Looking for a way to inventory all SSL certificates

Comments

13 comments

  • Avi Solomon

    Am I allowed to comment on my own posts? ha. I found a way to do it in Powershell, so I ran the following:

    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match '\*\.{my_domain}\.com'}

    That found all the wildcard certs on a server. I then ran that against all servers and looked at the results. It worked great....BUT.... I would like to be able to query using Powershell and bring back the results into the PDQ Database so I can report on the results, rather than run a tool in real-time. Any ideas? Any plans for allowing me to run a powershell query and bring the results back into a "Powershell results" tab so I can query for it? Thanks

  • Colby Bouma

    Any plans for allowing me to run a powershell query and bring the results back into a "Powershell results" tab so I can query for it?

    Yes! We are working on a PowerShell scanner that will do exactly this. I don't have an ETA on when it will be available, but I'm hopeful that it will be sometime this year.

  • Kenneth Brakefield

    Colby - I hate to bump an old thread, but is this feature closer to having an ETA?  This would be a great addition to the product!

  • Colby Bouma

    Sorry, no ETA. We're working on it, but it's difficult to say at this point when it will be ready.

  • Chad Eldridge

    We would also very much like this functionality.  I have not found any way to pull a certificate list through WMI and I can get it very easily through PS.

  • Dennis Rogers

    Here is a nice way to keep track of all your domain certs and the expiration.

    Get-ChildItem Cert:\ -Recurse | Where-Object {$_.Subject -Match '.youdomain.com'}|Select-Object Subject, NotAfter

     

  • Russell McIntire

    I know this is an old post, but is there a scanner for this yet?

  • Mike Kercher

    I just had to go through this.  I created a Powershell scanner:

    This one was specific for my domain, but could be easily modified

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -Match ".mydomain.com"}|Select-Object Subject, Thumbprint, Issuer, NotBefore, NotAfter

    Something like this should get you all the certs for a machine

    Get-ChildItem Cert:\LocalMachine\My |Select-Object Subject, Thumbprint, Issuer, NotBefore, NotAfter

    Then I could build dynamic collections based on thumbprint, etc.

     

  • Avi Solomon

    Russell McIntire I have this working with Powershell and it brings back the info to PDQ. I use the Powershell scanner and the following code:

    Get-ChildItem Cert:\ -Recurse | Where-Object {$_.Subject -Match 'yourdomain.com'}|Select-Object Subject, Issuer, NotBefore, NotAfter

    Change "yourdomain.com" to your domain.

    This brings back all the certs into PDQ and then you can build reports based on things like names, start date, end date, cert issuer, etc.

    I have scheduled reports that let my team know, quarterly, when certs are coming due.

     

  • Russell McIntire

    Thank you Avi-Solomon and Mike Kercher. This is just what I needed.

  • Carl

    This is working well.

     

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -Match ".mydomain.com"}|Select-Object Subject, Thumbprint, Issuer, NotBefore, NotAfter

     

    How can I get a report now? I can't find a way to build a report from the output log.

  • Mike Kercher

    You can build collections based on the PS Scanner results and then generate reports on those collections.

  • Carl

    Thanks, found it!

    0
    Comment actions Permalink
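
The scanner one-liners in this thread match only on Subject and return raw dates. As an added example (not code from any poster or from PDQ), the script below also matches SAN DNS names and emits a days-remaining and status column for expiry reports. The `$DomainSuffix` placeholder, the 90-day window, and the `Store`, `DaysLeft`, `Status` and `Wildcard` column names are assumptions.

```powershell
# Added example: certificate inventory that emits one object per certificate.
# Assumed values: the domain placeholder, the 90-day warning window and the
# extra column names (Store, DaysLeft, Status, Wildcard) are illustrative.
$StorePath    = 'Cert:\LocalMachine'   # use 'Cert:\' to include CurrentUser stores
$DomainSuffix = 'yourdomain.com'       # placeholder, change to your domain
$WarnDays     = 90

$now     = Get-Date
# Escape the suffix so the dots are literal and not "any character" in -match
$pattern = [regex]::Escape($DomainSuffix)

Get-ChildItem -Path $StorePath -Recurse |
    # -Recurse also returns store containers; keep only certificate objects
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object {
        # DnsNameList is added by the certificate provider and holds the SAN
        # DNS names, so certificates with a SAN-only name are not missed
        ($_.Subject -match $pattern) -or ($_.DnsNameList.Unicode -match $pattern)
    } |
    ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            # e.g. LocalMachine\My; the same certificate can sit in several stores
            Store         = ($_.PSParentPath -split '::')[-1]
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            Issuer        = $_.Issuer
            NotBefore     = $_.NotBefore
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            Status        = if ($daysLeft -lt 0) { 'Expired' }
                            elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                            else { 'OK' }
            # True when the subject CN or any SAN entry starts with "*."
            Wildcard      = [bool](($_.Subject -match 'CN=\*\.') -or
                                   ($_.DnsNameList.Unicode -match '^\*\.'))
            # A private key on the host means this machine can serve the cert
            HasPrivateKey = $_.HasPrivateKey
        }
    }
```

`DaysLeft` is computed at scan time, so it is only as fresh as the last scan; filter on `NotAfter` when the report has to be exact.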
