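# test-certificatestore
#
# Checks the LocalMachine certificate stores for common failures:
#   Root  - entries that are not self-signed, entries carrying a private key,
#           expired / soon-expiring entries, more entries than -maxrootcacount,
#           and a summed raw (DER) size above -maxrootcabytes
#   CA    - intermediates that are also in Root, self-signed intermediates,
#           intermediates with a private key, intermediates whose issuer is
#           neither in Root nor an already seen intermediate, expiry
#   My    - computer certificates that duplicate a Root/CA subject, that lack a
#           private key, that are self-signed, expiry
# Background on the Root store size limit: https://www.msxfaq.de/signcrypt/maxrootca.htm
#
# Parameters
#   -notafter                  certificates expiring before this date are reported as Warn
#                              (default: now + 7 days)
#   -removeexpired             delete certificates that expired before yesterday
#   -removerootwithprivatekey  delete Root entries that carry a private key
#   -maxrootcacount            Warn when Root holds more entries than this (default 100)
#   -maxrootcabytes            Critical when the summed raw size of all Root entries
#                              exceeds this many bytes (default 16384)
#
# Output: a hashtable with the counters Warn, Critical, Error and removeexpired.
# Every Remove-Item goes through ShouldProcess, so -WhatIf shows what would be
# deleted and -Confirm asks before each deletion.
[CmdletBinding(SupportsShouldProcess = $true)]
param (
  [datetime]$notafter = (Get-Date).AddDays(7),
  [switch]$removeexpired,
  [switch]$removerootwithprivatekey,
  [long]$maxrootcacount = 100,
  [long]$maxrootcabytes = 16384
)

Write-Host "Test-CertificateStore: Start"
# A certificate only counts as expired once NotAfter is more than a day in the
# past; this keeps a certificate that rolls over during the run out of the
# "expired" branch.
[datetime]$yesterday = (Get-Date).AddDays(-1)
# subject -> name of the store the subject was first seen in ("Root", "Intermediate", "My")
$certlist = @{}
$result = @{
  "Warn"          = [long]0
  "Critical"      = [long]0
  "Error"         = [long]0
  "removeexpired" = [long]0
}

# ---------------------------------------------------------------------------
# Root store
# ---------------------------------------------------------------------------
Write-Host "--------------- Checking Root Certs -------------------"
# Enumerate once; @() keeps .Count meaningful when the store holds a single entry.
$rootcerts = @(Get-ChildItem cert:\localmachine\root)
[long]$totalcertbytes = 0
foreach ($cert in $rootcerts) {
  Write-Host "Checking Root: $($cert.Subject)" -NoNewline
  # Raw DER length of this certificate; the sum is compared against -maxrootcabytes below.
  $totalcertbytes += $cert.GetRawCertData().Length
  # A Root entry must be self-signed (issuer == subject).
  if ($cert.Issuer -ne $cert.Subject) {
    Write-Warning " Invalid Cert in Root. Issuer not subject. $($cert.Subject)"
    $result.Critical++
  }
  if ($cert.NotAfter -lt $yesterday) {
    Write-Warning " Certificate has expired at $($cert.NotAfter)"
    if ($removeexpired -and $PSCmdlet.ShouldProcess($cert.PSPath, "Remove expired Root certificate")) {
      Remove-Item $cert.PSPath
      $result.removeexpired++
    }
  }
  elseif ($cert.NotAfter -lt $notafter) {
    Write-Warning " Will expire at $($cert.NotAfter)"
    $result.Warn++
  }
  # A Root CA key must never be present on an ordinary machine.
  if ($cert.HasPrivateKey) {
    Write-Warning " Does have a private key"
    $result.Critical++
    if ($removerootwithprivatekey -and $PSCmdlet.ShouldProcess($cert.PSPath, "Remove Root certificate with private key")) {
      Remove-Item $cert.PSPath
    }
  }
  Write-Host " done Cert"
  $certlist[$cert.Subject] = "Root"
}
# Count the Root store itself, not the current directory.
if ($rootcerts.Count -gt $maxrootcacount) {
  Write-Warning "More than $($maxrootcacount) in Root CA"
  $result.Warn++
}
if ($totalcertbytes -gt $maxrootcabytes) {
  Write-Warning "RootCert Totalbytes too large. Bytes: $($totalcertbytes)"
  $result.Critical++
}

# ---------------------------------------------------------------------------
# CA (intermediate) store
# ---------------------------------------------------------------------------
Write-Host "--------------- Checking Intermediate Certs -------------------"
foreach ($cert in (Get-ChildItem cert:\localmachine\ca)) {
  Write-Host "Checking Intermediate: $($cert.Subject)" -NoNewline
  if ($certlist[$cert.Subject]) {
    Write-Warning " Is also in Root"
    $result.Warn++
  }
  # An intermediate must be issued by someone else; self-signed entries belong in Root (or nowhere).
  if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning " Not a valid Intermediate. Is Root or SelfSigned"
    $result.Critical++
  }
  if ($cert.HasPrivateKey) {
    Write-Warning " Does have a private key"
    $result.Critical++
  }
  $certlist[$cert.Subject] = "Intermediate"
  # Issuer must already be known from Root or an intermediate processed earlier in this loop.
  if (!$certlist[$cert.Issuer]) {
    Write-Warning " Missing Root for Intermediate"
    $result.Critical++
  }
  if ($cert.NotAfter -lt $yesterday) {
    Write-Warning " Certificate has expired at $($cert.NotAfter)"
    if ($removeexpired -and $PSCmdlet.ShouldProcess($cert.PSPath, "Remove expired Intermediate certificate")) {
      Remove-Item $cert.PSPath
      $result.removeexpired++
    }
  }
  elseif ($cert.NotAfter -lt $notafter) {
    Write-Warning " Will expire at $($cert.NotAfter)"
    $result.Warn++
  }
  Write-Host " done Cert"
}

# ---------------------------------------------------------------------------
# My (computer) store
# ---------------------------------------------------------------------------
Write-Host "--------------- Checking MachineCerts -------------------"
foreach ($cert in (Get-ChildItem cert:\localmachine\my)) {
  Write-Host "Checking My: $($cert.Subject)" -NoNewline
  if ($certlist[$cert.Subject]) {
    Write-Warning " Is already in $($certlist[$cert.Subject]) $($cert.Subject)"
    $result.Critical++
  }
  else {
    $certlist[$cert.Subject] = "My"
  }
  # A computer certificate without its private key cannot be used for TLS/auth.
  if (!$cert.HasPrivateKey) {
    Write-Warning " Does not have private key"
    $result.Warn++
  }
  if ($cert.Issuer -eq $cert.Subject) {
    Write-Warning " Contains Root/SelfSigned: $($cert.Subject)"
    $result.Critical++
  }
  if ($cert.NotAfter -lt $yesterday) {
    Write-Warning " Certificate has expired at $($cert.NotAfter)"
    if ($removeexpired -and $PSCmdlet.ShouldProcess($cert.PSPath, "Remove expired computer certificate")) {
      Remove-Item $cert.PSPath
      $result.removeexpired++
    }
  }
  elseif ($cert.NotAfter -lt $notafter) {
    Write-Warning " Will expire at $($cert.NotAfter)"
    $result.Warn++
  }
  Write-Host " done Cert"
}

$result
Write-Host "Test-CertificateStore: End"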