Every year again… a new SSL certificate arrives and wants to be replaced. Since doing so within the Azure Portal is quite a tedious task, here’s a script that gets the work done quite easily and fast. Simply adjust the constants in the script’s header, and you’re all set.
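# INFO
# The PowerShell Console needs to be run with local Administrator rights
# Nobody understands why... but well, that's the way it is.

# ---- Constants: adjust these three values before running ----

# Thumbprint of the certificate that is to be replaced.
# Compared with -eq further down, so upper/lower case does not matter.
$OldThumbprint = "123456789ABCDEF"
# Thumbprint of the replacement certificate, i.e. the one inside the PFX file below.
$NewThumbprint = "FEDCBA987654321"
# Full path to the PFX file holding the new certificate and its private key.
# NOTE(review): the backslashes were lost when this script was published
# ("C:_Installwildcard..."); the separators are restored here as "C:\_Install\..." -
# verify this against your own folder layout before running.
$PfxFilePath = "C:\_Install\wildcard.powershell24.de_2019-2020.pfx"

# Result buckets, filled by the discovery loop below. Each entry carries
# DisplayName, ObjectId and VerifiedCustomDomainCertificatesMetadata.
$OldCertArray = @()     # apps still bound to $OldThumbprint -> these get updated
$NewCertArray = @()     # apps already on $NewThumbprint -> nothing to do
$OtherCertArray = @()   # apps with a different (or no) certificate -> review by hand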
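# Import and connect.
# -ErrorAction Stop: a missing module or a failed sign-in must abort right here,
# instead of surfacing later as "cmdlet not recognized" inside the discovery loop.
Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD -ErrorAction Stop

# Enumerate every app registration; each one is checked in the loop below.
# Get-AzureADApplication is used (rather than Get-AzureADApplicationProxyApplication)
# because it returns the DisplayName, which the proxy cmdlet does not show.
$AllApps = Get-AzureADApplication -All $True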
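Foreach ($App in $AllApps) {
    # Only apps published via Application Proxy have proxy details; for any other app
    # the cmdlet fails, which is handled in the catch below.
    # -ErrorAction Stop turns a non-terminating error into an exception so the catch is reliable.
    try {
        $AppDetails = Get-AzureADApplicationProxyApplication -ObjectId $App.ObjectId -ErrorAction Stop
        Write-Host ""
        Write-Host "Processing $($App.DisplayName)..."

        # One row per app, kept for the summary and the replacement step.
        $HelperLine = [PSCustomObject]@{
            DisplayName                              = $App.DisplayName
            ObjectId                                 = $App.ObjectId
            VerifiedCustomDomainCertificatesMetadata = $AppDetails.VerifiedCustomDomainCertificatesMetadata
        }

        # Thumbprint currently bound to the app's custom domain. $null when the app has no
        # custom-domain certificate; both -eq checks are then false and it lands in "other".
        $BoundThumbprint = $AppDetails.VerifiedCustomDomainCertificatesMetadata.Thumbprint

        if ($BoundThumbprint -eq $OldThumbprint) {
            # Still on the certificate we want to get rid of.
            Write-Host " $($App.DisplayName) still has the old certificate" -ForegroundColor Red
            $OldCertArray += $HelperLine
        }
        elseif ($BoundThumbprint -eq $NewThumbprint) {
            # Already switched, nothing to do.
            Write-Host " $($App.DisplayName) already has the new certificate" -ForegroundColor Green
            $NewCertArray += $HelperLine
        }
        else {
            # Different certificate (or none). Worth a closer look later, but not touched here.
            Write-Host " $($App.DisplayName) has a different certificate" -ForegroundColor Yellow
            $OtherCertArray += $HelperLine
        }
    }
    catch {
        # Any failure is reported as "not an App Proxy app". A transient Graph or auth error
        # would be misreported the same way, so the actual reason goes to the verbose stream.
        Write-Host ""
        Write-Host "$($App.DisplayName) is not an Application Proxy app. Skipping..." -ForegroundColor Cyan
        Write-Verbose "Get-AzureADApplicationProxyApplication failed for $($App.ObjectId): $($_.Exception.Message)"
    }
}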
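# Nothing to do if no app is still bound to the old certificate.
if ($OldCertArray) {
    # List the affected apps BEFORE asking, so the operator sees what "y" will touch.
    # Out-Host forces the table to render now rather than after the Read-Host prompt.
    Write-Host ""
    Write-Host "The following apps still use the old certificate ($OldThumbprint):"
    $OldCertArray | Format-Table DisplayName, ObjectId -AutoSize | Out-Host
    $Continue = Read-Host "Continue with replacing the certificate for the apps listed above? [y/n]"

    # Yes? (-eq is case-insensitive, so "Y" works too.)
    if ($Continue -eq "y") {
        # Fail early if the PFX is missing, instead of asking for a password first.
        if (-not (Test-Path -LiteralPath $PfxFilePath -PathType Leaf)) {
            Write-Host "PFX file not found: $PfxFilePath" -ForegroundColor Red
            return
        }

        # The PFX password is needed for the local check below and for the upload.
        # Read as SecureString so it never sits in a plain string variable.
        $Password = Read-Host "Enter PFX-File Password" -AsSecureString

        # Sanity check: open the PFX locally and make sure it really contains $NewThumbprint.
        # Catches a wrong password, a wrong file or a stale $NewThumbprint before any app is
        # modified - cheaper than finding out after the first Set-* call has already run.
        $PfxCert = $null
        try {
            $PfxCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxFilePath, $Password
            if ($PfxCert.Thumbprint -ne $NewThumbprint) {
                Write-Host "PFX thumbprint $($PfxCert.Thumbprint) does not match NewThumbprint $NewThumbprint. Aborting." -ForegroundColor Red
                return
            }
        }
        catch {
            Write-Host "Could not open the PFX file (wrong password or damaged file?): $($_.Exception.Message)" -ForegroundColor Red
            return
        }
        finally {
            # Release the certificate handle; the file itself is re-read by the Set-* cmdlet.
            if ($PfxCert) { $PfxCert.Dispose() }
        }

        # Set the new certificate for every app that still has the old one
        # (apps with a different certificate are deliberately left alone).
        Foreach ($App in $OldCertArray) {
            try {
                Write-Host "Setting new certificate for $($App.DisplayName)" -ForegroundColor Red
                Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $App.ObjectId -PfxFilePath $PfxFilePath -Password $Password -ErrorAction Stop
            }
            catch {
                # Report the reason and carry on; the remaining apps are independent of this one.
                Write-Host "Couldn't set new certificate for $($App.DisplayName): $($_.Exception.Message)" -ForegroundColor Red
            }
        }

        # Final info: apps that were not touched because they use a different certificate or none at all.
        Write-Host "Different certificate or no certificate required for:"
        $OtherCertArray | Format-Table DisplayName, ObjectId -AutoSize | Out-Host
        # Uncomment to list the apps that already had the new certificate before this run.
        #$NewCertArray
    }
    else {
        Write-Host "No changes made." -ForegroundColor Yellow
    }
}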