Fix Root & Intermediate Certificate Store For Me In Bulk please, kthxbi

Fact 1: Trusted Root Certificates belong in the Trusted Root Certification Authorities Store and Intermediate Certificates belong in the Intermediate Certification Authorities Store.

Fact 2: Lync Server 2013 on Windows Server 2012 does not like environments that do not believe Fact 1.

Related to a well-known issue: many oddities can occur on your Lync 2013 Servers if a certificate is placed in the incorrect store.  In my experience this is also true for trusted/intermediate certs that have nothing to do with the certificate chain actually assigned to your Lync services.  For example, you use DigiCert as the CA for your Lync services and that is set up correctly, but a private CA cert was placed in the wrong store by some masterful GPO admins.  One caveat if that is how it got there: a certificate delivered by Group Policy comes back at the next policy refresh, so moving it locally only lasts until then and the GPO itself has to be corrected as well.  Microsoft commonly references the basic single command in the above article when resolving this, BUT what I have not yet seen is how to do it quickly for many servers at once.  Hence the reason for this post, enjoy.

This script can be executed from any server/workstation that has WinRM connectivity to the servers whose cert stores you want to clean.  It reads an input file you need to create (FixMe.txt) in the same folder you run the script from, containing a basic list of server FQDNs, one per line.

For any server where it detects a Trusted Root certificate in the Intermediate store or vice versa, it writes a count of each to the host and then lists the cert thumbprint(s) as it moves each one to the correct store.  The test is simply whether the certificate is self-signed (Issuer equals Subject): a self-signed cert is treated as a root and anything else as an intermediate, so a cross-signed root that you keep in the Root store on purpose would be moved as well; check the output before you run it against production.

For any server with no certs in the wrong store, it simply reports 0 and moves on to the next server.

Example output:

Hopefully this saves some of you some time as I understand how annoying it is to clean manually.

# Script purpose: clean the Trusted Root and Intermediate certificate stores of misplaced certs
# Author: Jeff McBride
# Date: 2/21/2017
##### Create FixMe.txt in the same folder you execute this script from. Its content should be a list of server FQDNs, one per line.
$Servers = Get-Content .\FixMe.txt
##### No need to edit the content below

ForEach ($Server in $Servers) {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $name = $env:COMPUTERNAME
        Write-Host "====================== $name ======================"
        # A root CA certificate is self-signed (Issuer equals Subject); anything else in the Root store is misplaced.
        # @() keeps .Count correct whether zero, one or many certs match.
        $NonTRCA = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -ne $_.Subject })
        # A self-signed certificate in the Intermediate store is a root that belongs in the Root store.
        $NonICA = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Issuer -eq $_.Subject })
        $NonTRCACount = $NonTRCA.Count
        $NonICACount = $NonICA.Count
        Write-Host "Misplaced Certs in Trusted Root Store: $NonTRCACount"
        Write-Host "Misplaced Certs in Intermediate Store: $NonICACount"
        If ($NonTRCACount -ne 0) {
            ForEach ($cert in $NonTRCA) {
                Move-Item -Path $cert.PSPath -Destination Cert:\LocalMachine\CA
                Write-Host "Move Cert from Trusted Store to Intermediate" $cert.Thumbprint $cert.Subject
            }
        } Else {
            Write-Host "Trusted Certificates Confirmed Clean"
        }
        If ($NonICACount -ne 0) {
            ForEach ($cert in $NonICA) {
                Move-Item -Path $cert.PSPath -Destination Cert:\LocalMachine\Root
                Write-Host "Move Cert from Intermediate to Trusted Store" $cert.Thumbprint $cert.Subject
            }
        } Else {
            Write-Host "Intermediate Certificates Confirmed Clean"
        }
        Write-Host "====================== ======================"
    }
}
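As an added companion to the script above (not part of the original post), here is an audit-first variant: it fans out to all servers in one Invoke-Command call, reports every misplaced certificate as an object, and only moves anything when you pass -Fix. It also flags certificates that were pushed by Group Policy and leaves those alone, since a local move would be reverted at the next policy refresh. Assumptions: PowerShell 3.0 or later on both ends (for $using: and for Move-Item in the Cert: drive), the same FixMe.txt input file, and that policy-deployed certificates are mirrored under the registry hive HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates (the standard location; verify on your build). The -KeepInRoot parameter is a hypothetical allow-list of thumbprints (for example a cross-signed root) that you deliberately keep in the Root store even though they are not self-signed.

```powershell
# Audit-first companion to the bulk cert store fix. Added example, not the original post's script.
# Run with no switches to audit; add -Fix to actually move certificates.
param(
    [string]$ServerList = '.\FixMe.txt',   # same one-FQDN-per-line file as the original script
    [string[]]$KeepInRoot = @(),           # hypothetical allow-list: thumbprints to leave in Root regardless
    [switch]$Fix                           # without -Fix nothing is changed
)

$Servers = Get-Content $ServerList | Where-Object { $_.Trim() -ne '' }
$DoFix   = [bool]$Fix

# One call for all servers: remoting runs the script block in parallel (up to -ThrottleLimit at a time)
$results = Invoke-Command -ComputerName $Servers -ThrottleLimit 16 -ScriptBlock {
    $keep  = @($using:KeepInRoot)
    $doFix = $using:DoFix
    # Assumed location of Group Policy-deployed certificates. A cert present here is re-applied on the next
    # gpupdate, so it is reported as SkippedGPO and never moved; the fix for those belongs in the GPO itself.
    $policyHive = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'

    function Get-Finding($cert, $store, $target) {
        $fromPolicy = Test-Path "$policyHive\$store\Certificates\$($cert.Thumbprint)"
        $action = 'WouldMove'
        if ($fromPolicy) {
            $action = 'SkippedGPO'
        } elseif ($doFix) {
            Move-Item -Path $cert.PSPath -Destination "Cert:\LocalMachine\$target"
            $action = 'Moved'
        }
        [pscustomobject]@{
            Store      = $store
            Target     = $target
            Action     = $action
            FromPolicy = $fromPolicy
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
        }
    }

    # Root store: anything not self-signed is an intermediate, unless explicitly allow-listed.
    # Collect first, then act, so the store is not modified while it is being enumerated.
    $rootMisplaced = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject -and $keep -notcontains $_.Thumbprint })
    foreach ($c in $rootMisplaced) { Get-Finding $c 'Root' 'CA' }

    # Intermediate store: anything self-signed is a root.
    $caMisplaced = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Issuer -eq $_.Subject })
    foreach ($c in $caMisplaced) { Get-Finding $c 'CA' 'Root' }
}

if (-not $results) {
    Write-Host 'No misplaced certificates found on any server.'
} else {
    # PSComputerName is added to every object by remoting, so results can be grouped per server
    $results | Sort-Object PSComputerName, Store |
        Format-Table PSComputerName, Store, Target, Action, FromPolicy, Thumbprint, Subject -AutoSize
}
```

Run it once without -Fix and read the Action column: WouldMove rows are what the original script would change, SkippedGPO rows need the GPO corrected instead, and anything that looks like a cross-signed root you rely on goes into -KeepInRoot before you run again with -Fix. Because the objects come back over the pipeline rather than Write-Host, you can also pipe them to Export-Csv for a change record.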
