What commands I could use to fetch the info of all internal certs that are about to expire within a CA

  • Question

  • In an ADCS environment, what commands could I use to fetch the info of all internal certs that are about to expire within a CA?

    e.g. list of all CAs, list of certificates due to expire in xx days, list of certain category certs.

    Tuesday, March 24, 2020 7:18 AM

All replies

  • Do you own the CA?  Is it a corporate CA or are you asking about certs in each user's cert store?

    Get-ChildItem cert:\ -Recurse

    This will get all certs in all stores on any machine.


    \_(ツ)_/

    Tuesday, March 24, 2020 7:30 AM
  • If you are asking about Microsoft Certificate Server then review the administration module for CA server for commands to manage the server.

    https://docs.microsoft.com/en-us/powershell/module/adcsadministration/?view=win10-ps


    \_(ツ)_/

    Tuesday, March 24, 2020 7:33 AM
  • It's a corporate Issuing CA.
    Tuesday, March 24, 2020 8:53 AM
  • Look in the Gallery for scripts that use the COM object to list issued certificates.


    \_(ツ)_/

    Tuesday, March 24, 2020 9:57 AM
  • function get-IssuedCerts { 
        [CmdletBinding()]
        Param (
            [Parameter()]
            [Int]$duedays=60,
            [Parameter()]
            [String]$CAlocation
        ) 
        # Window of interest: certificates expiring between now and now + $duedays
        $now = Get-Date
        $expirationdate = $now.AddDays($duedays)
        $CaView = New-Object -Com CertificateAuthority.View.1
        [void]$CaView.OpenConnection($CAlocation)
        $CaView.SetResultColumnCount(6)
        $index0 = $CaView.GetColumnIndex($false, "Issued Common Name")
        $index1 = $CaView.GetColumnIndex($false, "Certificate Expiration Date")
        $index2 = $CaView.GetColumnIndex($false, "Certificate Effective Date")
        $index3 = $CaView.GetColumnIndex($false, "Certificate Template")
        $index4 = $CaView.GetColumnIndex($false, "Request Disposition")
        $index5 = $CaView.GetColumnIndex($false, "Requester Name")
        $index0, $index1, $index2, $index3, $index4, $index5 | %{$CAView.SetResultColumn($_) }
    
        # CVR_SORT_NONE 0
        # CVR_SEEK_EQ  1
        # CVR_SEEK_LT  2
        # CVR_SEEK_GT  16
    
        $index1 = $CaView.GetColumnIndex($false, "Certificate Expiration Date")
        $CAView.SetRestriction($index1,16,0,$now)
        $CAView.SetRestriction($index1,2,0,$expirationdate)
    
        # brief disposition code explanation:
        # 9 - pending for approval
        # 15 - CA certificate renewal
        # 16 - CA certificate chain
        # 20 - issued certificates
        # 21 - revoked certificates
        # all other - failed requests
        $CAView.SetRestriction($index4,1,0,20)
    
        $RowObj= $CAView.OpenView() 
    
        while ($RowObj.Next() -ne -1){
            $Cert = New-Object PsObject
            $ColObj = $RowObj.EnumCertViewColumn()
            [void]$ColObj.Next()
            do {
              $Cert | Add-Member -MemberType NoteProperty $($ColObj.GetDisplayName()) -Value $($ColObj.GetValue(1)) -Force  
            } until ($ColObj.Next() -eq -1)
            # Emit one object per issued certificate so the function returns results
            $Cert
        }
    }
    
    Get-IssuedCerts -duedays 200 -CAlocation  SBS01.TESTNET.local\TESTNET-SBS01-CA


    \_(ツ)_/



    • Edited by jrv Tuesday, March 24, 2020 10:02 AM
    Tuesday, March 24, 2020 10:00 AM
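
An added example, not part of the thread: it turns rows shaped like the objects the function above builds into an expiry report with days remaining, an urgency bucket and a per-template filter, which covers the "certain category" part of the question. The function name `Get-ExpiryReport`, its parameters and the sample rows are assumptions; the property names assume the English column display names requested above.

```powershell
# Added example (not from the thread). Property names match the CA view columns
# requested by the function above; parameter names and sample rows are constructed.
function Get-ExpiryReport {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [PSObject]$Cert,
        [String]$TemplateLike = '*',   # wildcard on the template column (hypothetical parameter)
        [Int]$CriticalDays = 14,       # upper bound of the Critical bucket (hypothetical parameter)
        [DateTime]$AsOf = (Get-Date)   # injectable reference time keeps the report reproducible
    )
    process {
        $template = [String]$Cert.'Certificate Template'
        if ($template -notlike $TemplateLike) { return }   # skip other categories
        $notAfter = [DateTime]$Cert.'Certificate Expiration Date'
        $daysLeft = [Int][Math]::Floor(($notAfter - $AsOf).TotalDays)
        if     ($daysLeft -lt 0)             { $urgency = 'Expired' }
        elseif ($daysLeft -le $CriticalDays) { $urgency = 'Critical' }
        else                                 { $urgency = 'Upcoming' }
        [PSCustomObject]@{
            CommonName = $Cert.'Issued Common Name'
            Template   = $template
            Requester  = $Cert.'Requester Name'
            NotAfter   = $notAfter
            DaysLeft   = $daysLeft
            Urgency    = $urgency
        }
    }
}

# Constructed sample rows standing in for live CA output.
$asOf = [DateTime]'2020-03-24'
$sample = @(
    [PSCustomObject]@{ 'Issued Common Name' = 'web01.example.test'; 'Certificate Expiration Date' = [DateTime]'2020-04-02'; 'Certificate Template' = 'WebServer'; 'Requester Name' = 'EXAMPLE\svc-web' }
    [PSCustomObject]@{ 'Issued Common Name' = 'web02.example.test'; 'Certificate Expiration Date' = [DateTime]'2020-06-15'; 'Certificate Template' = 'WebServer'; 'Requester Name' = 'EXAMPLE\svc-web' }
    [PSCustomObject]@{ 'Issued Common Name' = 'dc01.example.test'; 'Certificate Expiration Date' = [DateTime]'2020-05-01'; 'Certificate Template' = 'DomainController'; 'Requester Name' = 'EXAMPLE\DC01$' }
    [PSCustomObject]@{ 'Issued Common Name' = 'alice'; 'Certificate Expiration Date' = [DateTime]'2020-03-20'; 'Certificate Template' = 'User'; 'Requester Name' = 'EXAMPLE\alice' }
)

# Full report, soonest expiry first.
$report = $sample | Get-ExpiryReport -AsOf $asOf | Sort-Object DaysLeft
$report | Format-Table -AutoSize
# Per-template counts show which category needs renewal work first.
$report | Group-Object Template | Select-Object Name, Count | Format-Table -AutoSize
# One category only, here the web server certificates.
$sample | Get-ExpiryReport -AsOf $asOf -TemplateLike 'Web*' | Format-Table -AutoSize
```

Against a live CA, replace `$sample` with the output of the query function; the template column may hold an OID instead of a name for some templates, so adjust `-TemplateLike` accordingly.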