#
# DeployCertificate v1.1 (2026-01-19)
#
# Deploys certificates to Personal (My) and Intermediate (CA) Windows certificate stores
# Re-pairs the certificate with the private key that already exists on the target machine (certutil -repairstore), so the key never has to be exported or copied
# Assigns certificate to IIS Binding (list available bindings using Get-WebBinding on IIS server)
# Supports remote deployment over PowerShell Remoting (WinRM): run as a user who is an administrator on the remote machine and pass its name in -ComputerName
#
Param (
    # Path to the end-entity (server) certificate file to deploy. Required; the script exits with 1 without it.
    [string] $CertificatePath,
    # Optional path to the issuing intermediate CA certificate; imported into Cert:\LocalMachine\CA when given.
    [string] $IntermediateCertificatePath,
    # Optional IIS site/binding name (as shown by Get-WebBinding) whose https binding gets the certificate.
    [string] $IisBindingName,
    # Optional remote target; when empty the local machine is used.
    [string] $ComputerName
)
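Function Load-X509Certificate(){
    # Loads an X.509 certificate from the file path given in $args[0] and returns it as an
    # X509Certificate2, or $null when the file cannot be parsed as a certificate.
    #
    # The file is read as raw bytes so both DER (binary) and PEM (Base64 text) files work;
    # the previous Get-Content -> UTF8.GetBytes round trip corrupted binary DER input.
    # Convert-Path resolves the path against PowerShell's current location, which can differ
    # from the .NET process working directory that File.ReadAllBytes would otherwise use.
    # Callers test .Thumbprint, and $null.Thumbprint is $null, so a parse failure surfaces as
    # the caller's "Cannot load ..." message instead of an unhandled exception.
    $path = $args[0]
    try {
        $bytes = [System.IO.File]::ReadAllBytes((Convert-Path -Path $path))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    } catch {
        Write-Host " [!!] $($_.Exception.Message)"
        return $null
    }
    return $cert
}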
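Function Import-CertificateToStore(){
    # Imports a certificate file into a Windows certificate store.
    #   $args[0] - path of the certificate file on the machine running this script
    #   $args[1] - target store as a Cert: drive path, e.g. "Cert:\LocalMachine\My"
    #   $args[2] - remote computer name; empty/$null means the local machine
    # Output is whatever Import-Certificate emits (the imported certificate object).
    $cert = $args[0]
    $store = $args[1]
    $computer = $args[2]
    if (-not ($computer)) {
        # Local import. The previous version used $Using:localpath / $Using:store here, which is
        # only valid inside a remoting script block (and $localpath was never set on this path),
        # so the local case always failed.
        Import-Certificate -FilePath "$cert" -CertStoreLocation "$store"
        return
    }
    # Remote import. Send the certificate bytes through the WinRM session instead of copying the
    # file to the fixed path C:\Windows\Temp\import.crt over the admin share: that path is
    # predictable and the directory is writable by every local user on the target, leaving a
    # window in which the file could be swapped before it is imported, and it additionally
    # required SMB access to the admin share. The temp file below lives under the remoting
    # user's own profile with a unique name and is removed even if the import fails.
    $bytes = [System.IO.File]::ReadAllBytes((Convert-Path -Path $cert))
    Invoke-Command -ComputerName "$computer" -ScriptBlock {
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            [System.IO.File]::WriteAllBytes($tmp, [byte[]]$Using:bytes)
            Import-Certificate -FilePath $tmp -CertStoreLocation "$Using:store"
        } finally {
            Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
        }
    }
}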
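$do_remote = $False
$do_intermediate = $False
$do_iis = $False

# ---------------------------------------------------------------------------
# Argument validation. Every failure here exits with 1 before anything is
# touched on the target machine.
# ---------------------------------------------------------------------------
if (-not ($CertificatePath)) {
    Write-Host " [!!] CertificatePath is required"
    Exit(1)
}
$certificate_path = $CertificatePath
if (-not (Test-Path -Path $certificate_path)) {
    Write-Host " [!!] Certificate file '$certificate_path' not found"
    Exit(1)
}
$certificate = Load-X509Certificate($certificate_path)
$certificate_thumbprint = $certificate.Thumbprint
if (-not ($certificate_thumbprint)) {
    # This is the end-entity certificate; the message used to say "intermediate" by copy/paste.
    Write-Host " [!!] Cannot load certificate from file '$certificate_path'"
    Exit(1)
}
if ($certificate.NotAfter -lt (Get-Date)) {
    # Deploying an expired certificate is almost never intended; warn but do not block.
    Write-Host " [!] Certificate with thumbprint '$certificate_thumbprint' expired on $($certificate.NotAfter)"
}

$intermediate_certificate_path = $IntermediateCertificatePath
if ($intermediate_certificate_path) {
    if (-not (Test-Path -Path $intermediate_certificate_path)) {
        Write-Host " [!!] Intermediate certificate file '$intermediate_certificate_path' not found"
        Exit(1)
    }
    $intermediate_certificate = Load-X509Certificate($intermediate_certificate_path)
    $intermediate_thumbprint = $intermediate_certificate.Thumbprint
    if (-not ($intermediate_thumbprint)) {
        Write-Host " [!!] Cannot load intermediate certificate from file '$intermediate_certificate_path'"
        Exit(1)
    }
    # The intermediate is expected to be the issuer of the end-entity certificate. Only a
    # warning: a deeper chain may legitimately pass a higher-level CA here.
    if ($intermediate_certificate.Subject -ne $certificate.Issuer) {
        Write-Host " [!] Intermediate certificate subject does not match the certificate issuer; check that the right intermediate was supplied"
    }
    $do_intermediate = $True
}

$remote_computer = $ComputerName
if ($remote_computer) {
    $do_remote = $True
}
$iis_binding_name = $IisBindingName
if ($iis_binding_name) {
    $do_iis = $True
}

# ---------------------------------------------------------------------------
# Summary of what will be done and where.
# ---------------------------------------------------------------------------
Write-Host ""
Write-Host " Certificate: '$certificate_path'"
if ($do_intermediate) {
    Write-Host " Intermediate Certificate: '$intermediate_certificate_path'"
}
if ($do_iis) {
    Write-Host " IIS Binding: '$iis_binding_name'"
}
if ($do_remote) {
    Write-Host " Target Computer: '$remote_computer'"
} else {
    Write-Host " Target Computer: LOCAL SYSTEM"
}
Write-Host ""

# ---------------------------------------------------------------------------
# Intermediate CA certificate -> Cert:\LocalMachine\CA (skipped if present).
# Thumbprint comparison via -contains is case-insensitive in PowerShell.
# ---------------------------------------------------------------------------
if ($do_intermediate) {
    if ($do_remote) {
        $intermediate_certs = Invoke-Command -ComputerName $remote_computer -ScriptBlock {Get-ChildItem Cert:\LocalMachine\CA}
    } else {
        $intermediate_certs = Get-ChildItem Cert:\LocalMachine\CA
    }
    if (($intermediate_certs | Select-Object -ExpandProperty Thumbprint) -contains $intermediate_thumbprint) {
        Write-Host " [!] Intermediate certificate with thumbprint '$intermediate_thumbprint' already exists"
    } else {
        Write-Host " [-] Intermediate certificate with thumbprint '$intermediate_thumbprint' will be imported"
        Import-CertificateToStore "$intermediate_certificate_path" "Cert:\LocalMachine\CA" "$remote_computer"
    }
}

# ---------------------------------------------------------------------------
# End-entity certificate -> Cert:\LocalMachine\My, then re-paired with the
# private key already present on the target (certutil -repairstore). The
# repair only succeeds if the key for this certificate was generated on the
# target machine (e.g. the CSR was created there); nothing is exported.
# Note: if the certificate is already in the store the repair step is not
# re-run, even if it has no associated private key.
# ---------------------------------------------------------------------------
if ($do_remote) {
    $personal_certs = Invoke-Command -ComputerName $remote_computer -ScriptBlock {Get-ChildItem Cert:\LocalMachine\My}
} else {
    $personal_certs = Get-ChildItem Cert:\LocalMachine\My
}
if (($personal_certs | Select-Object -ExpandProperty Thumbprint) -contains $certificate_thumbprint) {
    Write-Host " [!] Certificate with thumbprint '$certificate_thumbprint' already exists"
} else {
    Write-Host " [-] Certificate with thumbprint '$certificate_thumbprint' will be imported"
    Import-CertificateToStore "$certificate_path" "Cert:\LocalMachine\My" "$remote_computer"
    Write-Host " [-] Certificate with thumbprint '$certificate_thumbprint' will be re-paired with key"
    if ($do_remote) {
        Invoke-Command -ComputerName "$remote_computer" -ScriptBlock {C:\Windows\System32\certutil.exe -repairstore my "$Using:certificate_thumbprint"}
    } else {
        C:\Windows\System32\certutil.exe -repairstore my "$certificate_thumbprint"
    }
}

# ---------------------------------------------------------------------------
# IIS https binding assignment (optional). Exit code 2 here means the
# certificates above have already been imported but the binding was not found.
# ---------------------------------------------------------------------------
if ($do_iis) {
    if ($do_remote) {
        $iis_binding = Invoke-Command -ComputerName $remote_computer -ScriptBlock {Get-WebBinding -Protocol "https" -Name "$Using:iis_binding_name"}
    } else {
        $iis_binding = Get-WebBinding -Protocol "https" -Name "$iis_binding_name"
    }
    if (-not ($iis_binding)) {
        Write-Host " [!!] IIS binding '$iis_binding_name' not found"
        Exit(2)
    }
    # If the site has several https bindings, certificateHash is an array and -eq filters
    # it, so this is "any binding already uses this thumbprint" (previous behaviour kept).
    if ($iis_binding.certificateHash -eq $certificate_thumbprint) {
        Write-Host " [!] Certificate with thumbprint '$certificate_thumbprint' is already assigned to IIS Binding '$iis_binding_name'"
    } else {
        Write-Host " [-] Certificate with thumbprint '$certificate_thumbprint' will be assigned to IIS Binding"
        if ($do_remote) {
            # Must pass the binding *name*. The previous version passed $Using:iis_binding
            # (the binding object), which matched no site and silently skipped the assignment.
            Invoke-Command -ComputerName "$remote_computer" -ScriptBlock {Get-WebBinding -Protocol "https" -Name "$Using:iis_binding_name" | ForEach-Object { $_.AddSslCertificate($Using:certificate_thumbprint, "My") }}
        } else {
            Get-WebBinding -Protocol "https" -Name "$iis_binding_name" | ForEach-Object { $_.AddSslCertificate($certificate_thumbprint, "My") }
        }
    }
}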