-
Notifications
You must be signed in to change notification settings - Fork 25
/
AlwaysOnTLS.ps1
92 lines (73 loc) · 3.77 KB
/
AlwaysOnTLS.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
Function Set-SQL_Cert {
$Subject = "CN=" + [net.dns]::GetHostEntry($env:computername).Hostname + ", O=Lab, C=GB"
# Check if cluster
$cluster = (Get-WindowsFeature -Name Failover-Clustering).Installed
$ClusterStatus = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
if($cluster -eq $true -and $($ClusterStatus.status) -eq "Running"){ $cluster = $true } Else {$cluster = $false}
if($cluster -eq $true){
# Build Array
$Array1 =@()
$AG = (Get-ClusterResource | Where-Object {$_.ResourceType -eq "Network Name" -AND $_.name -ne "Cluster Name"} | Get-ClusterParameter -Name DnsName).value
foreach($listener in $AG) {
$DNS = $listener + "." + $env:USERDNSDOMAIN
$array1 += $DNS
}
$string = [net.dns]::GetHostEntry($env:computername).Hostname
foreach($i in $array1)
{
$string += "," + $i
}
#Create Certificate
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -subject $Subject -DnsName $string -FriendlyName SQLServer -NotAfter (Get-Date).AddMonths(24) -KeySpec KeyExchange
} else {
$dnsname = ([System.Net.Dns]::GetHostByName((hostname)).HostName)
#Create SSL Certificate (replace with PKI function)
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -subject $Subject -DnsName $dnsname -FriendlyName SQLServer -NotAfter (Get-Date).AddMonths(24) -KeySpec KeyExchange
}
}
$Instance = "MSSQLServer"
# check if cluster
$cluster = (Get-WindowsFeature -Name Failover-Clustering).Installed
$ClusterStatus = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
# Set default status
$CertValide = $true
# Cert selection
$Subject = "CN=" + [net.dns]::GetHostEntry($env:computername).Hostname + ", O=Lab, C=GB"
$certs = Get-Childitem -Path Cert:\LocalMachine\My | Where-Object {$_.subject -eq $Subject} |
Sort-Object -Property NotBefore -Descending | Select-Object NotAfter, FriendlyName, DnsNameList, thumbprint -First 1
# Check if this is a cluster and if yes does the cert match the packages
if($cluster -eq $true -and $($ClusterStatus.status) -eq "Running"){
write-output "this is cluster"
$Array1 =@()
$AG = (Get-ClusterResource | Where-Object {$_.ResourceType -eq "Network Name" -AND $_.name -ne "Cluster Name"} | Get-ClusterParameter -Name DnsName).value
foreach($listener in $AG) {
$DNS = $listener + "." + $env:USERDNSDOMAIN
$array1 += $DNS
}
$same = [net.dns]::GetHostEntry($env:computername).Hostname
foreach($p in $array1){
$same += "," + $p
}
if($certs){
$notsame = Compare-Object -ReferenceObject $same -DifferenceObject $certs.DnsNameList.Unicode
if($notsame){
$CertValide = $false
} else {write-output "no cert"}
}
} else {write-output "Cluster isn't running"}
# check certificate is valid
if($($certs.NotAfter) -lt (Get-Date).AddDays(120)){
$CertValide = $false
}
If($CertValide -eq $false){
# Get new Cert
Write-Output "Getting new cert"
Set-SQL_Cert
}
$Subject = "CN=" + [net.dns]::GetHostEntry($env:computername).Hostname + ", O=Lab, C=GB"
$certs = Get-Childitem -Path Cert:\LocalMachine\My | Where-Object {$_.subject -eq $Subject} |
Sort-Object -Property NotBefore -Descending | Select-Object NotAfter, FriendlyName, DnsNameList, thumbprint -First 1
# Set Thumbprint
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.$Instance\MSSQLServer\SuperSocketNetLib" -Name "Certificate" -Type String -Value "$($certs.thumbprint.ToLower())"
# Set Forced Encryption
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.$instance\MSSQLServer\SuperSocketNetLib" -Name "ForceEncryption" -Type DWord -Value "1"