Alle Jahre wieder… kommt ein neues SSL-Zertifikat und will getauscht werden. Das Ganze kann im Azure Portal recht nervig werden. Aber mit folgendem Skript könnt ihr das schnell und einfach erledigen. Lediglich die Konstanten oben im Skript anpassen, und los geht’s.
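# INFO
# The PowerShell Console needs to be run with local Administrator rights
# Nobody understands why... but well, that's the way it is.
#
# Purpose: find every Azure AD Application Proxy app whose custom-domain certificate
# still has $OldThumbprint and replace it with the certificate in $PfxFilePath.
# Apps that already carry $NewThumbprint, or some other certificate, are only reported.
# Before any app is touched, the PFX is opened locally and its thumbprint is compared
# with $NewThumbprint, so a wrong file (or wrong password) aborts the run instead of
# being rolled out to every app.

# Define constants
# The thumbprint of the old cert, which is to be replaced
$OldThumbprint = "123456789ABCDEF"
# The thumbprint of the new cert, which should be installed and activated
$NewThumbprint = "FEDCBA987654321"
# The path to the PFX-file
$PfxFilePath = "C:\_Install\wildcard.powershell24.de_2019-2020.pfx"

# Fail early if the PFX is not where the constant says, instead of failing once per app later on
if (-not (Test-Path -LiteralPath $PfxFilePath -PathType Leaf)) {
    throw "PFX file not found: $PfxFilePath"
}

# Create empty arrays
$OldCertArray = @()
$NewCertArray = @()
$OtherCertArray = @()

# Import and connect
Import-Module AzureAD
Connect-AzureAD

# Get all registered apps and process each
# Doing it this way, because I want the displayname for convenience, which isn't shown when using Get-AzureADApplicationProxyApplication
$AllApps = Get-AzureADApplication -All $True
Foreach ($App in $AllApps) {
    # Trying to fetch the app within Azure App Proxy.
    # -ErrorAction Stop makes a non-terminating cmdlet error throw, so the catch below actually runs.
    try {
        $AppDetails = Get-AzureADApplicationProxyApplication -ObjectId $App.ObjectId -ErrorAction Stop
        Write-Host ""
        Write-Host "Processing $($App.DisplayName)..."

        $HelperLine = [PSCustomObject]@{
            DisplayName                              = $App.DisplayName
            ObjectId                                 = $App.ObjectId
            VerifiedCustomDomainCertificatesMetadata = $AppDetails.VerifiedCustomDomainCertificatesMetadata
        }
        # $null when no custom-domain certificate is attached; then neither thumbprint matches and the app lands in $OtherCertArray
        $CurrentThumbprint = $AppDetails.VerifiedCustomDomainCertificatesMetadata.Thumbprint

        if ($CurrentThumbprint -eq $OldThumbprint) {
            # This app uses the cert with the old thumbprint
            Write-Host " $($App.DisplayName) still has the old certificate" -ForegroundColor Red
            $OldCertArray += $HelperLine
        }
        elseif ($CurrentThumbprint -eq $NewThumbprint) {
            # This app already uses the new certificate
            Write-Host " $($App.DisplayName) already has the new certificate" -ForegroundColor Green
            $NewCertArray += $HelperLine
        }
        else {
            # This app uses a different certificate (or none at all). Maybe have a closer look on these later on
            Write-Host " $($App.DisplayName) has a different certificate" -ForegroundColor Yellow
            $OtherCertArray += $HelperLine
        }
    }
    catch {
        # This seems to be an app which isn't published via Azure App Proxy
        Write-Host ""
        Write-Host "$($App.DisplayName) is not an Application Proxy app. Skipping..." -ForegroundColor Cyan
    }
}

# If there are any certs with the old thumbprint...
if ($OldCertArray) {
    # ...show the list FIRST, then check if we really want to replace them.
    # Out-Host forces the table onto the console before Read-Host blocks, otherwise the prompt can appear before the list.
    Write-Host ""
    $OldCertArray | Out-Host
    $Continue = Read-Host "Continue with replacing the certificate for following apps? [y/n]"

    # Yes?
    if ($Continue -eq "y") {
        # First we need the PFX-PW
        $Password = Read-Host "Enter PFX-File Password" -AsSecureString

        # Before touching any app, make sure the PFX really contains the certificate we expect.
        # Opening it here also proves the password is correct; otherwise every Set-... call below would fail one by one.
        # NOTE(review): the X509Certificate2 constructor may persist the private key in the user's key store
        # depending on the .NET version/default key storage flags - confirm on the admin workstation in use.
        $PfxCert = $null
        try {
            $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFilePath, $Password)
            if ($PfxCert.Thumbprint -ne $NewThumbprint) {
                throw "Thumbprint of $PfxFilePath is $($PfxCert.Thumbprint), expected $NewThumbprint. Aborting before any app is changed."
            }
            if ($PfxCert.NotAfter -le (Get-Date)) {
                throw "Certificate in $PfxFilePath expired on $($PfxCert.NotAfter). Aborting."
            }
        }
        finally {
            if ($PfxCert) { $PfxCert.Dispose() }
        }

        # Setting the new cert for all apps with the old cert (but not with a different certificate)
        Foreach ($App in $OldCertArray) {
            try {
                Write-Host "Setting new certificate for $($App.DisplayName)" -ForegroundColor Red
                Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $App.ObjectId -PfxFilePath $PfxFilePath -Password $Password -ErrorAction Stop

                # Read the app back so we report what the service actually stored, not just that the call returned
                $Check = Get-AzureADApplicationProxyApplication -ObjectId $App.ObjectId -ErrorAction Stop
                $CheckThumbprint = $Check.VerifiedCustomDomainCertificatesMetadata.Thumbprint
                if ($CheckThumbprint -eq $NewThumbprint) {
                    Write-Host " $($App.DisplayName) now has the new certificate" -ForegroundColor Green
                }
                else {
                    Write-Host " $($App.DisplayName): service still reports thumbprint $CheckThumbprint" -ForegroundColor Yellow
                }
            }
            catch {
                # Include the actual error so a failed rollout can be diagnosed instead of being silently summarised
                Write-Host "Couldn't set new certificate for $($App.DisplayName): $($_.Exception.Message)" -ForegroundColor Red
            }
        }

        # A final info which apps don't use the old cert or don't use one at all
        Write-Host "Different certificate or no certificate required for:"
        $OtherCertArray
        # If you want, here is an overview of all apps that already had the new cert, before it was changed by this script
        #$NewCertArray
    }
}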