Automatic process for AMS Certificate rebinding

[antoine-dentan]

Hello Lithnet Community.
In case it can help, I wrote a script that configures AMS so that the certificate used is the most recent one from the "Computer" store that matches the appropriate subject name.
The script lists the certificates in the store, selects the most recent one, binds to http.sys, and restarts the AMS service.
Added to a scheduled task, this script allows you to use Let's Encrypt certificates without having to reconfigure AMS every 3 months.

Hope this can help :)

Here is the code:

<#
.SYNOPSIS
Updates SSL certificate bindings in HTTP.SYS and restarts the LithnetAMS service.

.DESCRIPTION
This script retrieves SSL binding information from the Windows registry, compares the thumbprint of the current SSL certificate with the most recent certificate for a given subject, updates the SSL certificate binding if they differ, and restarts the LithnetAMS service.

.PARAMETER IPPort
The IP address and port of the SSL binding to update. Default is '0.0.0.0:443'.

.PARAMETER Subject
The subject name of the certificate to search for and update. Default is 'laps.adviseit.org'.

.EXAMPLE
.\Update-SSLCertificate.ps1
Updates the SSL certificate binding for the default IP port '0.0.0.0:443' and subject 'laps.adviseit.org'.

.EXAMPLE
.\Update-SSLCertificate.ps1 -IPPort '192.168.1.1:443' -Subject 'example.org'
Updates the SSL certificate binding for the specified IP port '192.168.1.1:443' and subject 'example.org'.
#>

[CmdletBinding()]
param (
[string]$IPPort = '0.0.0.0:443',
[string]$Subject = 'laps.adviseit.org'
)

function Get-SslBindingInfo {
<#
.SYNOPSIS
Retrieves SSL binding information from the Windows registry.

.DESCRIPTION
This function queries the Windows registry to obtain information about SSL bindings configured in HTTP.SYS. It returns an array of objects containing details about each SSL binding.

.PARAMETER BindingsPath
The registry path where SSL binding information is stored. By default, it is 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'.

.PARAMETER DefaultStoreName
The default certificate store name to use if none is specified in the registry. By default, it is 'My'.

.OUTPUTS
System.Array
Returns an array of objects representing SSL bindings with the properties IPPort, HashProperty, Thumbprint, Store, AppId, Subject, Issuer, and NotAfter.

.EXAMPLE
Get-SslBindingInfo
Retrieves and displays SSL binding information with default parameters.
#>
param (
    [string]$BindingsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo',
    [string]$DefaultStoreName = 'My'
)

$results = [System.Collections.Generic.List[object]]::new()

try {
    if (-not (Test-Path $BindingsPath)) {
        Write-Warning "No SSL bindings found in HTTP.SYS."
        return $results
    }

    Get-ChildItem $BindingsPath | ForEach-Object {
        try {
            $keyName = $_.PSChildName
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction Stop

            $hashPropNames = @('SslCertHash', 'CertHash', 'CertificateHash', 'SslCertHashBinary')
            $hash = $null
            $usedHashName = '<none>'

            foreach ($n in $hashPropNames) {
                if ($props.PSObject.Properties.Name -contains $n) {
                    $hash = $props.$n
                    $usedHashName = $n
                    break
                }
            }

            if ($null -eq $hash -or $hash.Length -eq 0) {
                Write-Host "Binding $keyName without a hash ($usedHashName), ignored." -ForegroundColor Yellow
                return
            }

            $thumbHex = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
            $thumb = $thumbHex -replace '\s', ''

            $storeName = if ($props.PSObject.Properties.Name -contains 'SslCertStoreName') { $props.SslCertStoreName } else { $DefaultStoreName }

            $cert = Get-ChildItem -Path "Cert:\LocalMachine\$storeName" -ErrorAction SilentlyContinue |
                    Where-Object { ($_.Thumbprint -replace '\s', '').ToUpper() -eq $thumb.ToUpper() } |
                    Select-Object -First 1

            $appId = $props.AppId
            $appIdGuid = if ($appId -is [byte[]] -and $appId.Length -eq 16) {
                $guid = [System.Guid]::New($appId)
                $guid.ToString('B')
            } else {
                $appId
            }

            $result = [PSCustomObject]@{
                IPPort = $keyName
                HashProperty = $usedHashName
                Thumbprint = $thumb
                Store = $storeName
                AppId = $appIdGuid
                Subject = if ($cert) { $cert.Subject } else { '<not found>' }
                Issuer = if ($cert) { $cert.Issuer } else { '<not found>' }
                NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            }

            $results.Add($result)
        } catch {
            Write-Error "An error occurred while processing the SSL binding: $_"
        }
    }
} catch {
    Write-Error "An error occurred while accessing the registry: $_"
}

return $results

}

function Get-UpdatedCertificate {
<#
.SYNOPSIS
Queries the "computer" certificate store and retrieves the most recent certificate with the subject name matching the one passed as an argument.

.PARAMETER Subject
The subject name of the certificate being searched for. The function will return the most recent certificate with this subject name.

.OUTPUTS
Returns an object of type "X509Certificate2".

.EXAMPLE
Get-UpdatedCertificate -Subject 'laps.adviseit.org'
Retrieves and displays the most recent certificate with the subject name 'laps.adviseit.org'.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string] $Subject
)

try {
    $Certificate = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {$_.Subject -eq "CN=$Subject"} |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1

    return $Certificate
} catch {
    Write-Error "An error occurred while retrieving the certificate: $_"
    return $null
}

}

try {
$CurrentCert = Get-SslBindingInfo | Where-Object {$_.IPPort -eq $IPPort}
$UpdatedCert = Get-UpdatedCertificate -Subject $Subject

if ($CurrentCert.Thumbprint -ne $UpdatedCert.Thumbprint) {
    netsh http update sslcert ipport=$IPPort certhash=$($UpdatedCert.Thumbprint) appid=$($CurrentCert.AppId)
}

} catch {
Write-Error "An error occurred while comparing or updating certificates: $_"
}

try {
Restart-Service LithnetAMS -ErrorAction Stop
} catch {
Write-Error "An error occurred while restarting the LithnetAMS service: $_"
}