#region just examples and placeholders for debug
#storeName: fullpath or just name. E.g.: "My" / c:\SOMEHWRE\store.bin / "WinNTServiceName\MY" etc...
#storeProvider: System (a summary map) / SystemRegistry (really is in registry) / File / LDAP
#storeType: LocalMachine / CurrentUser / Services / Users
#region variables and constants
# get script name
# SCOM agent calls them dynamically, assigning random names
#$scriptName = $MyInvocation.MyCommand.Name
$scriptName = "Certificate_Verify_Script_V4.ps1"
#parameter from string (override param from SCOM) to boolean
if ($debugParam -eq 'true') { $debugScript = $true}
else {$debugScript = $false}
# check if running in native PoSh ConsoleHost
if ($Host.Name -imatch '^ConsoleHost$') {$psHostConsole = $true}
else {$psHostConsole = $false}
#see on input parameters - default to LocalSystem store My (personal computer store), SystemRegistry provider (registry) and LocalSystem storetype
if ($storeName -eq "") { $storeName = "My"}
# system reflect a map (includes Third-Party, Group, Enterprise etc.)
if ($storeProvider -eq "System") { $storeProv = $CERT_STORE_PROV_SYSTEM}
# systemregistry only returns the certificates physically present in the local registry
elseif ($storeProvider -eq "SystemRegistry") { $storeProv = $CERT_STORE_PROV_SYSTEM_REGISTRY}
elseif ($storeProvider -eq "File") { $storeProv = $CERT_STORE_PROV_FILE}
elseif ($storeProvider -eq "LDAP") { $storeProv = $CERT_STORE_PROV_LDAP}
else {$storeProv = $CERT_STORE_PROV_SYSTEM_REGISTRY}
if ($storeType -eq "LocalSystem") { $storeTp = $CERT_SYSTEM_STORE_LOCAL_MACHINE}
elseif ($storeType -eq "CurrentUser") { $storeTp = $CERT_SYSTEM_STORE_CURRENT_USER}
elseif ($storeType -eq "Services") { $storeTp = $CERT_SYSTEM_STORE_SERVICES}
elseif ($storeType -eq "Users") { $storeTp = $CERT_SYSTEM_STORE_USERS}
else { $storeTp = $CERT_SYSTEM_STORE_LOCAL_MACHINE}
#set open_existing and readonly
$storeTp = $storeTp + $CERT_STORE_OPEN_EXISTING_FLAG + $CERT_STORE_READONLY_FLAG
#PoSh 2.0 was shipped with 2008R2/Win7. In order to have as little dependency on later updates
# as possible this script only uses 2.0 cmdlets
$minimalPSVersion = "2.0"
$CERTVALID = "IsVerified"
$CERTTIMEVALID = "IsTimeValid"
#region C# Signature
# C# module imports and types where-type variable
# as CRLs are not implemented in System.Security.Cryptography.X509Certificates
$x509HelperSignature = @"
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace System
{
namespace Security
{
namespace Cryptography
{
namespace X509Certificates
{
public class X509CRL2
{
public int Version;
public string Type;
public X500DistinguishedName IssuerDN;
public string Issuer;
public DateTime ThisUpdate;
public DateTime NextUpdate;
public Oid SignatureAlgorithm;
public X509ExtensionCollection Extensions;
// no need to know every single entry
// public X509CRLEntry[] RevokedCertificates;
public uint RevokedCertificateCount;
//public byte[] RawData;
}
//no need for CRL entries at the moment
//public class X509CRLEntry
//{
// public string SerialNumber;
// public DateTime RevocationDate;
// public int ReasonCode;
// public string ReasonMessage;
//}
public class Helpers {
[DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int CertCreateCRLContext(
int dwCertEncodingType,
IntPtr pbCrlEncoded,
int cbCrlEncoded
);
[DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int CertNameToStr(
int dwCertEncodingType,
ref CRYPTOAPI_BLOB pName,
int dwStrType,
