How to scan Certificates from ADFS with pdq?

Hello,

I know this is a bit of a wild question, but how would one use this for ADFS Certificates? Cause they are not stored in the regular Local Machine or Current User.

My goal is to get the expiration date and the effective date to build an inventory group that lists token signed and token encrypted ADFS Certificates that will expire soon and at best notify us.

You can use the PS command to get it manually, but how would I be able to rewrite the script below to also account for our ADFS Server?

Get-AdfsCertificate -CertificateType token-signing

Get-AdfsCertificate -CertificateType token-decrypting

[CmdletBinding()]
param (
    [ValidateSet('Archived', 'DnsNameList', 'EnhancedKeyUsageList', 'EnrollmentPolicyEndPoint',
        'EnrollmentServerEndPoint', 'Extensions', 'FriendlyName', 'Handle', 'HasPrivateKey', 'Issuer', 'IssuerName',
        'NotAfter', 'NotBefore', 'PolicyId', 'PrivateKey', 'PSChildName', 'PSDrive', 'PSIsContainer', 'PSParentPath',
        'PSPath', 'PSProvider', 'PublicKey', 'RawData', 'SendAsTrustedIssuer', 'SerialNumber', 'SignatureAlgorithm',
        'Subject', 'SubjectName', 'Thumbprint', 'Version', '*')]
    [String[]]$Property = [String[]]('FriendlyName', 'NotBefore', 'NotAfter', 'IssuerName', 'Issuer', 'Thumbprint', 'SerialNumber', 'Subject', 'PSParentPath'),

    [ValidateSet('CurrentUser', 'LocalMachine', 'AD FS')]
    [String[]]$StoreLocation = @('CurrentUser', 'LocalMachine', 'AD FS'),

    [String[]]$StoreName
)

$CertType = [System.Security.Cryptography.X509Certificates.X509Certificate2]

# Replace PSPath and PSParentPath with expressions that will trim their output.
$Properties = @()
foreach ( $PropertyIterator in $Property ) {

    if ( $PropertyIterator -eq 'PSPath' ) {

        $Properties += @{Label = 'PSPath'; Expression = { ($_.PSPath -split ':')[-1] } }

    } elseif ($PropertyIterator -eq 'PSParentPath') {
        
        $Properties += @{Label = 'PSParentPath'; Expression = { ($_.PSParentPath -split ':')[-1] } }
    
    } else {

        # Any other property name is passed through to Select-Object unchanged.
        $Properties += $PropertyIterator

    }

}

foreach ( $StoreLocationIterator in $StoreLocation ) {

    if ( $StoreName ) {

        foreach ( $StoreNameIterator in $StoreName ) {

            $Param = @{
                'Path'        = "Cert:\$StoreLocationIterator\$StoreNameIterator"
                'ErrorAction' = 'SilentlyContinue'
            }
            Get-ChildItem @Param | Where-Object { $_ -is $CertType } | Select-Object $Properties

        }

    } else {

        $Param = @{
            'Path'        = "Cert:\$StoreLocationIterator"
            'ErrorAction' = 'SilentlyContinue'
            'Recurse'     = $true
        }
        Get-ChildItem @Param | Where-Object { $_ -is $CertType } | Select-Object $Properties

    }

}
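Since Get-AdfsCertificate already knows where AD FS keeps its certificates, one way to cover the AD FS server is a separate function that queries it directly and emits the same expiry fields the script above selects, plus a days-until-expiry flag for the inventory group. This is an added example, not code from the original post; the function name and the -WarnDays threshold are assumptions, and it needs the ADFS module, so it runs on the AD FS server itself.

```powershell
# Added example (not part of the original post): queries AD FS directly via
# Get-AdfsCertificate and returns one row per certificate with the expiry
# data the inventory group needs. Function name and -WarnDays are assumptions.
function Get-AdfsCertificateExpiry {
    [CmdletBinding()]
    param (
        [ValidateSet('Token-Signing', 'Token-Decrypting', 'Service-Communications')]
        [String[]]$CertificateType = @('Token-Signing', 'Token-Decrypting'),

        # Certificates with fewer days than this left are flagged ExpiringSoon.
        [ValidateRange(1, 3650)]
        [Int]$WarnDays = 30
    )

    $now = Get-Date
    foreach ($type in $CertificateType) {
        # Get-AdfsCertificate resolves the certificates through the AD FS
        # configuration, so it finds them even when they live in the AD FS
        # service account's personal store rather than under Cert:\LocalMachine.
        Get-AdfsCertificate -CertificateType $type -ErrorAction Stop | ForEach-Object {
            $cert = $_.Certificate
            $daysLeft = ($cert.NotAfter - $now).TotalDays
            [PSCustomObject]@{
                CertificateType = $_.CertificateType
                IsPrimary       = $_.IsPrimary
                Subject         = $cert.Subject
                Thumbprint      = $cert.Thumbprint
                NotBefore       = $cert.NotBefore
                NotAfter        = $cert.NotAfter
                DaysUntilExpiry = [Math]::Floor($daysLeft)
                ExpiringSoon    = $daysLeft -lt $WarnDays
                StoreLocation   = $_.StoreLocation
                StoreName       = $_.StoreName
            }
        }
    }
}

# Usage: list certificates expiring within 60 days, most urgent first.
Get-AdfsCertificateExpiry -WarnDays 60 |
    Where-Object ExpiringSoon |
    Sort-Object DaysUntilExpiry |
    Format-Table CertificateType, IsPrimary, Subject, NotAfter, DaysUntilExpiry -AutoSize
```

Because the output objects carry the same NotBefore/NotAfter/Thumbprint/Subject fields as the Cert: scan, both result sets can be concatenated into one report before being fed to the inventory.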