
List duplicated valid certificates on a MS PKI
The following script lists the valid certificates in your Active Directory PKI that are duplicated. By "duplicated", I mean at least two valid certificates for the same Common Name, where "valid" means issued by this CA, not revoked (Get-IssuedRequest only returns issued, non-revoked requests) and not yet expired. The query runs against one CA database, so if you have several issuing CAs, run it once per CA.
New versions of this script are available here and here.
$ca = Get-CertificationAuthority -Name "CAname"      # replace with the name of your issuing CA
$allcert_arr = $ca | Get-IssuedRequest               # issued (i.e. not revoked) certificates
$currentdate = Get-Date

# Count issued certificates per Common Name
$ht = @{}
$allcert_arr | ForEach-Object {
    $cn = $_.CommonName
    $ht["$cn"] += 1
}

# For every Common Name that appears more than once, count how many of its
# certificates have not yet expired
$ht.Keys | Where-Object { $_ -and $ht["$_"] -gt 1 } | ForEach-Object {
    $dupcn = $_
    # exact comparison: -match would treat the CN as a regex, so "host" would also match "host2"
    $dup_arr = $allcert_arr | Where-Object { $_.CommonName -eq $dupcn }
    $tag = @($dup_arr | Where-Object { $_.NotAfter -gt $currentdate }).Count

    if ($tag -gt 1) {
        Write-Host "duplicate valid certs"
        $dup_arr | Select-Object CommonName,NotBefore,NotAfter,SerialNumber | Format-Table -AutoSize
        Write-Host "-----------------------------------------------------------"
    }
}
The PKI cmdlets used in this script are part of the PSPKI PowerShell module, which can be downloaded here.
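A variation on the same check, added here as an example and not taken from the original script. It lets the CA database filter out expired certificates with the PSPKI -Filter parameter instead of pulling every row, groups on the exact Common Name, and also reports who requested each certificate and from which template. That last part is what a security reviewer wants: two valid certificates for one CN that were both requested by the same account from the same template are usually a renewal, whereas a second certificate requested by a different account deserves a look. Assumptions: "CAname" is a placeholder for your CA; the default property set returned by Get-IssuedRequest includes Request.RequesterName and CertificateTemplate (check with Get-Member on your PSPKI version, and add them with -Property if not); and the interpolated date in the -Filter string is parsed in your server's culture, as in the PSPKI documentation examples.

```powershell
# Added example (not from the original post): list Common Names that currently hold
# more than one unexpired certificate on this CA, with the requester of each one.
# Assumes PSPKI is installed and "CAname" is replaced with the real CA name.
Import-Module PSPKI

$ca = Get-CertificationAuthority -Name "CAname"

# Server-side filter (PSPKI -Filter syntax): only certificates that have not expired yet.
$valid = $ca | Get-IssuedRequest -Filter "NotAfter -ge $(Get-Date)"

# Group on the exact Common Name (no regex) and keep groups with two or more valid certs.
$dupes = $valid |
    Where-Object { $_.CommonName } |
    Group-Object -Property CommonName |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $dupes) {
    # Property names below assume the default Get-IssuedRequest output columns.
    $requesters = @($group.Group | Select-Object -ExpandProperty 'Request.RequesterName' -Unique)
    $templates  = @($group.Group | Select-Object -ExpandProperty CertificateTemplate -Unique)

    # Same requester and template: most likely a renewal. Different requesters: review.
    $verdict = if ($requesters.Count -gt 1) { 'REVIEW: requested by more than one account' }
               elseif ($templates.Count -gt 1) { 'REVIEW: issued from more than one template' }
               else { 'likely renewal' }

    Write-Host ("{0}: {1} valid certs, {2} requester(s), {3} template(s) - {4}" -f `
        $group.Name, $group.Count, $requesters.Count, $templates.Count, $verdict)

    $group.Group |
        Sort-Object NotBefore |
        Select-Object RequestID, 'Request.RequesterName', CertificateTemplate, NotBefore, NotAfter, SerialNumber |
        Format-Table -AutoSize
}
```

Only the newest certificate in a "likely renewal" group normally needs to stay valid; the older ones can be revoked once you have confirmed nothing still uses them, which shrinks the window in which a lost or copied key pair is still trusted.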
This useful module offers a lot of cmdlets to manage your Microsoft PKI. Some examples:
Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAAccessControlEntry (Alias: Add-CAACL)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService
Add-CertificateEnrollmentService
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CACryptographyConfig
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CASecurityDescriptor (Alias: Get-CAACL)
Get-CATemplate
Get-CertificateContextProperty
Get-CertificateRequest
… and more here
The script has been successfully tested on a Microsoft PKI running on Windows Server 2012 R2 Standard edition.
