Auflisten der RootCA-Zertifikate im AD und Auslesen der Gültigkeiten
- Zuletzt aktualisiert: Samstag, 03. März 2018 10:56
- Veröffentlicht: Sonntag, 21. Januar 2018 10:46
- Geschrieben von Peter Kloep
Dieses Skript liest und dekodiert die Stammzertifizierungsstellen-Zertifikate, die im Konfigurationscontainer des Active Directory gespeichert sind (Konfigurationscontainer\Services\Public Key Services\Certification Authorities).
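<#
.SYNOPSIS
Reads all CA certificates published in the AD configuration partition and lists subject, start and end date of each certificate.
.DESCRIPTION
The script uses the ActiveDirectory PowerShell module to read the cACertificate attribute of the
"Certification Authorities" (root CAs), "AIA" (subordinate CAs) and "NTAuthCertificates" containers
below CN=Public Key Services in the forest's configuration partition.
Every DER-encoded value is decoded in-process with System.Security.Cryptography.X509Certificates.X509Certificate2.
This removes the need for temporary files under c:\temp, for certutil.exe, for Invoke-Expression on
strings built from AD object names, and for locale-dependent parsing of certutil output (de-DE / en-US only).
Expired certificates are highlighted in red. Only the validity window is shown; the script does not
validate chains or revocation status.
.PREREQUISITES
PowerShell AD-Module needed; the account needs read access to the configuration partition.
.EXAMPLE
.\CheckAD-RootCerts.ps1
This example reads all certificates and displays their validity period.
#>

#######################################
# Returns every certificationAuthority object found at or below a container
# of CN=Public Key Services. Errors (e.g. missing container, no access) are
# reported as a warning and yield no objects so the remaining containers are
# still processed.
# Arguments: $ContainerDN - distinguished name of the container to search
# Outputs:   ADObject(s) with the cACertificate property populated
#######################################
function Get-PkiContainerCA {
    param(
        [Parameter(Mandatory)][string]$ContainerDN
    )
    try {
        # Server-side LDAP filter replaces "-filter *" plus a client-side Where-Object on ObjectClass.
        # The default (subtree) scope is kept on purpose: for NTAuthCertificates the container
        # itself is the certificationAuthority object and would be skipped with -SearchScope OneLevel.
        Get-ADObject -LDAPFilter '(objectClass=certificationAuthority)' -SearchBase $ContainerDN -Properties cACertificate -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not read '$ContainerDN': $($_.Exception.Message)"
    }
}

#######################################
# Decodes one DER-encoded certificate blob and prints its subject, thumbprint
# and validity period. An expired certificate is highlighted in red.
# Arguments: $Label   - text shown in the "Checking Certificate:" line
#            $RawData - byte[] content of one cACertificate value
# Outputs:   host output only
#######################################
function Show-CertValidity {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][byte[]]$RawData
    )
    Write-Host "Checking Certificate: $Label"
    try {
        # (,$RawData) keeps the byte[] as ONE constructor argument instead of unrolling it.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$RawData)
    }
    catch {
        # A value that is not a parseable certificate is reported, not fatal: the attribute may hold stale data.
        Write-Warning "Could not decode certificate '$Label': $($_.Exception.Message)"
        Write-Host
        return
    }
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    # NotBefore/NotAfter are reported in local time by X509Certificate2, as the previous certutil-based output was.
    Write-Host "Valid from: $($cert.NotBefore)"
    Write-Host "Valid to:   " -NoNewline
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Host $cert.NotAfter -BackgroundColor Red
    }
    else {
        Write-Host $cert.NotAfter
    }
    Write-Host
}

#######################################
# Prints a section header and the validity of every certificate value of
# every CA object found in one PKI container.
# Arguments: $Title       - section header
#            $ContainerDN - distinguished name of the container to search
# Outputs:   host output only
#######################################
function Show-PkiContainer {
    param(
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][string]$ContainerDN
    )
    Write-Host $Title -BackgroundColor Green
    [array]$caObjects = Get-PkiContainerCA -ContainerDN $ContainerDN
    if ($caObjects.Count -eq 0) {
        Write-Host "No certificationAuthority objects found below $ContainerDN"
        Write-Host
        return
    }
    foreach ($ca in $caObjects) {
        # A CA object may carry several values (e.g. after a CA certificate renewal); show every one.
        foreach ($blob in $ca.cACertificate) {
            Show-CertValidity -Label $ca.Name -RawData $blob
        }
    }
}

Import-Module ActiveDirectory -ErrorAction Stop

# The PKI containers live in the forest-wide configuration partition, so anchor on the forest root domain.
$DomainDN = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
$PkiServicesDN = "CN=Public Key Services,CN=Services,CN=Configuration,$DomainDN"

Show-PkiContainer -Title "RootCAs - Certification Authorities" -ContainerDN "CN=Certification Authorities,$PkiServicesDN"
Show-PkiContainer -Title "Subordinate CAs - Authority Information Access" -ContainerDN "CN=AIA,$PkiServicesDN"
Show-PkiContainer -Title "CAs - NTAuthCAs" -ContainerDN "CN=NTAuthCertificates,$PkiServicesDN"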