Description
One more version of the script provided some weeks ago. This is a minor update, but it can be helpful. In this version, the duplicated valid certificates are listed and one of two options is shown for each of them: keep or revoke. The decision is based on the certificate expiration date (the NotAfter property): the certificate with the most recent expiration date is shown as keep, and the others are shown as revoke.
I think I will soon add a function to the script that asks whether to keep or revoke the duplicated certificates.
All of these cmdlets are members of the PowerShell module PSPKI, which can be downloaded here.
This useful module offers a lot of cmdlets to manage your Microsoft PKI. Some examples:
- Add-AuthorityInformationAccess (Alias: Add-AIA)
- Add-CAAccessControlEntry (Alias: Add-CAACL)
- Add-CAKRACertificate
- Add-CATemplate
- Add-CertificateEnrollmentPolicyService
- Add-CertificateEnrollmentService
- Add-CertificateTemplateAcl
- Add-CRLDistributionPoint (Alias: Add-CDP)
- Add-ExtensionList
- Approve-CertificateRequest
- Connect-CertificationAuthority (Alias: Connect-CA)
- Convert-PemToPfx
- Convert-PfxToPem
- Deny-CertificateRequest
- Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
- Disable-InterfaceFlag
- Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
- Disable-PolicyModuleFlag
- Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
- Enable-InterfaceFlag
- Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
- Enable-PolicyModuleFlag
- Get-ADKRACertificate
- Get-AuthorityInformationAccess (Alias: Get-AIA)
- Get-CACryptographyConfig
- Get-CAExchangeCertificate
- Get-CAKRACertificate
- Get-CASchema
- Get-CASecurityDescriptor (Alias: Get-CAACL)
- Get-CATemplate
- Get-CertificateContextProperty
- Get-CertificateRequest
… and more here
The script has been successfully tested on a Microsoft PKI running on Windows Server 2012 R2 Standard edition.
The script
```powershell
cls

# list CA
$CAlist = Get-CertificationAuthority
Write-Host "The following CA have been found:"
$CAlist
Write-Host ""

# Array def
$issuedcerts_arr = @()
$duplicateValidCerts = @()

# list issued certificates of every CA, tagging each row with the issuing CA name
$CAlist | % {
    $CAName = $_.DisplayName
    Write-Host "Listing all issued certificates for $CAName..."
    $issuedcerts_arr += Get-CertificationAuthority -Name $CAName | Get-IssuedRequest | select *,@{n='IssuingCAName';e={$CAName}}
}

# check valid duplicated certificates
$ValidCertificates_arr = @($issuedcerts_arr | ?{$_.NotAfter -gt (Get-Date)})
$ValidCertificatesCN_arr = $ValidCertificates_arr.CommonName | select -Unique

$ValidCertificatesCN_arr | % {
    $ValidCertCN = $_
    # one pass per certificate template used by this CommonName
    @($issuedcerts_arr | ?{$_.CommonName -eq $ValidCertCN -and $_.NotAfter -gt (Get-Date)}).CertificateTemplate | select -Unique | % {
        $DuplValidCertTempl = $_
        $DuplValidCert = @($issuedcerts_arr | ?{$_.CommonName -eq $ValidCertCN -and $_.NotAfter -gt (Get-Date) -and $_.CertificateTemplate -eq $DuplValidCertTempl})
        if ($DuplValidCert.Count -gt 1) {
            Write-Host "Duplicate valid certs have been found for the CommonName : $ValidCertCN" -ForegroundColor Yellow
            # most recent expiration first: index 0 is kept, the others are flagged for revocation
            $DuplValidCert_sorted = $DuplValidCert | Sort-Object -Descending NotAfter
            for ($i = 0; $i -lt $DuplValidCert_sorted.Length; $i++) {
                $reqid = ($DuplValidCert_sorted[$i]).RequestID
                $certempl = ($DuplValidCert_sorted[$i]).CertificateTemplate
                $issuingcaname = ($DuplValidCert_sorted[$i]).IssuingCAName
                $expdate = ($DuplValidCert_sorted[$i]).NotAfter
                if ($i -eq 0) {
                    Write-Host "`t KEEP: RequestID: $reqid / Expires on: $expdate / CA: $issuingcaname / Cert Template: $certempl" -ForegroundColor Green
                } else {
                    Write-Host "`t REVOKE: RequestID: $reqid / Expires on: $expdate / CA: $issuingcaname / Cert Template: $certempl" -ForegroundColor Magenta
                }
            }
        }
    }
}
```
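The same keep/revoke logic as a reusable function, plus the interactive "ask before revoking" step the post says is planned. This is an added example, not the author's script: it runs on constructed sample rows shaped like Get-IssuedRequest output, so it can be tried without a CA, and the revocation step assumes PSPKI's Revoke-Certificate cmdlet (parameters -Request and -Reason), which the page does not show. The function name Get-DuplicateCertDecision, the host names and the CA name are made up.

```powershell
# Added example (not the author's script): keep/revoke decision as a function.
# Rows are constructed here; Revoke-Certificate (-Request, -Reason) is assumed
# to be the PSPKI cmdlet and is only reached when $DryRun is $false.

function Get-DuplicateCertDecision {
    param(
        [Parameter(Mandatory)] [object[]] $IssuedRequest,   # rows shaped like Get-IssuedRequest output
        [datetime] $Now = (Get-Date)
    )
    # Only certificates that are still valid are candidates
    $valid = $IssuedRequest | Where-Object { $_.NotAfter -gt $Now }

    # Same CommonName issued more than once from the same template = duplicate set
    $valid | Group-Object -Property CommonName, CertificateTemplate |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Latest expiration first; RequestID breaks ties when two rows expire the same day.
            # Index 0 is kept, the others are flagged for revocation.
            $sorted = @($_.Group | Sort-Object -Property NotAfter, RequestID -Descending)
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $action = if ($i -eq 0) { 'Keep' } else { 'Revoke' }
                [pscustomobject]@{
                    Action              = $action
                    RequestID           = $sorted[$i].RequestID
                    CommonName          = $sorted[$i].CommonName
                    CertificateTemplate = $sorted[$i].CertificateTemplate
                    NotAfter            = $sorted[$i].NotAfter
                    IssuingCAName       = $sorted[$i].IssuingCAName
                    Request             = $sorted[$i]   # original row, which Revoke-Certificate needs
                }
            }
        }
}

# Constructed sample rows (not real CA data)
$now = Get-Date '2016-01-15'
$sample = @(
    [pscustomobject]@{ RequestID = 101; CommonName = 'srv01.example.local'; CertificateTemplate = 'WebServer'; NotAfter = $now.AddDays(100); IssuingCAName = 'CA1' }
    [pscustomobject]@{ RequestID = 102; CommonName = 'srv01.example.local'; CertificateTemplate = 'WebServer'; NotAfter = $now.AddDays(300); IssuingCAName = 'CA1' }
    [pscustomobject]@{ RequestID = 103; CommonName = 'srv01.example.local'; CertificateTemplate = 'WebServer'; NotAfter = $now.AddDays(-5);  IssuingCAName = 'CA1' }  # expired: ignored
    [pscustomobject]@{ RequestID = 104; CommonName = 'srv01.example.local'; CertificateTemplate = 'Machine';   NotAfter = $now.AddDays(200); IssuingCAName = 'CA1' }  # other template: not a duplicate
    [pscustomobject]@{ RequestID = 105; CommonName = 'srv02.example.local'; CertificateTemplate = 'WebServer'; NotAfter = $now.AddDays(50);  IssuingCAName = 'CA1' }  # single cert: not a duplicate
)

$decisions = @(Get-DuplicateCertDecision -IssuedRequest $sample -Now $now)
$decisions | Format-Table Action, RequestID, CommonName, CertificateTemplate, NotAfter -AutoSize

# Interactive keep/revoke step. $DryRun stays $true for the sample rows; set it
# to $false only when $decisions was built from real Get-IssuedRequest rows.
$DryRun = $true
foreach ($d in ($decisions | Where-Object { $_.Action -eq 'Revoke' })) {
    $answer = Read-Host "Revoke RequestID $($d.RequestID) ($($d.CommonName), expires $($d.NotAfter))? [y/N]"
    if ($answer -ne 'y') { continue }
    if ($DryRun) {
        Write-Host "Dry run: would revoke RequestID $($d.RequestID) with reason Superseded"
    } else {
        # Superseded: a newer certificate for the same subject and template replaces this one
        Revoke-Certificate -Request $d.Request -Reason Superseded
    }
}
```

With the sample rows, only the WebServer pair for srv01 is reported (102 as Keep, 101 as Revoke); the expired row, the Machine template row and the single srv02 row are left alone, which is the same grouping rule the post's script applies. Two points worth keeping in mind when running this against a real CA: the grouping key is CommonName plus template, so two certificates that differ only in their Subject Alternative Names are still counted as duplicates, and rows already revoked are not returned by Get-IssuedRequest, so a second run does not flag them again.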