SAMReport Module for SSL Certificates
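############################################################################################################
# Module Variables - Certificates #
#-------------------------------------#
# Shared setup for the certificate plug-ins that follow: report variables, the
# list of servers to inspect and the purge log file.
# $EmailTo, $EmailSubject, $ReportTitle, $ReportSubTitle, $OutputFolder, $Date,
# $ScriptUser and $ScriptComputer are not defined here - presumably supplied by
# the calling SAMReport framework (TODO(review): confirm).

# Customise report Variables (self-assignment keeps the framework defaults;
# replace the right-hand side to override)
$EmailTo = $EmailTo
$EmailSubject = $EmailSubject
$ReportTitle = $ReportTitle
$ReportSubTitle = $ReportSubTitle

#Miscellaneous - purge log (the audit trail for every certificate deleted below).
# Join-Path inserts the separator, so $OutputFolder works with or without a
# trailing backslash (plain concatenation silently produced
# "<folder>PurgedCerts_..." when it was missing). An empty $OutputFolder still
# falls back to the working directory. $Date is embedded verbatim, so it must
# not contain characters that are invalid in a file name.
$LogFileName = "PurgedCerts_$Date.txt"
if ([string]::IsNullOrEmpty($OutputFolder)) {
    $Logfile = $LogFileName
}
else {
    $Logfile = Join-Path -Path $OutputFolder -ChildPath $LogFileName
}
Add-Content -Path $Logfile -Value "#############################################################################"
Add-Content -Path $Logfile -Value "New Script Run on $Date"
Add-Content -Path $Logfile -Value "Started by $ScriptUser on $ScriptComputer"
Add-Content -Path $Logfile -Value "#############################################################################"
Add-Content -Path $Logfile -Value " "

# Load required plug-ins. If the ActiveDirectory module is missing, Get-ADComputer
# below fails, $Servers stays empty and every plug-in would report an all-clear
# for zero hosts - so the failure is recorded in the log and on the console
# instead of passing silently.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
}
catch {
    Add-Content -Path $Logfile -Value "ERROR: ActiveDirectory module could not be loaded: $($_.Exception.Message)"
    Write-Warning "ActiveDirectory module could not be loaded: $($_.Exception.Message)"
}

# Load server and array information
$Servers = Get-ADComputer -Filter {OperatingSystem -Like "Windows *Server*"} | Select-Object -ExpandProperty Name
<#
$OU = "OU=MyServers,DC=mydomain,DC=com,DC=au"
$Servers = Get-ADComputer -Filter {OperatingSystem -Like "Windows *Server*"} -SearchBase $OU | Select-Object -ExpandProperty Name
$Servers = @("Server1","Server2","Server3")
$Servers = Get-Content .\<path>\servers.txt
$Servers = ($env:COMPUTERNAME)
#>
# An empty inventory would make the plug-ins below look "Good" for no reason.
if (-not $Servers) {
    Add-Content -Path $Logfile -Value "WARNING: no servers found to inspect - the certificate plug-ins will report nothing."
    Write-Warning "No servers found to inspect - the certificate plug-ins will report nothing."
}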
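############################################################################################################
# Info #
#------------------------
$Title = "Personal Certificates"
$Comment = "This script lists all personal certificates and highlights those that have expired or are expiring soon."
$Author = "The Agreeable Cow"
$PluginDate = "21/08/2014"
$Version = "v1.1"
# 1.0 23/06/2014 The Agreeable Cow Original Build
# 1.1 21/08/2014 The Agreeable Cow Added Key length check
############################################################################################################
# Main Script #
#------------------------
#Reset Variables - several plug-ins run in the same session, so everything
#accumulated by the previous store scan is cleared before this one starts.
$stores = $null
$Certificates = $null
$ResultsText = $null
$AlertText = $null
$WarningText = $null
$ResultsData = $null
$AlertData = $null
$WarningData = $null
$AlertCount = 0
$WarningCount = 0
$ExpiredCount = 0
#Reporting variables (days relative to NotAfter; key size in bits)
$MaxDays = 1095     # only certificates expiring within this many days are listed
$WarnDays = 90      # fewer days than this left -> Warning
$AlertDays = 30     # fewer days than this left -> Alert
$WarnKeySize = 2048 # public key shorter than this -> Warning
#Purge Variable. When enabled, certificates whose "Days" value is below
#$PurgeDays (i.e. expired more than 90 days ago) are deleted from the store and
#each deletion is written to $Logfile. For the personal store, confirm nothing
#still needs an expired certificate (e.g. to decrypt old data) before enabling;
#whether the private key container is removed along with it is platform
#behaviour not checked here - verify before relying on either outcome.
$PurgeExpired = $False #$True or $False
$PurgeDays = -90
#Certificate Store Properties
$StoreLocation = "LocalMachine" #"LocalMachine","CurrentUser"
$StoreName = "My" #"My","CA","AuthRoot","Root"
#Least privilege: the store is opened for writing only when purging is enabled.
#Read-only access is all the report needs, and it also succeeds on hosts where
#the account can read but not modify the store. Set to "ReadWrite" explicitly
#if write access is required regardless. ("ReadOnly","ReadWrite")
$OpenFlag = if ($PurgeExpired -eq $True) { "ReadWrite" } else { "ReadOnly" }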
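#Create an Array and run query
# For every reachable server: open $StoreLocation\$StoreName remotely, record each
# certificate expiring within $MaxDays in $ResultsData, append to $AlertText /
# $WarningText with their counts, and - only when $PurgeExpired - delete
# certificates that expired more than -$PurgeDays days ago, logging each one.
# Counters are now incremented by one (the old "+= .count + 1" over-counted;
# harmless for the >= 1 checks but wrong as a figure).
$ResultsData = @()
foreach ($Server in $Servers) {
    # Reachability is judged by a single ICMP echo; a host that drops ICMP is
    # skipped and would otherwise vanish from the report, so the skip is logged.
    if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
        Add-Content -Path $Logfile -Value "Server: $Server - not reachable (ping), skipped."
        Add-Content -Path $Logfile -Value " "
        continue
    }
    $ExpiredCount = 0
    $stores = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Server\$StoreName", $StoreLocation)
    try {
        # Remote store access needs administrative rights on $Server. An open
        # failure used to surface only as a console error, with the host then
        # appearing to hold no certificates; it is now logged and reported.
        $stores.Open($OpenFlag)
    }
    catch {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "ERROR: could not open store $StoreLocation\$StoreName - $($_.Exception.Message)"
        Add-Content -Path $Logfile -Value " "
        $WarningText += "!ORANGE!Warning: Could not open certificate store $StoreLocation\$StoreName on $Server</br>"
        $WarningCount++
        continue
    }
    try {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "Store: $StoreLocation\$StoreName"
        Add-Content -Path $Logfile -Value " "
        # Iterate over a snapshot of the live X509Certificate2 objects so a purge
        # removes exactly the object that was examined. Re-finding it by serial
        # number (the previous approach) is unsafe: serial numbers are unique only
        # within one issuer, so the lookup could match a certificate from another CA.
        $Certificates = @($stores.Certificates)
        foreach ($Certificate in $Certificates) {
            if ($null -eq $Certificate) { continue }
            # Fall back to the Subject when no friendly name is set, so report
            # lines and alerts never refer to a nameless certificate.
            $Name = $Certificate.FriendlyName
            if ([string]::IsNullOrEmpty($Name)) { $Name = $Certificate.Subject }
            $Expires = $Certificate.NotAfter
            $Days = ($Expires - (Get-Date)).Days
            # PublicKey.Key can throw for key types the legacy wrapper cannot load
            # (e.g. ECC keys on .NET Framework). Treat the size as unknown rather
            # than letting $null compare below $WarnKeySize, which previously
            # produced a misleading "does not meet minimum key size" warning.
            $Size = $null
            try { $Size = $Certificate.PublicKey.Key.KeySize } catch { $Size = $null }
            #Build Report (certificates more than $MaxDays from expiry are not listed)
            if ($null -ne $Certificate.Issuer -and $Days -lt $MaxDays) {
                $obj = New-Object PSObject
                $obj | Add-Member -MemberType NoteProperty -Name "Server" -Value $Server
                $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $Name
                $obj | Add-Member -MemberType NoteProperty -Name "Issuer" -Value $Certificate.Issuer
                $obj | Add-Member -MemberType NoteProperty -Name "Subject" -Value $Certificate.Subject
                $obj | Add-Member -MemberType NoteProperty -Name "Key Size" -Value $Size
                $obj | Add-Member -MemberType NoteProperty -Name "Expires" -Value $Expires
                $obj | Add-Member -MemberType NoteProperty -Name "Days" -Value $Days
                $ResultsData += $obj
                # Update Text and Alert count based on your criteria
                if ($Days -lt 0) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server has expired </br>"
                    $AlertCount++
                }
                elseif ($Days -lt $AlertDays) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server is expiring in $Days days</br>"
                    $AlertCount++
                }
                elseif ($Days -lt $WarnDays) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server is expiring in $Days days</br>"
                    $WarningCount++
                }
                if ($null -eq $Size) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server has a public key whose size could not be determined</br>"
                    $WarningCount++
                }
                elseif ($Size -lt $WarnKeySize) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server does not meet minimum key size of $WarnKeySize</br>"
                    $WarningCount++
                }
            }
            #Log and Purge Old Certs - the thumbprint is logged so each deletion
            #can be tied to one exact certificate afterwards.
            if ($PurgeExpired -eq $True -and $null -ne $Certificate.Issuer -and $Days -lt $PurgeDays) {
                Add-Content -Path $Logfile -Value "Name: $Name"
                Add-Content -Path $Logfile -Value "Issuer: $($Certificate.Issuer)"
                Add-Content -Path $Logfile -Value "Subject: $($Certificate.Subject)"
                Add-Content -Path $Logfile -Value "Thumbprint: $($Certificate.Thumbprint)"
                Add-Content -Path $Logfile -Value "Expired: $Expires"
                Add-Content -Path $Logfile -Value "Days: $Days"
                Add-Content -Path $Logfile -Value " "
                $stores.Remove($Certificate)
                $ExpiredCount++
            }
        }
        Add-Content -Path $Logfile -Value "$Server Completed (Purge = $PurgeExpired). $ExpiredCount expired certificates deleted."
        Add-Content -Path $Logfile -Value "-------------------------------------------------------------------"
        Add-Content -Path $Logfile -Value " "
    }
    finally {
        # Always release the store handle, even if a Remove or log write throws
        $stores.Close()
    }
}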
# Note in the report that purging is on, so deletions listed in $Logfile are expected
If ($PurgeExpired -eq $True) {
    $AlertText += "NB. Purging is enabled for expired Certificates older than $PurgeDays days. See $logfile for details. </br>"
}
# Results Text: alerts first, then warnings; if neither fired, the all-clear line
$hasFindings = ($null -ne $AlertText) -or ($null -ne $WarningText)
if ($hasFindings) {
    $ResultsText = $AlertText + $WarningText
}
else {
    $ResultsText = "All $StoreLocation certificates are not due to expire for more than $MaxDays days."
}
# Results Data: soonest expiry (or longest expired) first
$ResultsData = $ResultsData | Sort-Object -Property "Days"
# Results Alert: the worst finding decides the overall status
$ResultsAlert = "Good"
if ($WarningCount -ge 1) { $ResultsAlert = "Warning" }
if ($AlertCount -ge 1) { $ResultsAlert = "Alert" }
############################################################################################################
# Output #
#------------------------
$OutText = $ResultsText     # $OutText MUST be either $ResultsText or "" Valid $ResultsText is any text string
$OutData = $ResultsData     # $OutData MUST be either $ResultsData or "" Valid $ResultsData is any data array
$OutAlert = $ResultsAlert   # $OutAlert MUST be either $ResultsAlert or "" Valid $ResultsAlert are 'Good', 'Warning' or 'Alert'
$Attachment = ""            # $Attachment MUST be either UNC path or ""
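############################################################################################################
# Info #
#------------------------
$Title = "Intermediate Certificates"
$Comment = "This script lists intermediate certificates and highlights those that have expired or are expiring soon."
$Author = "The Agreeable Cow"
$PluginDate = "21/08/2014"
$Version = "v1.1"
# 1.0 23/06/2014 The Agreeable Cow Original Build
# 1.1 21/08/2014 The Agreeable Cow Added Key length check
############################################################################################################
# Main Script #
#------------------------
#Reset Variables - several plug-ins run in the same session, so everything
#accumulated by the previous store scan is cleared before this one starts.
$stores = $null
$Certificates = $null
$ResultsText = $null
$AlertText = $null
$WarningText = $null
$ResultsData = $null
$AlertData = $null
$WarningData = $null
$AlertCount = 0
$WarningCount = 0
$ExpiredCount = 0
#Reporting variables (days relative to NotAfter; key size in bits)
$MaxDays = 1095     # only certificates expiring within this many days are listed
$WarnDays = 90      # fewer days than this left -> Warning
$AlertDays = 30     # fewer days than this left -> Alert
$WarnKeySize = 2048 # public key shorter than this -> Warning
#Purge Variable. When enabled, certificates whose "Days" value is below
#$PurgeDays (i.e. expired more than 90 days ago) are deleted from the store and
#each deletion is written to $Logfile. Verify nothing still chains through an
#expired intermediate (e.g. timestamped signatures) before enabling.
#NB: this was "$Fasle" (a typo that evaluated to $null); the effect - purging
#off - is unchanged, but the value is now the real $False.
$PurgeExpired = $False #$True or $False
$PurgeDays = -90
#Certificate Store Properties
$StoreLocation = "LocalMachine" #"LocalMachine","CurrentUser"
$StoreName = "CA" #"My","CA","AuthRoot","Root"
#Least privilege: the store is opened for writing only when purging is enabled.
#Read-only access is all the report needs, and it also succeeds on hosts where
#the account can read but not modify the store. Set to "ReadWrite" explicitly
#if write access is required regardless. ("ReadOnly","ReadWrite")
$OpenFlag = if ($PurgeExpired -eq $True) { "ReadWrite" } else { "ReadOnly" }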
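#Create an Array and run query
# For every reachable server: open $StoreLocation\$StoreName remotely, record each
# certificate expiring within $MaxDays in $ResultsData, append to $AlertText /
# $WarningText with their counts, and - only when $PurgeExpired - delete
# certificates that expired more than -$PurgeDays days ago, logging each one.
# Counters are now incremented by one (the old "+= .count + 1" over-counted;
# harmless for the >= 1 checks but wrong as a figure).
$ResultsData = @()
foreach ($Server in $Servers) {
    # Reachability is judged by a single ICMP echo; a host that drops ICMP is
    # skipped and would otherwise vanish from the report, so the skip is logged.
    if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
        Add-Content -Path $Logfile -Value "Server: $Server - not reachable (ping), skipped."
        Add-Content -Path $Logfile -Value " "
        continue
    }
    $ExpiredCount = 0
    $stores = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Server\$StoreName", $StoreLocation)
    try {
        # Remote store access needs administrative rights on $Server. An open
        # failure used to surface only as a console error, with the host then
        # appearing to hold no certificates; it is now logged and reported.
        $stores.Open($OpenFlag)
    }
    catch {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "ERROR: could not open store $StoreLocation\$StoreName - $($_.Exception.Message)"
        Add-Content -Path $Logfile -Value " "
        $WarningText += "!ORANGE!Warning: Could not open certificate store $StoreLocation\$StoreName on $Server</br>"
        $WarningCount++
        continue
    }
    try {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "Store: $StoreLocation\$StoreName"
        Add-Content -Path $Logfile -Value " "
        # Iterate over a snapshot of the live X509Certificate2 objects so a purge
        # removes exactly the object that was examined. Re-finding it by serial
        # number (the previous approach) is unsafe: serial numbers are unique only
        # within one issuer, so the lookup could match a certificate from another CA.
        $Certificates = @($stores.Certificates)
        foreach ($Certificate in $Certificates) {
            if ($null -eq $Certificate) { continue }
            # Fall back to the Subject when no friendly name is set, so report
            # lines and alerts never refer to a nameless certificate.
            $Name = $Certificate.FriendlyName
            if ([string]::IsNullOrEmpty($Name)) { $Name = $Certificate.Subject }
            $Expires = $Certificate.NotAfter
            $Days = ($Expires - (Get-Date)).Days
            # PublicKey.Key can throw for key types the legacy wrapper cannot load
            # (e.g. ECC keys on .NET Framework). Treat the size as unknown rather
            # than letting $null compare below $WarnKeySize, which previously
            # produced a misleading "does not meet minimum key size" warning.
            $Size = $null
            try { $Size = $Certificate.PublicKey.Key.KeySize } catch { $Size = $null }
            #Build Report (certificates more than $MaxDays from expiry are not listed)
            if ($null -ne $Certificate.Issuer -and $Days -lt $MaxDays) {
                $obj = New-Object PSObject
                $obj | Add-Member -MemberType NoteProperty -Name "Server" -Value $Server
                $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $Name
                $obj | Add-Member -MemberType NoteProperty -Name "Issuer" -Value $Certificate.Issuer
                $obj | Add-Member -MemberType NoteProperty -Name "Subject" -Value $Certificate.Subject
                $obj | Add-Member -MemberType NoteProperty -Name "Key Size" -Value $Size
                $obj | Add-Member -MemberType NoteProperty -Name "Expires" -Value $Expires
                $obj | Add-Member -MemberType NoteProperty -Name "Days" -Value $Days
                $ResultsData += $obj
                # Update Text and Alert count based on your criteria
                if ($Days -lt 0) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server has expired </br>"
                    $AlertCount++
                }
                elseif ($Days -lt $AlertDays) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server is expiring in $Days days</br>"
                    $AlertCount++
                }
                elseif ($Days -lt $WarnDays) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server is expiring in $Days days</br>"
                    $WarningCount++
                }
                if ($null -eq $Size) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server has a public key whose size could not be determined</br>"
                    $WarningCount++
                }
                elseif ($Size -lt $WarnKeySize) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server does not meet minimum key size of $WarnKeySize</br>"
                    $WarningCount++
                }
            }
            #Log and Purge Old Certs - the thumbprint is logged so each deletion
            #can be tied to one exact certificate afterwards.
            if ($PurgeExpired -eq $True -and $null -ne $Certificate.Issuer -and $Days -lt $PurgeDays) {
                Add-Content -Path $Logfile -Value "Name: $Name"
                Add-Content -Path $Logfile -Value "Issuer: $($Certificate.Issuer)"
                Add-Content -Path $Logfile -Value "Subject: $($Certificate.Subject)"
                Add-Content -Path $Logfile -Value "Thumbprint: $($Certificate.Thumbprint)"
                Add-Content -Path $Logfile -Value "Expired: $Expires"
                Add-Content -Path $Logfile -Value "Days: $Days"
                Add-Content -Path $Logfile -Value " "
                $stores.Remove($Certificate)
                $ExpiredCount++
            }
        }
        Add-Content -Path $Logfile -Value "$Server Completed (Purge = $PurgeExpired). $ExpiredCount expired certificates deleted."
        Add-Content -Path $Logfile -Value "-------------------------------------------------------------------"
        Add-Content -Path $Logfile -Value " "
    }
    finally {
        # Always release the store handle, even if a Remove or log write throws
        $stores.Close()
    }
}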
# Note in the report that purging is on, so deletions listed in $Logfile are expected
If ($PurgeExpired -eq $True) {
    $AlertText += "NB. Purging is enabled for expired Certificates older than $PurgeDays days. See $logfile for details. </br>"
}
# Results Text: alerts first, then warnings; if neither fired, the all-clear line
$hasFindings = ($null -ne $AlertText) -or ($null -ne $WarningText)
if ($hasFindings) {
    $ResultsText = $AlertText + $WarningText
}
else {
    $ResultsText = "All $StoreLocation certificates are not due to expire for more than $MaxDays days."
}
# Results Data: soonest expiry (or longest expired) first
$ResultsData = $ResultsData | Sort-Object -Property "Days"
# Results Alert: the worst finding decides the overall status
$ResultsAlert = "Good"
if ($WarningCount -ge 1) { $ResultsAlert = "Warning" }
if ($AlertCount -ge 1) { $ResultsAlert = "Alert" }
############################################################################################################
# Output #
#------------------------
$OutText = $ResultsText     # $OutText MUST be either $ResultsText or "" Valid $ResultsText is any text string
$OutData = $ResultsData     # $OutData MUST be either $ResultsData or "" Valid $ResultsData is any data array
$OutAlert = $ResultsAlert   # $OutAlert MUST be either $ResultsAlert or "" Valid $ResultsAlert are 'Good', 'Warning' or 'Alert'
$Attachment = ""            # $Attachment MUST be either UNC path or ""
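############################################################################################################
# Info #
#------------------------
$Title = "3rd Party Root Certificates"
$Comment = "This script lists 3rd Party Root certificates and highlights those that have expired or are expiring soon."
$Author = "The Agreeable Cow"
$PluginDate = "21/08/2014"
$Version = "v1.1"
# 1.0 23/06/2014 The Agreeable Cow Original Build
# 1.1 21/08/2014 The Agreeable Cow Added Key length check
############################################################################################################
# Main Script #
#------------------------
#Reset Variables - several plug-ins run in the same session, so everything
#accumulated by the previous store scan is cleared before this one starts.
$stores = $null
$Certificates = $null
$ResultsText = $null
$AlertText = $null
$WarningText = $null
$ResultsData = $null
$AlertData = $null
$WarningData = $null
$AlertCount = 0
$WarningCount = 0
$ExpiredCount = 0
#Reporting variables (days relative to NotAfter; key size in bits)
$MaxDays = 1095     # only certificates expiring within this many days are listed
$WarnDays = 90      # fewer days than this left -> Warning
$AlertDays = 30     # fewer days than this left -> Alert
$WarnKeySize = 2048 # public key shorter than this -> Warning
#Purge Variable. When enabled, certificates whose "Days" value is below
#$PurgeDays (i.e. expired more than 90 days ago) are deleted from the store and
#each deletion is written to $Logfile. AuthRoot holds trust anchors and is
#generally maintained by Windows' automatic root update, so purged entries may
#reappear; deleting a root also changes what the host trusts. Leave this off
#unless the change is controlled and nothing relies on the expired root.
$PurgeExpired = $False #$True or $False
$PurgeDays = -90
#Certificate Store Properties
$StoreLocation = "LocalMachine" #"LocalMachine","CurrentUser"
$StoreName = "AuthRoot" #"My","CA","AuthRoot","Root"
#Least privilege: the store is opened for writing only when purging is enabled.
#Read-only access is all the report needs, and it also succeeds on hosts where
#the account can read but not modify the store. Set to "ReadWrite" explicitly
#if write access is required regardless. ("ReadOnly","ReadWrite")
$OpenFlag = if ($PurgeExpired -eq $True) { "ReadWrite" } else { "ReadOnly" }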
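#Create an Array and run query
# For every reachable server: open $StoreLocation\$StoreName remotely, record each
# certificate expiring within $MaxDays in $ResultsData, append to $AlertText /
# $WarningText with their counts, and - only when $PurgeExpired - delete
# certificates that expired more than -$PurgeDays days ago, logging each one.
# Counters are now incremented by one (the old "+= .count + 1" over-counted;
# harmless for the >= 1 checks but wrong as a figure).
$ResultsData = @()
foreach ($Server in $Servers) {
    # Reachability is judged by a single ICMP echo; a host that drops ICMP is
    # skipped and would otherwise vanish from the report, so the skip is logged.
    if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
        Add-Content -Path $Logfile -Value "Server: $Server - not reachable (ping), skipped."
        Add-Content -Path $Logfile -Value " "
        continue
    }
    $ExpiredCount = 0
    $stores = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Server\$StoreName", $StoreLocation)
    try {
        # Remote store access needs administrative rights on $Server. An open
        # failure used to surface only as a console error, with the host then
        # appearing to hold no certificates; it is now logged and reported.
        $stores.Open($OpenFlag)
    }
    catch {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "ERROR: could not open store $StoreLocation\$StoreName - $($_.Exception.Message)"
        Add-Content -Path $Logfile -Value " "
        $WarningText += "!ORANGE!Warning: Could not open certificate store $StoreLocation\$StoreName on $Server</br>"
        $WarningCount++
        continue
    }
    try {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "Store: $StoreLocation\$StoreName"
        Add-Content -Path $Logfile -Value " "
        # Iterate over a snapshot of the live X509Certificate2 objects so a purge
        # removes exactly the object that was examined. Re-finding it by serial
        # number (the previous approach) is unsafe: serial numbers are unique only
        # within one issuer, so the lookup could match a certificate from another CA.
        $Certificates = @($stores.Certificates)
        foreach ($Certificate in $Certificates) {
            if ($null -eq $Certificate) { continue }
            # Fall back to the Subject when no friendly name is set, so report
            # lines and alerts never refer to a nameless certificate.
            $Name = $Certificate.FriendlyName
            if ([string]::IsNullOrEmpty($Name)) { $Name = $Certificate.Subject }
            $Expires = $Certificate.NotAfter
            $Days = ($Expires - (Get-Date)).Days
            # PublicKey.Key can throw for key types the legacy wrapper cannot load
            # (e.g. ECC keys on .NET Framework). Treat the size as unknown rather
            # than letting $null compare below $WarnKeySize, which previously
            # produced a misleading "does not meet minimum key size" warning.
            $Size = $null
            try { $Size = $Certificate.PublicKey.Key.KeySize } catch { $Size = $null }
            #Build Report (certificates more than $MaxDays from expiry are not listed)
            if ($null -ne $Certificate.Issuer -and $Days -lt $MaxDays) {
                $obj = New-Object PSObject
                $obj | Add-Member -MemberType NoteProperty -Name "Server" -Value $Server
                $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $Name
                $obj | Add-Member -MemberType NoteProperty -Name "Issuer" -Value $Certificate.Issuer
                $obj | Add-Member -MemberType NoteProperty -Name "Subject" -Value $Certificate.Subject
                $obj | Add-Member -MemberType NoteProperty -Name "Key Size" -Value $Size
                $obj | Add-Member -MemberType NoteProperty -Name "Expires" -Value $Expires
                $obj | Add-Member -MemberType NoteProperty -Name "Days" -Value $Days
                $ResultsData += $obj
                # Update Text and Alert count based on your criteria
                if ($Days -lt 0) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server has expired </br>"
                    $AlertCount++
                }
                elseif ($Days -lt $AlertDays) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server is expiring in $Days days</br>"
                    $AlertCount++
                }
                elseif ($Days -lt $WarnDays) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server is expiring in $Days days</br>"
                    $WarningCount++
                }
                if ($null -eq $Size) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server has a public key whose size could not be determined</br>"
                    $WarningCount++
                }
                elseif ($Size -lt $WarnKeySize) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server does not meet minimum key size of $WarnKeySize</br>"
                    $WarningCount++
                }
            }
            #Log and Purge Old Certs - the thumbprint is logged so each deletion
            #can be tied to one exact certificate afterwards.
            if ($PurgeExpired -eq $True -and $null -ne $Certificate.Issuer -and $Days -lt $PurgeDays) {
                Add-Content -Path $Logfile -Value "Name: $Name"
                Add-Content -Path $Logfile -Value "Issuer: $($Certificate.Issuer)"
                Add-Content -Path $Logfile -Value "Subject: $($Certificate.Subject)"
                Add-Content -Path $Logfile -Value "Thumbprint: $($Certificate.Thumbprint)"
                Add-Content -Path $Logfile -Value "Expired: $Expires"
                Add-Content -Path $Logfile -Value "Days: $Days"
                Add-Content -Path $Logfile -Value " "
                $stores.Remove($Certificate)
                $ExpiredCount++
            }
        }
        Add-Content -Path $Logfile -Value "$Server Completed (Purge = $PurgeExpired). $ExpiredCount expired certificates deleted."
        Add-Content -Path $Logfile -Value "-------------------------------------------------------------------"
        Add-Content -Path $Logfile -Value " "
    }
    finally {
        # Always release the store handle, even if a Remove or log write throws
        $stores.Close()
    }
}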
# Note in the report that purging is on, so deletions listed in $Logfile are expected
If ($PurgeExpired -eq $True) {
    $AlertText += "NB. Purging is enabled for expired Certificates older than $PurgeDays days. See $logfile for details. </br>"
}
# Results Text: alerts first, then warnings; if neither fired, the all-clear line
$hasFindings = ($null -ne $AlertText) -or ($null -ne $WarningText)
if ($hasFindings) {
    $ResultsText = $AlertText + $WarningText
}
else {
    $ResultsText = "All $StoreLocation certificates are not due to expire for more than $MaxDays days."
}
# Results Data: soonest expiry (or longest expired) first
$ResultsData = $ResultsData | Sort-Object -Property "Days"
# Results Alert: the worst finding decides the overall status
$ResultsAlert = "Good"
if ($WarningCount -ge 1) { $ResultsAlert = "Warning" }
if ($AlertCount -ge 1) { $ResultsAlert = "Alert" }
############################################################################################################
# Output #
#------------------------
$OutText = $ResultsText     # $OutText MUST be either $ResultsText or "" Valid $ResultsText is any text string
$OutData = $ResultsData     # $OutData MUST be either $ResultsData or "" Valid $ResultsData is any data array
$OutAlert = $ResultsAlert   # $OutAlert MUST be either $ResultsAlert or "" Valid $ResultsAlert are 'Good', 'Warning' or 'Alert'
$Attachment = ""            # $Attachment MUST be either UNC path or ""
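############################################################################################################
# Info #
#------------------------
$Title = "Trusted Root Certificates"
$Comment = "This script lists Trusted Root certificates and highlights those that have expired or are expiring soon."
$Author = "The Agreeable Cow"
$PluginDate = "21/08/2014"
$Version = "v1.1"
# 1.0 23/06/2014 The Agreeable Cow Original Build
# 1.1 21/08/2014 The Agreeable Cow Added Key length check
############################################################################################################
# Main Script #
#------------------------
#Reset Variables - several plug-ins run in the same session, so everything
#accumulated by the previous store scan is cleared before this one starts.
$stores = $null
$Certificates = $null
$ResultsText = $null
$AlertText = $null
$WarningText = $null
$ResultsData = $null
$AlertData = $null
$WarningData = $null
$AlertCount = 0
$WarningCount = 0
$ExpiredCount = 0
#Reporting variables (days relative to NotAfter; key size in bits)
$MaxDays = 1095     # only certificates expiring within this many days are listed
$WarnDays = 90      # fewer days than this left -> Warning
$AlertDays = 30     # fewer days than this left -> Alert
$WarnKeySize = 2048 # public key shorter than this -> Warning
#Purge Variable. When enabled, certificates whose "Days" value is below
#$PurgeDays (i.e. expired more than 90 days ago) are deleted from the store and
#each deletion is written to $Logfile. Root is the host's trust-anchor store:
#deleting from it changes what every application on the host trusts, and an
#expired root may still be needed to validate timestamped signatures. Leave this
#off unless the change is controlled and reviewed; $Logfile is the audit trail.
$PurgeExpired = $False #$True or $False
$PurgeDays = -90
#Certificate Store Properties
$StoreLocation = "LocalMachine" #"LocalMachine","CurrentUser"
$StoreName = "Root" #"My","CA","AuthRoot","Root"
#Least privilege: the store is opened for writing only when purging is enabled.
#Read-only access is all the report needs, and it also succeeds on hosts where
#the account can read but not modify the store. Set to "ReadWrite" explicitly
#if write access is required regardless. ("ReadOnly","ReadWrite")
$OpenFlag = if ($PurgeExpired -eq $True) { "ReadWrite" } else { "ReadOnly" }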
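#Create an Array and run query
# For every reachable server: open $StoreLocation\$StoreName remotely, record each
# certificate expiring within $MaxDays in $ResultsData, append to $AlertText /
# $WarningText with their counts, and - only when $PurgeExpired - delete
# certificates that expired more than -$PurgeDays days ago, logging each one.
# Counters are now incremented by one (the old "+= .count + 1" over-counted;
# harmless for the >= 1 checks but wrong as a figure).
$ResultsData = @()
foreach ($Server in $Servers) {
    # Reachability is judged by a single ICMP echo; a host that drops ICMP is
    # skipped and would otherwise vanish from the report, so the skip is logged.
    if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
        Add-Content -Path $Logfile -Value "Server: $Server - not reachable (ping), skipped."
        Add-Content -Path $Logfile -Value " "
        continue
    }
    $ExpiredCount = 0
    $stores = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Server\$StoreName", $StoreLocation)
    try {
        # Remote store access needs administrative rights on $Server. An open
        # failure used to surface only as a console error, with the host then
        # appearing to hold no certificates; it is now logged and reported.
        $stores.Open($OpenFlag)
    }
    catch {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "ERROR: could not open store $StoreLocation\$StoreName - $($_.Exception.Message)"
        Add-Content -Path $Logfile -Value " "
        $WarningText += "!ORANGE!Warning: Could not open certificate store $StoreLocation\$StoreName on $Server</br>"
        $WarningCount++
        continue
    }
    try {
        Add-Content -Path $Logfile -Value "Server: $Server"
        Add-Content -Path $Logfile -Value "Store: $StoreLocation\$StoreName"
        Add-Content -Path $Logfile -Value " "
        # Iterate over a snapshot of the live X509Certificate2 objects so a purge
        # removes exactly the object that was examined. Re-finding it by serial
        # number (the previous approach) is unsafe: serial numbers are unique only
        # within one issuer, so the lookup could match a certificate from another CA.
        $Certificates = @($stores.Certificates)
        foreach ($Certificate in $Certificates) {
            if ($null -eq $Certificate) { continue }
            # Fall back to the Subject when no friendly name is set, so report
            # lines and alerts never refer to a nameless certificate.
            $Name = $Certificate.FriendlyName
            if ([string]::IsNullOrEmpty($Name)) { $Name = $Certificate.Subject }
            $Expires = $Certificate.NotAfter
            $Days = ($Expires - (Get-Date)).Days
            # PublicKey.Key can throw for key types the legacy wrapper cannot load
            # (e.g. ECC keys on .NET Framework). Treat the size as unknown rather
            # than letting $null compare below $WarnKeySize, which previously
            # produced a misleading "does not meet minimum key size" warning.
            $Size = $null
            try { $Size = $Certificate.PublicKey.Key.KeySize } catch { $Size = $null }
            #Build Report (certificates more than $MaxDays from expiry are not listed)
            if ($null -ne $Certificate.Issuer -and $Days -lt $MaxDays) {
                $obj = New-Object PSObject
                $obj | Add-Member -MemberType NoteProperty -Name "Server" -Value $Server
                $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $Name
                $obj | Add-Member -MemberType NoteProperty -Name "Issuer" -Value $Certificate.Issuer
                $obj | Add-Member -MemberType NoteProperty -Name "Subject" -Value $Certificate.Subject
                $obj | Add-Member -MemberType NoteProperty -Name "Key Size" -Value $Size
                $obj | Add-Member -MemberType NoteProperty -Name "Expires" -Value $Expires
                $obj | Add-Member -MemberType NoteProperty -Name "Days" -Value $Days
                $ResultsData += $obj
                # Update Text and Alert count based on your criteria
                if ($Days -lt 0) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server has expired </br>"
                    $AlertCount++
                }
                elseif ($Days -lt $AlertDays) {
                    $AlertText += "!RED!Alert: Certificate $Name on $Server is expiring in $Days days</br>"
                    $AlertCount++
                }
                elseif ($Days -lt $WarnDays) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server is expiring in $Days days</br>"
                    $WarningCount++
                }
                if ($null -eq $Size) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server has a public key whose size could not be determined</br>"
                    $WarningCount++
                }
                elseif ($Size -lt $WarnKeySize) {
                    $WarningText += "!ORANGE!Warning: Certificate $Name on $Server does not meet minimum key size of $WarnKeySize</br>"
                    $WarningCount++
                }
            }
            #Log and Purge Old Certs - the thumbprint is logged so each deletion
            #can be tied to one exact certificate afterwards.
            if ($PurgeExpired -eq $True -and $null -ne $Certificate.Issuer -and $Days -lt $PurgeDays) {
                Add-Content -Path $Logfile -Value "Name: $Name"
                Add-Content -Path $Logfile -Value "Issuer: $($Certificate.Issuer)"
                Add-Content -Path $Logfile -Value "Subject: $($Certificate.Subject)"
                Add-Content -Path $Logfile -Value "Thumbprint: $($Certificate.Thumbprint)"
                Add-Content -Path $Logfile -Value "Expired: $Expires"
                Add-Content -Path $Logfile -Value "Days: $Days"
                Add-Content -Path $Logfile -Value " "
                $stores.Remove($Certificate)
                $ExpiredCount++
            }
        }
        Add-Content -Path $Logfile -Value "$Server Completed (Purge = $PurgeExpired). $ExpiredCount expired certificates deleted."
        Add-Content -Path $Logfile -Value "-------------------------------------------------------------------"
        Add-Content -Path $Logfile -Value " "
    }
    finally {
        # Always release the store handle, even if a Remove or log write throws
        $stores.Close()
    }
}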
# Note in the report that purging is on, so deletions listed in $Logfile are expected
If ($PurgeExpired -eq $True) {
    $AlertText += "NB. Purging is enabled for expired Certificates older than $PurgeDays days. See $logfile for details. </br>"
}
# Results Text: alerts first, then warnings; if neither fired, the all-clear line
$hasFindings = ($null -ne $AlertText) -or ($null -ne $WarningText)
if ($hasFindings) {
    $ResultsText = $AlertText + $WarningText
}
else {
    $ResultsText = "All $StoreLocation certificates are not due to expire for more than $MaxDays days."
}
# Results Data: soonest expiry (or longest expired) first
$ResultsData = $ResultsData | Sort-Object -Property "Days"
# Results Alert: the worst finding decides the overall status
$ResultsAlert = "Good"
if ($WarningCount -ge 1) { $ResultsAlert = "Warning" }
if ($AlertCount -ge 1) { $ResultsAlert = "Alert" }
############################################################################################################
# Output #
#------------------------
$OutText = $ResultsText     # $OutText MUST be either $ResultsText or "" Valid $ResultsText is any text string
$OutData = $ResultsData     # $OutData MUST be either $ResultsData or "" Valid $ResultsData is any data array
$OutAlert = $ResultsAlert   # $OutAlert MUST be either $ResultsAlert or "" Valid $ResultsAlert are 'Good', 'Warning' or 'Alert'
$Attachment = ""            # $Attachment MUST be either UNC path or ""