Check for expired certificates
Jump to navigation
Jump to search
powershell to get all certificates fromm ntauth/ntauthcertificates in Active Directory and see if they're still valid.
Removal can be done using certutil
Definitely bugs in it -> static parse on "sha1", more should be included here. And the amount of lines also has more variables...
$foundcertificates=@()
$allcerts=certutil -store -enterprise NTAuth
for($i=1;$i -lt $allcerts.count;$i++)
{
$tempObj = New-Object -TypeName PSObject
$tempObj | Add-Member -MemberType NoteProperty -Name Name -Value $allcerts[$i].replace("=","")
$i++
$tempObj | Add-Member -MemberType NoteProperty -Name Serial -Value $allcerts[$i].trimstart("Serial Number:")
$i++
$tempObj | Add-Member -MemberType NoteProperty -Name Issuer -Value $allcerts[$i].trimstart("Issuer:")
$i++
$tempObj | Add-Member -MemberType NoteProperty -Name NotBefore -Value $allcerts[$i].trimstart(" NotBefore:")
$i++
$tempObj | Add-Member -MemberType NoteProperty -Name NotAfter -Value $allcerts[$i].trimstart(" NotAfter:")
$i++
$tempObj | Add-Member -MemberType NoteProperty -Name Subject -Value $allcerts[$i].trimstart("Subject:")
$i++
if($allcerts[$i] -eq "Signature matches Public Key")
{
$i++
}
if($allcerts[$i] -eq "CA Version: V0.0")
{
$i++
$i++
}
$i++
$tempObj | Add-Member -MemberType NoteProperty -Name Hash -Value $allcerts[$i].trimstart("Cert Hash(sha1):")
if($allcerts[$i-3] -eq "CA Version: V0.0")
{
$i++
$i++
$i++
$i++
}
$i++
$i++
$i++
$foundcertificates+=$tempObj
}
$today = get-date
foreach($cert in $foundcertificates)
{
[datetime]$var=$cert.notafter
if($var -le $today)
{
write-host $cert.name" is expired since "$cert.notafter -BackgroundColor red -ForegroundColor black
}
else
{
write-host $cert.name" is still valid untill "$cert.notafter -BackgroundColor green -ForegroundColor black
}
}