List duplicated valid certificates on a MS PKI
The following script lists the valid certificates on your Active Directory PKI that are duplicated. By "duplicated", I mean at least two valid (not yet expired) certificates issued for the same Common Name. It queries the CA database remotely, so run it from an account that has read access to the CA.
New versions of this script are available here and here.
```powershell
# Requires the PSPKI module (Get-CertificationAuthority, Get-IssuedRequest)
$allcert_arr = Get-CertificationAuthority -Name "CAname" | Get-IssuedRequest

# Count issued certificates per Common Name
$ht = @{}
$allcert_arr | % {
    $cn = $_.CommonName
    $ht["$cn"] += 1
}

# For every Common Name seen more than once, count how many of its certificates are still valid
# (the "-and $_" drops the empty key produced by requests without a Common Name)
$ht.Keys | where { $ht["$_"] -gt 1 -and $_ } | % {
    $tag = 0
    $currentdate = Get-Date
    $dupcn = $_
    # Exact comparison: -match is a regex test and would also match other CNs containing this one
    # (e.g. "server1" would match "server10")
    $dup_arr = $allcert_arr | ? { $_.CommonName -eq $dupcn }
    $dup_arr | % {
        if ($_.NotAfter -gt $currentdate) { $tag += 1 }
    }
    if ($tag -gt 1) {
        write-host "duplicate valid certs"
        $dup_arr | select CommonName,NotBefore,NotAfter,SerialNumber | ft -AutoSize
        write-host "-----------------------------------------------------------"
    }
}
```
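As an added example (not part of the original post), the same check written as a reusable function that emits objects instead of console text, so the result can be piped to Export-Csv or filtered further. It goes a little beyond the script above: the expiry filter is pushed to the CA with PSPKI's -Filter parameter, a -PerTemplate switch groups by Common Name plus template (so one user legitimately holding a valid logon certificate and a valid encryption certificate is not reported), and each row carries the request ID and requester name to help decide which copy is the unexpected one. The CA name "CAname" is a placeholder, and the column names RequestID, Request.RequesterName and CertificateTemplate are assumed to be PSPKI's default Get-IssuedRequest columns; check them with Get-Member if your PSPKI version differs.

```powershell
# Added example, not from the original post. Requires the PSPKI module.
function Get-DuplicateValidCertificate {
    [CmdletBinding()]
    param(
        # Name of the issuing CA (placeholder; replace with your own)
        [Parameter(Mandatory)] [string] $CAName,
        # Group by CN + template instead of CN alone
        [switch] $PerTemplate
    )

    # Server-side filter: only rows whose NotAfter is still in the future are fetched
    $valid = Get-CertificationAuthority -Name $CAName |
        Get-IssuedRequest -Filter "NotAfter -ge $(Get-Date)"

    $groups = if ($PerTemplate) {
        $valid | Group-Object -Property CommonName, CertificateTemplate
    } else {
        $valid | Group-Object -Property CommonName
    }

    # Keep only groups with more than one valid certificate and a non-empty key
    foreach ($g in ($groups | Where-Object { $_.Count -gt 1 -and $_.Name })) {
        $sorted = $g.Group | Sort-Object NotBefore -Descending
        $newest = $sorted[0]
        foreach ($cert in $sorted) {
            [pscustomobject]@{
                CommonName   = $cert.CommonName
                Template     = $cert.CertificateTemplate          # assumed PSPKI column name
                RequestID    = $cert.RequestID                    # assumed PSPKI column name
                Requester    = $cert.'Request.RequesterName'      # assumed PSPKI column name
                NotBefore    = $cert.NotBefore
                NotAfter     = $cert.NotAfter
                SerialNumber = $cert.SerialNumber
                # The most recently issued copy; the others are the ones to review
                IsNewest     = ($cert.RequestID -eq $newest.RequestID)
                ValidCopies  = $g.Count
            }
        }
    }
}

# Usage (CA name is a placeholder)
Get-DuplicateValidCertificate -CAName "CAname" | Format-Table -AutoSize
Get-DuplicateValidCertificate -CAName "CAname" -PerTemplate |
    Export-Csv -Path .\duplicate-valid-certs.csv -NoTypeInformation
```

Group-Object does an exact comparison of the property values, which avoids the partial-match problem of a regex test on the Common Name. IsNewest is only a hint for triage: whether the older copy is a leftover from re-enrollment or something that should not exist has to be decided from the requester, the template and the issue date.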
The PKI cmdlets used in this script are part of the PowerShell module PSPKI, which can be downloaded here.
This useful module offers a lot of cmdlets to manage your Microsoft PKI. Some examples:
Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAAccessControlEntry (Alias: Add-CAACL)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService
Add-CertificateEnrollmentService
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CACryptographyConfig
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CASecurityDescriptor (Alias: Get-CAACL)
Get-CATemplate
Get-CertificateContextProperty
Get-CertificateRequest
… and more here
The script has been successfully tested on a Microsoft PKI running on Windows Server 2012 R2 Standard edition.