System.Text.StringBuilder psz,
int csz
);
[DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern IntPtr CertFindExtension(
[MarshalAs(UnmanagedType.LPStr)]String pszObjId,
int cExtensions,
IntPtr rgExtensions
);
[DllImport("crypt32.dll", EntryPoint="CertOpenStore", CharSet=CharSet.Auto, SetLastError=true)]
public static extern IntPtr CertOpenStoreStringPara(
int storeProvider,
int encodingType,
IntPtr hcryptProv,
int flags,
String pvPara);
[DllImport("crypt32.dll", EntryPoint="CertCloseStore", CharSet=CharSet.Auto, SetLastError=true)]
[return : MarshalAs(UnmanagedType.Bool)]
public static extern bool CertCloseStore(
IntPtr storeProvider,
int flags);
}
[StructLayout(LayoutKind.Sequential)]
public struct CRL_CONTEXT
{
public int dwCertEncodingType;
// TODO: This should be marshalled right, as BYTE[]
// [MarshalAs(UnmanagedType.LPArray, SizeParamIndex=2)]
public IntPtr pbCrlEncoded;
public uint cbCrlEncoded;
// TODO: You can marshal this as CRL_INFO directly
public IntPtr pCrlInfo;
public IntPtr hCertStore;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRL_INFO
{
public int dwVersion;
public CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
public CRYPTOAPI_BLOB Issuer;
public Int64 ThisUpdate;
public Int64 NextUpdate;
public int cCRLEntry;
// TODO: This should be marshalled right, as CRL_ENTRY[] ??
public IntPtr rgCRLEntry;
public int cExtension;
public IntPtr rgExtension;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRYPT_ALGORITHM_IDENTIFIER
{
[MarshalAs(UnmanagedType.LPStr)]public String pszObjId;
public CRYPTOAPI_BLOB Parameters;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRYPTOAPI_BLOB
{
public int cbData;
public IntPtr pbData;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRL_ENTRY
{
public CRYPTOAPI_BLOB SerialNumber;
public Int64 RevocationDate;
public int cExtension;
public IntPtr rgExtension;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CERT_EXTENSION
{
[MarshalAs(UnmanagedType.LPStr)]public String pszObjId;
public Boolean fCritical;
public CRYPTOAPI_BLOB Value;
}
}
}
}
}
"@
#endregion
# Get access to the scripting API
$scomAPI = new-object -comObject "MOM.ScriptAPI"
# check if Powershell >= 2.0 is running
if( ($PSVersionTable.PSCompatibleVersions) -contains $minimalPSVersion)
{
Write-Host Powershell installed: ( $PSVersionTable.PSVersion.ToString() )
Write-Host It is compatible with version $minimalPSVersion required by this script
}
else
{
Write-Host Powershell installed: $PSVersionTable.PSVersion.ToString() `t`t`t`t`t`t`t`t -BackgroundColor red
Write-Host `tIt is not compatible with version $minimalPSVersion required by this script `t -BackgroundColor red
exit
}
function main
{
# loading crypt32.dll type to [System.Security.Cryptography.X509Certificates.Helpers]
try
{Add-Type $x509HelperSignature}
catch
{
#throw "Unable to load and extend System.Security.Cryptography.X509Certificates namespace with X509CRL2 and X509CRL2Entry."
$scomAPI.LogScriptEvent($scriptName, 119, 2, "Unable to load and extend System.Security.Cryptography.X509Certificates namespace with X509CRL2. Retrying on the next script run.")
exit
}
#ready to rumble
#get certificate store
$certStorePt = [System.Security.Cryptography.X509Certificates.Helpers]::CertOpenStoreStringPara($storeProv, 0, 0, $storeTp, $storeName)
if ($certStorePt -ne 0)
{
# first see about certificates
#take it from store pointer to full .NET as certificates are exposed there and easier to handle.
