Migrate IIS client certificates from Windows 2003 to Windows 2016 using PowerShell
To import the certificates, the public key information must first be exported to .cer certificate files.

    # Get the certificate files (Base64-encoded .cer exports)
    $names = Get-ChildItem C:\Users\Administrator\Desktop\Certs\ -Filter *.cer
    $results = @()

    # Loop through each certificate to fetch the public key and user info
    foreach ($name in $names) {
        # Read the file and drop the first and last lines
        # (-----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----)
        $CertData = Get-Content $name.FullName
        $CertData = $CertData[1..($CertData.Length - 2)]

        # Join the remaining Base64 lines into a single string
        $publicKey = -join $CertData

        # Get the user name from the certificate (last name component, CN=)
        $certif = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $certif.Import($name.FullName)
        $userName = $certif.GetName().ToString().Split(",")[-1].Replace("CN=","").Replace(" ","")

        # Collect the certificate data and user name
        $results += New-Object -TypeName PSObject -Property @{
            FileName  = $name.Name
            UserName  = $userName
            PublicKey = $publicKey
        }
    }
    #$results | select FileName, UserName, PublicKey

Once the information is collected, the users have to be created locally on the server.

    foreach ($userInfo in $results) {
        New-LocalUser -Name $userInfo.UserName -Password (ConvertTo-SecureString "ThisIsAGoodPassword123" -AsPlainText -Force)
        #Set-LocalUser -Name $userInfo.UserName -Password (ConvertTo-SecureString "ThisIsAGoodPassword123@2k" -AsPlainText -Force)
    }

After the users are created, each certificate's public key has to be added to the IIS oneToOneMappings along with the respective user name and password.
Both foreach loops can be merged. I have divided the foreach for better readability.

    foreach ($userInfo in $results) {
        Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'EveryCarParts1' `
            -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/oneToOneMappings" `
            -name '.' `
            -value @{enabled='True';userName=$userInfo.UserName;password='ThisIsAGoodPassword123';certificate=$userInfo.PublicKey}
    }

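The two loops merged into one, as an added example that is not part of the original post: each account gets its own random password, passed to both New-LocalUser and the mapping, instead of one shared literal. It assumes `$results` from the collection script above, an elevated Windows PowerShell 5.1 session on the IIS server, and the WebAdministration module; `New-RandomPassword` is a hypothetical helper.

```powershell
# Added example, not the original author's code.
# Assumes $results was built by the collection script earlier in the post.
Import-Module WebAdministration

function New-RandomPassword {
    # Hypothetical helper: 24 bytes from the OS CSPRNG, Base64-encoded (32 chars).
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # The fixed suffix adds no secrecy; it only guarantees the character
    # classes a password complexity policy asks for.
    return [Convert]::ToBase64String($bytes) + '-aA1'
}

$site   = 'EveryCarParts1'   # IIS location used in the post
$filter = 'system.webServer/security/authentication/' +
          'iisClientCertificateMappingAuthentication/oneToOneMappings'

foreach ($userInfo in $results) {
    # Do not touch an account that already exists on this server.
    if (Get-LocalUser -Name $userInfo.UserName -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($userInfo.UserName): local account already exists"
        continue
    }

    # One password per account, used for the account and for its mapping.
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-LocalUser -Name $userInfo.UserName -Password $secure -ErrorAction Stop | Out-Null

    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $filter -Name '.' `
        -Value @{
            enabled     = 'True'
            userName    = $userInfo.UserName
            password    = $plain
            certificate = $userInfo.PublicKey
        }
}
```

The password is never written to the script or shown on screen; it exists only in the session variable and in the mapping entry IIS stores.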
For adding the web configuration property, I got the clue from the following post:
https://stackoverflow.com/questions/29497971/configuring-iis-client-certificate-mapping-authentication
Thank you for reading my post. Hope this is helpful to you.