
Checking for certificates about to expire
One day we got a nasty surprise: a certificate from the PKI had just expired, paralysing quite a few things.
Here is a function that lists the certificates due to expire within X days (as written, it keeps only certificates issued from the WebServer template).
function Get-ExpiringCerts ([int]$duedays, [String]$CAlocation, [String]$server) {
    # One CSV per CA server, recreated on every run; the results folder is created if missing
    $resultdir  = "$pwd\results"
    $resultpath = "$resultdir\pkicheckresult-$server.csv"
    If (-not (Test-Path $resultdir)) { New-Item -ItemType Directory -Path $resultdir | Out-Null }
    If (Test-Path $resultpath) { Remove-Item $resultpath -Force -Confirm:$false }
    Add-Content -Path $resultpath -Value "`"Server`";`"ID`";`"Issued Common Name`";`"Certificate Template`";`"Expiration Date`";`"Effective Date`""

    $now = Get-Date
    $expirationdate = $now.AddDays($duedays)

    # ICertView COM interface onto the CA database; $CAlocation is the "Server\CA name" config string
    $CaView = New-Object -ComObject CertificateAuthority.View.1
    [void]$CaView.OpenConnection($CAlocation)

    # Columns returned by the view, in this order
    $CaView.SetResultColumnCount(6)
    $index0 = $CaView.GetColumnIndex($false, "Request ID")
    $index1 = $CaView.GetColumnIndex($false, "Certificate Template")
    $index2 = $CaView.GetColumnIndex($false, "Certificate Expiration Date")
    $index3 = $CaView.GetColumnIndex($false, "Certificate Effective Date")
    $index4 = $CaView.GetColumnIndex($false, "Issued Common Name")
    $index5 = $CaView.GetColumnIndex($false, "Request Disposition")
    $index0, $index1, $index2, $index3, $index4, $index5 | ForEach-Object { $CaView.SetResultColumn($_) }

    # Seek operators for SetRestriction:
    # CVR_SORT_NONE 0, CVR_SEEK_EQ 1, CVR_SEEK_LT 2, CVR_SEEK_GT 16
    # Keep only certificates expiring after now and before now + $duedays
    $CaView.SetRestriction($index2, 16, 0, $now)
    $CaView.SetRestriction($index2, 2, 0, $expirationdate)

    # Request Disposition codes:
    # 9  - pending for approval
    # 15 - CA certificate renewal
    # 16 - CA certificate chain
    # 20 - issued certificates
    # 21 - revoked certificates
    # all others - failed requests
    $CaView.SetRestriction($index5, 1, 0, 20)

    $RowObj = $CaView.OpenView()
    while ($RowObj.Next() -ne -1) {
        # Build one object per row, one property per column (named after the column's display name)
        $Cert = New-Object PSObject
        $ColObj = $RowObj.EnumCertViewColumn()
        [void]$ColObj.Next()
        do {
            $Cert | Add-Member -MemberType NoteProperty -Name $ColObj.GetDisplayName() -Value $ColObj.GetValue(1) -Force
        } until ($ColObj.Next() -eq -1)
        Clear-Variable ColObj

        # Only certificates issued from the WebServer template are reported
        If ($Cert."Certificate Template" -like "WebServer") {
            # Dates are written in ISO format so they round-trip whatever the account's culture
            $result  = "`"$server`""
            $result += ";`"$($Cert."Request ID")`""
            $result += ";`"$($Cert."Issued Common Name")`""
            $result += ";`"$($Cert."Certificate Template")`""
            $result += ";`"$($Cert."Certificate Expiration Date".ToString("yyyy-MM-dd HH:mm:ss"))`""
            $result += ";`"$($Cert."Certificate Effective Date".ToString("yyyy-MM-dd HH:mm:ss"))`""
            Add-Content -Path $resultpath -Value $result
        }
    }
    $RowObj.Reset()
    $CaView = $null
    [GC]::Collect()
}
The function is called as in the following example:
get-ExpiringCerts -duedays 60 -CAlocation "PKI2\LOCATION" -server "PKIServer"
A bit more scripting, a small scheduled task, and we have a monitoring system for certificates about to expire.
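The "bit more scripting" and the scheduled task, as an added example that is not part of the original post: a wrapper that runs the function above, reads back its CSV, and e-mails the list when anything is due, plus the one-time registration of the daily task. The file names, the CA config string, the service account, the mail addresses and the SMTP relay are all assumptions to replace with your own.

```powershell
# Added example, not from the original post. Assumptions: the function from the
# post is saved as Get-ExpiringCerts.ps1 next to this script, and every name,
# address and path below is a placeholder.

# ---- Check-PkiExpiry.ps1 (hypothetical file name) ----
param(
    [int]$DueDays = 60,
    [string]$CALocation = "PKI2\LOCATION",      # "Server\CA name", as in the post
    [string]$Server = "PKIServer",
    [string]$MailTo = "pki-team@example.invalid",
    [string]$MailFrom = "pki-monitor@example.invalid",
    [string]$SmtpServer = "smtp.example.invalid"
)

# Load the function from the post (dot-sourcing keeps it in this scope)
. "$PSScriptRoot\Get-ExpiringCerts.ps1"

# The function writes to $pwd\results, so run from a fixed location
Set-Location $PSScriptRoot
if (-not (Test-Path "$PSScriptRoot\results")) {
    New-Item -ItemType Directory -Path "$PSScriptRoot\results" | Out-Null
}

Get-ExpiringCerts -duedays $DueDays -CAlocation $CALocation -server $Server

# Read back the semicolon-separated CSV produced by the function
$csvPath = "$PSScriptRoot\results\pkicheckresult-$Server.csv"
$rows = @(Import-Csv -Path $csvPath -Delimiter ';')

if ($rows.Count -eq 0) {
    Write-Output "No certificate on $Server expires within $DueDays days."
    exit 0
}

# Parse the dates with the culture of the account running the task: that same
# account wrote them, and an ISO date parses under any culture anyway
$culture = [System.Globalization.CultureInfo]::CurrentCulture
$now = Get-Date
$lines = $rows |
    ForEach-Object {
        $exp = [datetime]::Parse($_.'Expiration Date', $culture)
        [pscustomobject]@{
            CommonName = $_.'Issued Common Name'
            Template   = $_.'Certificate Template'
            Expires    = $exp
            DaysLeft   = [int][math]::Floor(($exp - $now).TotalDays)
        }
    } |
    Sort-Object DaysLeft |    # most urgent first
    ForEach-Object { "{0,3} days  {1:yyyy-MM-dd}  {2,-12} {3}" -f $_.DaysLeft, $_.Expires, $_.Template, $_.CommonName }

$body = "Certificates on $Server expiring within $DueDays days:`r`n`r`n" + ($lines -join "`r`n")

Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
    -Subject "[PKI] $($rows.Count) certificate(s) on $Server expire within $DueDays days" `
    -Body $body

# Non-zero exit code so the task's "Last Run Result" also reflects the alert
exit 1

# ---- One-time registration of the daily task (run elevated, once) ----
# The account needs the "Read" permission on the CA; its password is prompted
# for at registration time rather than stored in a script.
# $cred    = Get-Credential -UserName 'DOMAIN\svc-pkimon' -Message 'Task account'
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#     -Argument '-NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\Check-PkiExpiry.ps1" -DueDays 60'
# $trigger = New-ScheduledTaskTrigger -Daily -At "07:00"
# Register-ScheduledTask -TaskName 'PKI-ExpiringCertCheck' -Action $action -Trigger $trigger `
#     -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited
```

Two things to check when putting this in place: the task account only needs the "Read" right on the CA (set in the CA's Security tab), nothing more, and the CSV is rewritten on every run, so a certificate that was renewed simply disappears from the next day's mail.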