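Function Get-PKICertificates {
    <#
    .SYNOPSIS
        Gets all X.509 certificates held in a certificate store on a local or remote computer.
        Source: http://gallery.technet.microsoft.com/scriptcenter/a2a500e5-1dd2-4898-9721-ed677399679c
    .DESCRIPTION
        Opens the requested X.509 certificate store (trusted root CAs, disallowed certificates, personal
        certificates, etc.) and emits the X509Certificate2 objects it contains, optionally filtered to those
        that have already expired or that expire within a given number of days.

        The CurrentUser store location can only be read on the machine this function runs on; a remote
        computer combined with -StoreLocation CurrentUser is skipped with a warning.
        The LocalMachine store location can be read on the local machine or on a remote machine. The remote
        case goes through the .NET X509Store("\\<computer>\<store>") constructor, which reaches the remote
        store via the Remote Registry service, so that service must be reachable and the caller needs
        sufficient rights on the remote host.

        The store is always closed again (also when a computer is skipped or an error is reported), so the
        function does not leave store handles open across a long list of computers.
    .PARAMETER Computer
        Name(s) of the computer(s) to query. Defaults to the local computer name ($Env:Computername) and
        accepts pipeline input. A name that differs from $Env:Computername (for example "localhost" or an
        FQDN of the local host) is treated as remote and must answer a ping.
    .PARAMETER StoreLocation
        Location of the X.509 certificate store. Acceptable values are "LocalMachine","CurrentUser".
        CurrentUser can only be accessed on the local machine; LocalMachine on the local or a remote machine.
    .PARAMETER StoreName
        Name of the X.509 certificate store to open. Acceptable values are "AddressBook","AuthRoot","CA",
        "Disallowed","My","Root","TrustedPeople","TrustedPublisher". "CertificateAuthority" (the .NET enum
        spelling) is also accepted and mapped to the physical store name "CA".
    .PARAMETER OpenFlag
        How the store is opened. Acceptable values are "ReadOnly","ReadWrite","MaxAllowed",
        "OpenExistingOnly","IncludeArchived". This function only reads, so "ReadOnly" (the default) is the
        least-privilege choice; "ReadWrite" and "MaxAllowed" request more access than is needed here.
        Only a single flag can be given, so "IncludeArchived" cannot be combined with "ReadOnly".
    .PARAMETER ListExpired
        Emit only certificates whose NotAfter date is on or before the current time.
    .PARAMETER ExpiresIn
        Emit only certificates whose NotAfter date is on or before now plus the given number of days.
        Certificates that have already expired satisfy this test as well and are therefore included.
    .NOTES
        Author  : Boe Prox
        Created : 03/23/2010
    .LINK
        http://boeprox.wordpress.com
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.openflags.aspx
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation.aspx
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename.aspx
        http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate.aspx
    .EXAMPLE
        Get-PKICertificates -Computer 'server1' -StoreLocation LocalMachine -StoreName My -OpenFlag ReadOnly

        Returns all certificates in the My (personal) store of the LocalMachine location on 'server1'.
    .EXAMPLE
        Get-PKICertificates -Computer 'server1' -StoreLocation LocalMachine -StoreName My -OpenFlag ReadOnly -ListExpired

        Returns the certificates in the My (personal) store of the LocalMachine location on 'server1' that have expired.
    .EXAMPLE
        Get-PKICertificates -Computer 'server1' -StoreLocation LocalMachine -StoreName My -OpenFlag ReadOnly -ExpiresIn 14

        Returns the certificates in the My (personal) store of the LocalMachine location on 'server1' that expire within 14 days.
    #>
    [cmdletbinding(
        DefaultParameterSetName = 'PKI'
    )]
    param(
        [Parameter(
            Mandatory = $False,
            ParameterSetName = '',
            HelpMessage = "Computer to query certificates.",
            ValueFromPipeline = $True)]
        [string[]]$Computer = $Env:Computername,

        [Parameter(
            ParameterSetName = '',
            HelpMessage = "Acceptable values are 'LocalMachine','CurrentUser'. CurrentUser can only be accessed on the local machine. LocalMachine can be accessed on the local or a remote machine.",
            ValueFromPipeline = $False)]
        [string][ValidateSet("LocalMachine","CurrentUser")]
        $StoreLocation = "LocalMachine",

        [Parameter(
            ParameterSetName = '',
            HelpMessage = "Acceptable values are 'AddressBook','AuthRoot','CA' (or 'CertificateAuthority'),'Disallowed','My','Root','TrustedPeople','TrustedPublisher'",
            ValueFromPipeline = $False)]
        [string][ValidateSet("AddressBook","AuthRoot","CA","CertificateAuthority","Disallowed","My","Root","TrustedPeople","TrustedPublisher")]
        $StoreName = "My",

        [Parameter(
            Mandatory = $False,
            ParameterSetName = '',
            HelpMessage = "Acceptable values are 'ReadOnly','ReadWrite','MaxAllowed','OpenExistingOnly','IncludeArchived'",
            ValueFromPipeline = $False)]
        [string][ValidateSet("ReadOnly","ReadWrite","MaxAllowed","OpenExistingOnly","IncludeArchived")]
        $OpenFlag = "ReadOnly",

        [Parameter(
            Mandatory = $False,
            ParameterSetName = 'Expired',
            HelpMessage = "Show expired certificates",
            ValueFromPipeline = $False)]
        [switch]$ListExpired,

        [Parameter(
            Mandatory = $False,
            ParameterSetName = 'Expiring',
            HelpMessage = "Enter a number to list certificates expiring in given number of days",
            ValueFromPipeline = $False)]
        [Int32]$ExpiresIn
    )
    Begin {
        # Build the .NET enum values once; the ValidateSet attributes guarantee these casts succeed.
        Write-Verbose "Setting the OpenFlag variable"
        $ro = [System.Security.Cryptography.X509Certificates.OpenFlags]$OpenFlag
        Write-Verbose "Setting the Store Location variable"
        $cu = [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation

        # The physical system store behind StoreName.CertificateAuthority is named "CA";
        # accept the enum spelling as a convenience and normalise it here.
        If ($StoreName -eq "CertificateAuthority") {
            $StoreName = "CA"
        }

        # Resolve the expiry threshold once, instead of calling Get-Date for every certificate
        # inside the filter scriptblock. $null means "no filter" (the default 'PKI' parameter set).
        $deadline = $null
        Switch ($Pscmdlet.ParameterSetName) {
            "Expired"  { $deadline = Get-Date }
            "Expiring" { $deadline = (Get-Date).AddDays($ExpiresIn) }
        }
    }
    Process {
        ForEach ($c in $Computer) {
            # Reset per computer so Finally only closes a store that this iteration actually created.
            $ce = $null
            Try {
                Write-Verbose "Checking to see if computer is local or remote."
                If ($Env:Computername -ne $c) {
                    Write-Verbose "Computer is remote, verifying network connection"
                    If (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
                        # Reported as a warning rather than silently skipped: an unreachable host
                        # in an inventory run would otherwise look like "no certificates".
                        Write-Warning "$($c): Unable to locate computer"
                        Continue
                    }
                    If ($StoreLocation -eq "CurrentUser") {
                        Write-Warning "$($c): Unable to access a remote computer's CurrentUser store.`nYou can only do this with the LocalMachine store location."
                        Continue
                    }
                }

                Switch ($StoreLocation) {
                    "LocalMachine" {
                        # "\\computer\store" addresses the LocalMachine store of either the local or a remote host.
                        Write-Verbose "Attempting to make connection to certificate store"
                        $ce = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$c\$StoreName", $cu)
                    }
                    "CurrentUser" {
                        # Only reachable for the local computer (remote CurrentUser was rejected above).
                        Write-Verbose "Attempting to make connection to certificate store"
                        $ce = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $cu)
                    }
                }

                Write-Verbose "Opening certificate store using defined OpenFlags"
                $ce.Open($ro)

                Write-Verbose "Determining what certificates to display"
                If ($deadline -eq $null) {
                    Write-Verbose "Listing all certificates in store"
                    $ce.Certificates
                }
                Else {
                    Write-Verbose "Listing certificates whose NotAfter is on or before $deadline"
                    $ce.Certificates | Where-Object { $_.NotAfter -le $deadline }
                }
            }
            Catch {
                # Connection/open failures are reported on the warning stream (visible and suppressible),
                # using the error record for this Catch rather than the global $error[0].
                Write-Warning "$($c): $($_)"
            }
            Finally {
                # Release the store handle on every exit path (normal, Continue, or exception).
                If ($ce -ne $null) {
                    $ce.Close()
                }
            }
        }
    }
}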