We recently had an interesting adventure where we needed to audit the certificates used by various Office Communications Server (OCS) roles. In this case, scanning each server's certificate store wasn't sufficient — we needed to see which certificate was actually bound to which listener. The OCS snap-in under compmgmt.msc shows this, but GUIs don't scale, and they don't dump data into Excel sheets. PowerShell to the rescue.

 

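function Out-Error {
    # Reports a fatal error and stops the whole script.
    #
    # The message is written to the error stream silently (it is still
    # recorded in $Error, just not printed twice) and echoed to the console
    # in red.  The closing "break" targets a label that is never defined:
    # PowerShell then unwinds out of every enclosing loop and function until
    # it reaches the top of the script, which ends it.  That "abort the
    # script" effect is the intent here, so do not replace it with "return"
    # or a plain "break".
    #
    # Parameters:
    #   msg - text to report; defaults to a generic message.
    param ( $msg = "Unspecified error occurred." );

    Write-Error -ErrorAction SilentlyContinue $msg;
    Write-Host -ForegroundColor Red -BackgroundColor Black "ERROR: $msg";
    break __outOfScript;
}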

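function Get-OCSCert {
    # Resolves the certificate bound to an OCS listener on a remote server.
    #
    # The serial number of the bound certificate is only exposed through a
    # WMI class on the remote machine, so a small helper script is written to
    # the remote D$ admin share and executed there with PsExec; the serial it
    # prints is then looked up in the remote LocalMachine\My store.
    #
    # Parameters:
    #   computer    - remote host name (the caller needs access to its D$
    #                 share and to its certificate store over the network).
    #   wmiClass    - WMI class that carries the listener setting.
    #   wmiInstance - property of that class holding the serial-number bytes
    #                 (despite the name, this is a property, not an instance).
    #   psExecPath  - path to PsExec.exe.
    #
    # Outputs the matching X509Certificate2 object(s) from the remote store,
    # or nothing (with a warning) when no serial could be read.  A missing
    # parameter aborts the whole script through Out-Error.
    #
    # SECURITY: wmiClass and wmiInstance are interpolated verbatim into a
    # script that runs as SYSTEM on the remote host.  Pass only the literal
    # values used by the wrapper functions below, never user-supplied input.
    # The helper is written to a predictable path (D:\Scripts\<caller>.ps1) on
    # the remote share, so that directory must be writable by admins only.
    param (
        $computer = $null,
        $wmiClass = $null,
        $wmiInstance = $null,
        $psExecPath = $null
    );

    # Name of the wrapper that called us; used in messages and as the remote
    # script file name.  The -replace drops anything after the first space.
    $callingFunction = (Get-Variable -Scope 1 -Name MyInvocation).Value.MyCommand -replace " .*";

    # Reject missing arguments.  The original tested "variable:<name>" with
    # Test-Path, which is always true here because every parameter exists
    # (defaulting to $null) - check the value instead.
    foreach ($var in @('computer', 'wmiClass', 'wmiInstance', 'psExecPath')) {
        if (!(Get-Variable -Name $var -ValueOnly)) {
            Out-Error "$callingFunction -$var not specified.";
        }
    }

    # Drop location for the helper script, reached through the D$ admin
    # share.  (The original assignment was unquoted, which does not parse.)
    $scriptPath = "\\$computer\d`$\Scripts";
    if (!(Test-Path $scriptPath)) { mkdir $scriptPath | Out-Null; }
    $remoteScript = "$scriptPath\$callingFunction.ps1";

    # Helper executed on the remote host: reads the serial-number byte array
    # from the WMI property and prints it as one lowercase hex string.  Each
    # byte is prepended, so the array order is reversed - presumably WMI
    # stores the bytes in the opposite order from X509Certificate2.SerialNumber
    # (verify against a known certificate if this ever stops matching).
@"
`$wmi = Get-WmiObject $wmiClass;
if (`$wmi.count) {
    `$snArray = (`$wmi | Where-Object { `$_.$wmiInstance}).$wmiInstance;
} else {
    `$snArray = `$wmi.$wmiInstance;
}
`$sn = `$null;
foreach (`$num in `$snArray) { `$sn = ("{0:x2}" -f `$num) + `$sn; }
`$sn;
"@ | Set-Content -Path $remoteScript -Force;

    # PsExec rewrites the console title; save it and put it back afterwards.
    # The "echo . |" presumably hands the remote PowerShell a closed stdin so
    # it does not sit waiting for input.  PsExec's banner and stderr are
    # discarded (2> $null) - note this also hides connection and
    # access-denied failures, which then only surface as the warning below.
    $windowTitle = $Host.UI.RawUI.WindowTitle;
    $serialNumber = (& $psExecPath -acceptEula "\\$computer" cmd.exe "/c echo . | PowerShell.exe d:\scripts\$callingFunction.ps1 ") 2> $null;
    $Host.UI.RawUI.WindowTitle = $windowTitle;

    # Do not leave an executable script behind on the remote admin share.
    Remove-Item -Path $remoteScript -Force -ErrorAction SilentlyContinue;

    # PsExec output arrives as an array of lines.  The helper prints only the
    # serial, so keep the last non-empty trimmed line and compare that as a
    # plain string (the original compared against the raw array).
    $serialNumber = @($serialNumber | ForEach-Object { "$_".Trim() } | Where-Object { $_ }) | Select-Object -Last 1;
    if (!$serialNumber) {
        Write-Warning "$callingFunction: Unable to determine cert on $computer.";
        return;
    }

    # Look the serial up in the remote machine's personal store.  -eq is
    # case-insensitive, so the lowercase hex from the helper matches the
    # uppercase SerialNumber property.  A serial number is only unique per
    # issuing CA, so more than one certificate can in theory come back;
    # callers that care should also check Issuer.
    $store = 'My'; # locally installed certs
    $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly";
    $cu = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"; # original was missing the opening '['
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\$store", $cu);
    $c.Open($ro);
    $found = @($c.Certificates | Where-Object { $_.SerialNumber -eq $serialNumber });
    $c.Close(); # release the remote store handle; the original never closed it
    $found;
}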

function Get-AcessEdgeServerInternalCert {
    # Certificate bound to the Access Edge server's internal listener
    # (MSFT_SIPFederationInternalEdgeListeningAddressSetting.TLSCertSN).
    # The function name keeps its historical "Acess" spelling because callers
    # depend on it.
    #
    # Parameters:
    #   computer   - remote Access Edge server.
    #   psExecPath - path to PsExec.exe.
    param (
        $computer = $null,
        $psExecPath = $null
    );
    $class = 'MSFT_SIPFederationInternalEdgeListeningAddressSetting';
    $property = 'TLSCertSN';
    Get-OCSCert -computer $computer -psExecPath $psExecPath -wmiClass $class -wmiInstance $property;
}

function Get-AcessEdgeServerExternalCert {
    # Certificate bound to the Access Edge server's external listener
    # (MSFT_SIPFederationExternalEdgeListeningAddressSetting.TLSCertSN).
    # The function name keeps its historical "Acess" spelling because callers
    # depend on it.
    #
    # Parameters:
    #   computer   - remote Access Edge server.
    #   psExecPath - path to PsExec.exe.
    param (
        $computer = $null,
        $psExecPath = $null
    );
    $class = 'MSFT_SIPFederationExternalEdgeListeningAddressSetting';
    $property = 'TLSCertSN';
    Get-OCSCert -computer $computer -psExecPath $psExecPath -wmiClass $class -wmiInstance $property;
}

function Get-ProxyServerCert {
    # Certificate bound to the proxy server's SIP listener
    # (MSFT_SIPListeningAddressData.TLSCertSN).
    #
    # Parameters:
    #   computer   - remote proxy server.
    #   psExecPath - path to PsExec.exe.
    param (
        $computer = $null,
        $psExecPath = $null
    );
    $class = 'MSFT_SIPListeningAddressData';
    $property = 'TLSCertSN';
    Get-OCSCert -computer $computer -psExecPath $psExecPath -wmiClass $class -wmiInstance $property;
}

function Get-MediaRelayServerInternalCert {
    # Certificate bound to the media relay server's internal listener.  This
    # reads the same WMI class and property as Get-AcessEdgeServerInternalCert
    # (MSFT_SIPFederationInternalEdgeListeningAddressSetting.TLSCertSN).
    #
    # Parameters:
    #   computer   - remote media relay server.
    #   psExecPath - path to PsExec.exe.
    param (
        $computer = $null,
        $psExecPath = $null
    );
    $class = 'MSFT_SIPFederationInternalEdgeListeningAddressSetting';
    $property = 'TLSCertSN';
    Get-OCSCert -computer $computer -psExecPath $psExecPath -wmiClass $class -wmiInstance $property;
}

function Get-MediaRelayServerExternalCert {
    # Certificate bound to the media relay server's external listener.  Unlike
    # the other wrappers, the serial lives in a different class and property:
    # MSFT_SIPMediaRelaySetting.BankCertSN, not a TLSCertSN.
    #
    # Parameters:
    #   computer   - remote media relay server.
    #   psExecPath - path to PsExec.exe.
    param (
        $computer = $null,
        $psExecPath = $null
    );
    $class = 'MSFT_SIPMediaRelaySetting';
    $property = 'BankCertSN';
    Get-OCSCert -computer $computer -psExecPath $psExecPath -wmiClass $class -wmiInstance $property;
}