# this works perfectly for File, LDAP or WinNT service stores.
$certStore = [System.Security.Cryptography.X509Certificates.X509Store]$certStorePt
$certificateObjects += @(Get-CertificateProperties -store $certStore -revocationFlag $revocationFlag -revocationMode $revocationMode -verificationFlags $verificationFlags -subjectInclude $subjectIncludeRegEx -issuerInclude $issuerIncludeRegEx -subjectExclude $subjectExcludeRegEx -issuerExclude $issuerExcludeRegEx -enhKeyUseExclude $enhKeyUseExcludeRegEx)
if ($certificateObjects.Count -gt 0) {Write-CertificatePropertyBags -certificateObjects $certificateObjects}
# now proceed with CRLs - this requires crypt32.dll P/Invoke
$crlPt = [System.Security.Cryptography.X509Certificates.Helpers]::CertEnumCRLsInStore($certStorePt, 0)
While ($crlPt -ne 0) {
$crlObjects += @(Get-X509CRL2 -context $crlPt)
$crlPt = [System.Security.Cryptography.X509Certificates.Helpers]::CertEnumCRLsInStore($certStorePt, $crlPt)
}
if ($crlObjects.Count -gt 0) { Write-CRLPropertyBags -crlObjects $crlObjects -issuerInclude $issuerIncludeRegEx -issuerExclude $issuerExcludeRegEx }
# close store
$closeStore = [System.Security.Cryptography.X509Certificates.Helpers]::CertCloseStore($certStorePt, 0)
}
else
{
$scomAPI.LogScriptEvent($scriptName, 113, 2, ("Failed to open certificate store.`n`nstoreName: {0}`nstoreProvider: {1}`nstoreType: {2}" -f $storeName,$storeProvider,$storeType))
}
#return an empty bag if no objects were found
if (($certificateObjects.Count -lt 1) -and ($crlObjects.count -lt 1))
{
$objVoidBag = $scomAPI.CreatePropertyBag()
#when running outside native SCOM host, use AddItem as in legacy days to have console output
if ($psHostConsole -eq $true) { $scomAPI.AddItem($objVoidBag) }
else { $objVoidBag }
}
#when running from command line forcing the return (legacy)
if ($psHostConsole -eq $true) { $scomAPI.ReturnItems() }
#write summary event
$scomAPI.LogScriptEvent($scriptName, 112, 4, ("Script enumerated certificates and CLRs from store '{0}\{1}\{2}'`n`nN° of certs: {3}`nN° of CRLs: {4}`n`nThe property bags of this script are being consumed by discovery as well as monitoring workflows.`n`nFilters applied:`nsubject match {5} and notmatch {6}`nissuer match {7} and notmatch {8}`nenhanced key usage OIDs notmatch {9}"-f $storeType,$storeProvider,$storeName,[int]($certificateObjects.Count),[int]($crlObjects.Count),[string]$subjectIncludeRegEx, [string]$subjectExcludeRegEx, [string]$issuerIncludeRegEx, [string]$issuerExcludeRegEx, [string]$enhKeyUseExcludeRegEx))
}
function Validate-X509Certificate2
# using pure .NET for certificate validation
{
param($X509Certificate2, $X509RevocationFlag, $X509RevocationMode, $X509VerificationFlags)
# EndCertificateOnly: Only the end certificate is checked for revocation.
# EntireChain: The entire chain of certificates is checked for revocation.
# ExcludeRoot: The entire chain, except the root certificate, is checked for revocation.
$X509Chain.ChainPolicy.RevocationFlag = $X509RevocationFlag
# NoCheck: No revocation check is performed on the certificate.
# Offline: A revocation check is made using a cached certificate revocation list (CRL).
# Online: A revocation check is made using an online certificate revocation list (CRL).
$X509Chain.ChainPolicy.RevocationMode = $X509RevocationMode
# AllFlags: All flags pertaining to verification are included.
# AllowUnknownCertificateAuthority: Ignore that the chain cannot be verified due to an unknown certificate authority (CA).
