Checking for certificates about to expire

One day we had a nasty surprise: a PKI certificate had just expired, bringing quite a few things to a standstill.

Here is a function that lists the certificates due to expire within X days.

function get-ExpiringCerts ([int]$duedays, [String]$CAlocation, [String]$server) {
  # One CSV per CA server, recreated on every run (the results folder is created if missing)
  $resultpath = "$pwd\results\pkicheckresult-$server.csv"
  If (-not (Test-Path "$pwd\results")) {
    New-Item -ItemType Directory -Path "$pwd\results" -Force | Out-Null
  }
  If (Test-Path $resultpath) {
    Remove-Item $resultpath -Force -Confirm:$false
  }
  Add-Content -Path $resultpath -Value "`"Server`";`"ID`";`"Issued Common Name`";`"Certificate Template`";`"Expiration Date`";`"Effective Date`""

  $now = Get-Date
  $expirationdate = $now.AddDays($duedays)

  # Open the CA database through the ICertView COM interface
  $CaView = New-Object -ComObject CertificateAuthority.View.1
  [void]$CaView.OpenConnection($CAlocation)

  # Columns returned for each row of the view
  $CaView.SetResultColumnCount(6)
  $index0 = $CaView.GetColumnIndex($false, "Request ID")
  $index1 = $CaView.GetColumnIndex($false, "Certificate Template")
  $index2 = $CaView.GetColumnIndex($false, "Certificate Expiration Date")
  $index3 = $CaView.GetColumnIndex($false, "Certificate Effective Date")
  $index4 = $CaView.GetColumnIndex($false, "Issued Common Name")
  $index5 = $CaView.GetColumnIndex($false, "Request Disposition")
  $index0, $index1, $index2, $index3, $index4, $index5 | ForEach-Object { $CaView.SetResultColumn($_) }

  # Seek operators accepted by SetRestriction:
  # CVR_SORT_NONE 0
  # CVR_SEEK_EQ   1
  # CVR_SEEK_LT   2
  # CVR_SEEK_GT   16
  # Keep only certificates expiring after now and before now + $duedays
  $CaView.SetRestriction($index2, 16, 0, $now)
  $CaView.SetRestriction($index2, 2, 0, $expirationdate)

  # brief disposition code explanation:
  # 9 - pending for approval
  # 15 - CA certificate renewal
  # 16 - CA certificate chain
  # 20 - issued certificates
  # 21 - revoked certificates
  # all other - failed requests
  $CaView.SetRestriction($index5, 1, 0, 20)

  $RowObj = $CaView.OpenView()

  while ($RowObj.Next() -ne -1) {
    # Turn the current row into an object with one property per column
    $Cert = New-Object PsObject
    $ColObj = $RowObj.EnumCertViewColumn()
    [void]$ColObj.Next()
    do {
      $Cert | Add-Member -MemberType NoteProperty $($ColObj.GetDisplayName()) -Value $($ColObj.GetValue(1)) -Force
    } until ($ColObj.Next() -eq -1)
    Clear-Variable ColObj

    # Only web server certificates are reported here; widen the filter as needed.
    # Note: version 1 templates such as WebServer are stored by name, newer templates by OID.
    If ($Cert."Certificate Template" -like "WebServer") {
      $result = "`"$server`""
      $result += ";`"$($Cert."Request ID")`""
      $result += ";`"$($Cert."Issued Common Name")`""
      $result += ";`"$($Cert."Certificate Template")`""
      $result += ";`"$($Cert."Certificate Expiration Date")`""
      $result += ";`"$($Cert."Certificate Effective Date")`""
      Add-Content -Path $resultpath -Value $result
    }
  }
  $RowObj.Reset()
  $CaView = $null
  [GC]::Collect()
}

The function is called as in the following example:

get-ExpiringCerts -duedays 60 -CAlocation "PKI2\LOCATION"  -server "PKIServer"

Add a little more scripting and a small scheduled task, and we have a monitoring system for certificates about to expire.
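As an added example (not part of the original post), here is the "little more scripting" side: a script that reads the CSV written by get-ExpiringCerts, flags the certificates closest to expiry, records them in the Application event log, and registers the daily check as a scheduled task. The event source name, the warning threshold and the script path C:\Scripts\Check-PkiExpiry.ps1 are assumptions.

```powershell
# Added example, not from the original post: consumes the CSV produced by
# get-ExpiringCerts and raises alerts. Event source, threshold and script path
# are assumptions to adapt to your environment.
param(
    [int]$WarnDays = 30,           # rows with fewer days left than this are flagged
    [string]$Server = "PKIServer"  # same label passed to get-ExpiringCerts
)

$csv = Join-Path $pwd "results\pkicheckresult-$Server.csv"
if (-not (Test-Path $csv)) { throw "No result file at $csv; run get-ExpiringCerts first." }

# The collector writes ';' separated, quoted fields
$rows = Import-Csv -Path $csv -Delimiter ';'

$now = Get-Date
$report = foreach ($r in $rows) {
    # Get-Date parses with the current culture, matching how the date was written
    # ([datetime] cast would use the invariant culture and break on dd/MM dates)
    $exp  = Get-Date -Date $r."Expiration Date"
    $left = (New-TimeSpan -Start $now -End $exp).Days
    [pscustomobject]@{
        Server     = $r.Server
        RequestID  = $r.ID
        CommonName = $r."Issued Common Name"
        Template   = $r."Certificate Template"
        Expires    = $exp.ToString("yyyy-MM-dd")
        DaysLeft   = $left
        Urgent     = ($left -le $WarnDays)
    }
}

# Most urgent first, so the top of the table is what needs action
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Log urgent certificates so monitoring or a SIEM can pick them up.
# The source must exist once: New-EventLog -LogName Application -Source "PKIExpiryCheck"
foreach ($c in $report | Where-Object Urgent) {
    Write-EventLog -LogName Application -Source "PKIExpiryCheck" -EventId 1001 -EntryType Warning `
        -Message "Certificate $($c.CommonName) (request $($c.RequestID), template $($c.Template)) expires in $($c.DaysLeft) days on $($c.Expires)."
}

# One-off registration of the daily check (run once with administrative rights);
# the collector script path is an assumption
$action  = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-PkiExpiry.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 7am
Register-ScheduledTask -TaskName "PKI expiring certificates check" -Action $action -Trigger $trigger -RunLevel Highest -Force
```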
