
How to scan Certificates from ADFS with pdq?

Hello,

I know this is a bit of a wild question, but how would one use this for ADFS Certificates? Cause they are not stored in the regular Local Machine or Current User.

My goal is to get the expiration date and the effective date to build an inventory group that lists token signed and token encrypted ADFS Certificates that will expire soon and at best notify us.

You can use the PS command to get it manually, but how would I be able to rewrite the script from below to be able to also account for our ADFS Server?

Get-AdfsCertificate -CertificateType token-signing

Get-AdfsCertificate -CertificateType token-decrypting

[CmdletBinding()]
param (
    [ValidateSet('Archived', 'DnsNameList', 'EnhancedKeyUsageList', 'EnrollmentPolicyEndPoint',
        'EnrollmentServerEndPoint', 'Extensions', 'FriendlyName', 'Handle', 'HasPrivateKey', 'Issuer', 'IssuerName',
        'NotAfter', 'NotBefore', 'PolicyId', 'PrivateKey', 'PSChildName', 'PSDrive', 'PSIsContainer', 'PSParentPath',
        'PSPath', 'PSProvider', 'PublicKey', 'RawData', 'SendAsTrustedIssuer', 'SerialNumber', 'SignatureAlgorithm',
        'Subject', 'SubjectName', 'Thumbprint', 'Version', '*')]
    [String[]]$Property = [String[]]('FriendlyName', 'NotBefore', 'NotAfter', 'IssuerName', 'Issuer', 'Thumbprint', 'SerialNumber', 'Subject', 'PSParentPath'),

    # Note: the Cert: drive only exposes CurrentUser and LocalMachine; 'AD FS' is not a
    # store location, so that entry returns nothing (Get-ChildItem is silenced below).
    [ValidateSet('CurrentUser', 'LocalMachine', 'AD FS')]
    [String[]]$StoreLocation = @('CurrentUser', 'LocalMachine', 'AD FS'),

    [String[]]$StoreName
)

$CertType = [System.Security.Cryptography.X509Certificates.X509Certificate2]

# Replace PSPath and PSParentPath with expressions that will trim their output.
$Properties = @()
foreach ( $PropertyIterator in $Property ) {

    if ( $PropertyIterator -eq 'PSPath' ) {

        $Properties += @{Label = 'PSPath'; Expression = { ($_.PSPath -split ':')[-1] } }

    } elseif ($PropertyIterator -eq 'PSParentPath') {

        $Properties += @{Label = 'PSParentPath'; Expression = { ($_.PSParentPath -split ':')[-1] } }

    } else {

        $Properties += $PropertyIterator

    }

}

foreach ( $StoreLocationIterator in $StoreLocation ) {

    if ( $StoreName ) {

        # Only the named stores (e.g. My, Root) under each location
        foreach ( $StoreNameIterator in $StoreName ) {

            $Param = @{
                'Path'        = "Cert:\$StoreLocationIterator\$StoreNameIterator"
                'ErrorAction' = 'SilentlyContinue'
            }
            Get-ChildItem @Param | Where-Object { $_ -is $CertType } | Select-Object $Properties

        }

    } else {

        # Every store under the location; the type filter drops the store containers themselves
        $Param = @{
            'Path'        = "Cert:\$StoreLocationIterator"
            'ErrorAction' = 'SilentlyContinue'
            'Recurse'     = $true
        }
        Get-ChildItem @Param | Where-Object { $_ -is $CertType } | Select-Object $Properties

    }

}
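One way to cover both sources in a single scan is to normalise the Cert: drive results and the Get-AdfsCertificate results into the same object shape, with the expiry arithmetic done once. The script below is an added example, not code from the original post or from PDQ; it assumes it runs on the AD FS server where the ADFS PowerShell module (and therefore Get-AdfsCertificate) is available, and falls back to scanning only the Cert: drive elsewhere. The function name, the WarnDays threshold and the output column names are this example's own choices.

```powershell
# Added example (not from the original post or PDQ): one expiry report for
# regular certificate stores and AD FS service certificates.
# Assumptions: Get-AdfsCertificate exists only on an AD FS server with the
# ADFS module; the function/parameter names below are this example's own.

function Get-CertificateExpiryReport {
    [CmdletBinding()]
    param (
        # Cert: provider locations to enumerate (AD FS certificates are added separately)
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [String[]]$StoreLocation = @('LocalMachine'),

        # Flag anything that expires within this many days
        [Int]$WarnDays = 30
    )

    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $now      = Get-Date

    # Both sources are mapped to the same columns so an inventory filter can use one set of fields
    function New-CertRecord {
        param ($Source, $CertificateType, $IsPrimary, $Cert)
        $daysRemaining = [Math]::Floor(($Cert.NotAfter - $now).TotalDays)
        [PSCustomObject]@{
            Source          = $Source
            CertificateType = $CertificateType
            IsPrimary       = $IsPrimary
            Subject         = $Cert.Subject
            Issuer          = $Cert.Issuer
            Thumbprint      = $Cert.Thumbprint
            NotBefore       = $Cert.NotBefore
            NotAfter        = $Cert.NotAfter
            DaysRemaining   = $daysRemaining
            IsEffective     = ($Cert.NotBefore -le $now)   # effective date already reached
            ExpiringSoon    = ($daysRemaining -le $WarnDays)
        }
    }

    # 1. Regular certificate stores via the Cert: drive
    foreach ($location in $StoreLocation) {
        Get-ChildItem -Path "Cert:\$location" -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is $certType } |
            ForEach-Object {
                # PSParentPath looks like 'Microsoft.PowerShell.Security\Certificate::LocalMachine\My'
                $store = ($_.PSParentPath -split '::')[-1]
                New-CertRecord -Source $store -CertificateType 'Store' -IsPrimary $null -Cert $_
            }
    }

    # 2. AD FS service certificates, only where the ADFS module is present
    if (Get-Command -Name Get-AdfsCertificate -ErrorAction SilentlyContinue) {
        # Each result carries CertificateType (Token-Signing, Token-Decrypting, ...),
        # IsPrimary, StoreLocation/StoreName and the X509Certificate2 in .Certificate
        Get-AdfsCertificate -ErrorAction Stop | ForEach-Object {
            $source = 'ADFS ({0}\{1})' -f $_.StoreLocation, $_.StoreName
            New-CertRecord -Source $source -CertificateType $_.CertificateType `
                -IsPrimary $_.IsPrimary -Cert $_.Certificate
        }
    }
}

# Usage: the full report, or only the AD FS token certificates that need attention
Get-CertificateExpiryReport -WarnDays 60 |
    Where-Object { $_.CertificateType -like 'Token-*' -and $_.ExpiringSoon } |
    Sort-Object NotAfter
```

Because the AD FS objects are keyed by CertificateType and IsPrimary, a collection or report can distinguish the primary token-signing certificate from a secondary one staged for rollover, which is the distinction that matters when deciding whether an upcoming expiry actually needs action.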