# IgnoreCertificateAuthorityRevocationUnknown: Ignore that the certificate authority revocation is unknown when determining certificate verification.
# IgnoreCtlNotTimeValid: Ignore that the certificate trust list (CTL) is not valid, for reasons such as the CTL has expired, when determining certificate verification.
# IgnoreCtlSignerRevocationUnknown: Ignore that the certificate trust list (CTL) signer revocation is unknown when determining certificate verification.
# IgnoreEndRevocationUnknown: Ignore that the end certificate (the user certificate) revocation is unknown when determining certificate verification.
# IgnoreInvalidBasicConstraints: Ignore that the basic constraints are not valid when determining certificate verification.
# IgnoreInvalidName: Ignore that the certificate has an invalid name when determining certificate verification.
# IgnoreInvalidPolicy: Ignore that the certificate has invalid policy when determining certificate verification.
# IgnoreNotTimeNested: Ignore that the CA (certificate authority) certificate and the issued certificate have validity periods that are not nested when verifying the certificate. For example, the CA cert can be valid from January 1 to December 1 and the issued certificate from January 2 to December 2, which would mean the validity periods are not nested.
# IgnoreNotTimeValid: Ignore certificates in the chain that are not valid either because they have expired or they are not yet in effect when determining certificate validity.
# IgnoreRootRevocationUnknown: Ignore that the root revocation is unknown when determining certificate verification.
# IgnoreWrongUsage: Ignore that the certificate was not issued for the current use when determining certificate verification.
# NoFlag: No flags pertaining to verification are included.
$X509Chain.ChainPolicy.VerificationFlags = $X509VerificationFlags
#Builds an X.509 chain using the policy specified
# true if the X.509 certificate is valid; otherwise, false
if ($X509Chain.Build($X509Certificate2))
{
#Write-Host -BackgroundColor Green Certificate $_.Subject is valid
$valid = $true
$statusSummary = $null
}
else
{
#Write-Host -BackgroundColor Red Certificate $_.Subject is invalid
$valid = $false
$statusSummary = $X509Chain.ChainStatus | %{($_.Status.ToString() + ": " + $_.StatusInformation.trim())}
}
function Get-CertificateProperties
# call validate and aggregate certificate information with CA version
{
param ($store,
$revocationFlag = "EntireChain",
$revocationMode = "Online",
$verificationFlags = "NoFlag",
$subjectInclude = "^.*$",
$issuerInclude = "^.*$",
$subjectExclude = "^$",
$issuerExclude = "^$",
$enhKeyUseExclude = "^$")
$certificateList = $null
$certificateList = @()
#get and validate all certificates found in the store - except archived ones,
# certs that match the subject and issuer filters
# and certificates to be excluded via Enhanced Key Usage (2.5.29.37)
$store.Certificates | where {$_.Archived -eq $false} | % { `
$certExluded = $false
#seen certificates with an empty subject. Use 1st SAN line for those
if ($_.Subject.length -eq 0) {
if ($_.Extensions | where { $_.OID.Value -eq "2.5.29.17"}) {
$_.Extensions | where { $_.OID.Value -eq "2.5.29.17"} | % {
$subjectChecked = (($_.Format($true)).Split("`n")[0]).Trim()
}
}
else { $subjectChecked = "" }
}
else { $subjectChecked = $_.Subject }
if (($subjectChecked -inotmatch $subjectInclude) -or ($subjectChecked -imatch $subjectExclude)) { $certExluded = $true }
