使用来自 certstore 的客户端证书的 PowerShell HTTPS GET

Question

I'm trying find easy way how check web content via HTTPS with using client certificate. I have VBScript where is defined Client certificate, skipped Server certificate and defined what I'm searching (string "running"). My point is rewrite script to PowerShell.

Here is VBScode:

device = "10.10.10.10"
link = "5001/test"
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
Http.SetClientCertificate "LOCAL_MACHINE\MY\test"
Http.Option(4) = 256 + 512 + 4096 + 8192 
Http.Open "GET", "https://" & device & ":" & link, false
Http.Send
output = Http.ResponseText
If InStr(1,output,"running") Then
wscript.echo "OK"
Else
wscript.echo "Error"
End If
Set Http = Nothing

Here is Powershell syntax to get HTTP web content (but not https):

$page = (New-Object System.Net.WebClient).DownloadString("http://10.10.10.10:5001/test")
"$page"

Here is Powershell syntax to get HTTPS contetn using .CRT file (but not from CERTSTORE)

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile("C:\Cert\test.crt")
$url = "https://10.10.10.10:5001/test"
$web = [System.Net.WebRequest]::Create($url)
$web.ClientCertificates.Add($Cert)

Here is my latest try to get web contetn. No success.

#ignore untrusted certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
#load my client certificate defined by thumbprint
$cert = Get-Childitem cert:\LocalMachine\My\5AA55B7B8D99
#get web contetn
$web = [System.Net.WebRequest]::Create($url)
#use my client certificate
$web.ClientCertificates.Add($Cert)

Any ideas ? Best regards

Answer 1

这对我有用：

Invoke-RestMethod https://10.10.10.10:5001/test -CertificateThumbprint XXXXXXXXXXXXXXXX 

Answer 2

Bit of a late answer but this is what I ended up with after reading the current answers.

You can use "Invoke-WebRequest" and the -Certificate parameter. You can also use "wget" in Powershell as it is the alias for "Invoke-WebRequest"

$cert = Get-ChildItem -Path cert:\LocalMachine\My\5AA55B7B8D99
$response = wget -Uri "https://10.10.10.10:5001/test" -method "Get" -Certificate $cert
$response.Content.Contains("running")

Answer 3

This is what worked for me when I was trying to create a client certificate enabled sensor for PRTG. You might want to change the timeout value. Also you'll want to trap exceptions in case the site is unreachable for whatever reason.

$CertNumber = thumbprint of certificate.

$CheckURL = URL to load.

CERTIFICATE LOADING AND READING SITE

#*************************************
#********CERTIFICATE LOADING**********
#*************************************

# LOAD CERTIFICATE FROM STORE
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My\$CertNumber
# CREATE WEB REQUEST
$req = [system.Net.HttpWebRequest]::Create($checkURL)
# ADD CERTS TO WEB REQUEST
$req.ClientCertificates.AddRange($Certificate)

#*************************************
#***********READING SITE**************
#*************************************

#SET TIMEOUT 
$req.Timeout=10000
# GET WEB RESPONSE
$res = $req.GetResponse()
# GET DATA FROM RESPONSE
$ResponseStream = $res.GetResponseStream()
# Create a stream reader and read the stream returning the string value.
$StreamReader = New-Object System.IO.StreamReader -ArgumentList $ResponseStream
# BUILD STRING FROM RESPONSE
$strHtml = $StreamReader.ReadToEnd()

Answer 4

One issue might be that the client machine has to trust the certificate that it's sending. So if the client cert you're trying to send is not self-signed, then the issuer cert needs to be imported into the trusted root of the machine. Once you have that, you can use the System.Security.Cryptography.X509Certificates.X509Certificate2 constructor (rather than CreateFromCertFile method) to add MachineKeySet flag

For example, on my machine, I have a pfx (with no password, hence the $null for the 2nd argument) and I want to POST some content that requires client cert auth:

[Powershell]

$content = [System.IO.File]::ReadAllBytes("SomeContentIWantToPOST.json")
$endpoint = "https://contoso.com/endpoint"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("MySuperPrivateCert.pfx",$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)
$request = [System.Net.WebRequest]::Create($endpoint)
$request.ClientCertificates.Add($Cert)
$request.Method = "POST"
$request.ContentLength = $content.Length
$request.ContentType = "application/json"
$dataStream = $request.GetRequestStream()
$dataStream.Write($content, 0, $content.Length)
$dataStream.Close()

Answer 5

Thy this, but I can't test it

$device = "10.10.10.10"
$link = "5001/test"
$Http = New-Object 'WinHttp.WinHttpRequest.5.1'
$Http.SetClientCertificate( "LOCAL_MACHINE\MY\test" )
$Http.Option(256 + 512 + 4096 + 8192) # or $Http.Option(4)
$Http.Open("GET", "https://" + $device + ":" + $link, $false)
Http.Send()
$output = Http.ResponseText

Answer 6

I would suggest accessing certificates using .NET class X509Store . Using Certificates property (example below) you can find certificate by thumbprint and attach it to the request.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        [System.Security.Cryptography.X509Certificates.StoreName]::My, "localmachine")
$Store.Open("MaxAllowed")
$Certificate = $Store.Certificates |  Where-Object Thumbprint -Eq "XXXXXXXXXXXXXXXX"
$Web = [System.Net.WebRequest]::Create($Url)
$Web.ClientCertificates.Add($Certificate)
$Response = $Web.GetResponse()