S' ($Listenerpfx[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String).split("`n") -match '\S' "Expiring in : $(($Listenerpfx[-1].NotAfter - $date).Days)Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" #} # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $Listenerpfx[-1] | ForEach-Object { $certexpo = $Listenerpfx[-1].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($normalcertname[$i])+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } } } if($ListenerCert.count -eq 1){ if($ListenerCert.KeyVaultSecretId -ne $null){ $kvname = $ListenerCert.KeyVaultSecretId | where {$_ -ne $null} | foreach {$_ -replace"https://" -replace ".vault.*" -replace "`n"} $kvcertname = $ListenerCert.KeyVaultSecretId | where {$_ -ne $null} | foreach {$_ -replace".*/secrets/" -replace "/.*"} [array]$ListenerCertKVname = ($ListenerCert | where {$_.KeyVaultSecretId -ne $null}).Name $kvcertdata = Get-AzKeyVaultCertificate -VaultName $kvname -Name $kvcertname $ListenerpfxKV = $kvcertdata.Certificate ("Cert name : $($ListenerCertKVname)").split("`n") -match '\S' ("Cert Type : Listener").split("`n") -match '\S' ("Key VaultID : $($ListenerCert.KeyVaultSecretId)").split("`n") -match '\S' ($ListenerpfxKV[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String).split("`n") -match '\S' "Expiring in : $(($ListenerpfxKV[-1].NotAfter - $date).Days)Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $ListenerpfxKV | ForEach-Object { $certexpo = $ListenerpfxKV.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($ListenerCertKVname)+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } }# for loop for Key vault certs Else{ #normal cert part $Listenercertraw = $ListenerCert.PublicCertData | where {$_ -ne $null} #cmd to convert raw data to thumbprint. $Listenerpfx= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection $Listenerpfx.Import([System.Convert]::FromBase64String($Listenercertraw),$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) #Output - Name and Thumbprint of the Listener certificate ("Cert name : $($ListenerCert.name)").split("`n") -match '\S' ("Cert Type : Listener").split("`n") -match '\S' ($Listenerpfx[-1] | FL -Property Thumbprint, Subject, Issuer, Notafter, dnsnamelist | Out-String).split("`n") -match '\S' "Expiring in : $(($Listenerpfx[-1].NotAfter - $date).Days)Days" ("AppGwID : $($getGW.ID)" | Out-String ).split("`n") -match '\S' "`n" } # Next code section will export the certificates. If you do not want to export certificate, comment these line. If($export -eq $true){ $Listenerpfx[-1] | ForEach-Object { $certexpo = $Listenerpfx[-1].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert, "") $outPfxPath = $HOME+'\'+$($ListenerCert.name)+'.cer' [io.file]::WriteAllBytes($outPfxPath, $certexpo) } } } } Export-ModuleMember -Function Get-AppGWCerts |