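function Export-CertificateAsPem {
    <#
    .SYNOPSIS
        Writes a server certificate to disk as a PEM file and returns its SHA-256 fingerprint.
    .DESCRIPTION
        Exports only the DER-encoded leaf certificate (no private key, no chain), wraps it in
        "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" armor and writes it with
        ASCII encoding. The SHA-256 fingerprint of the DER bytes is returned so the caller can
        show it for out-of-band comparison before the certificate is trusted or installed.
    .PARAMETER Certificate
        The certificate presented by the server (X509Certificate or X509Certificate2).
    .PARAMETER OutputPath
        Destination path of the PEM file.
    .OUTPUTS
        System.String - colon-separated uppercase hex SHA-256 fingerprint (e.g. AB:CD:...).
    #>
    param (
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate]$Certificate,
        [Parameter(Mandatory=$true)]
        [string]$OutputPath
    )
    $x509Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Certificate)
    # X509ContentType::Cert yields the raw DER certificate without private key material.
    $certBytes = $x509Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    # InsertLineBreaks wraps at 76 columns; PEM readers accept this even though RFC 7468's
    # canonical form is 64 columns.
    $base64String = [System.Convert]::ToBase64String($certBytes, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pemContent = "-----BEGIN CERTIFICATE-----`n" + $base64String + "`n-----END CERTIFICATE-----"
    $pemContent | Out-File -FilePath $OutputPath -Encoding ASCII

    # SHA-256 over the DER bytes; X509Certificate2.Thumbprint is SHA-1, which is no longer
    # suitable for identifying a certificate.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hashBytes = $sha256.ComputeHash($certBytes)
    }
    finally {
        $sha256.Dispose()
    }
    return ([System.BitConverter]::ToString($hashBytes)).Replace('-', ':')
}

function Get-SelfSignedCertAsPem {
    <#
    .SYNOPSIS
        Downloads the TLS certificate presented by an HTTPS endpoint and saves it as a PEM file.
    .DESCRIPTION
        Connects to the given URI and exports the leaf certificate the server presented, even
        when the chain does not validate (self-signed / private CA) or the server answers with an
        HTTP error status - in both cases the TLS handshake has completed and the certificate is
        available on the request's ServicePoint.

        Because the certificate is obtained over a connection that could not be validated, the
        SHA-256 fingerprint of the saved certificate is printed so it can be compared out-of-band
        (e.g. with the server administrator) before the file is trusted or installed.

        NOTE(review): relies on HttpWebRequest.ServicePoint.Certificate, which is populated on
        .NET Framework (Windows PowerShell). On PowerShell 7 / .NET (Core) the ServicePoint
        certificate may not be available - confirm on the target platform.
    .PARAMETER Uri
        The HTTPS URL of the endpoint (e.g. https://internal.domain.com). Non-HTTPS URIs are rejected.
    .PARAMETER OutputPath
        Path of the PEM file to write. The parent directory must already exist.
    .OUTPUTS
        None. Status goes to the host; failures are reported with Write-Error.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [Uri]$Uri, # The internal domain URL (e.g., https://internal.domain.com)
        [string]$OutputPath = "C:\Temp\certificate.pem" # Where to save the PEM file
    )

    # Ensure the URI uses HTTPS
    if ($Uri.Scheme -ne "https") {
        Write-Error "The URI must use HTTPS (e.g., https://internal.domain.com)"
        return
    }

    # Fail early with a clear message instead of an opaque Out-File error after the download.
    $outputDir = Split-Path -Parent $OutputPath
    if ($outputDir -and -not (Test-Path -LiteralPath $outputDir -PathType Container)) {
        Write-Error "The output directory '$outputDir' does not exist"
        return
    }

    $request = $null
    try {
        $request = [System.Net.HttpWebRequest]::Create($Uri)
        # Only the TLS handshake matters here; the response body is discarded.
        $request.GetResponse().Dispose()
        $cert = $request.ServicePoint.Certificate
        if ($null -eq $cert) {
            Write-Error "No certificate was retrieved from $Uri"
            return
        }
        $fingerprint = Export-CertificateAsPem -Certificate $cert -OutputPath $OutputPath
        Write-Host "Certificate successfully downloaded as PEM to $OutputPath"
        Write-Host "SHA-256 fingerprint (verify out-of-band before trusting): $fingerprint"
    }
    catch [System.Net.WebException] {
        $webError = $_
        $status = $webError.Exception.Status
        # A WebException raised after the handshake (trust failure, or an HTTP 4xx/5xx status)
        # still leaves the presented certificate on the ServicePoint.
        $cert = $null
        if ($null -ne $request) {
            $cert = $request.ServicePoint.Certificate
        }
        # ProtocolError carries a response object that must be released.
        if ($null -ne $webError.Exception.Response) {
            $webError.Exception.Response.Close()
        }

        if ($status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # Handle self-signed cert trust failure
            if ($null -ne $cert) {
                $fingerprint = Export-CertificateAsPem -Certificate $cert -OutputPath $OutputPath
                Write-Host "Self-signed certificate downloaded as PEM despite trust failure to $OutputPath"
                Write-Host "SHA-256 fingerprint (verify out-of-band before trusting): $fingerprint"
            } else {
                Write-Error "Failed to retrieve the certificate due to trust failure."
            }
        } elseif ($status -eq [System.Net.WebExceptionStatus]::ProtocolError -and $null -ne $cert) {
            # The server answered with an HTTP error, but the handshake succeeded and the
            # certificate is usable.
            $fingerprint = Export-CertificateAsPem -Certificate $cert -OutputPath $OutputPath
            Write-Host "Certificate downloaded as PEM (server returned an HTTP error) to $OutputPath"
            Write-Host "SHA-256 fingerprint (verify out-of-band before trusting): $fingerprint"
        } else {
            Write-Error "An error occurred: $webError"
        }
    }
    catch {
        Write-Error "Unexpected error: $_"
    }
}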
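# Example invocation (placeholder host): the function defined above is Get-SelfSignedCertAsPem.
Get-SelfSignedCertAsPem -Uri "https://your.internal.domain.com" -OutputPath "C:\Temp\selfsigned.cer"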
Example Walkthrough
Let’s say:
Your internal domain is https://server1.company.local.
You want the certificate saved to C:\Certificates.
Here's what you do:
Open PowerShell.
Paste the full script and press Enter.
Create the C:\Certificates folder if it doesn’t exist:
New-Item -Path "C:\Certificates" -ItemType Directory -Force
Run this command:
Get-SelfSignedCertAsPem -Uri "https://server1.company.local" -OutputPath "C:\Certificates\selfsigned.cer"
Check C:\Certificates for selfsigned.cer.