In the Task Scheduler there is a new task category called Notifications, located under Task Scheduler Library, Microsoft, Windows, CertificateServicesClient.
#
# This script will have these parameters passed to it:
#
# OldCertHash - thumbprint of the certificate that has been renewed
# NewCertHash - thumbprint of the certificate that renewed the old certificate
#
param([string]$OldCertHash, [string]$NewCertHash)

Import-Module WebAdministration

# Get every SSL binding that is using the old cert
$res = (dir IIS:\SslBindings | Where-Object {$_.Thumbprint -match $OldCertHash})

# Find the new cert in the local machine personal store
$newCert = dir "cert:\LocalMachine\My\$NewCertHash"

# For each binding that was using the old cert, point it at the new cert
if ($newCert -ne $null) {
    $res | ForEach-Object {$_.Thumbprint = $newCert.Thumbprint; $_ | Set-Item}
}
New-CertificateNotificationTask -Type Replace -PSScript "c:\Scripts\UpdateIISCert.ps1" -Name UpdateIISCert -Channel System
Certificate services notifications are designed to trigger Windows PowerShell scripts that perform administrative tasks, such as binding a renewed certificate to an application. Because these scripts run with system privileges, they are an attractive target for an attacker who wants to run malicious code. Administrators should set appropriate permissions on the scripts so that they cannot be modified and used for anything other than their intended purpose. To prevent scripts from being tampered with, you can digitally sign your PowerShell scripts. For information about signing PowerShell scripts, see Windows PowerShell Sign Here, Please.
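As an added example (not part of the original article), the following function audits a notification script before it is registered with New-CertificateNotificationTask: it checks that the file carries a valid Authenticode signature and that only the assumed set of privileged principals (SYSTEM, Administrators, TrustedInstaller) can modify, delete or re-permission it. The script path and the allowed principals are assumptions for illustration.

```powershell
# Added example: audit a script that a Notifications task will run as SYSTEM.
# Assumptions: the script path from the article above; the allowed-writer
# list reflects the principals a typical server lets modify such a script.
function Test-NotificationScriptHardening {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string[]]$AllowedWriters = @('NT AUTHORITY\SYSTEM',
                                      'BUILTIN\Administrators',
                                      'NT SERVICE\TrustedInstaller')
    )
    $findings = @()

    # 1. The task executes whatever the file contains at renewal time, so the
    #    signature must be present and valid (pair this with an AllSigned policy).
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)'; sign the script before registering the task."
    }

    $acl = Get-Acl -Path $ScriptPath

    # 2. The owner can always rewrite the ACL, so the owner must be privileged.
    if ($AllowedWriters -notcontains $acl.Owner) {
        $findings += "Owner '$($acl.Owner)' is not an allowed principal."
    }

    # 3. No Allow ACE outside the allowed set may grant rights that let a
    #    caller change the file, delete it, or change its permissions/owner.
    $mask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        if ((([int]($rule.FileSystemRights -band $mask)) -ne 0) -and ($AllowedWriters -notcontains $who)) {
            $findings += "'$who' can modify the script ($($rule.FileSystemRights))."
        }
    }

    # 4. Inherited ACEs mean a change to the parent folder silently loosens the file.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "ACL inherits from the parent folder; disable inheritance so folder changes cannot loosen it."
    }

    [pscustomobject]@{
        Script   = $ScriptPath
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage with the path from the article (assumed to exist on this host):
Test-NotificationScriptHardening -ScriptPath 'c:\Scripts\UpdateIISCert.ps1'
```

Run it again after any change to the script or its folder; a Hardened value of $false with the listed findings is the signal to fix the signature or ACL before the next renewal fires the task.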
Events that are logged in the Event Viewer CertificateServicesClient-Lifecycle-User log can trigger scripts that run for all users. Because a certificate services lifecycle notification event can trigger a script, running that script could affect other users on the same computer. This could become an issue on a shared computer, such as when multiple users are using a Remote Desktop Services (RDS) server. It is unlikely to be a problem in practice, because the scripts that are triggered by certificate services lifecycle notification events should not consume enough computer resources to severely affect other users of that computer. System administrators should be aware of the potential for this issue and take appropriate steps to mitigate it, such as:
The CertificateServicesClient-Lifecycle-User event log channel is shared by all logged-on users. Any logged-on user can write an event log entry that appears to have been generated by another user. Therefore, you should not rely on this log to prove that a particular user performed a particular action.