List duplicated valid certificates on a MS PKI version 3
Description

One more version of the script provided some weeks ago. This is a minor update, but it can be helpful. In this version the duplicated valid certificates are listed and one of two options is shown for each: keep or revoke. The decision is based on the certificate expiration date (property "NotAfter"): the certificate with the most recent expiration date is shown as keep, and the others are shown as revoke.
I think I will soon add a function to the script that asks whether to keep or revoke each duplicated certificate.

All of these cmdlets are members of the PowerShell module PSPKI, which can be downloaded here.
This useful module offers a lot of cmdlets to manage your Microsoft PKI. Some examples:

Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAAccessControlEntry (Alias: Add-CAACL)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService
Add-CertificateEnrollmentService
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CACryptographyConfig
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CASecurityDescriptor (Alias: Get-CAACL)
Get-CATemplate
Get-CertificateContextProperty
Get-CertificateRequest

… and more here

The script has been successfully tested on a Microsoft PKI running on Windows Server 2012 R2 Standard edition.

The script
Clear-Host
# List the certification authorities reachable from this host (PSPKI cmdlet)
$CAlist = Get-CertificationAuthority
Write-Host "The following CA have been found:"
$CAlist
Write-Host ""

# Array definitions
$issuedcerts_arr = @()
$duplicateValidCerts = @()

# Collect every issued certificate from each CA (valid and expired alike),
# tagging each row with the name of the CA that issued it
$CAlist | ForEach-Object {
	$CAName = $_.DisplayName
	Write-Host "Listing all issued certificates for $CAName..."
	$issuedcerts_arr += Get-CertificationAuthority -Name $CAName | Get-IssuedRequest | Select-Object *,@{n='IssuingCAName';e={$CAName}}
}

# Check for duplicated valid certificates: same CommonName, same template, not yet expired
$ValidCertificates_arr = @($issuedcerts_arr | Where-Object {$_.NotAfter -gt (Get-Date)})
$ValidCertificatesCN_arr = $ValidCertificates_arr.CommonName | Select-Object -Unique
$ValidCertificatesCN_arr | ForEach-Object {
	$ValidCertCN = $_
	# Duplicates are evaluated per certificate template, so two valid certificates for the
	# same CommonName issued from different templates are not reported as duplicates
	@($issuedcerts_arr | Where-Object {$_.CommonName -eq $ValidCertCN -and $_.NotAfter -gt (Get-Date)}).CertificateTemplate | Select-Object -Unique | ForEach-Object {
		$DuplValidCertTempl = $_
		$DuplValidCert = @($issuedcerts_arr | Where-Object {$_.CommonName -eq $ValidCertCN -and $_.NotAfter -gt (Get-Date) -and $_.CertificateTemplate -eq $DuplValidCertTempl})
		if ($DuplValidCert.Count -gt 1) {
			Write-Host "Duplicate valid certs have been found for the CommonName : $ValidCertCN" -ForegroundColor Yellow
			# Most recent expiration date first: index 0 is the one to keep, the rest are to revoke
			$DuplValidCert_sorted = $DuplValidCert | Sort-Object -Descending NotAfter
			for ($i=0; $i -lt $DuplValidCert_sorted.Length; $i++){
				$reqid = ($DuplValidCert_sorted[$i]).RequestID
				$certempl = ($DuplValidCert_sorted[$i]).CertificateTemplate
				$issuingcaname = ($DuplValidCert_sorted[$i]).IssuingCAName
				$expdate = ($DuplValidCert_sorted[$i]).NotAfter
				if ($i -eq 0) {
					Write-Host "`t KEEP: RequestID: $reqid / Expires on: $expdate / CA: $issuingcaname / Cert Template: $certempl" -ForegroundColor Green
				}
				else {
					Write-Host "`t REVOKE: RequestID: $reqid / Expires on: $expdate / CA: $issuingcaname / Cert Template: $certempl" -ForegroundColor Magenta
				}
			}
		}
	}
}
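The keep/revoke decision described above (most recent NotAfter wins, per CommonName and template) can be separated from the display so that the result is a list of objects rather than console text, which makes the planned "ask to keep or revoke" step a matter of piping those objects into a function that supports -Confirm and -WhatIf. The following is an added example, not the author's script: it assumes input objects carrying the same properties the script uses (RequestID, CommonName, CertificateTemplate, NotAfter, optionally IssuingCAName), ships with constructed sample data so the grouping logic can be tried without a CA, and assumes that PSPKI's Revoke-Certificate accepts an issued-request row on -Request together with a -Reason value such as Superseded.

```powershell
# Added example (not the original script). Groups valid issued certificates by
# CommonName + CertificateTemplate and emits one decision object per certificate.
function Find-DuplicateValidCertificate {
    [CmdletBinding()]
    param(
        # Issued-request rows (e.g. from Get-IssuedRequest) or any objects with the same properties
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Certificate,
        # Reference time for "still valid"; parameterised so the logic is testable
        [datetime]$Now = (Get-Date)
    )
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($c in $Certificate) { $all.Add($c) } }
    end {
        $all |
            Where-Object { $_.NotAfter -gt $Now } |
            Group-Object -Property CommonName, CertificateTemplate |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                # Most recent expiration first: index 0 is kept, the rest are candidates for revocation
                $sorted = @($_.Group | Sort-Object -Property NotAfter -Descending)
                for ($i = 0; $i -lt $sorted.Count; $i++) {
                    $action = if ($i -eq 0) { 'Keep' } else { 'Revoke' }
                    [pscustomobject]@{
                        Action              = $action
                        RequestID           = $sorted[$i].RequestID
                        CommonName          = $sorted[$i].CommonName
                        CertificateTemplate = $sorted[$i].CertificateTemplate
                        NotAfter            = $sorted[$i].NotAfter
                        IssuingCAName       = $sorted[$i].IssuingCAName   # $null if the input has no such property
                        Request             = $sorted[$i]                 # original row, needed for revocation
                    }
                }
            }
    }
}

# Applies the decisions interactively: ShouldProcess gives -Confirm prompts and -WhatIf dry runs for free.
function Invoke-DuplicateCertificateDecision {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Decision
    )
    process {
        if ($Decision.Action -ne 'Revoke') { return }
        $target = "RequestID $($Decision.RequestID) ($($Decision.CommonName), expires $($Decision.NotAfter))"
        if ($PSCmdlet.ShouldProcess($target, 'Revoke with reason Superseded')) {
            # Assumption: PSPKI's Revoke-Certificate takes the issued-request row on -Request and a -Reason;
            # 'Superseded' is the reason that fits a duplicate replaced by a longer-lived certificate.
            $Decision.Request | Revoke-Certificate -Reason Superseded
        }
    }
}

# Constructed sample data (not real CA output) so the decision logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ RequestID = 101; CommonName = 'srv01.corp.example'; CertificateTemplate = 'WebServer'; NotAfter = (Get-Date).AddDays(200); IssuingCAName = 'Corp-Issuing-CA' }
    [pscustomobject]@{ RequestID = 102; CommonName = 'srv01.corp.example'; CertificateTemplate = 'WebServer'; NotAfter = (Get-Date).AddDays(400); IssuingCAName = 'Corp-Issuing-CA' }
    [pscustomobject]@{ RequestID = 103; CommonName = 'srv01.corp.example'; CertificateTemplate = 'WebServer'; NotAfter = (Get-Date).AddDays(-10); IssuingCAName = 'Corp-Issuing-CA' }  # expired: ignored
    [pscustomobject]@{ RequestID = 104; CommonName = 'srv02.corp.example'; CertificateTemplate = 'WebServer'; NotAfter = (Get-Date).AddDays(300); IssuingCAName = 'Corp-Issuing-CA' }  # unique: ignored
)

$decisions = $sample | Find-DuplicateValidCertificate
$decisions | Format-Table Action, RequestID, CommonName, CertificateTemplate, NotAfter -AutoSize
# RequestID 102 is reported as Keep and 101 as Revoke; 103 (expired) and 104 (no duplicate) are not listed.

# Against a real CA (interactive). -WhatIf only reports what would be revoked; -Confirm prompts per certificate:
# Get-CertificationAuthority | Get-IssuedRequest | Find-DuplicateValidCertificate | Invoke-DuplicateCertificateDecision -WhatIf
```

Keeping the original Get-IssuedRequest row in the Request property matters: the original script copies rows with Select-Object *, which yields plain PSCustomObjects that a revocation cmdlet would not accept, whereas the untouched row can be piped on. Running the pipeline once with -WhatIf and reviewing the list before running it with -Confirm is the safe order, since a revoked certificate cannot be un-revoked except from the Hold reason.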
