florian-obradovic · December 27, 2021 10:53
diff --git a/SetCertificate_AzureApplicationProxy.ps1 b/SetCertificate_AzureApplicationProxy.ps1
 <#
 "Written" by Florian Obradovic #Not_A_Coder #not_pretty
 This script exports a given certificate from Azure key vault and assigns it to all Azure Application Proxy Applications

 It will NOT work in Azure Cloud Shell:
 $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
 MethodInvocationException: Exception calling "Import" with "3" argument(s): "ASN1 corrupted data."

 #>

 # Connect to AAD
 Connect-AzureAD

 # Show all Application Proxies
 foreach ($a in (Get-AzureADApplication -All:$true))
    {
        try
        {
            $p = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId
            [pscustomobject]@{ObjectID=$a.ObjectId; DisplayName=$a.DisplayName; ExternalUrl=$p.ExternalUrl; InternalUrl=$p.InternalUrl; Thumbprint=$p.VerifiedCustomDomainCertificatesMetadata.Thumbprint; IssueDate=$p.VerifiedCustomDomainCertificatesMetadata.IssueDate; ExpiryDate=$p.VerifiedCustomDomainCertificatesMetadata.ExpiryDate}
        }
        catch
        {
            continue
        }
 }
  
  
 # Retrieve Certificate from key-vault
 $vaultName = Read-Host -Prompt "Enter vault name (Example: Letsencrypt-Key-Vault)"
 $secretName = Read-Host -Prompt "Enter certifcate name (Example: wildcard-my-domain-com)"
 $kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
 $kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
 $certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
 $certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
  
 # Generate a password
 Add-Type -AssemblyName 'System.Web'
 $length = 15
 $nonAlphaChars = 5
 $password = [System.Web.Security.Membership]::GeneratePassword($length, $nonAlphaChars)
 $secure = ConvertTo-SecureString -String $password -AsPlainText -Force
 Write-Host "Generated Password for PFX File: " $password -BackgroundColor "Black" -ForegroundColor "Cyan"
  
 # Get the file created
 $protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
 $pfxPath = [Environment]::GetFolderPath("Desktop") + "\" + $secretName +".pfx"
 [System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)
  
 # Set certificate for all Application Proxies
 foreach ($a in (Get-AzureADApplication -All:$true))
    {
        try
        {
            # List Current Settings
            $p = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId
            [pscustomobject]@{ObjectID=$a.ObjectId; DisplayName=$a.DisplayName; ExternalUrl=$p.ExternalUrl; InternalUrl=$p.InternalUrl; Thumbprint=$p.VerifiedCustomDomainCertificatesMetadata.Thumbprint; IssueDate=$p.VerifiedCustomDomainCertificatesMetadata.IssueDate; ExpiryDate=$p.VerifiedCustomDomainCertificatesMetadata.ExpiryDate}
 
            # Set new certificate
            Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $a.ObjectId -PfxFilePath $pfxPath -Password $secure
             
            # List Current Settings again
            $AppProxy = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId       
            Write-Host "ExternalURL: " $AppProxy.ExternalURL -BackgroundColor "Black" -ForegroundColor "Cyan"
            Write-Host "SubjectName: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.SubjectName -BackgroundColor "Black" -ForegroundColor "Yellow"
            Write-Host "ThumbPrint: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.Thumbprint -BackgroundColor "Black" -ForegroundColor "Yellow"
            Write-Host "IssueDate: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.IssueDate -BackgroundColor "Black" -ForegroundColor "Yellow"
            Write-Host "ExpiryDate: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.ExpiryDate -BackgroundColor "Black" -ForegroundColor "Green"
            Write-Host "############################" $AppProxy.ExternalURL "############################"
            Write-Host ""
                         
 
        }
        catch
        {
            continue
        }
 }
	<#
	"Written" by Florian Obradovic #Not_A_Coder #not_pretty
	This script exports a given certificate from Azure key vault and assigns it to all Azure Application Proxy Applications

	It will NOT work in Azure Cloud Shell:
	$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
	MethodInvocationException: Exception calling "Import" with "3" argument(s): "ASN1 corrupted data."

	#>

	# Connect to AAD
	Connect-AzureAD

	# Show all Application Proxies
	foreach ($a in (Get-AzureADApplication -All:$true))
	{
	try
	{
	$p = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId
	[pscustomobject]@{ObjectID=$a.ObjectId; DisplayName=$a.DisplayName; ExternalUrl=$p.ExternalUrl; InternalUrl=$p.InternalUrl; Thumbprint=$p.VerifiedCustomDomainCertificatesMetadata.Thumbprint; IssueDate=$p.VerifiedCustomDomainCertificatesMetadata.IssueDate; ExpiryDate=$p.VerifiedCustomDomainCertificatesMetadata.ExpiryDate}
	}
	catch
	{
	continue
	}
	}


	# Retrieve Certificate from key-vault
	$vaultName = Read-Host -Prompt "Enter vault name (Example: Letsencrypt-Key-Vault)"
	$secretName = Read-Host -Prompt "Enter certifcate name (Example: wildcard-my-domain-com)"
	$kvSecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
	$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
	$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
	$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

	# Generate a password
	Add-Type -AssemblyName 'System.Web'
	$length = 15
	$nonAlphaChars = 5
	$password = [System.Web.Security.Membership]::GeneratePassword($length, $nonAlphaChars)
	$secure = ConvertTo-SecureString -String $password -AsPlainText -Force
	Write-Host "Generated Password for PFX File: " $password -BackgroundColor "Black" -ForegroundColor "Cyan"

	# Get the file created
	$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $password)
	$pfxPath = [Environment]::GetFolderPath("Desktop") + "\" + $secretName +".pfx"
	[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

	# Set certificate for all Application Proxies
	foreach ($a in (Get-AzureADApplication -All:$true))
	{
	try
	{
	# List Current Settings
	$p = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId
	[pscustomobject]@{ObjectID=$a.ObjectId; DisplayName=$a.DisplayName; ExternalUrl=$p.ExternalUrl; InternalUrl=$p.InternalUrl; Thumbprint=$p.VerifiedCustomDomainCertificatesMetadata.Thumbprint; IssueDate=$p.VerifiedCustomDomainCertificatesMetadata.IssueDate; ExpiryDate=$p.VerifiedCustomDomainCertificatesMetadata.ExpiryDate}

	# Set new certificate
	Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $a.ObjectId -PfxFilePath $pfxPath -Password $secure

	# List Current Settings again
	$AppProxy = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId
	Write-Host "ExternalURL: " $AppProxy.ExternalURL -BackgroundColor "Black" -ForegroundColor "Cyan"
	Write-Host "SubjectName: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.SubjectName -BackgroundColor "Black" -ForegroundColor "Yellow"
	Write-Host "ThumbPrint: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.Thumbprint -BackgroundColor "Black" -ForegroundColor "Yellow"
	Write-Host "IssueDate: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.IssueDate -BackgroundColor "Black" -ForegroundColor "Yellow"
	Write-Host "ExpiryDate: " $AppProxy.VerifiedCustomDomainCertificatesMetadata.ExpiryDate -BackgroundColor "Black" -ForegroundColor "Green"
	Write-Host "############################" $AppProxy.ExternalURL "############################"
	Write-Host ""


	}
	catch
	{
	continue
	}
	}