if (($_.Issuer -inotmatch $issuerInclude) -or ($_.Issuer -imatch $issuerExclude)) { $certExluded = $true }
if ($_.Extensions | where { $_.OID.Value -eq "2.5.29.37"})
{
$_.Extensions | where { $_.OID.Value -eq "2.5.29.37"} | % {
if ($_.EnhancedKeyUsages | where { $_.Value -match $enhKeyUseExclude}) { $certExluded = $true }
}
}
if ($certExluded -eq $false)
{
# get service properties from various sources
$caVersionByte = 0
$certificateObj = New-Object psobject
$certificateObj | Add-Member -MemberType NoteProperty -Name certSubjectChk -Value $subjectChecked
$certificateObj | Add-Member -MemberType NoteProperty -Name cert -Value $_
# checking "EntireChain", "Online" and not using any tolerate flags "NoFlag"
# that's as picky as one can get
$validCert = Validate-X509Certificate2 -X509Certificate2 $_ -X509RevocationFlag $X509RevocationFlag -X509RevocationMode $X509RevocationMode -X509VerificationFlags $X509VerificationFlags
# check if the szOID_CERTSRV_CA_VERSION - 1.3.6.1.4.1.311.21.1 extension is used
# and learn the CA version
# CA certificates will return either version number (e.g. 2.0) or "n/a" if
# no version number extension was found
# normal certs will have an empty string ""
if ($_.Extensions | where { $_.OID.Value -eq "2.5.29.19"})
{
if ($_.Extensions | where { $_.OID.Value -eq "1.3.6.1.4.1.311.21.1"})
{
# ASN.1 decoded format of CAVersion will return V1.0 or similar
$caVersion = [double]((($_.Extensions | where { $_.OID.Value -eq "1.3.6.1.4.1.311.21.1"}).Format($false)).Replace('V',''))
}
else {$caVersion = "n/a"}
}
else {$caVersion = ""}
#add SANs if present
if ($_.Extensions | where { $_.OID.Value -eq "2.5.29.17"}) {
$_.Extensions | where { $_.OID.Value -eq "2.5.29.17"} | % {
$certificateObj | Add-Member -MemberType NoteProperty -Name certSAN -Value ($_.Format($false))
}
}
else { $certificateObj | Add-Member -MemberType NoteProperty -Name certSAN -Value "" }
$objCertBag.AddValue("CertDaysStillValid", [long]($_.cert.NotAfter - (Get-Date)).Days)
#descriptive string used in expiry alert descriptions
if (((($_.cert.NotAfter - (Get-Date)).TotalDays) -ge 0) -and ((($_.cert.NotBefore - (Get-Date)).TotalDays) -lt 0)) {$lifetimeMessage = " expires in " + [string]($_.cert.NotAfter - (Get-Date)).Days + " days on " + [string]$_.cert.NotAfter.ToUniversalTime() + " UTC"}
if ((($_.cert.NotAfter - (Get-Date)).TotalDays) -lt 0) {$lifetimeMessage = " has expired on " + [string]$_.cert.NotAfter.ToUniversalTime() + " UTC"}
if ((($_.cert.NotBefore - (Get-Date)).TotalDays) -ge 0) {$lifetimeMessage = " is not valid until on or after " + [string]$_.cert.NotBefore.ToUniversalTime() + " UTC"}
#check a rare case when not the certificate but the chain's lifetime has expired or it isn't nested
if($_.certValidationString -match "CtlNotTimeValid:"){$lifetimeMessage = "'s chain is not in a valid time range. Check if intermediate or root certificates have to be renewed."}
if($_.certValidationString -match "NotTimeNested:"){$lifetimeMessage = " and the CA (certificate authority) certificate have validity periods that are not nested. For example, the CA cert can be valid from January 1 to December 1 and the issued certificate from January 2 to December 2, which would mean the validity periods are not nested."}
$objCertBag.AddValue("CertLifeTimeMessage", $lifetimeMessage)
#static flag set to true if the certificate expires in less than a month.
