![](/img/trans.png)
[英]How do I import a certificate to the Certstore on remote systems when WinRM is disabled with powershell
[英]PowerShell HTTPS GET using client certificate from certstore
我正在嘗試找到如何使用客戶端證書通過 HTTPS 檢查 Web 內容的簡單方法。 我有 VBScript,其中定義了客戶端證書,跳過了服務器證書並定義了我正在搜索的內容(字符串“正在運行”)。 我的觀點是將腳本重寫為 PowerShell。
這是 VBS 代碼:
device = "10.10.10.10"
link = "5001/test"
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
Http.SetClientCertificate "LOCAL_MACHINE\MY\test"
Http.Option(4) = 256 + 512 + 4096 + 8192
Http.Open "GET", "https://" & device & ":" & link, false
Http.Send
output = Http.ResponseText
If InStr(1,output,"running") Then
wscript.echo "OK"
Else
wscript.echo "Error"
End If
Set Http = Nothing
這是獲取 HTTP 網頁內容(但不是 https)的 Powershell 語法:
$page = (New-Object System.Net.WebClient).DownloadString("http://10.10.10.10:5001/test")
"$page"
這是使用 .CRT 文件(但不是來自 CERTSTORE)獲取 HTTPS 內容的 Powershell 語法
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile("C:\Cert\test.crt")
$url = "https://10.10.10.10:5001/test"
$web = [System.Net.WebRequest]::Create($url)
$web.ClientCertificates.Add($Cert)
這是我獲取網絡內容的最新嘗試。 沒有成功。
#ignore untrusted certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
#load my client certificate defined by thumbprint
$cert = Get-Childitem cert:\LocalMachine\My\5AA55B7B8D99
#get web contetn
$web = [System.Net.WebRequest]::Create($url)
#use my client certificate
$web.ClientCertificates.Add($Cert)
有任何想法嗎 ? 最好的祝福
這對我有用:
Invoke-RestMethod https://10.10.10.10:5001/test -CertificateThumbprint XXXXXXXXXXXXXXXX
有點晚的答案,但這是我在閱讀當前答案后得出的結論。
您可以使用“Invoke-WebRequest”和 -Certificate 參數。 您也可以在 Powershell 中使用“wget”,因為它是“Invoke-WebRequest”的別名
$cert = Get-ChildItem -Path cert:\LocalMachine\My\5AA55B7B8D99
$response = wget -Uri "https://10.10.10.10:5001/test" -method "Get" -Certificate $cert
$response.Content.Contains("running")
當我嘗試為 PRTG 創建啟用客戶端證書的傳感器時,這對我有用。 您可能想要更改超時值。 此外,您還需要捕獲異常,以防該站點因任何原因無法訪問。
$CertNumber = 證書指紋。
$CheckURL = 要加載的 URL。
證書加載和閱讀網站
#*************************************
#********CERTIFICATE LOADING**********
#*************************************
# LOAD CERTIFICATE FROM STORE
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My\$CertNumber
# CREATE WEB REQUEST
$req = [system.Net.HttpWebRequest]::Create($checkURL)
# ADD CERTS TO WEB REQUEST
$req.ClientCertificates.AddRange($Certificate)
#*************************************
#***********READING SITE**************
#*************************************
#SET TIMEOUT
$req.Timeout=10000
# GET WEB RESPONSE
$res = $req.GetResponse()
# GET DATA FROM RESPONSE
$ResponseStream = $res.GetResponseStream()
# Create a stream reader and read the stream returning the string value.
$StreamReader = New-Object System.IO.StreamReader -ArgumentList $ResponseStream
# BUILD STRING FROM RESPONSE
$strHtml = $StreamReader.ReadToEnd()
一個問題可能是客戶端機器必須信任它發送的證書。 因此,如果您嘗試發送的客戶端證書不是自簽名的,則需要將頒發者證書導入到機器的受信任根中。 完成后,您可以使用System.Security.Cryptography.X509Certificates.X509Certificate2
構造函數(而不是CreateFromCertFile
方法)添加MachineKeySet
標志
例如,在我的機器上,我有一個 pfx(沒有密碼,因此第二個參數為$null
),我想發布一些需要客戶端證書身份驗證的內容:
[Powershell]
$content = [System.IO.File]::ReadAllBytes("SomeContentIWantToPOST.json")
$endpoint = "https://contoso.com/endpoint"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("MySuperPrivateCert.pfx",$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet)
$request = [System.Net.WebRequest]::Create($endpoint)
$request.ClientCertificates.Add($Cert)
$request.Method = "POST"
$request.ContentLength = $content.Length
$request.ContentType = "application/json"
$dataStream = $request.GetRequestStream()
$dataStream.Write($content, 0, $content.Length)
$dataStream.Close()
你這個,但我無法測試
$device = "10.10.10.10"
$link = "5001/test"
$Http = New-Object 'WinHttp.WinHttpRequest.5.1'
$Http.SetClientCertificate( "LOCAL_MACHINE\MY\test" )
$Http.Option(256 + 512 + 4096 + 8192) # or $Http.Option(4)
$Http.Open("GET", "https://" + $device + ":" + $link, $false)
Http.Send()
$output = Http.ResponseText
我建議使用 .NET 類X509Store訪問證書。 使用Certificates屬性(下面的示例),您可以通過指紋查找證書並將其附加到請求中。
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::My, "localmachine")
$Store.Open("MaxAllowed")
$Certificate = $Store.Certificates | Where-Object Thumbprint -Eq "XXXXXXXXXXXXXXXX"
$Web = [System.Net.WebRequest]::Create($Url)
$Web.ClientCertificates.Add($Certificate)
$Response = $Web.GetResponse()
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.