Export a List of all AD users Certificates from Each user

Roland S 26 Reputation points
2021-04-08T09:01:50.05+00:00

Hi,

I have to export the user X509 certificates from each user in a specific OU, with the issuer and the expiration date.

The export should look like the Published Certificates tab of the AD user object.

Thank you in advance.


Accepted answer
  1. Daisy Zhou 28,906 Reputation points Microsoft Vendor
    2021-04-14T03:03:59.73+00:00

    Hello @Roland S ,

    You can try the PS script below.

    # OU to search and the export folder (the folder must already exist)
    $ou = "ou=laps1,dc=b,dc=local"
    $path = "C:\certs"
    Get-ADUser -SearchBase $ou -Filter * -Properties displayname,usercertificate | ForEach-Object {
        $displayname = $_.displayname
        # Each usercertificate value is one DER-encoded certificate (byte array)
        $_ | select -ExpandProperty usercertificate | ForEach-Object {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$_
            [pscustomobject]@{
                DisplayName = $displayname
                IssuedTo = $cert.Subject
                IssuedBy = $cert.Issuer
                IntendedPurpose = $cert.EnhancedKeyUsageList
                ExpiredData = $cert.NotAfter
                SerialNumber = $cert.SerialNumber
            }
        }
    } | Export-Csv -NoTypeInformation $path\certs.csv

    Here is the result:
    87553-display1.png

    --please don't forget to Accept as answer if the reply is helpful--

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    6 people found this answer helpful.
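
The report from the accepted answer, extended for an expiry review. This is an added example, not code from the thread: `ConvertTo-CertReportRow`, its parameters and the 30-day warning window are hypothetical names and values chosen here, and the self-signed certificate is a constructed sample standing in for one `userCertificate` value.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not from the thread): turns one userCertificate value
# (DER bytes) into a flat report row with an expiry status.
function ConvertTo-CertReportRow {
    param([string]$DisplayName, [byte[]]$RawCert, [int]$WarnDays = 30, [datetime]$Now = (Get-Date))
    $cert = [X509Certificate2]::new($RawCert)
    # Read the EKU extension directly and flatten it to one string for the CSV cell.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { '{0} ({1})' -f $_.FriendlyName, $_.Value }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) { $status = 'Expired' }
    elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
    else { $status = 'Valid' }
    [pscustomobject]@{
        DisplayName = $DisplayName
        IssuedTo    = $cert.Subject
        IssuedBy    = $cert.Issuer
        EKU         = $eku -join '; '
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        Status      = $status
        Thumbprint  = $cert.Thumbprint
    }
}

# Constructed sample: a self-signed certificate built in memory stands in for
# one userCertificate value, so this part runs without a domain.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed User', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
[void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.2'))   # Client Authentication
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$now    = [DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now.AddDays(-90), $now.AddDays(10))
$row    = ConvertTo-CertReportRow -DisplayName 'Constructed User' -RawCert $sample.RawData
$row

# Against AD (needs the ActiveDirectory module), with $ou and $path as in the answer:
# Get-ADUser -SearchBase $ou -Filter * -Properties DisplayName,userCertificate |
#   ForEach-Object { $u = $_; $u.userCertificate | ForEach-Object {
#       ConvertTo-CertReportRow -DisplayName $u.DisplayName -RawCert $_ } } |
#   Export-Csv -NoTypeInformation "$path\certs.csv"
```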

5 additional answers

  1. Daisy Zhou 28,906 Reputation points Microsoft Vendor
    2021-04-09T03:40:44.267+00:00

    Hello @Roland S ,

    Thank you for your posting here.

    After lots of tests in my lab, I can get the result as below.

    1. Here is my OU named LAPS1; there are three users in it.
    86047-ps2.png

    2. Open PowerShell ISE (run as administrator) and type the command below.

    $ou = "ou=laps1,dc=b,dc=local"
    $path = "C:\certs"
    Get-ADUser -SearchBase $ou -Filter * -Properties usercertificate | ForEach-Object {
        # Writes one CSV per user, named after the user's name
        $_ | select -ExpandProperty usercertificate | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$_ | select -Property Serialnumber, EnhancedKeyUsageList, notafter, notbefore, issuer, subject
        } | Export-Csv -NoTypeInformation $path\$($_.name)_certs.csv
    }

    85998-ps1.png

    Tip: Please change the OU name, domain name and export path based on your AD environment.

    3. We can see one CSV file for each user.
    86017-ps5.png

    4. For example: we can see the cert list for daisy11 and daisy22.
    Daisy 11
    85999-ps3.png

    Daisy22
    86000-ps4.png
    You can try the PS command in your AD environment.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    2 people found this answer helpful.

  2. Daisy Zhou 28,906 Reputation points Microsoft Vendor
    2021-04-12T04:04:45.897+00:00

    Hello @Roland S ,

    Thank you for your update.

    We can run the PS script below.

    $ou = "ou=laps1,dc=b,dc=local"
    $path = "C:\certs"
    Get-ADUser -SearchBase $ou -Filter * -Properties usercertificate | ForEach-Object {
        $_ | select -ExpandProperty usercertificate | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$_ | select -Property Serialnumber, EnhancedKeyUsageList, notafter, notbefore, issuer, subject
        }
    # Export-Csv now sits after the outer loop, so all users go into one file
    } | Export-Csv -NoTypeInformation $path\certs.csv

    Tip: Change the last line.

    The result (all users' certificates within the OU in the same Excel file):
    86722-vv1.png

    Best Regards,
    Daisy Zhou

    2 people found this answer helpful.

  3. Roland S 26 Reputation points
    2021-04-09T11:02:50.567+00:00

    Hi @Daisy Zhou ,

    Many, many thanks to you, it looks great, it works well.

    When I need all certificate lines in one Excel sheet, which line needs to change?

    Many thanks in advance

    Br
    Roland


  4. Roland S 26 Reputation points
    2021-04-12T13:38:18.977+00:00

    Hi @Daisy Zhou ,

    Thanks a lot, it looks good. One more thing, please: can you add the DisplayName of the AD user to the CSV export, like in the attached picture? It is easier to identify the user object and their installed certificates, and then it would be perfect. Many thanks to you for your support.

    86940-image.png