if ((($_.cert.NotAfter - (Get-Date)).Days -le 31) -and (($_.cert.NotAfter - (Get-Date)).Days -gt 0)) {$objCertBag.AddValue("CertExpiresWithin31Days", "true")}
else {$objCertBag.AddValue("CertExpiresWithin31Days", "false")}
#descriptive string informing why the validation failed
# filter 'NotTimeValid:' as this is being taken care of by the time properties
#despite setting the revocation flags, chain build still seems to return "RevocationStatusUnknown" and "OfflineRevocation"
# treat these as valid
#filtering status 'UntrustedRoot' as an option for self-signed certificates in personal stores
# caveat: it would still show as an error in certmgr GUI...
$validationStatusMatch = '^(NotTimeValid:|CtlNotTimeValid:|NotTimeNested:|RevocationStatusUnknown:|OfflineRevocation:)'
$validationStatusMatchIgnoreUntrustedRoot = '^(NotTimeValid:|CtlNotTimeValid:|NotTimeNested:|RevocationStatusUnknown:|OfflineRevocation:|UntrustedRoot:)'
$validationTimeStatusMatch = '^(NotTimeValid:|CtlNotTimeValid:|NotTimeNested:)'
if ($_.certValidationString -ne $null)
{
$certStatusString = [string]($_.certValidationString | where {$_ -notmatch $validationStatusMatch}| % {(($_).trim() + " ### ")})
$certStatusIgnoreUntrustedRootString = [string]($_.certValidationString | where {$_ -notmatch $validationStatusMatchIgnoreUntrustedRoot}| % {(($_).trim() + " ### ")})
$certTimeStatusString = [string]($_.certValidationString | where {$_ -match $validationTimeStatusMatch}| % {(($_).trim() + " ### ")})
}
#set valid strings respectively clean ending separator
if (($certStatusString -eq $null) -or ($certStatusString -eq '')) {$certStatusString = $CERTVALID}
else {$certStatusString = ($certStatusString.Substring(0,$certStatusString.length - 5)).trim()}
if (($certStatusIgnoreUntrustedRootString -eq $null) -or ($certStatusIgnoreUntrustedRootString -eq '')) {$certStatusIgnoreUntrustedRootString = $CERTVALID}
else {$certStatusIgnoreUntrustedRootString = ($certStatusIgnoreUntrustedRootString.Substring(0,$certStatusIgnoreUntrustedRootString.length - 5)).trim()}
if (($certTimeStatusString -eq $null) -or ($certTimeStatusString -eq '')) {$certTimeStatusString = $CERTTIMEVALID}
else {$certTimeStatusString = ($certTimeStatusString.Substring(0,$certTimeStatusString.length - 5)).trim()}
# szOID_CERTSRV_CA_VERSION - 1.3.6.1.4.1.311.21.1
# flag all but the most recent CA certificate as replaced
if (($_.certCAVersion -ne 'n/a') -and ($_.certCAVersion -ge 0))
{
#if superseded then flag
if ($_.certCAVersion -ne ($versionedCACertHigh.get_Item($_.cert.Issuer)))
{
# set version string so that discovery can filter
$certCAVersionString = ([string]$_.certCAVersion + " (superseded)")
}
else {$certCAVersionString = ([string]$_.certCAVersion + " (current)")}
}
else {$certCAVersionString = ([string]$_.certCAVersion) }
$objCertBag.AddValue("CAVersion", $certCAVersionString)
#when running outside native SCOM host, use AddItem as in legacy days to have console output
if ($psHostConsole -eq $true) { $scomAPI.AddItem($objCertBag)}
else { $objCertBag }
}
}
function Write-CRLPropertyBags
{
#only return the latest CRL(s) with the highest caVersion extension
