Peter Kloep


Auflisten der RootCA-Zertifikate im AD und Auslesen der Gültigkeiten

  • Hauptkategorie: ROOT
  • Kategorie: Bücher
  • Zuletzt aktualisiert: Samstag, 03. März 2018 10:56
  • Veröffentlicht: Sonntag, 21. Januar 2018 10:46
  • Geschrieben von Peter Kloep
  • Zugriffe: 94684

Dieses Skript liest und dekodiert die Zertifizierungsstellen-Zertifikate, die im Konfigurationscontainer des Active Directory unter CN=Public Key Services,CN=Services gespeichert sind (Container „Certification Authorities“ für Stammzertifizierungsstellen, „AIA“ für untergeordnete Zertifizierungsstellen und „NTAuthCertificates“), und gibt für jedes Zertifikat Beginn und Ende der Gültigkeit aus; bereits abgelaufene Zertifikate werden rot hervorgehoben.

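<#
.SYNOPSIS
   Lists every CA certificate published in the Active Directory configuration partition
   (Certification Authorities, AIA and NTAuthCertificates) together with its validity period.
.DESCRIPTION
   The script reads the cACertificate attribute of the certificationAuthority objects below
   CN=Public Key Services,CN=Services,<configuration naming context> and decodes each value with
   the .NET X509Certificate2 class. NotBefore/NotAfter are printed per certificate; an already
   expired NotAfter is printed on a red background.
   No temporary files are written and no external tool (certutil.exe) is started, so the result
   does not depend on the operating-system UI language and no command line is built from
   directory data.
   Reading the configuration partition only needs an authenticated domain account; no CA or
   domain-admin rights are required.
.NOTES
   Requires the ActiveDirectory PowerShell module (RSAT-AD-PowerShell).
   Written for Windows PowerShell 4.0 and later (Windows Server 2012 R2 / 2016): New-Object is
   used instead of ::new() on purpose.
.EXAMPLE
   .\CheckAD-RootCerts.ps1
   Prints the validity period of every published CA certificate.
#>


#Requires -Modules ActiveDirectory

function ConvertTo-X509Certificate2 {
    <#
    .SYNOPSIS
       Decodes one raw cACertificate attribute value (DER-encoded bytes) into an X509Certificate2.
    .PARAMETER RawData
       The byte array as returned in the cACertificate attribute.
    .OUTPUTS
       System.Security.Cryptography.X509Certificates.X509Certificate2; throws on malformed input.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [byte[]]$RawData
    )
    # The unary comma wraps the array so it is passed as ONE byte[] argument instead of being
    # splatted into one argument per byte.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$RawData)
}

function Write-CertificateValidity {
    <#
    .SYNOPSIS
       Prints a label and the NotBefore/NotAfter dates of one certificate.
    .PARAMETER Label
       Text shown after "Checking Certificate:".
    .PARAMETER Certificate
       The decoded certificate whose validity period is printed.
    .NOTES
       NotAfter is printed on a red background when it lies in the past (certificate expired).
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Label,
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    Write-Host "Checking Certificate: $Label"
    Write-Host "Valid from:" $Certificate.NotBefore
    Write-Host "Valid to: " -NoNewline
    if ($Certificate.NotAfter -lt (Get-Date)) {
        # Already expired: highlight so it stands out in the list.
        Write-Host $Certificate.NotAfter -BackgroundColor Red
    } else {
        Write-Host $Certificate.NotAfter
    }
    Write-Host
}

function Get-PublishedCACertificate {
    <#
    .SYNOPSIS
       Returns every certificate stored in the cACertificate attribute of the
       certificationAuthority objects below CN=<Container>,<PkiServicesDN>.
    .PARAMETER Container
       Name of the container below Public Key Services, e.g. 'Certification Authorities',
       'AIA' or 'NTAuthCertificates'.
    .PARAMETER PkiServicesDN
       Distinguished name of CN=Public Key Services,CN=Services,<configuration NC>.
    .OUTPUTS
       One PSCustomObject per attribute value with ObjectName, Index (position of the value in
       the multi-valued attribute) and Certificate (X509Certificate2).
    .NOTES
       A value that cannot be decoded is reported with Write-Warning and skipped; the remaining
       values are still returned. Every value is returned, not only the first one, because a
       renewed CA can store more than one certificate in the same object.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Container,
        [Parameter(Mandatory = $true)]
        [string]$PkiServicesDN
    )
    $searchBase = "CN=$Container,$PkiServicesDN"
    # Filter on objectClass server-side and request only the attribute that is needed.
    $objects = @(Get-ADObject -LDAPFilter '(objectClass=certificationAuthority)' `
                              -SearchBase $searchBase `
                              -Properties cACertificate `
                              -ErrorAction Stop)
    foreach ($obj in $objects) {
        $values = @()
        if ($null -ne $obj.cACertificate) {
            # cACertificate is multi-valued; each element is one byte[] (DER certificate).
            $values = @($obj.cACertificate)
        }
        if ($values.Count -eq 0) {
            Write-Warning "$($obj.DistinguishedName) has no cACertificate value"
            continue
        }
        for ($index = 0; $index -lt $values.Count; $index++) {
            try {
                $cert = ConvertTo-X509Certificate2 -RawData ([byte[]]$values[$index])
            } catch {
                Write-Warning "Could not decode cACertificate[$index] of $($obj.DistinguishedName): $($_.Exception.Message)"
                continue
            }
            [pscustomobject]@{
                ObjectName  = $obj.Name
                Index       = $index
                Certificate = $cert
            }
        }
    }
}

# The configuration naming context is forest-wide, so rootDSE of any DC gives the right base.
$pkiServicesDN = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

### Root CAs
Write-Host "RootCAs - Certification Authorities" -BackgroundColor Green
foreach ($entry in Get-PublishedCACertificate -Container 'Certification Authorities' -PkiServicesDN $pkiServicesDN) {
    $label = $entry.ObjectName
    if ($entry.Index -gt 0) { $label = "$($entry.ObjectName) [value $($entry.Index + 1)]" }
    Write-CertificateValidity -Label $label -Certificate $entry.Certificate
}

### Sub CAs
Write-Host "Subordinate CAs - Authority Information Access" -BackgroundColor Green
foreach ($entry in Get-PublishedCACertificate -Container 'AIA' -PkiServicesDN $pkiServicesDN) {
    $label = $entry.ObjectName
    if ($entry.Index -gt 0) { $label = "$($entry.ObjectName) [value $($entry.Index + 1)]" }
    Write-CertificateValidity -Label $label -Certificate $entry.Certificate
}

### NTAuthCertificates
# NTAuthCertificates is a single object whose multi-valued cACertificate holds every CA whose
# certificates are accepted for domain authentication, so each value is labelled by its subject
# (the object name would be the same for all of them). Unexpected or long-expired entries here
# deserve a closer look.
Write-Host "CAs - NTAuthCAs" -BackgroundColor Green
foreach ($entry in Get-PublishedCACertificate -Container 'NTAuthCertificates' -PkiServicesDN $pkiServicesDN) {
    $subject = $entry.Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    Write-CertificateValidity -Label $subject -Certificate $entry.Certificate
}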