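<#
.SYNOPSIS
    Binds a certificate (selected by thumbprint) to RRAS/SSTP and, optionally, to the
    HTTPS binding of the IIS "Default Web Site".

.DESCRIPTION
    Looks the thumbprint up anywhere under Cert:\LocalMachine. RRAS can only bind a
    certificate that lives in the machine Personal store, so a certificate found in
    another store is copied into LocalMachine\My first. The RemoteAccess service is then
    stopped, the *:443: binding of "Default Web Site" is optionally recreated with the
    new certificate, the certificate is assigned to RRAS with Set-RemoteAccess and the
    service is started again.

.PARAMETER NewCertThumbprint
    SHA-1 thumbprint of the certificate to bind. Whitespace and other non-hex characters
    (as pasted from certlm/certmgr) are stripped before the lookup; anything that is not
    40 hex digits afterwards is rejected.

.PARAMETER RecreateDefaultBindings
    1 (default): delete and recreate the *:443: binding of "Default Web Site" and attach
    the new certificate to it. Any other value leaves IIS untouched.

.NOTES
    Requires an elevated session and the RemoteAccess module (WebAdministration as well
    when RecreateDefaultBindings is 1).
    Exits with code 1 on any failure. The RemoteAccess service is restarted in a finally
    block, so a failure while rebinding does not leave the VPN endpoint down.
#>
param(
    [Parameter(Position=0,Mandatory=$true)]
    [string]$NewCertThumbprint,
    [Parameter(Position=1,Mandatory=$false)]
    [int]$RecreateDefaultBindings = 1
)

Import-Module RemoteAccess

# Cmdlet failures (Stop-Service, Set-RemoteAccess, Remove-WebBinding, ...) are
# non-terminating by default and would bypass the catch block below, so the script
# would print an error and then report success. Make every error terminating.
$ErrorActionPreference = 'Stop'

# Thumbprints copied out of the certificate MMC frequently carry spaces or an
# invisible leading character; normalise to bare upper-case hex before comparing.
$thumbprint = ($NewCertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    "'$NewCertThumbprint' is not a 40 hex digit SHA-1 thumbprint"
    exit 1
}

# Prefer a copy that is already in LocalMachine\My, then one that carries a private key,
# so a public-only copy in e.g. CA or Root does not shadow the usable one.
$CertInStore = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $thumbprint } |
    Sort-Object -Property @{ Expression = { $_.PSParentPath -like '*LocalMachine\My' }; Descending = $true },
                          @{ Expression = 'HasPrivateKey'; Descending = $true } |
    Select-Object -First 1

if (-not $CertInStore) {
    "Cert thumbprint not found in the cert store... which is strange because it should be there."
    exit 1
}

# Neither RRAS nor IIS can serve TLS with a certificate that has no private key; fail
# before touching the service rather than after.
if (-not $CertInStore.HasPrivateKey) {
    "Certificate $thumbprint was found in $($CertInStore.PSParentPath) but has no private key"
    exit 1
}

$failed = $false
$serviceStopped = $false
try {
    # Cert must exist in the personal store of the machine to bind to RRAS
    if ($CertInStore.PSPath -notlike "*LocalMachine\My\*") {
        $sourceStoreName = $CertInStore.PSParentPath.Split('\')[-1]
        "Copying certificate from LocalMachine\$sourceStoreName to LocalMachine\My..."

        $sourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $sourceStoreName, 'LocalMachine'
        $destStore   = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
        try {
            $sourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            $destStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

            $cert = $sourceStore.Certificates |
                Where-Object { $_.Thumbprint -eq $thumbprint } |
                Select-Object -First 1
            $destStore.Add($cert)
        } finally {
            # Close both handles even when Open/Add throws.
            $sourceStore.Close()
            $destStore.Close()
        }

        $CertInStore = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumbprint } |
            Select-Object -First 1
        if (-not $CertInStore) {
            throw "Certificate $thumbprint is not visible in LocalMachine\My after the copy"
        }
    }

    "Stopping RemoteAccess service to prevent errors..."
    Stop-Service RemoteAccess
    $serviceStopped = $true

    if ($RecreateDefaultBindings -eq 1) {
        # Only needed on this path; loading it unconditionally would break hosts without IIS.
        Import-Module WebAdministration

        "Checking if we need to replace default binding..."
        $defaultBinding = Get-WebBinding -Name "Default Web Site" -Protocol https |
            Where-Object { $_.bindingInformation -eq "*:443:" } |
            Select-Object -First 1

        if ($defaultBinding) {
            "Default binding detected. Deleting..."
            $defaultBinding | Remove-WebBinding

            "Creating new default binding..."
            New-WebBinding -Name "Default Web Site" -Protocol https -IPAddress * -Port 443 -Force | Out-Null
            $binding = Get-WebBinding -Name "Default Web Site" -Protocol https |
                Where-Object { $_.bindingInformation -eq "*:443:" } |
                Select-Object -First 1
            if (-not $binding) {
                throw "The *:443: binding of 'Default Web Site' could not be recreated"
            }

            "Assigning certificate to new default binding..."
            $binding.AddSslCertificate($thumbprint, "my")
        }
    }

    "Assigning certificate to RRAS..."
    Set-RemoteAccess -SslCertificate $CertInStore
    "SSTP SSL certificate has been applied, restarting RemoteAccess..."
} catch {
    "Cert thumbprint was not set successfully"
    "Error: $($Error[0])"
    $failed = $true
} finally {
    # Bring the VPN endpoint back up whether or not the rebind succeeded; a failed
    # run must not leave RemoteAccess stopped.
    if ($serviceStopped) {
        Start-Service RemoteAccess -ErrorAction Continue
    }
}

if ($failed) {
    exit 1
}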