GaryVial-9918 asked

How to list ssl certificates installed on windows server

I need to list all SSL certificates installed across the entire forest (more than 600 servers, running everything from 2003 to 2019). I only know how to see this information manually with the certlm command.
I need the fields: certificate name, server name, start date, end date, issuing certificate authority. Does anyone have a script or command that could help me with this task?

windows-server-security


IanXue-MSFT answered

Hi,

Please check to see if this works. Sorry I've got no environment to test it.

 # Enumerates every certificate store under Cert:\LocalMachine on every computer in the forest.
 # Needs the ActiveDirectory module on the machine running it and PowerShell remoting (WinRM)
 # enabled on each target; Invoke-Command adds the PSComputerName column that identifies the server.
 $forest = "contoso.com"
 $file = "C:\temp\certs.csv"
 $cred = Get-Credential -Message "Account with local admin rights on the servers"
 (Get-ADForest -Identity $forest).Domains | ForEach-Object {
     (Get-ADComputer -Filter * -Server $_).DNSHostName | ForEach-Object {
         Invoke-Command -ComputerName $_ -Credential $cred -HideComputerName -ScriptBlock { 
             # -Recurse walks every store (My, Root, CA, TrustedPublisher, ...); drop the store containers themselves
             Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object { $_.PSIsContainer -eq $false } | 
                 Select-Object -Property Thumbprint,Subject,Issuer,NotBefore,NotAfter 
         } 
     } 
 } | Select-Object -Property * -ExcludeProperty RunspaceId,PSShowComputerName | Export-Csv -Path $file -NoTypeInformation

Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


This is completely wrong since it will get *all* certificates, including root CAs, intermediate CAs, publishers and everything else, not only SSL.


effectively, it shows me all the certificates.
How would you improve the script so that it only shows SSL certificates?


Thanks for the script.
But could you tell me how to change the script so that it only searches the OU "contoso.com/Servers", and only for SSL certificates?

IanXue-MSFT answered

Hope this works.

 # Only the My store holds the machine's own certificates (the ones bound to IIS, RDP, LDAPS, ...);
 # Root, CA and TrustedPublisher are deliberately left out.
 $domain = "contoso.com"
 $ou = "OU=Servers,DC=contoso,DC=com"
 $file = "C:\temp\cert.csv"
 $cred = Get-Credential -Message "Account with local admin rights on the servers"
 # -SearchBase must be a DN inside the domain that -Server points at, so the OU is queried
 # against its own domain only; querying every domain of the forest with this OU would fail.
 (Get-ADComputer -Filter * -Server $domain -SearchBase $ou).DNSHostName | ForEach-Object {
     Invoke-Command -ComputerName $_ -Credential $cred -ScriptBlock { 
         Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -Property Thumbprint,Subject,Issuer,NotBefore,NotAfter 
     } 
 } | Select-Object -Property * -ExcludeProperty RunspaceId,PSShowComputerName | Export-Csv -Path $file -NoTypeInformation

Best Regards,
Ian Xue

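The two follow-up comments above ask for the same two refinements: restrict the scan to one OU, and report SSL certificates only. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes placeholder values for $domain, $ou and $file, the ActiveDirectory RSAT module on the machine running it, and WinRM remoting enabled on the targets. A certificate in LocalMachine\My counts as an SSL/TLS server certificate here when it has a private key and either carries the Server Authentication enhanced key usage (OID 1.3.6.1.5.5.7.3.1) or has no EKU extension at all (Windows treats that as valid for any purpose); hosts that cannot be reached are kept in the report instead of silently disappearing.

```powershell
# Added example, not code from the thread: inventory TLS server certificates from the
# LocalMachine\My store of every enabled computer in one OU. Placeholders: $domain, $ou, $file.
Import-Module ActiveDirectory

$domain = "contoso.com"
$ou     = "OU=Servers,DC=contoso,DC=com"
$file   = "C:\temp\ssl-certs.csv"
$cred   = Get-Credential -Message "Account with local admin rights on the servers"

# Enhanced Key Usage "Server Authentication": what makes a certificate usable by a TLS listener
$serverAuthOid = "1.3.6.1.5.5.7.3.1"

# -SearchBase must be a DN inside the domain that -Server points at
$servers = (Get-ADComputer -Filter 'Enabled -eq $true' -Server $domain -SearchBase $ou).DNSHostName

$remoteScript = {
    param([string]$oid)

    # True when the EKU extension lists the given OID, or when there is no EKU extension
    # at all (no restriction = any purpose, including server authentication).
    function Test-ServerAuth {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$oid)
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { return $true }
        foreach ($usage in $ekuExt.EnhancedKeyUsages) {
            if ($usage.Value -eq $oid) { return $true }
        }
        return $false
    }

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and (Test-ServerAuth -cert $_ -oid $oid) } |
        ForEach-Object {
            $cert = $_
            # Subject Alternative Name (OID 2.5.29.17), rendered as "DNS Name=..." text
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
            # New-Object PSObject (rather than [pscustomobject]) keeps this working on PowerShell 2.0 hosts
            New-Object PSObject -Property @{
                Server         = $env:COMPUTERNAME
                FriendlyName   = $cert.FriendlyName
                Subject        = $cert.Subject
                SubjectAltName = $(if ($san) { $san.Format($false) } else { "" })
                Issuer         = $cert.Issuer
                NotBefore      = $cert.NotBefore
                NotAfter       = $cert.NotAfter
                DaysRemaining  = [int](($cert.NotAfter - (Get-Date)).TotalDays)
                Thumbprint     = $cert.Thumbprint
            }
        }
}

$results = foreach ($server in $servers) {
    try {
        # -ErrorAction Stop turns connection failures into catchable errors
        Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $remoteScript `
            -ArgumentList $serverAuthOid -ErrorAction Stop
    }
    catch {
        # Keep the host in the report so gaps in the inventory are visible
        New-Object PSObject -Property @{
            Server = $server; FriendlyName = ""; Subject = "UNREACHABLE: $($_.Exception.Message)"
            SubjectAltName = ""; Issuer = ""; NotBefore = $null; NotAfter = $null
            DaysRemaining = $null; Thumbprint = ""
        }
    }
}

# Fixed column order for the CSV (hashtable-built objects do not preserve order on their own)
$columns = "Server","FriendlyName","Subject","SubjectAltName","Issuer","NotBefore","NotAfter","DaysRemaining","Thumbprint"
$results | Select-Object -Property $columns | Export-Csv -Path $file -NoTypeInformation

# Anything expiring within 30 days, soonest first
$results |
    Where-Object { ($null -ne $_.DaysRemaining) -and ($_.DaysRemaining -le 30) } |
    Sort-Object DaysRemaining |
    Format-Table Server, Subject, NotAfter, DaysRemaining -AutoSize
```

Rows whose Subject starts with UNREACHABLE point at hosts where remoting failed (WinRM not enabled, a firewall in the way, or credentials without local admin rights) and need another collection method; for a forest-wide run, wrap the Get-ADComputer call in the forest-domain loop from the first answer and derive $ou per domain. The HasPrivateKey filter is what drops CA and chain certificates that someone imported into My by mistake; without it those would show up as "SSL" certificates. Passing the whole $servers array to -ComputerName instead of looping would run the remote calls in parallel, at the cost of the per-host try/catch.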