The one I created was to remove expired certs. It can be updated to check
different parts of certs as well as just gather information and insert it
into WMI to be inventoried. Currently we are busy migrating 70+K clients so
don't have the time to add those options to the function. Below is the link
to the cert classes being used in the script.

http://msdn.microsoft.com/en-us/library/system.security.cryptography(v=vs.110).aspx

The code is not the best organized or written but it did the job for us :)

Thanks,
Cesar


On Wed, Jan 15, 2014 at 7:12 PM, Russ Rimmerman <
[email protected]> wrote:

> I blogged the other day on using compliance settings to check to see if
> a specific cert is on clients; you can use similar PowerShell commands to
> inventory the specific properties of the certs you want and poke it back
> into WMI in a custom class.
>
>
> http://blogs.technet.com/b/configmgr_geek_speak/archive/2014/01/10/use-configuration-manager-2012-compliance-settings-to-check-for-the-existence-of-a-pki-certificate.aspx
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Beardsley, James
> *Sent:* Wednesday, January 15, 2014 9:59 AM
>
> *To:* [email protected]
> *Subject:* [mssms] Certificate issues
>
>
>
> Is there any way to gather inventory on client certificates? Is
> certificate information in WMI? Or detectable with PowerShell?
>
>
>
> I have auto-enrollment set up and most PCs are successfully enrolling
> their client certificate but there are a handful here and there that don’t
> have the cert in the Personal store so I’m unable to upgrade them to the
> 2012 client.
>
>
>
> I tried running certutil.exe -pulse on ones that I’ve had a chance to get
> my hands on and most of the time it doesn’t help.
>
>
>
> Any pointers? Any logs or events I can use to track down the issue on
> individual computers?




<#
    .SYNOPSIS
        Remove certificates with a specific issue date from the LocalMachine or CurrentUser store.
        Author: Cesar A

    .DESCRIPTION
        Remove certificates with a specific issue date from the LocalMachine or CurrentUser store.

    .PARAMETER ComputerName
        Name of the computer whose "My" (Personal) certificate store is opened.

    .PARAMETER IssueDate
        Issue (NotBefore) date of the certificates to remove, e.g. 1/21/2013.

    .PARAMETER LocalStore
        Store location: LocalMachine or CurrentUser.

    .EXAMPLE
        PS C:\> Remove-Certs -computername hostname -IssueDate 1/21/2013 -LocalStore LocalMachine

    .EXAMPLE
        PS C:\> Remove-Certs -computername hostname -IssueDate 1/21/2013 -LocalStore CurrentUser

    .EXAMPLE
        PS C:\> Get-Content c:\temp\certremoval.txt | foreach {Remove-Certs -computername $_ -IssueDate 2/21/2013 -LocalStore LocalMachine }
        Command runs the function on a list of systems in "c:\temp\certremoval.txt"

    .INPUTS
        System.String

    .OUTPUTS
        System.String

    .NOTES
        For more information about advanced functions, call Get-Help with any
        of the topics in the links listed below.
        http://msdn.microsoft.com/en-us/library/system.security.cryptography(v=vs.110).aspx
#>
Function Remove-Certs
{
    [CmdletBinding()]
    param (
        [Parameter(Position=0, Mandatory=$true)]
        [ValidateNotNullOrEmpty()][string]$computername,

        [Parameter(Position=1, Mandatory=$true)]
        [ValidateNotNullOrEmpty()][string]$IssueDate,

        # The StoreLocation enum values are LocalMachine and CurrentUser ("LocalUser" is not a member).
        [Parameter(Position=2, Mandatory=$true)]
        [ValidateSet("LocalMachine","CurrentUser")][string]$LocalStore
    )

    $computerstore = "\\$computername\My"
    $store = $null

    Try {
        # Parse the date once so the comparison does not depend on string formatting.
        $issued = ([datetime]$IssueDate).Date

        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $computerstore,$LocalStore
        # To do the removal, Open needs ReadWrite. For gathering info only, ReadOnly can be used.
        $store.Open('ReadWrite')
        $certs = $store.Certificates

        Write-Host ""
        Write-Host "************* Removing Certs with $IssueDate from Host $computername ****************************" -ForegroundColor Cyan
        Write-Host ""
        foreach ($cert in $certs) {
            # Compare only the date part of NotBefore with the requested issue date.
            If ($cert.NotBefore.Date -eq $issued)
            {
                Write-Host "Date Issued Matches.. DELETING CERT" -BackgroundColor Red
                Write-Host "Subject: $($cert.Subject)  Serial: $($cert.SerialNumber)  Issue Date: $($cert.NotBefore)  Expiration Date: $($cert.NotAfter)" -ForegroundColor Red
                # Deletes the cert that matches. Comment this line out to report without removing.
                $store.Remove($cert)
            }
            Else
            {
                # Writing out information of other certs. May be useful to see.
                Write-Host "Date Issued OK.. KEEPING CERT" -BackgroundColor Green
                Write-Host "Subject: $($cert.Subject)  Serial: $($cert.SerialNumber)  Issue Date: $($cert.NotBefore)  Expiration Date: $($cert.NotAfter)" -ForegroundColor Green
            }
        }
        Write-Host ""
        Write-Host "************* Removed Certs with $IssueDate from Host $computername ****************************" -ForegroundColor Cyan
    }
    Catch
    {
        Write-Host $_.Exception.Message -NoNewline -BackgroundColor Red
    }
    Finally
    {
        # Close the store even when opening or enumerating it failed part-way.
        If ($store) { $store.Close() }
    }
}
#Export-ModuleMember -Function Remove-Certs
Remove-Certs -computername hostname -IssueDate 2/21/2013 -LocalStore LocalMachine
Get-Content c:\temp\certremoval.txt | foreach {Remove-Certs -computername $_ -IssueDate 2/21/2013 -LocalStore LocalMachine }
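
Added example (not part of the original posts or of Cesar's script): one way to do the inventory discussed in this thread, reading the local machine's Personal store read-only and writing each certificate into a custom WMI class. The class name Custom_ClientCertificate and its property names are assumptions chosen for illustration.

```powershell
# Added example. Custom_ClientCertificate and its properties are hypothetical names.
$Namespace     = 'root\cimv2'
$ClassName     = 'Custom_ClientCertificate'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$EkuType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$Converter     = [System.Management.ManagementDateTimeConverter]

# Drop the class (and its old instances) so removed certs do not linger in inventory.
if (Get-WmiObject -Namespace $Namespace -List -Class $ClassName) {
    Remove-WmiObject -Namespace $Namespace -Class $ClassName
}

# Define the class: Thumbprint is the key, dates are stored as CIM datetimes.
$class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
$class['__CLASS'] = $ClassName
$class.Qualifiers.Add('Static', $true)
foreach ($name in 'Thumbprint', 'Subject', 'Issuer', 'SerialNumber') {
    $class.Properties.Add($name, [System.Management.CimType]::String, $false)
}
foreach ($name in 'NotBefore', 'NotAfter') {
    $class.Properties.Add($name, [System.Management.CimType]::DateTime, $false)
}
foreach ($name in 'ClientAuth', 'Expired') {
    $class.Properties.Add($name, [System.Management.CimType]::Boolean, $false)
}
$class.Properties['Thumbprint'].Qualifiers.Add('Key', $true)
[void]$class.Put()

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')   # inventory only; nothing in the store is modified
try {
    foreach ($cert in $store.Certificates) {
        # A cert without an EKU extension is valid for all purposes, client auth included.
        $eku = $cert.Extensions | Where-Object { $_ -is $EkuType }
        $clientAuth = (-not $eku) -or
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid)
        Set-WmiInstance -Namespace $Namespace -Class $ClassName -Arguments @{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SerialNumber = $cert.SerialNumber
            NotBefore    = $Converter::ToDmtfDateTime($cert.NotBefore)
            NotAfter     = $Converter::ToDmtfDateTime($cert.NotAfter)
            ClientAuth   = [bool]$clientAuth
            Expired      = ($cert.NotAfter -lt (Get-Date))
        } | Out-Null
    }
}
finally { $store.Close() }
```

Run it elevated on the client, since creating a class in root\cimv2 needs administrative rights. A machine that ends up with no ClientAuth instance is one of the clients missing the certificate in the Personal store; the class still has to be added to hardware inventory before Configuration Manager collects it.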

