Powershell and certificate

matteu31 502 Reputation points
2020-12-10T16:13:48.127+00:00

Hello,

I would like to find out how I can get information about the certificate store in AD.
I can find the CA certificate here:

[screenshot: 46840-2020-12-10-17h11-39.png]

How can I use it to find certificate information?

It's byte-encoded here. I would like to find out the expiration date and the algorithm used (SHA-1 / SHA-2).

Here is my PowerShell cmdlet:
(get-item "AD:cn=ps-ca2-ca,cn=aia,cn=public key services,cn=services,$((Get-ADRootDSE).configurationNamingContext)" -properties *)
and the certificate value is stored in the cACertificate property.

Thank you for your help.


Accepted answer
  1. Vadims Podāns 9,186 Reputation points MVP
    2020-12-10T16:29:25.343+00:00

    I see you can already get the byte array from the cACertificate DS attribute. Then you can construct an X509Certificate2 object:

    $dsAIA = get-item "AD:cn=ps-ca2-ca,cn=aia,cn=public key services,cn=services,$((Get-ADRootDSE).configurationNamingContext)" -properties cACertificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @(,$dsAIA.cACertificate[0])
    

    Then use $cert to access the necessary certificate information.


3 additional answers

Sort by: Most helpful
  1. Vadims Podāns 9,186 Reputation points MVP
    2020-12-11T11:18:34.76+00:00


    If you intend to work with CAs in PowerShell, then I would recommend using my free and open-source PowerShell PKI module.

    Then fire the Get-CertificationAuthority command and explore its various properties, including the CA certificate. There are 100+ ADCS-related cmdlets.


  2. matteu31 502 Reputation points
    2020-12-11T09:02:09.507+00:00

    Hello, thanks a lot.
    It works perfectly :)

    How could I have found this alone O_o?

    The syntax is not very common compared to what I'm used to playing with ...

    This is what I do with it:

    Function Get-CAName
    {
        # Enrollment Services holds one object per enterprise CA; each carries the CA certificate as DER bytes
        $EnterpriseCA = (Get-ChildItem "AD:\CN=Enrollment Services,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties *)
        if ($null -eq $EnterpriseCA)
        {
            [PSCustomObject]@{
                CAName = "<N/A>"
                SignatureAlgorithm = "<N/A>"
            }
        }
        else
        {
            foreach ($CA in $EnterpriseCA)
            {
                # cACertificate is multi-valued; index 0 is the first published CA certificate
                $CACert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @(,$CA.cACertificate[0])
                [PSCustomObject]@{
                    CAName = $CA.name
                    CAServer = $CA.dNSHostName
                    SignatureAlgorithm = $CACert.SignatureAlgorithm.FriendlyName
                    CertStartDate = $CACert.NotBefore.ToString("dd/MM/yyyy")
                    CertEndDate = $CACert.NotAfter.ToString("dd/MM/yyyy")
                }
            }
        }
    }
    

    And the HTML result:
    [screenshot: 47160-2020-12-11-10h10-13.png]

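    Building on the accepted answer's X509Certificate2 construction and the Get-CAName function above, here is an added example that is not from the thread or from any module: it parses every value of cACertificate instead of only index 0 and reports the details a reviewer usually wants (SHA-1/MD5 signatures, RSA keys under 2048 bits, approaching expiry). It assumes the ActiveDirectory module is loaded (for the AD: drive) and .NET 4.6 or later; the Enrollment Services path is the one from the function above, while the warning threshold and finding labels are my own choices.

```powershell
# Added example, not code from the thread. Assumes the AD: drive (ActiveDirectory module) is available.
function Get-CACertificateHealth {
    [CmdletBinding()]
    param(
        [int]$WarnDays = 90   # assumed threshold: flag CA certs that expire within this many days
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $path = "AD:\CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $entries = Get-ChildItem $path -Properties name, dNSHostName, cACertificate -ErrorAction Stop
    foreach ($entry in $entries) {
        # cACertificate is multi-valued (a renewed CA may publish several certs); parse all of them
        foreach ($der in $entry.cACertificate) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            $sigAlg   = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA or sha1RSA
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            $findings = @()
            if ($sigAlg -match '^(sha1|md5)') { $findings += "weak signature algorithm ($sigAlg)" }
            if ($daysLeft -lt 0) { $findings += "expired" }
            elseif ($daysLeft -le $WarnDays) { $findings += "expires in $daysLeft days" }
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) CA keys
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt 2048) { $findings += "RSA key shorter than 2048 bits ($($rsa.KeySize))" }
            [PSCustomObject]@{
                CAName             = $entry.name
                CAServer           = $entry.dNSHostName
                Subject            = $cert.Subject
                Thumbprint         = $cert.Thumbprint
                SignatureAlgorithm = $sigAlg
                NotBefore          = $cert.NotBefore
                NotAfter           = $cert.NotAfter
                DaysUntilExpiry    = $daysLeft
                Findings           = ($findings -join '; ')
            }
        }
    }
}

Get-CACertificateHealth | Format-Table CAName, SignatureAlgorithm, NotAfter, DaysUntilExpiry, Findings -AutoSize
```

    The AIA container from the original question holds the same certificates but no dNSHostName, so Enrollment Services is the better source when you also want the CA server name.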

  3. matteu31 502 Reputation points
    2020-12-11T12:14:13.203+00:00

    Thank you for your answer and thank you for your module :)

    I will not need more cmdlets, I think. But if I need more, I will use it :)
