Can you update a certificate hash using powershell?

I am attempting to write a script that gets the thumbprint\hash value from a certificate in the certificate store, puts that value in a variable.

So far:

#Declare variables at string type

#Get the Thumbprint of the trusted cert from the personal store

[string]$CertHash = wmic /namespace:\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

#Trim the variable value to strip out header and whitespace before the hash value

[string]$TrustedHash = $CertHash.TrimStart(“SSLCertificateSHA1Hash”)

[string]$TrustedHash = $TRustedHash.TrimStart( )

#Assign the trimmed value of $TrustedHash to the RDP certificate

wmic /namespace:\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=$TrustedHash

However I run into a problem at the last line. the wmic command used to set the SSLCertificateSHA1Hash won't accept a variable as an argument to update the hash value. If you type the thumbprint by hand, it works as expected.
I've already found a better way to get the thumbprint value without having to trim the string value:
$Thumbprint = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "<SubjectName>"}).Thumbprint;
BUT, I have not been able to locate a way to use the PowerShell certificate provider to update that SSLCertificateSHA1Hash value for a specific cert.
Eventually I will put this into a loop that cycles through a list of servers from a .txt file, but first I need to make the individual set of commands do what I need it to do.
Thanks in advance for your help!

In a nutshell, what I’m trying to do step by step:

  1. Get the thumbprint of the trusted cert in Cert:\LocalMachine\My and place that value in a variable.
  2. Set the thumbprint/hash of the Remote Desktop certificate to match that of the trusted cert in Cert:\LocalMachine\my
 

SSLCertificateSHA1HashType is a read-only property, hence IMO, it cannot be changed via WMI

https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tsgeneralsetting#members

wmic can be used to update that thumbprint value.

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

however as this is to eventually be placed into a loop through all servers in a txt file, I need to find a the P$ equivalent of that wmic command, or find a way to pass a variable declared in PowerShell as the “THUMBPRINT” value.

 

 

 

@Kvprasoon is correct. The thumbprint of a certificate cannot be changed. The WMIC command you want to run is not changing the thumbprint. The thumbprint is used to identify which certificate should be installed into Terminal Services.

Thanks for clarifying.

So, in fact this is what we want to accomplish:

  1. Collect the thumbprint from the trusted cert in the personal store.

  2. Install the cert with the matching thumbprint into Terminal services.

 

Ideally I’d like to be able to put the hostnames of all servers that need this fix into a txt file and have it loop through the list of servers, performing this for each one.

 

So, for example:

$Servers = Get-Content C:\temp\servers.txt

ForEach ($Server in $Servers)

{

#Declare variables at string type

#Get the Thumbprint of the trusted cert from the personal store

[string]$CertHash = wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

#Trim the variable value to strip out header and whitespace before the hash value

[string]$TrustedHash = $CertHash.TrimStart("SSLCertificateSHA1Hash")

[string]$TrustedHash = $TRustedHash.TrimStart( )

#Assign the certificate with the $TrustedHash value to Terminal Services

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=$TrustedHash

 

Apologies for my confusion about the specific functionality, and thanks in advance for any help.