param ($crlObjects, [string]$issuerInclude = "^.*$", [string]$issuerExclude = "^$")
#get additional properties from extensions - especially CA Version
$versionedCRLHigh = @{}
$crlList = $null
$crlList = @()
$crlObjects | % { `
#skip CRLs that match the issuer filter
if (($_.Issuer -imatch $issuerInclude) -and ($_.Issuer -inotmatch $issuerExclude))
{
# check if the szOID_CERTSRV_CA_VERSION - 1.3.6.1.4.1.311.21.1 extension is used
# and learn the CA version
if ($_.Extensions | where { $_.OID.Value -eq "1.3.6.1.4.1.311.21.1"})
{
# ASN.1 decoded format of CAVersion will return V1.0 or similar
$caVersion = [double]((($_.Extensions | where { $_.OID.Value -eq "1.3.6.1.4.1.311.21.1"}).Format($false)).Replace('V',''))
}
else {$caVersion = "n/a"}
# Authority Key Identier
if ($_.Extensions | where { $_.OID.Value -eq "2.5.29.35"})
{
# ASN.1 decoded format of Authority Key Identifier
$authKeyId = (($_.Extensions | where { $_.OID.Value -eq "2.5.29.35"}).Format($false)).Replace('KeyID=','')
}
else {$authKeyId = ""}
# CRL Number
if ($_.Extensions | where { $_.OID.Value -eq "2.5.29.20"})
{
# ASN.1 decoded format of Authority Key Identifier
$crlNumber = ($_.Extensions | where { $_.OID.Value -eq "2.5.29.20"}).Format($false)
}
else {$crlNumber = ""}
#evaluate the highest CAVersion number
if (($caVersion -ne 'n/a') -and ($caVersion -ge 0))
{
#add instance issues to hash
if (!$versionedCRLHigh.ContainsKey($_.Issuer)) {$versionedCRLHigh.Add($_.Issuer, $caVersion)}
else
{
if (($versionedCRLHigh.get_Item($_.Issuer)) -lt $caVersion) { $versionedCRLHigh.set_Item($_.Issuer, $caVersion) }
}
}
##skip all but the most recent caVersion CRL
if (($_.caVersion -eq 'n/a') -or ($_.caVersion -eq ($versionedCRLHigh.get_Item($_.crl.Issuer))))
{
#build a SCOM property bag
$objCRLBag = $scomAPI.CreatePropertyBag()
$objCRLBag.AddValue("InstanceType", "CRL")
$objCRLBag.AddValue("CRLVersion", [string]$_.crl.Version)
$objCRLBag.AddValue("CRLSigAlg", [string]$_.crl.SignatureAlgorithm.FriendlyName)
$objCRLBag.AddValue("CRLIssuedBy", [string]$_.crl.Issuer)
$objCRLBag.AddValue("CRLThisUpdate", [string]$_.crl.ThisUpdate.ToUniversalTime())
$objCRLBag.AddValue("CRLNextUpdate", [string]$_.crl.NextUpdate.ToUniversalTime())
$objCRLBag.AddValue("CRLEntries", [int64]$_.crl.RevokedCertificateCount)
#CERT_SHA1_HASH_PROP_ID is not exposed, hence build a key using various properties instead
# as this is used only to provide SCOM object key that's fine
$objCRLBag.AddValue("CRLHash", [string](Get-SHA1Hash -inputString ($_.crl.Issuer + $_.authKeyId)))
#properties from extensions
$objCRLBag.AddValue("CRLCAVersion", [string]$_.caVersion)
$objCRLBag.AddValue("CRLAuthKeyId", [string]$_.authKeyId)
$objCRLBag.AddValue("CRLNumber", [string]$_.crlNumber)
#when running outside native SCOM host, use AddItem as in legacy days to have console output
if ($psHostConsole -eq $true) { $scomAPI.AddItem($objCRLBag) }
else { $objCRLBag }
}
}
}
# enumerating CRLs using P/Invoke on crypt32.dll
function Get-X509CRL2
{
Param ([IntPtr]$context)
# This function and the here-string $x509CRL2Namespace are based on a script by
# Vadims Podāns - [email protected]
# http://www.sysadmins.lv/CategoryView,category,PowerShell,6.aspx
Home
Show References: