List duplicated valid certificates on a MS PKI

The following script will give you the possibility to list the valid certificates on your Active Directory PKI that are duplicated. By “duplicated”, I mean at least two valid certificates for the same Common Name.

$allcert_arr = Get-CertificationAuthority -name "CAname" | Get-IssuedRequest
$ht = @{}
$allcert_arr | % {
    $cn = $_.CommonName
    $ht["$cn"] += 1
}

$ht.keys | where {$ht["$_"] -gt 1 -and $_} | % { 
    $tag = 0
    $currentdate = Get-Date
    $dupcn = $_
    $dup_arr = $allcert_arr | ? {$_.CommonName -match $dupcn}
    $dup_arr | % {
        if (($_.NotAfter - $currentdate) -gt 0) { 
            $tag += 1
        }
    }
    if ($tag -gt 1) {
        write-host "duplicate valid certs"
        $dup_arr |select CommonName,NotBefore,NotAfter,SerialNumber | ft -AutoSize
        write-host "-----------------------------------------------------------" 
    }
}

$allcert_arr = Get-CertificationAuthority -name "CAname" | Get-IssuedRequest

$ht = @{}

$allcert_arr | % {

$cn = $_.CommonName

$ht["$cn"] += 1

}

$ht.keys | where {$ht["$_"] -gt 1 -and $_} | % {

$tag = 0

$currentdate = Get-Date

$dupcn = $_

$dup_arr = $allcert_arr | ? {$_.CommonName -match $dupcn}

$dup_arr | % {

if (($_.NotAfter - $currentdate) -gt 0) {

$tag += 1

}

if ($tag -gt 1) {

write-host "duplicate valid certs"

$dup_arr |select CommonName,NotBefore,NotAfter,SerialNumber | ft -AutoSize

write-host "-----------------------------------------------------------"

}

My Powershell script categories…

Request and remove a certificate using Active Directory templates

You can request from Powershell a certificate from your Active Directory PKI. In that case you will use the cmdlet Get-Certificate. If you already know the template you want to use (for example Enhanced Web Server), you can use this…

List AD domain controller KDC certificates

Kerberos uses certificates to encrypt communication between the Kerberos client and the Kerberos Key Distribution Center (KDC). If you’re domain controllers use certificate for KDC you can list them by runnning this script:

$domains = (Get-ADForest).domains
$dcs = (Get-ADForest).globalcatalogs

$list = @()

$domains | Sort-Object  | % {
    $domain = $_
    $list += $dcs | ? {($_.split(".")[1..($_.split(".").length -1)] -join ".") -eq $domain} | Sort-Object 
}

$list | % { 
    Invoke-Command -ComputerName $_ -ScriptBlock {
        $certinfo = gci -path Cert:\LocalMachine\My | select * | ? { $_.EnhancedKeyUsageList -match "KDC Authentication" }

        if ($certinfo){
            if ($certinfo.length -gt 1){
		$certinfo | % {
			$cert = $_
			write-host -ForegroundColor Green "$env:COMPUTERNAME : existing KDC cert (Thumbprint="$cert.Thumbprint" / issuer="$cert.Issuer" / expires after:"$cert.NotAfter")"
		}
            }
            else {
		write-host -ForegroundColor Green "$env:COMPUTERNAME : existing KRB cert (Thumbprint="$certinfo.Thumbprint" / issuer="$certinfo.Issuer" / expires after:"$certinfo.NotAfter")"
            }
        }
        else {
            write-host -ForegroundColor DarkCyan "$env:COMPUTERNAME : no Kerberos certificate found"
        }
    }
}

$domains = (Get-ADForest).domains

$dcs = (Get-ADForest).globalcatalogs

$list = @()

$domains | Sort-Object | % {

$domain = $_

$list += $dcs | ? {($_.split(".")[1..($_.split(".").length -1)] -join ".") -eq $domain} | Sort-Object

}

$list | % {

Invoke-Command -ComputerName $_ -ScriptBlock {

$certinfo = gci -path Cert:\LocalMachine\My | select * | ? { $_.EnhancedKeyUsageList -match "KDC Authentication" }

if ($certinfo){

if ($certinfo.length -gt 1){

$certinfo | % {

$cert = $_

write-host -ForegroundColor Green "$env:COMPUTERNAME : existing KDC cert (Thumbprint="$cert.Thumbprint" / issuer="$cert.Issuer" / expires after:"$cert.NotAfter")"

}

else {

write-host -ForegroundColor Green "$env:COMPUTERNAME : existing KRB cert (Thumbprint="$certinfo.Thumbprint" / issuer="$certinfo.Issuer" / expires after:"$certinfo.NotAfter")"

}

else {

write-host -ForegroundColor DarkCyan "$env:COMPUTERNAME : no Kerberos certificate found"

}

First of all the script will…

Certificate renewal with Powershell

With the following function, it is possible to renew a Local machine certificate by providing the certificate thumbprint to the function. To simply get a certificate thumbprint, you can run this command:

gci -path Cert:\LocalMachine\My | select Thumbprint

1	gci -path Cert:\LocalMachine\My \| select Thumbprint

If you want more information (Subject,Issuer, Validity…

Revoke a certificate that has specific properties

In the next days, I will show you how to perform specific tasks on your Microsoft PKI using Powershell. In this post, you will be able to revoke a certificate that matches your criteria. In the following example, I will…

Play with the Windows Task Scheduler and XML

You will find in this post two scripts to : create scheduled tasks on remote computers get scheduled tasks on remote computers These actions will be performed using xml and the COM object Schedule.Service. I will write another article on…

Deploy Petya vaccination files on AD domain members

I have written the following script to deploy Petya vaccination files on all Active Directory domain members. These files are simple text file deployed on the destination system folder C:\Windows. This technic has been discovered by Amit Serper and it…

Get the free space on remote computer disks

With this simple script, you will be able to get the free space available on the C: drive on a list of remote computers. I’m using WMI to request the remote computers. You can use two different ways for the…

Automatically install and renew Let’s Encrypt certificates

Automatically install and renew Let’s Encrypt certificates The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots…

List domain controllers forest wide with OS version

This powershell script will allow you to get a list of your domain controllers and their operating system versions. This script uses information stored in the Active Directory database using the cmdlet get-adcomputer

$list = (Get-ADForest).GlobalCatalogs
$domainnames = (Get-ADForest).Domains

$domainnames_arr = $domainnames| % {
    $domname = $_
    "$domname;" + (($_.split(".") | % {"DC=" + $_ }) -join "," )
}

$DCarray=$domainnames_arr | % {
    $myADobjects = New-Object System.Object
    $dn = $_.split(";")[1]
    $dns = $_.split(";")[0]
    Get-ADComputer -SearchBase "OU=Domain Controllers,$dn" -server "$dns" -Properties OperatingSystem -filter * | `
    select DNSHostName,name,@{l="Domain";e={$dns}},OperatingSystem, @{l="OS Name";e={((($_.OperatingSystem).split(" ")[0..2]) -join " ")}}
}

$DCarray

$list = (Get-ADForest).GlobalCatalogs

$domainnames = (Get-ADForest).Domains

$domainnames_arr = $domainnames| % {

$domname = $_

"$domname;" + (($_.split(".") | % {"DC=" + $_ }) -join "," )

}

$DCarray=$domainnames_arr | % {

$myADobjects = New-Object System.Object

$dn = $_.split(";")[1]

$dns = $_.split(";")[0]

Get-ADComputer -SearchBase "OU=Domain Controllers,$dn" -server "$dns" -Properties OperatingSystem -filter * | `

select DNSHostName,name,@{l="Domain";e={$dns}},OperatingSystem, @{l="OS Name";e={((($_.OperatingSystem).split(" ")[0..2]) -join " ")}}

}

$DCarray

My Powershell script categories Active Directory…

« Previous

DNS Monitoring

Active Directory Audit FREE

Active Directory Dashboard

Monitor the Active Directory authentication with Splunk

Password database

List duplicated valid certificates on a MS PKI

Request and remove a certificate using Active Directory templates

List AD domain controller KDC certificates

Certificate renewal with Powershell

Revoke a certificate that has specific properties

Play with the Windows Task Scheduler and XML

Deploy Petya vaccination files on AD domain members

Get the free space on remote computer disks

Automatically install and renew Let’s Encrypt certificates

List domain controllers forest wide with OS version

Share :

Share :

Share :

Share :

Share :

Share :

Share :

Share :

Share :

Share :