Based on my earlier script to import the SSL certificate for vCenter, I decided to do the same for the Nutanix PRISM interface. The previous script could be reused with one small modification: the port number had to be added to the URL the certificate is fetched from.
As an FYI: you can use your own certificate (either self-signed or from a CA). As this is my lab environment I'm just using the default self-signed certificate with the FQDN 'prism.nutanix.local', so I've tested this script using that exact FQDN. Best practice would be to replace the certificate following the guidance of our Knowledge Base article: Installing an SSL Certificate (login required).
As I was configuring the connection to my Nutanix cluster (again) I didn't want to follow this procedure multiple times, so I wrote a small PoSH script that walks you through these steps:
1) Ask you for the PRISM IP address
2) Ask you for the PRISM FQDN; the registered name in the default cert is 'prism.nutanix.local'
3) Check if the PRISM FQDN is reachable
4) If it is, proceed with step 6
5) If it's not reachable, put the PRISM cluster IP address and PRISM FQDN in your local HOSTS file
6) Get the SSL certificate from PRISM and import it into the "Trusted People" computer store.
You can get your copy of the script here:
```powershell
# kees@nutanix.com
# @kbaggerman on Twitter
# http://blog.myvirtualvision.com
# Created on January 20, 2015

#region script template
Param(
    # PRISM cluster IP address
    [Parameter(Mandatory = $true)]
    [Alias('PRISM Cluster IP')]
    [string] $vcIP,
    # PRISM cluster FQDN
    [Parameter(Mandatory = $true)]
    [Alias('PRISM Cluster Name')]
    [string] $vcHostName
)
#endregion script template

#region script functions
function Get-WebsiteCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$false)]
        [System.Uri] $Uri,
        [Parameter()]
        [System.IO.FileInfo] $OutputFile,
        [Parameter()]
        [Switch] $UseSystemProxy,
        [Parameter()]
        [Switch] $UseDefaultCredentials,
        [Parameter()]
        [Switch] $TrustAllCertificates
    )
    try {
        $request = [System.Net.WebRequest]::Create($Uri)
        if ($UseSystemProxy) {
            $request.Proxy = [System.Net.WebRequest]::DefaultWebProxy
        }
        if ($UseSystemProxy -and $UseDefaultCredentials) {
            $request.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        }
        if ($TrustAllCertificates) {
            # Create a compilation environment for a policy that accepts any certificate.
            # Note: ServicePointManager.CertificatePolicy is process-wide, so every
            # later HTTPS request in this session is affected as well.
            $Provider = New-Object Microsoft.CSharp.CSharpCodeProvider
            $Compiler = $Provider.CreateCompiler()
            $Params = New-Object System.CodeDom.Compiler.CompilerParameters
            $Params.GenerateExecutable = $False
            $Params.GenerateInMemory = $True
            $Params.IncludeDebugInformation = $False
            $Params.ReferencedAssemblies.Add("System.DLL") > $null
            $TASource = @'
namespace Local.ToolkitExtensions.Net.CertificatePolicy {
    public class TrustAll : System.Net.ICertificatePolicy {
        public TrustAll() { }
        public bool CheckValidationResult(System.Net.ServicePoint sp,
            System.Security.Cryptography.X509Certificates.X509Certificate cert,
            System.Net.WebRequest req, int problem) {
            return true;
        }
    }
}
'@
            $TAResults = $Provider.CompileAssemblyFromSource($Params, $TASource)
            $TAAssembly = $TAResults.CompiledAssembly
            ## We now create an instance of the TrustAll and attach it to the ServicePointManager
            $TrustAll = $TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
            [System.Net.ServicePointManager]::CertificatePolicy = $TrustAll
        }
        $response = $request.GetResponse()
        $servicePoint = $request.ServicePoint
        $certificate = $servicePoint.Certificate
        # Release the connection; the certificate is kept on the ServicePoint
        $response.Close()
        if ($OutputFile) {
            $certBytes = $certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            [System.IO.File]::WriteAllBytes($OutputFile, $certBytes)
            $OutputFile.Refresh()
            return $OutputFile
        } else {
            return $certificate
        }
    } catch {
        Write-Error "Failed to get website certificate. The error was '$_'."
        return $null
    }
    <#
    .SYNOPSIS
        Retrieves the certificate used by a website.
    .DESCRIPTION
        Retrieves the certificate used by a website. Returns either an object or file.
    .PARAMETER Uri
        The URL of the website. This should start with https.
    .PARAMETER OutputFile
        Specifies what file to save the certificate as.
    .PARAMETER UseSystemProxy
        Whether or not to use the system proxy settings.
    .PARAMETER UseDefaultCredentials
        Whether or not to use the system logon credentials for the proxy.
    .PARAMETER TrustAllCertificates
        Ignore certificate errors for certificates that are expired, have a mismatched common name or are self signed.
    .EXAMPLE
        PS C:\> Get-WebsiteCertificate "https://www.gmail.com" -UseSystemProxy -UseDefaultCredentials -TrustAllCertificates -OutputFile C:\gmail.cer
    .INPUTS
        Does not accept pipeline input.
    .OUTPUTS
        System.Security.Cryptography.X509Certificates.X509Certificate, System.IO.FileInfo
    #>
}

function Import-Certificate {
    <#
    .SYNOPSIS
        Imports certificate in specified certificate store.
    .DESCRIPTION
        Imports certificate in specified certificate store.
    .PARAMETER CertFile
        The certificate file to be imported.
    .PARAMETER StoreNames
        The certificate store(s) in which the certificate should be imported.
    .PARAMETER LocalMachine
        Using the local machine certificate store to import the certificate
    .PARAMETER CurrentUser
        Using the current user certificate store to import the certificate
    .PARAMETER CertPassword
        The password which may be used to protect the certificate file
    .EXAMPLE
        PS C:\> Import-Certificate C:\Temp\myCert.cer
        Imports certificate file myCert.cer into the current users personal store
    .EXAMPLE
        PS C:\> Import-Certificate -CertFile C:\Temp\myCert.cer -StoreNames my
        Imports certificate file myCert.cer into the current users personal store
    .EXAMPLE
        PS C:\> Import-Certificate -Cert $certificate -StoreNames my -StoreType LocalMachine
        Imports the certificate stored in $certificate into the local machines personal store
    .EXAMPLE
        PS C:\> Import-Certificate -Cert $certificate -SN my -ST Machine
        Imports the certificate stored in $certificate into the local machines personal store using alias names
    .EXAMPLE
        PS C:\> ls cert:\currentUser\TrustedPublisher | Import-Certificate -ST Machine -SN TrustedPublisher
        Copies the certificates found in current users TrustedPublishers store to local machines TrustedPublisher using alias
    .INPUTS
        System.String|System.Security.Cryptography.X509Certificates.X509Certificate2, System.String, System.String
    .OUTPUTS
        NA
    .NOTES
        NAME:    Import-Certificate
        AUTHOR:  Patrick Sczepanksi (Original anti121)
        VERSION: 20110502
        #Requires -Version 2.0
    .LINK
        http://poshcode.org/2643
        http://poshcode.org/1937 (Link to original script)
    #>
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline=$true, Mandatory=$true, Position=0, ParameterSetName="CertFile")]
        [System.IO.FileInfo] $CertFile,
        [Parameter(ValueFromPipeline=$true, Mandatory=$true, Position=0, ParameterSetName="Cert")]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Position=1)]
        [Alias("SN")]
        [string[]] $StoreNames = "My",
        [Parameter(Position=2)]
        [Alias("Type","ST")]
        [ValidateSet("LocalMachine","Machine","CurrentUser","User")]
        [string] $StoreType = "CurrentUser",
        [Parameter(Position=3)]
        [Alias("Password","PW")]
        [string] $CertPassword
    )
    begin {
        [void][System.Reflection.Assembly]::LoadWithPartialName("System.Security")
    }
    process {
        switch ($pscmdlet.ParameterSetName) {
            "CertFile" {
                try {
                    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $($CertFile.FullName), $CertPassword
                } catch {
                    Write-Error ("Error reading '$CertFile': $_ .") -ErrorAction:Continue
                }
            }
            "Cert" { }
            default {
                Write-Error "Missing parameter:`nYou need to specify either a certificate or a certificate file name."
            }
        }
        # Map the accepted aliases (Machine/User) onto the real store scope names
        switch -regex ($StoreType) {
            "Machine$" { $StoreScope = "LocalMachine" }
            "User$"    { $StoreScope = "CurrentUser" }
        }
        if ($Cert) {
            $StoreNames | ForEach-Object {
                $StoreName = $_
                Write-Verbose " [Import-Certificate] :: $($Cert.Subject) ($($Cert.Thumbprint))"
                Write-Verbose " [Import-Certificate] :: Import into cert:\$StoreScope\$StoreName"
                if (Test-Path "cert:\$StoreScope\$StoreName") {
                    try {
                        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $StoreScope
                        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
                        $store.Add($Cert)
                        if ($CertFile) {
                            Write-Verbose " [Import-Certificate] :: Successfully added '$CertFile' to 'cert:\$StoreScope\$StoreName'."
                        } else {
                            Write-Verbose " [Import-Certificate] :: Successfully added '$($Cert.Subject) ($($Cert.Thumbprint))' to 'cert:\$StoreScope\$StoreName'."
                        }
                    } catch {
                        Write-Error ("Error adding '$($Cert.Subject) ($($Cert.Thumbprint))' to 'cert:\$StoreScope\$StoreName': $_ .") -ErrorAction:Continue
                    }
                    if ($store) { $store.Close() }
                } else {
                    Write-Warning "Certificate store '$StoreName' does not exist. Skipping..."
                }
            }
        } else {
            Write-Warning "No certificates found."
        }
    }
    end {
        Write-Host "Finished importing certificates."
    }
}
#endregion script functions

#region script checks
# Check DNS and skip hosts file modification if the name exists in DNS
if (!(Test-Connection -ComputerName $vcHostName -BufferSize 16 -Count 1 -ErrorAction SilentlyContinue -Quiet)) {
    Write-Host "Problem connecting to $vcHostName"
    Write-Host "Flushing DNS"
    ipconfig /flushdns | Out-Null
    Write-Host "Registering DNS"
    ipconfig /registerdns | Out-Null
    Write-Host "Re-pinging $vcHostName"
    if (!(Test-Connection -ComputerName $vcHostName -BufferSize 16 -Count 1 -ErrorAction SilentlyContinue -Quiet)) {
        Write-Host "Problem still exists in connecting to $vcHostName, setting Hosts file"
        # Only touch the hosts file when the name still does not resolve after the DNS refresh
        Add-Content -Encoding UTF8 C:\Windows\system32\drivers\etc\hosts "$vcIP $vcHostName"
    }
}
Write-Host "$vcHostName can be reached, proceeding with script"
#endregion script checks

#region Get the certificate and import it
# Import certificate into the Trusted People Computer cert store
$SecSettings = "https://"
# Prism's HTTPS port; 9440 is assumed here, the post only says the port had to be added to the URL
$PrismPort = 9440
$SecvcHostName = $SecSettings + $vcHostName + ":" + $PrismPort
# Use an absolute path so the .NET file write and the PowerShell cleanup refer to the same file
$CertPath = Join-Path (Get-Location) 'local.cer'
Get-WebsiteCertificate $SecvcHostName $CertPath -TrustAllCertificates | Out-Null
Import-Certificate -CertFile $CertPath -StoreNames TrustedPeople -StoreType LocalMachine | Out-Null
Write-Host "The SSL Certificate has been installed"
# Cleaning up
Remove-Item $CertPath
#endregion Get the certificate and import it
```
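The script above switches ServicePointManager to a trust-all policy for the whole process and imports whatever certificate Prism presents. The following is an added example (not part of the original post or the Nutanix tooling) that fetches the certificate over a single, locally scoped TLS session, shows the operator the subject, name and thumbprint together with the validator's verdict, and only imports into the same Trusted People store once the thumbprint matches one obtained out of band. The Prism port 9440, the function names and the thumbprint placeholder are assumptions.

```powershell
function Get-PrismCertificate {
    # Opens one TLS session to Prism and returns the presented certificate plus
    # the validator's verdict. The callback is scoped to this SslStream only.
    param(
        [Parameter(Mandatory)][string] $HostName,
        [int] $Port = 9440   # assumed Prism HTTPS port
    )
    $state  = @{ Errors = $null }
    $verify = { param($s, $c, $chain, $errors) $state.Errors = $errors; $true }.GetNewClosure()
    $cb     = [System.Net.Security.RemoteCertificateValidationCallback]$verify
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $cb
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{ Certificate = $cert; ChainErrors = $state.Errors }
    } finally {
        $client.Close()
    }
}

function Import-PrismCertificate {
    # Imports into cert:\LocalMachine\TrustedPeople only after the thumbprint
    # matches a value the admin obtained out of band (e.g. read from the Prism UI).
    param(
        [Parameter(Mandatory)][string] $HostName,
        [Parameter(Mandatory)][string] $ExpectedThumbprint,
        [int] $Port = 9440
    )
    $result = Get-PrismCertificate -HostName $HostName -Port $Port
    $cert   = $result.Certificate
    $dns    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    Write-Host "Presented by ${HostName}: $($cert.Subject) / $dns"
    Write-Host "Thumbprint $($cert.Thumbprint), validator says: $($result.ChainErrors)"
    $expected = ($ExpectedThumbprint -replace '[:\s]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for ${HostName}: got $($cert.Thumbprint), expected $expected. Not importing."
    }
    if ($dns -ne $HostName) {
        Write-Warning "Certificate name '$dns' does not match '$HostName'; clients will still warn."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'TrustedPeople', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Host "Imported $($cert.Thumbprint) into cert:\LocalMachine\TrustedPeople"
}

# Usage; replace the placeholder with the thumbprint shown in Prism:
# Import-PrismCertificate -HostName 'prism.nutanix.local' -ExpectedThumbprint '<PRISM_CERT_THUMBPRINT>'
```

Run it from an elevated session, since writing to the LocalMachine store requires administrator rights.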
Kees Baggerman
http://winplat.net/2017/08/08/install-certificate-on-nutanix-prism/