List duplicated valid certificates on a MS PKI version 2
Description

I have written another version of the script provided some weeks ago. This new version looks for duplicated valid certificates based on both the CommonName and the certificate template; the first version checked only the CommonName.

All of these cmdlets are members of the PowerShell module PSPKI, which can be downloaded here.
This useful module offers a lot of cmdlets to manage your Microsoft PKI. Some examples:

Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAAccessControlEntry (Alias: Add-CAACL)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService
Add-CertificateEnrollmentService
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CACryptographyConfig
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CASecurityDescriptor (Alias: Get-CAACL)
Get-CATemplate
Get-CertificateContextProperty
Get-CertificateRequest

… and more here

The script has been successfully tested on a Microsoft PKI running on Windows Server 2012 R2 Standard edition.

The script
cls
# List the CAs reachable by the PSPKI module
$CAlist = Get-CertificationAuthority
Write-Host "The following CA have been found:"
$CAlist
Write-Host ""

# Array def
$issuedcerts_arr = @()

# List all issued certificates (valid and expired) of every CA, tagging each record with the issuing CA name
$CAlist | % {
	$CAName = $_.DisplayName
	Write-Host "Listing all issued certificates for $CAName..."
	$issuedcerts_arr += $_ | Get-IssuedRequest | select *,@{n='IssuingCAName';e={$CAName}}
}

# Check valid duplicated certificates: same CommonName and same certificate template, both still valid
$ValidCertificates_arr = @($issuedcerts_arr | ?{$_.NotAfter -gt (Get-Date)})
$ValidCertificatesCN_arr = $ValidCertificates_arr.CommonName | select -Unique

$ValidCertificatesCN_arr | % {
	$ValidCertCN = $_
	# every template under which a still-valid certificate with this CommonName was issued
	@($ValidCertificates_arr | ?{$_.CommonName -eq $ValidCertCN}).CertificateTemplate | select -Unique | % {
		$DuplValidCertTempl = $_
		$DuplValidCert = @($ValidCertificates_arr | ?{$_.CommonName -eq $ValidCertCN -and $_.CertificateTemplate -eq $DuplValidCertTempl})
		if ($DuplValidCert.Count -gt 1) {
			Write-Host "Duplicate valid certs have been found for the CommonName : $ValidCertCN"
			$DuplValidCert | % {
				Write-Host "`t RequestID: $($_.RequestID) / Cert Template: $($_.CertificateTemplate)"
			}
		}
	}
}
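The same CommonName + template check can be written with Group-Object, which replaces the nested loops and emits objects instead of Write-Host text, so the result can be sorted, exported to CSV or handed to a monitoring tool. This is an added example, not part of the original script or of the PSPKI module; it assumes PSPKI is installed and relies only on the Get-CertificationAuthority / Get-IssuedRequest properties the script above already uses (the function name Get-DuplicateValidCertificate is mine).

```powershell
# Added example (not from the original post): duplicate valid certificates
# grouped by CommonName and CertificateTemplate using Group-Object.
Import-Module PSPKI

function Get-DuplicateValidCertificate {
    param([datetime]$AsOf = (Get-Date))   # reference time for "still valid"

    # Collect issued requests of every CA, tagging each record with the issuing CA name
    $issued = Get-CertificationAuthority | ForEach-Object {
        $caName = $_.DisplayName
        $_ | Get-IssuedRequest | Select-Object *, @{n='IssuingCAName'; e={ $caName }}
    }

    # Keep only certificates valid at $AsOf, group on the (CommonName, template) pair
    # and report every pair that occurs more than once
    $issued | Where-Object { $_.NotAfter -gt $AsOf } |
        Group-Object -Property CommonName, CertificateTemplate |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                CommonName          = $_.Group[0].CommonName
                CertificateTemplate = $_.Group[0].CertificateTemplate
                Count               = $_.Count
                # more than one CA for the same pair usually deserves a closer look
                IssuingCAs          = ($_.Group.IssuingCAName | Select-Object -Unique) -join ';'
                RequestIDs          = ($_.Group.RequestID | Sort-Object) -join ';'
                EarliestExpiry      = ($_.Group.NotAfter | Measure-Object -Minimum).Minimum
            }
        }
}

Get-DuplicateValidCertificate | Sort-Object Count -Descending | Format-Table -AutoSize
# Get-DuplicateValidCertificate | Export-Csv -NoTypeInformation .\duplicate-valid-certs.csv
```

Records issued without a template (CertificateTemplate empty) still group together by CommonName, so standalone-CA duplicates are reported as well.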
