Vérification des certificats arrivant à expiration
Une mauvaise surprise est un jour arrivé, un certificat de la PKI venait d’expirer, paralysant pas mal de choses.
Voici une fonction permettant de lister les certificats arrivant à expiration dans X jours.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 | function get-ExpiringCerts ([String]$duedays,[String]$CAlocation,[String]$server) { $resultpath="$pwd\results\pkicheckresult-$server.csv" If(Test-Path $resultpath){ remove-item $resultpath -force -confirm:$false } add-content -path $resultpath -value "`"Server`";`"ID`";`"Issued Common Name`";`"Certificate Template`";`"Expiration Date`";`"Effective Date`"" $certs = @() $now = get-Date; $expirationdate = $now.AddDays($duedays) $CaView = New-Object -Com CertificateAuthority.View.1 [void]$CaView.OpenConnection($CAlocation) $CaView.SetResultColumnCount(6) $index0 = $CaView.GetColumnIndex($false, "Request ID") #$index1 = $CaView.GetColumnIndex($false, "Certificate Expiration Date") $index1 = $CaView.GetColumnIndex($false, "Certificate Template") $index2 = $CaView.GetColumnIndex($false, "Certificate Expiration Date") #$index2 = $CaView.GetColumnIndex($false, "Issued Email Address") #$index3 = $CaView.GetColumnIndex($false, "Certificate Template") $index3 = $CaView.GetColumnIndex($false, "Certificate Effective Date") $index4 = $CaView.GetColumnIndex($false, "Issued Common Name") $index5 = $CaView.GetColumnIndex($false, "Request Disposition") $index0, $index1, $index2, $index3, $index4, $index5 | %{$CAView.SetResultColumn($_) } # CVR_SORT_NONE 0 # CVR_SEEK_EQ 1 # CVR_SEEK_LT 2 # CVR_SEEK_GT 16 $index2 = $CaView.GetColumnIndex($false, "Certificate Expiration Date") $CAView.SetRestriction($index2,16,0,$now) $CAView.SetRestriction($index2,2,0,$expirationdate) # brief disposition code explanation: # 9 - pending for approval # 15 - CA certificate renewal # 16 - CA certificate chain # 20 - issued certificates # 21 - revoked certificates # all other - failed requests $CAView.SetRestriction($index5,1,0,20) $RowObj= $CAView.OpenView() while ($Rowobj.Next() -ne -1){ $Cert = New-Object PsObject $ColObj = $RowObj.EnumCertViewColumn() [void]$ColObj.Next() do { $current = $ColObj.GetName() $Cert | Add-Member -MemberType NoteProperty $($ColObj.GetDisplayName()) -Value $($ColObj.GetValue(1)) -Force } until ($ColObj.Next() -eq -1) Clear-Variable ColObj $datediff = New-TimeSpan -Start ($now) -End ($cert."Certificate Expiration Date") If($cert."Certificate Template" -like "WebServer"){ $result=$null $result="`"$server`"" $result+=";" $result+="`"$($cert."Request ID")`"" $result+=";" $result+="`"$($cert."Issued Common Name")`"" $result+=";" $result+="`"$($cert."Certificate Template")`"" $result+=";" $result+="`"$($cert."Certificate Expiration Date")`"" $result+=";" $result+="`"$($cert."Certificate Effective Date")`"" add-content -path $resultpath -value $result } } $RowObj.Reset() $CaView = $null [GC]::Collect() } |
L’appel de la fonction se fait comme dans l’exemple ci-après :
1 | get-ExpiringCerts -duedays 60 -CAlocation "PKI2\LOCATION" -server "PKIServer" |
Un peu de scripting en plus, une petite tâche plannifiée, et nous voilà avec un système de surveillance des certificats arrivant à expiration.