2828 Check all certificates on the local machine:
2929 PS C:\> .\Invoke-CheckSCOMCertificates.ps1 -All
3030 . NOTES
31- Update 02/2023 (Blake Drumm, https://github.com/blakedrumm/ )
31+ Update 05/2023 (Blake Drumm, https://blakedrumm.com/)
32+ Added ability to check certificates missing a common name.
33+ Update 02/2023 (Blake Drumm, https://github.com/blakedrumm/)
3234 Added the ability to check for duplicate subject common names.
3335 Update 01/2023 (Mike Kallhoff)
3436 Added the ability to output the certificate chain information.
35- Update 11/2022 (Blake Drumm, https://github.com/blakedrumm/ )
37+ Update 11/2022 (Blake Drumm, https://github.com/blakedrumm/)
3638 Script will now let you know if your registry key does not match any certificates in the local machine store.
37- Update 09/2022 (Blake Drumm, https://github.com/blakedrumm/ )
39+ Update 09/2022 (Blake Drumm, https://github.com/blakedrumm/)
3840 Fixed bug introduced in last update. Certificates are checked correctly now.
39- Update 09/2022 (Blake Drumm, https://github.com/blakedrumm/ )
41+ Update 09/2022 (Blake Drumm, https://github.com/blakedrumm/)
4042 Added ability to gather issuer. Fixed bug in output.
41- Update 03/2022 (Blake Drumm, https://github.com/blakedrumm/ )
43+ Update 03/2022 (Blake Drumm, https://github.com/blakedrumm/)
4244 Major Update / alot of changes to how this script acts remotely and locally and added remoting abilites that are much superior to previous versions
43- Update 02/2022 (Blake Drumm, https://github.com/blakedrumm/ )
45+ Update 02/2022 (Blake Drumm, https://github.com/blakedrumm/)
4446 Fix some minor bugs and do some restructuring
45- Update 01/2022 (Blake Drumm, https://github.com/blakedrumm/ )
47+ Update 01/2022 (Blake Drumm, https://github.com/blakedrumm/)
4648 The script will now allow an -SerialNumber parameter so you can only gather the certificate you are expecting.
47- Update 06/2021 (Blake Drumm, https://github.com/v-bldrum/ )
49+ Update 06/2021 (Blake Drumm, https://github.com/v-bldrum/)
4850 The Script will now by default only check every Certificate only if you have the -All Switch. Otherwise it will just check the certificate Serial Number (Reversed) that is present in the Registry.
49- Update 11/2020 (Blake Drumm, https://github.com/v-bldrum/ )
51+ Update 11/2020 (Blake Drumm, https://github.com/v-bldrum/)
5052 Shows Subject Name instead of Issuer for each Certificate Checked.
51- Update 08/2020 (Blake Drumm, https://github.com/v-bldrum/ )
53+ Update 08/2020 (Blake Drumm, https://github.com/v-bldrum/)
5254 Fixed formatting in output.
53- Update 06/2020 (Blake Drumm, https://github.com/v-bldrum/ )
55+ Update 06/2020 (Blake Drumm, https://github.com/v-bldrum/)
5456 Added ability to OutputFile script to file.
55- Update 2017.11.17 (Tyson Paul, https://blogs.msdn.microsoft.com/tysonpaul/ )
57+ Update 2017.11.17 (Tyson Paul, https://blogs.msdn.microsoft.com/tysonpaul/)
5658 Fixed certificate SerialNumber parsing error.
57- Update 7/2009
59+ Update 7/2009 (Lincoln Atkinson?, https://blogs.technet.microsoft.com/momteam/author/latkin/)
5860 Fix for workgroup machine subjectname validation
59- Update 2/2009
61+ Update 2/2009 (Lincoln Atkinson?, https://blogs.technet.microsoft.com/momteam/author/latkin/)
6062 Fixes for subjectname validation
6163 Typos
6264 Modification for CA chain validation
6365 Adds needed check for MachineKeyStore property on the private key
64- Original Publish Date 1/2009
65- (Lincoln Atkinson?, https://blogs.technet.microsoft.com/momteam/author/latkin/ )
66+ Original Publish Date 1/2009 (Lincoln Atkinson?, https://blogs.technet.microsoft.com/momteam/author/latkin/)
67+
6668#> [CmdletBinding ()]
6769[OutputType ([string ])]
6870param
@@ -291,10 +293,27 @@ $($ChainCertsOutput)
291293 }
292294 $subjectProblem = $false
293295 $fqdnRegexPattern = " CN=" + $fqdn.Replace (" ." , " \." ) + ' (,.*)?$'
294- $CheckForDuplicateSubjectCNs = ((($cert ).Subject).Split(" ," ) | % { $_.Trim () } | Where { $_ -match " CN=" }).Trim(" CN=" ) | % { $_.Split (" ." ) | Select-Object - First 1 } | Group-Object | Where-Object { $_.Count -gt 1 } | Select - ExpandProperty Name
295- if ((($cert.SubjectName.Name ).ToUpper()) -notmatch ($fqdnRegexPattern.ToUpper ()))
296+ try { $CheckForDuplicateSubjectCNs = ((($cert ).Subject).Split(" ," ) | % { $_.Trim () } | Where { $_ -match " CN=" }).Trim(" CN=" ) | % { $_.Split (" ." ) | Select-Object - First 1 } | Group-Object | Where-Object { $_.Count -gt 1 } | Select - ExpandProperty Name }
297+ catch { $CheckForDuplicateSubjectCNs = $null }
298+
299+ if (-NOT $cert.Subject )
296300 {
297- $text5 = " Certificate Subjectname Mismatch"
301+ $text5 = " Certificate Subject Common Name Missing"
302+ $out += " `n " + $text5
303+ Write-Host $text5 - BackgroundColor Red - ForegroundColor Black
304+ $text6 = @"
305+ The Subject Common Name of this certificate is not present.
306+ Actual: ""
307+ Expected (case insensitive): CN=$fqdn
308+ "@
309+ $out += " `n " + $text6
310+ Write-Host $text6
311+ $pass = $false
312+ $subjectProblem = $true
313+ }
314+ elseif ((($cert.SubjectName.Name ).ToUpper()) -notmatch ($fqdnRegexPattern.ToUpper ()))
315+ {
316+ $text5 = " Certificate Subject Common Name Mismatch"
298317 $out += " `n " + $text5
299318 Write-Host $text5 - BackgroundColor Red - ForegroundColor Black
300319 $text6 = @"
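Review bot: The new `catch { $CheckForDuplicateSubjectCNs = $null }` after the `try` turns any failure of the duplicate-CN parse into a silent pass, because the later `elseif ($CheckForDuplicateSubjectCNs)` branch is then skipped and nothing is written to `$out` or the console; for a validation script that is a fail-open path, so at minimum record it, e.g. `catch { Write-Warning "Duplicate CN check skipped: $($_.Exception.Message)"; $CheckForDuplicateSubjectCNs = $null }`. The expression inside the `try` also relies on `.Trim("CN=")`, which .NET treats as a set of characters to strip from both ends rather than a prefix, so a common name that starts or ends with C, N or = (for example `CN=NCSERVER01`) is truncated before grouping and duplicates can be missed or invented; `% { $_ -replace '^CN=', '' }` on each RDN avoids that. Note also that the new `if (-NOT $cert.Subject)` only fires for an entirely empty subject, so a subject that carries other RDNs but no CN falls through to the Mismatch branch — still a failure, but with a less precise message than the commit's stated goal. The enclosing function starts before and ends after this hunk.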
@@ -307,7 +326,7 @@ $($ChainCertsOutput)
307326 $pass = $false
308327 $subjectProblem = $true
309328 }
310- if ($CheckForDuplicateSubjectCNs )
329+ elseif ($CheckForDuplicateSubjectCNs )
311330 {
312331 $CertDuplicateCN = " Certificate Subjectname Duplicate Common Names"
313332 $out += " `n " + $CertDuplicateCN
@@ -741,7 +760,7 @@ Certificate Checker
741760 }
742761 else
743762 {
744- # Modify line 751 if you want to change the default behavior when running this script through Powershell ISE
763+ # Modify line 768 if you want to change the default behavior when running this script through Powershell ISE
745764 #
746765 # Examples:
747766 # Invoke-CheckSCOMCertificate -SerialNumber 1f00000008c694dac94bcfdc4a000000000008