PowerShell: Audit Domain Controller Certificates

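function auditDcCerts{
    <#
    .SYNOPSIS
        Audits the LocalMachine\My certificate store of every domain controller in the forest.

    .DESCRIPTION
        Collects the names of all domain controllers (every domain of the forest), opens each DC's
        personal machine store remotely (\\<dc>\My, read-only) and emits one row per certificate
        with the issuing CA's CN, the template name, the expiry date and a validity status. A DC
        whose store is empty is reported as a single placeholder row so it cannot be overlooked.

        Remote store access runs under the caller's current credentials; presumably this needs
        administrative rights on each DC (not verified here). Status is a pure time-window check
        against this host's clock - it does not validate chain trust or revocation.

    .OUTPUTS
        Objects with properties DC, Subject, Issuer, CertTemplate, ValidUntil (MM-dd-yyyy) and
        Status ("Valid", "Expired" or "NotYetValid"). If an unhandled error occurs the function
        returns the error message as a single string instead, and rows collected so far are lost.
    #>
    try{
        Write-Host "Gathering Domain Controller Names..."
        Import-Module ActiveDirectory
        $osInfo = Get-CimInstance -ClassName Win32_OperatingSystem
        # ProductType 2 = domain controller: when running on a DC, pin the forest query to this host.
        # $osInfo.ProductType is deliberately not written to the pipeline - anything emitted here
        # would become part of the function's output and be piped into Format-Table with the rows.
        $forest = if($osInfo.ProductType -eq 2){
            Get-ADForest -Server $env:computername
        }else{
            Get-ADForest
        }
        $dcs = ($forest.Domains | ForEach-Object { Get-ADDomainController -Server $_ -Filter * }).Name
        $certs = New-Object -TypeName "System.Collections.ArrayList"
        $today = Get-Date
        foreach($dc in $dcs){
            Write-Host "Scanning $dc..."
            $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$dc\My", "LocalMachine")
            try{
                $certStore.Open("ReadOnly")
                if($certStore.Certificates.Count -gt 0){
                    foreach($cert in $certStore.Certificates){
                        $object = "" | Select-Object DC,Subject,Issuer,CertTemplate,ValidUntil,Status
                        $object.DC = $dc
                        # Issuer: only the CN of the issuing CA. Guarding on the -match result avoids
                        # reusing a stale $matches[1] from a previous certificate when the DN has no
                        # leading "CN=".
                        $object.Issuer = if($cert.Issuer -match '^CN=([A-Za-z0-9\-_]+),'){ $matches[1] }else{ $null }
                        # Template name taken from the template extension's formatted text. The -replace
                        # strips the "...=<name>(<oid>)..." wrapping where present; text without that
                        # shape passes through unchanged. Any failure (e.g. no such extension) yields $null.
                        $object.CertTemplate = try{
                            ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -match "template" }).Format(0) -replace "(.+)?=(.+)\((.+)?", '$2'
                        }catch{ $null }
                        $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -match "Subject Alternative Name" }
                        $object.Subject = if($san){
                            # NOTE(review): the greedy "^.+=" keeps only the last SAN entry when a
                            # certificate carries several - confirm that is intended before relying on it.
                            $san.Format(0) -replace "^.+=", ""
                        }elseif($object.CertTemplate -match '^CA'){
                            "Certification Authority"
                        }elseif($object.CertTemplate -match '^SubCA'){
                            "Subordinate CA"
                        }
                        $object.ValidUntil = $cert.NotAfter.ToString('MM-dd-yyyy')
                        # A certificate whose validity window has not started yet is not usable either,
                        # so it is reported separately instead of being labelled "Valid".
                        $object.Status = if($cert.NotAfter -le $today){
                            "Expired"
                        }elseif($cert.NotBefore -gt $today){
                            "NotYetValid"
                        }else{
                            "Valid"
                        }
                        [void]$certs.Add($object)
                    }
                }else{
                    Write-Host " => Result: No Certs Detected!" -ForegroundColor 'Red'
                    # Placeholder row uses the same property set as real rows (including DC) so that
                    # Format-Table renders it in the same columns.
                    [void]$certs.Add([pscustomobject]@{
                        DC           = $dc
                        Subject      = $null
                        Issuer       = 'Unknown'
                        CertTemplate = $false
                        ValidUntil   = $false
                        Status       = $false
                    })
                }
            }finally{
                # Release the remote store handle even when Open() or the scan throws.
                $certStore.Close()
            }
        }
        return $certs
    }
    catch{
        # Keeps the original contract of returning the failure as a string; $_ is the ErrorRecord
        # that triggered this catch, unlike $error[0] which is merely the most recent error seen.
        return "$_"
    }
}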
# Run the audit and render the rows as an auto-sized table (ft is the alias of Format-Table).
auditDcCerts | Format-Table -AutoSize
<# Sample Output
Gathering Domain Controller Names...
Scanning DEESEE1...
Scanning DEESEE2...
Scanning DEESEE3...
Scanning DEESEE4...
Scanning DEESEE5...

DC          Subject                   CertTemplate                     ValidUntil Status
--          -------                   ------------                     ---------- ------
DEESEE1    DEESEE1.kimconnect.net    Domain Controller 5 Years        09-05-2022 Valid
DEESEE1    DEESEE1.kimconnect.net    Domain Controller Authentication 09-03-2021 Valid
DEESEE1    INTRANET                Kerberos Authentication          09-03-2021 Valid
DEESEE1    DEESEE1.kimconnect.net    Directory Email Replication      09-03-2021 Valid
DEESEE2 DEESEE2.kimconnect.net Domain Controller Authentication 09-03-2021 Valid
DEESEE2 INTRANET                Kerberos Authentication          09-03-2021 Valid
DEESEE2 DEESEE2.kimconnect.net Domain Controller 5 Years        09-04-2025 Valid
DEESEE2 DEESEE2.kimconnect.net Directory Email Replication      09-03-2021 Valid
DEESEE3 DEESEE3.kimconnect.net Domain Controller 5 Years        09-04-2025 Valid
DEESEE3 DEESEE3.kimconnect.net Directory Email Replication      09-05-2021 Valid
DEESEE3 INTRANET                Kerberos Authentication          09-05-2021 Valid
DEESEE3 Certification Authority   CA                               09-04-2025 Valid
DEESEE3 DEESEE3.kimconnect.net Domain Controller Authentication 09-05-2021 Valid
DEESEE4 DEESEE4.kimconnect.net Domain Controller 5 Years        09-05-2022 Valid
DEESEE4 DEESEE4.kimconnect.net Directory Email Replication      09-03-2021 Valid
DEESEE4 DEESEE4.kimconnect.net Domain Controller Authentication 09-03-2021 Valid
DEESEE4 INTRANET                Kerberos Authentication          09-03-2021 Valid
DEESEE5 DEESEE5.kimconnect.net Directory Email Replication      09-04-2021 Valid
DEESEE5 INTRANET                Kerberos Authentication          09-04-2021 Valid
DEESEE5 Subordinate CA            SubCA                            09-03-2025 Valid
DEESEE5 DEESEE5.kimconnect.net Domain Controller 5 Years        09-05-2022 Valid
DEESEE5 DEESEE5.kimconnect.net Domain Controller Authentication 09-04-2021 Valid
#>
