Get-CertificateHealth
NAME Get-CertificateHealth
SYNOPSIS
Get certificates from the filesystem or certificate store and display their health
for expiration, pending expiration, and deprecated signature algorithms.
SYNTAX
Get-CertificateHealth [[-Path] <String[]>] [[-ComputerName] <String>] [[-WarningDays] <Int32>] [[-CriticalDays]
<Int32>] [[-ExcludedThumbprint] <String[]>] [[-WarningAlgorithm] <String[]>] [[-CriticalAlgorithm] <String[]>]
[[-CriticalKeySize] <Int32>] [[-WarningKeySize] <Int32>] [[-CertUtilPath] <String>] [[-CertificateFileType]
<String[]>] [-Recurse] [<CommonParameters>]
DESCRIPTION
Get certificates from the filesystem or certificate store and display their health
for expiration, pending expiration, and deprecated signature algorithms.
The function outputs custom objects that include basic certificate properties as
well as the certificate's expiration date, how many days are left, and the name of
the signature algorithm used to generate the certificate.
Depending on the WarningAlgorithm and CriticalAlgorithm parameters, a certificate's
signature algorithm is marked as OK, Warning, or Critical. By default the script marks
sha1RSA certificates as Warning (deprecated), since vendors have begun to treat the
SHA-1 signature algorithm as weak. The md5RSA signature algorithm has already been
designated as vulnerable and is marked as Critical; Microsoft already blocks such
certificates.
The certificate validity period is evaluated to determine whether the certificate has
expired (Critical) or will expire soon. Use the WarningDays and CriticalDays
parameters to set how many days before expiration a certificate is flagged as
Warning or Critical.
The certificate key size is also an indicator of health. Key sizes of less than
1024 bits are no longer supported, and at least 2048 bits is now recommended.
Requires the Get-CertificateFile function from the CertificateHealth module to evaluate
certificate files from the filesystem.
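The three rules described above (validity period, signature algorithm, key size) can be reproduced in a few lines. The following is an added example written for this page; it is not the CertificateHealth module's own code. It uses the module's default thresholds and runs over constructed certificate records, so no real certificate is needed. The function name Get-CertificateHealthRuleResult, the $samples records and their placeholder thumbprints are assumptions.

```powershell
# Added example, not the module's own implementation: re-implements the health rules from
# the DESCRIPTION with the documented defaults. Input records only need Thumbprint,
# NotAfter, SignatureAlgorithm and KeySize properties.
function Get-CertificateHealthRuleResult {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Certificate,
        [int]$WarningDays = 60,
        [int]$CriticalDays = 30,
        [string[]]$WarningAlgorithm = @('sha1RSA'),
        [string[]]$CriticalAlgorithm = @('md5RSA'),
        [int]$CriticalKeySize = 1024,
        [int]$WarningKeySize = 2048,
        [string[]]$ExcludedThumbprint = @(),
        [datetime]$Now = (Get-Date)   # injectable so results are reproducible
    )
    process {
        # Excluded thumbprints are skipped entirely, as -ExcludedThumbprint does.
        if ($ExcludedThumbprint -contains $Certificate.Thumbprint) { return }

        # Rule 1: validity period. Already expired is Critical; otherwise compare days left.
        $days = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if ($days -lt 0) {
            $validity = 'Critical'; $validityMsg = "Certificate expired $(-$days) days ago."
        } elseif ($days -le $CriticalDays) {
            $validity = 'Critical'; $validityMsg = "Certificate expires in $days days."
        } elseif ($days -le $WarningDays) {
            $validity = 'Warning';  $validityMsg = "Certificate expires in $days days."
        } else {
            $validity = 'OK';       $validityMsg = "Certificate expires in $days days."
        }

        # Rule 2: signature algorithm. The critical list takes precedence over the warning list.
        $alg = $Certificate.SignatureAlgorithm
        if ($CriticalAlgorithm -contains $alg) {
            $algStatus = 'Critical'; $algMsg = "Certificate uses vulnerable algorithm $alg."
        } elseif ($WarningAlgorithm -contains $alg) {
            $algStatus = 'Warning';  $algMsg = "Certificate uses deprecated algorithm $alg."
        } else {
            $algStatus = 'OK';       $algMsg = "Certificate uses valid algorithm $alg."
        }

        # Rule 3: key size. Below CriticalKeySize is Critical; between the two thresholds is Warning.
        $bits = [int]$Certificate.KeySize
        if ($bits -lt $CriticalKeySize) {
            $keyStatus = 'Critical'; $keyMsg = "Certificate key size $bits is less than $CriticalKeySize."
        } elseif ($bits -lt $WarningKeySize) {
            $keyStatus = 'Warning';  $keyMsg = "Certificate key size $bits is less than $WarningKeySize."
        } else {
            $keyStatus = 'OK';       $keyMsg = "Certificate key size $bits is greater than or equal to $WarningKeySize."
        }

        [pscustomobject]@{
            Thumbprint                  = $Certificate.Thumbprint
            Days                        = $days
            ValidityPeriodStatus        = $validity
            ValidityPeriodStatusMessage = $validityMsg
            AlgorithmStatus             = $algStatus
            AlgorithmStatusMessage      = $algMsg
            KeySizeStatus               = $keyStatus
            KeySizeStatusMessage        = $keyMsg
        }
    }
}

# Constructed sample records (not real certificates); thumbprints are placeholders.
$reference = Get-Date '2016-09-28'
$samples = @(
    [pscustomobject]@{ Thumbprint = 'AAAA0001'; NotAfter = $reference.AddDays(5329); SignatureAlgorithm = 'sha256RSA'; KeySize = 2048 }  # OK on all rules
    [pscustomobject]@{ Thumbprint = 'AAAA0002'; NotAfter = $reference.AddDays(45);   SignatureAlgorithm = 'sha1RSA';   KeySize = 2048 }  # Warning: expiring soon, deprecated hash
    [pscustomobject]@{ Thumbprint = 'AAAA0003'; NotAfter = $reference.AddDays(-10);  SignatureAlgorithm = 'md5RSA';    KeySize = 512  }  # Critical on all rules
    [pscustomobject]@{ Thumbprint = 'AAAA0004'; NotAfter = $reference.AddDays(400);  SignatureAlgorithm = 'sha256RSA'; KeySize = 1024 }  # Warning: key size between thresholds
)

$samples | Get-CertificateHealthRuleResult -Now $reference |
    Format-Table Thumbprint, Days, ValidityPeriodStatus, AlgorithmStatus, KeySizeStatus -AutoSize
```

To feed real store certificates through the same function, build each record from an X509Certificate2 object's Thumbprint, NotAfter and SignatureAlgorithm.FriendlyName properties and take the key size from the RSA public key (for example via the RSACertificateExtensions GetRSAPublicKey method); that mapping is left out here so the example stays self-contained.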
PARAMETERS
-Path <String[]>
Enter a path or paths containing certificates to be checked.
Remote certificate files should be checked through a UNC path.
Required? false
Position? 1
Default value Cert:\LocalMachine\My
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-ComputerName <String>
Enter the name of a remote computer whose certificate store provider should be checked via PSRP (PowerShell Remoting).
Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
-WarningDays <Int32>
Specify the number of days before expiration at which a certificate enters the
Warning state.
Required? false
Position? 3
Default value 60
Accept pipeline input? false
Accept wildcard characters? false
-CriticalDays <Int32>
Specify the number of days before expiration at which a certificate enters the
Critical state.
Required? false
Position? 4
Default value 30
Accept pipeline input? false
Accept wildcard characters? false
-ExcludedThumbprint <String[]>
Array of thumbprints of certificates to exclude from the check. Use this for a
certificate that you intentionally want to ignore in health checks.
Required? false
Position? 5
Default value
Accept pipeline input? false
Accept wildcard characters? false
-WarningAlgorithm <String[]>
Array of algorithms that are deprecated.
Required? false
Position? 6
Default value sha1RSA
Accept pipeline input? false
Accept wildcard characters? false
-CriticalAlgorithm <String[]>
Array of algorithms with known vulnerabilities.
Required? false
Position? 7
Default value md5RSA
Accept pipeline input? false
Accept wildcard characters? false
-CriticalKeySize <Int32>
Certificates with a key size less than this value will be considered critical.
Required? false
Position? 8
Default value 1024
Accept pipeline input? false
Accept wildcard characters? false
-WarningKeySize <Int32>
Certificates with a key size less than this value and greater than CriticalKeySize
will be considered warning.
Required? false
Position? 9
Default value 2048
Accept pipeline input? false
Accept wildcard characters? false
-CertUtilPath <String>
Path to certutil.exe.
Required? false
Position? 10
Default value C:\Windows\System32\certutil.exe
Accept pipeline input? false
Accept wildcard characters? false
-CertificateFileType <String[]>
Array of certificate file name patterns (file types) to check.
Required? false
Position? 11
Default value ('*.cer','*.crt','*.p7b')
Accept pipeline input? false
Accept wildcard characters? false
-Recurse [<SwitchParameter>]
Recurse through subdirectories of specified path(s).
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Created by: Jason Wasser @wasserja
Modified: 9/28/2016 02:43:52 PM
Changelog:
Version 1.3
* Added support for remote computer check for cert:\ provider using PSRP.
Version 1.2
* Added key size health properties
Version 1.1
* Added PowerShell 2.0 compatibility.
Version 1.0
* Initial Release
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-CertificateHealth
FileName : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
Subject : CN=Go Daddy Secure Certificate Authority - G2,
OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.",
L=Scottsdale, S=Arizona, C=US
SignatureAlgorithm : sha256RSA
NotBefore : 5/3/2011 3:00:00 AM
NotAfter : 5/3/2031 3:00:00 AM
Days : 5329
Thumbprint : 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8
ValidityPeriodStatus : OK
ValidityPeriodStatusMessage : Certificate expires in 5329 days.
AlgorithmStatus : OK
AlgorithmStatusMessage : Certificate uses valid algorithm sha256RSA.
KeySize : 2048
KeySizeStatus : OK
KeySizeStatusMessage : Certificate key size 2048 is greater than or equal to 2048.
Gets all the certificates in the local machine personal certificate store (cert:\LocalMachine\My)
and shows their basic information and health.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-CertificateHealth -Path C:\Website\Certificates
Gets all the certificates in the C:\Website\Certificates folder and shows their basic
information and health.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-CertificateHealth -Path 'Cert:\LocalMachine\My','C:\SSL' -Recurse
Gets all the certificates in the local machine personal certificate store (cert:\LocalMachine\My)
and C:\SSL including subfolders and shows their basic information and health.
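The three examples above each show a single call. The following added example, which is not part of the original help text, combines the documented parameters into a scheduled check: it tightens the day thresholds, excludes one known-good certificate, keeps only certificates that are not OK on every rule, and returns a non-zero exit code when anything is Critical. The paths, the excluded thumbprint and the status property names are taken from this page; the $report and $unhealthy variable names, the chosen thresholds and the exit code are assumptions.

```powershell
# Added usage example (not from the module's documentation). Checks the local machine
# personal store and C:\SSL (recursively) with stricter thresholds than the defaults and
# ignores the GoDaddy intermediate shown in EXAMPLE 1 by thumbprint.
$report = Get-CertificateHealth -Path 'Cert:\LocalMachine\My', 'C:\SSL' -Recurse `
    -WarningDays 90 -CriticalDays 14 `
    -ExcludedThumbprint '27AC9369FAF25207BB2627CEFACCBE4EF9C319B8'

# A certificate is unhealthy when any of the three rule statuses is not OK.
$unhealthy = @($report | Where-Object {
    $_.ValidityPeriodStatus -ne 'OK' -or $_.AlgorithmStatus -ne 'OK' -or $_.KeySizeStatus -ne 'OK'
})

# Soonest-expiring first, with the three statuses side by side for triage.
$unhealthy |
    Sort-Object Days |
    Select-Object Thumbprint, Subject, Days, ValidityPeriodStatus, AlgorithmStatus, KeySizeStatus |
    Format-Table -AutoSize

# Any Critical result makes the script exit non-zero so a scheduled task or monitoring
# agent can alert on it; the exit code value is an assumption.
$critical = @($unhealthy | Where-Object {
    $_.ValidityPeriodStatus -eq 'Critical' -or $_.AlgorithmStatus -eq 'Critical' -or $_.KeySizeStatus -eq 'Critical'
})
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) certificate(s) in Critical state."
    exit 2
}
```

Wrapping the Where-Object results in @() keeps .Count reliable when zero or one certificate matches; without it, a single object would not have a Count property in Windows PowerShell 2.0.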
RELATED LINKS
https://gallery.technet.microsoft.com/s ... h-b646aeff
#requires -Version 2.0