Script to retrieve AD CA expired certificates

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 8 months ago.

  • Author
    Posts
  • #6327

    by tommygun at 2013-04-18 21:37:35

    Hi there,
    I have the code below that I can point to my local Active Directory Certificate Authority and it will pull back expiring certificates, based on a set number of days.
    How do i run this script? I have copied the script and created a cascript.ps1 file and changed the $CAlocation="CAServer\Some Root CA" to my CA server and name and $duedays=365 though when I run it in powershell ./cascript.ps1 it doesn't output anything.... any help will be greatly appreciated. Thanks

    function get-ExpiringCerts ($duedays=60,$CAlocation="CAServer\Some Root CA") {
    $certs = @()
    $now = get-Date;
    $expirationdate = $now.AddDays($duedays)
    $CaView = New-Object -Com CertificateAuthority.View.1
    [void]$CaView.OpenConnection($CAlocation)
    $CaView.SetResultColumnCount(5)
    $index0 = $CaView.GetColumnIndex($false, "Issued Common Name")
    $index1 = $CaView.GetColumnIndex($false, "Certificate Expiration Date")
    $index2 = $CaView.GetColumnIndex($false, "Issued Email Address")
    $index3 = $CaView.GetColumnIndex($false, "Certificate Template")
    $index4 = $CaView.GetColumnIndex($false, "Request Disposition")
    $index0, $index1, $index2, $index3, $index4 | %{$CAView.SetResultColumn($_) }

    # CVR_SORT_NONE 0
    # CVR_SEEK_EQ 1
    # CVR_SEEK_LT 2
    # CVR_SEEK_GT 16

    $index1 = $CaView.GetColumnIndex($false, "Certificate Expiration Date")
    $CAView.SetRestriction($index1,16,0,$now)
    $CAView.SetRestriction($index1,2,0,$expirationdate)

    # brief disposition code explanation:
    # 9 - pending for approval
    # 15 - CA certificate renewal
    # 16 - CA certificate chain
    # 20 - issued certificates
    # 21 - revoked certificates
    # all other - failed requests
    $CAView.SetRestriction($index4,1,0,20)

    $RowObj= $CAView.OpenView()

    while ($Rowobj.Next() -ne -1){
    $Cert = New-Object PsObject
    $ColObj = $RowObj.EnumCertViewColumn()
    [void]$ColObj.Next()
    do {
    $current = $ColObj.GetName()
    $Cert | Add-Member -MemberType NoteProperty $($ColObj.GetDisplayName()) -Value $($ColObj.GetValue(1)) -Force
    } until ($ColObj.Next() -eq -1)
    Clear-Variable ColObj
    $datediff = New-TimeSpan -Start ($now) -End ($cert."Certificate Expiration Date")

    "Certificate " + $cert."Issued Common Name" + " will expire in " + $dateDiff.Days + " days at " + $cert."Certificate Expiration Date"
    #"Send email to : " + $cert."Issued Email Address"
    "------------------------"
    }
    $RowObj.Reset()
    $CaView = $null
    [GC]::Collect()
    }

    get-ExpiringCerts -duedays 365 -CAlocation "CAServer\Some Root CA"

    by DonJ at 2013-04-19 08:32:53

    You'll have to add some debugging code to this, and see what's happening.

    First, at the very top of the function, add:

    [CmdletBinding()]
    Param($duedays=60,$CAlocation="CAServer\Some Root CA")

    Remove the existing

    ($duedays=60,$CAlocation="CAServer\Some Root CA")

    that's after the function keyword and function name.

    Modify the last line to add -Verbose to the function call.... put it after the -duedays and -calocation parameters.

    Then, in the function, you can start adding Write-Verbose statements.

    For example, I might do this:


    do {
    $current = $ColObj.GetName()
    Write-Verbose "Current is $current"

    In other words, just getting some output to tell me what the script is doing, and what's going inside the variables.

    If it's not producing ANY output, then I suspect it's not executing either the while loop. Which means $RowObj never has anything in it. So, I might just run some of those lines manually, from the console – everything up to the while loop, for example, to see what happened.

    Sorry, it's tough for me to debug a script I can't run, but that's the approach I'd take if I were sitting down with you. Run each command one at a time, just like the script is doing, and see what you get after each line.

You must be logged in to reply to this topic.