Archive for the 'Certificate Management' Category

Clean up expired certificates from AD

Security MVP Vadims Podans just did a great post on using PowerShell to remove expired user certificates from Active Directory.

In a nutshell,

  • If your company is using certificates for user authentication or encryption, these expire every now and then,
  • Your Enterprise CA in that case appends new certificates to users’ userCertificate attribute, while leaving expired certs there as well,
  • Over time these increasingly clutter your AD, making administration more difficult and negatively affecting AD replication traffic.

Luckily, cleaning up expired certificates with PowerShell is extremely easy.

To do the clean-up for a specific user you can run this one-liner:

Get-QADUser username | Remove-QADCertificate -Valid:$false

To clean-up the entire domain, just do:

Get-QADUser | Remove-QADCertificate -Valid:$false
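Before running either one-liner, it helps to know how many certificate values you are about to touch and which issuers they came from. The script below is an added example, not code from Vadims’ post or the Quest cmdlets; it reads the userCertificate attribute with the .NET DirectorySearcher and X509Certificate2 classes (no Quest dependency), parses every value, and reports the expired ones so you can compare the count against what the clean-up removes. The default search base (current domain naming context) and the sAMAccountName-based report columns are assumptions.

```powershell
# Added example: audit expired user certificates stored in AD (userCertificate)
# before removing them. Uses only .NET classes, so it runs on any domain-joined box.
param(
    # Assumption: search the whole current domain; override with an OU DN to narrow it
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
# Only user objects that actually carry at least one certificate value
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(userCertificate=*))"
$searcher.PageSize = 500            # paged search so large domains are not truncated
$null = $searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userCertificate"))

$now = Get-Date
$report = foreach ($result in $searcher.FindAll()) {
    $sam = $result.Properties["samaccountname"][0]
    foreach ($raw in $result.Properties["usercertificate"]) {
        try {
            # Wrap the byte[] in a one-element array so New-Object does not unroll it
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList (,[byte[]]$raw)
        } catch {
            # A value that is not a DER certificate: report it, never delete it blindly
            Write-Warning ("{0}: unparsable userCertificate value ({1} bytes)" -f $sam, $raw.Length)
            continue
        }
        [pscustomobject]@{
            User       = $sam
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)
        }
    }
}

$expired = @($report | Where-Object { $_.Expired })
$expired | Sort-Object User, NotAfter |
    Format-Table User, Thumbprint, NotAfter, Issuer -AutoSize

# Per-issuer breakdown: an unexpected issuer here deserves a look before any clean-up
$expired | Group-Object Issuer | Select-Object Count, Name | Format-Table -AutoSize
"{0} expired of {1} certificate values on {2} users" -f $expired.Count, @($report).Count,
    @($report | Select-Object -ExpandProperty User -Unique).Count
```

Note that Get-QADUser returns at most 1000 objects by default (pass -SizeLimit 0 to lift the limit), so check the audit count against what the domain-wide one-liner actually touched.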

See Vadim’s original post for details.

Read more about PKI management with PowerShell here.


Managing Certificate Revocation Lists and Certificate Stores

Vadims has published a couple of articles with great examples of how to use PowerShell to manage CRLs (Certificate Revocation List) and local certificate stores.

CRL tasks include:

  • Importing CRL:
$crl = Import-QADCertificateRevocationList -File C:\pica-1.crl
  • Reviewing CRL details:
$crl | format-list *
  • Add CRL to local certificate store:
Add-QADCertificateRevocationList -CRL $crl -Store $store
  • CRL removal:
Get-QADCertificateRevocationList -Store $store |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Remove-QADCertificateRevocationList -Store $store
  • CRL export:
Export-QADCertificateRevocationList -CRL $crl -File c:\customcrl.crl
  • Publishing CRL:
Publish-QADCertificateRevocationList -CRL $crl -CAName CustomCAName
  • Unpublishing CRL:
Get-QADPKIObject CDP |
  Get-QADCertificateRevocationList |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Unpublish-QADCertificateRevocationList -CAName "CustomCAName"

For certificate store management, Vadims goes through:

  • Exploring certificate stores:
Get-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName My |
  Get-QADCertificate
  • Adding certificate stores:
New-QADLocalCertificateStore -StoreLocation CurrentUser -StoreName CustomStoreNameToAdd
  • Removing certificate stores:
Remove-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName CustomStoreToDelete

For all of these, Vadims provides plenty of detail, so I highly recommend checking out his posts:

Managing Certificate Revocation Lists (CRL) with PowerShell

Managing Certificate Stores with PowerShell

PKI management with PowerShell

The complete guide to security certificate management with AD cmdlets 1.4, “Guide for Using Quest AD-PKI cmdlets: Using PowerShell to manage your security certificates”, was recently published here and is a must-read if you want to automate your public key infrastructure (PKI).

PKI allows security administrators to uniquely identify and trust hardware devices by using digital certificates. This technique is one of the most secure access strategies, but can also be complicated to set up and manage. This guide reviews the security concepts surrounding digital certificate management and details how the AD-PKI cmdlets can be used with Active Directory to simplify PKI management.

Here’s the table of contents from the guide:

  • Understanding Digital Certificates
    • Cryptography Fundamentals
      • Symmetric Encryption
      • Asymmetric Encryption
      • Best Practices for Symmetric and Asymmetric Encryption
  • Types of Certificates
    • X509 Certificate Version 1
    • X509 Certificate Version 2
    • X509 Certificate Version 3
      • Common Certificate Extensions
  • Certificate Revocation List
    • X509 Certificate Revocation List Version 1
    • X509 Certificate Revocation List Version 2
      • Common CRL Extensions
  • Certificate Stores and Containers
    • Local Certificate Stores
    • Active Directory Certificate Containers
  • Certificate cmdlet Descriptions
  • Object Structures of Certificate Stores, Certificates, and CR
    • Certificate Store
    • Certificate
    • Certificate Revocation List (CRL)
  • Using Quest AD PKI-related cmdlets
    • Working with Certificate Stores
      • Explore Certificate Store
      • Create Certificate Store Container
      • Delete Certificate Store Container
    • Adding Certificates to a Certificate Store
      • Certificate File Types
      • Import a Single Certificate
      • Import a Pkcs7 Certificate Container
      • Import a Serialized Store
      • Import a Pkcs12 Certificate with a Private Key
      • Add Imported Certificates to a Store
      • Add an Imported Certificate to a User Account
      • Advanced Techniques
    • Exporting Certificates from a Certificate Store
      • Simple Certificate Export
      • Export a Certificate with a Private Key
      • Export Multiple Certificates
  • Working with Certificate Revocation Lists (CRLs)
    • Add CRLs to a Certificate Store
    • Export CRLs from a Certificate Store
    • Remove a CRL from a Certificate Store
  • Manage Active Directory PKI-related Containers
    • Publish a Certificate to Active Directory Containers
    • Remove a Certificate from Active Directory Containers
    • Publish CRLs to Active Directory Containers
    • Remove CRLs from Active Directory

Download the ebook “Guide for Using Quest AD-PKI cmdlets: Using PowerShell to manage your security certificates” and get the most out of your PKI environment.

PKI Management Console 1.5

Vadims’ enterprise certificate management PowerPack has reached version 1.5 and has been significantly enhanced. The new features include:

  • Native use of Quest AD Cmdlets (version 1.4.2), which means better performance and code that is easier to understand.
  • Additional error handling.
  • Certification Authorities information now includes CA CRL status.
  • New Active Directory PKI node that contains the most common AD PKI-related containers. You can review container contents and publish/unpublish certificates/CRLs by using new actions.
  • The PowerPack now correctly retrieves all available Enterprise OCSP Responders even if they are not running the CA service.
  • The Certificates node now has two subcontainers: Certificates and CRLs. This lets you browse both certificates and CRLs in the local certificate store. New basic actions were added for CRLs.
  • Graphical dialog boxes for certificate export and import actions.

And of course it still has the great functionality from previous versions:

Here’s a very quick summary of some of the features his tool has:

  • Certificate Authorities management:
    • CRL Distribution Points (CDP)
    • Authority Information Access (AIA) settings
    • Review CRLs
    • Publish new CRLs
    • Change CRL publishing periods including overlap settings
    • Revoked Certificates
    • Issued Certificates
    • Pending requests
    • Failed requests
    • Issued certificate templates
    • Revoke/unrevoke certificates
    • Issue or deny pending requests for certificates
    • Add/remove certificate templates to issue
    • Change CRL/CRT/OCSP URL priorities
  • Local certificate store management:
    • Import/Export certificates using various certificate types (such as CER/pkcs12/pkcs7/SST)
    • Copy/move certificates between stores
    • Delete certificates from a store
    • Validate certificates by passing them through the certificate chaining engine
    • Sign files
  • Online Certificate Status Protocol (OCSP) Responders management
    • Review and change OCSP Responder settings
    • Change OCSP URL priorities

All of these support bulk operations, filtering, and reporting. All are available with their source PowerShell code for your reference and scripting.

Learn more about the Enterprise PKI PowerPack and download it here.

What’s New in AD cmdlets 1.4

Don’t get confused by the version number – this is a major update to the free QAD cmdlets adding significant new functionality and making Active Directory management from PowerShell easier than ever before.

Here is a quick list of what is new in this release.

You can read more about each cmdlet and parameter by following the corresponding links – or waiting till I blog about all the new functionality throughout the coming weeks.

32 new cmdlets!

Certificate and Public Key Infrastructure (PKI) management

Email address management

Auxiliary cmdlets for Progress Bar and Inactive Account Reporting

20 New Parameters

Parameters added, and the cmdlets they were added to:

  • ExpiredFor, Inactive, InactiveFor, NotLoggedOnFor, PasswordNotChangedFor: Get-QADUser
  • Inactive, InactiveFor, NotLoggedOnFor, PasswordNotChangedFor: Get-QADComputer
  • PrimaryProxyAddress, ProxyAddress, SecondaryProxyAddress: Get-QADObject, Get-QADGroup, Get-QADUser
  • ShowProgress, ProgressThreshold, Activity: Get-QADComputer, Get-QADGroup, Get-QADGroupMember, Get-QADManagedObject, Get-QADMemberOf, Get-QADObject, Get-QADPasswordSettingsObject, Get-QADPasswordSettingsObjectAppliesTo, Get-QADUser, Get-QARSAccessTemplate, Get-QARSAccessTemplateLink, Get-QARSWorkflowDefinition
  • Disabled, Enabled, KeepForeignSecurityPrincipals: Get-QADGroupMember
  • ResolveForeignSecurityPrincipals: Get-QADObject
  • Control: Add-QADGroupMember, Add-QADMemberOf, Add-QADPasswordSettingsObjectAppliesTo, Deprovision-QADUser, Disable-QADComputer, Disable-QADUser, Enable-QADComputer, Enable-QADUser, Get-QADComputer, Get-QADGroup, Get-QADGroupMember, Get-QADManagedObject, Get-QADMemberOf, Get-QADObject, Get-QADPasswordSettingsObject, Get-QADPasswordSettingsObjectAppliesTo, Get-QADUser, Get-QARSAccessTemplate, Get-QARSAccessTemplateLink, Get-QARSWorkflowDefinition, Move-QADObject, New-QADComputer, New-QADGroup, New-QADObject, New-QADPasswordSettingsObject, New-QADUser, New-QARSAccessTemplateLink, Publish-QARSGroup, Remove-QADGroupMember, Remove-QADMemberOf, Remove-QADObject, Remove-QADPasswordSettingsObjectAppliesTo, Remove-QARSAccessTemplateLink, Rename-QADObject, Reset-QADComputer, Restore-QADDeletedObject, Set-QADComputer, Set-QADGroup, Set-QADObject, Set-QADUser, Set-QARSAccessTemplateLink, Unlock-QADUser, Unpublish-QARSGroup

SearchRoot parameter now accepting arrays

This lets you retrieve objects from multiple containers with one call. The change affects the following cmdlets:

  • Get-QADComputer
  • Get-QADGroup
  • Get-QADObject
  • Get-QADPasswordSettingsObject
  • Get-QADUser
  • Get-QARSAccessTemplate
  • Get-QARSAccessTemplateLink
  • Get-QARSWorkflowDefinition

Summary

To get the full list of all QAD cmdlets, please see the AD cmdlets online reference.

Download AD cmdlets 1.4 here and let us know what you think.

New enterprise PKI management console

Certificate management used to be tough. There has not been a single tool to manage all aspects of it, and administrators had to launch certsrv.msc, certtmpl.msc, certutil.exe, ocsp.msc, pkiview.msc, and so on. We had no bulk operations, had to manage each certificate authority (CA) in a separate MMC snap-in, and so on.

That is now all a thing of the past with the new PowerGUI/PowerShell-based certificate management admin console created by PowerShell MVP Vadims Podāns (here’s the English translation of his blog) and shared for free here.

Here’s a very quick summary of some of the features his tool has:

  • Certificate Authorities management:
    • CRL Distribution Points (CDP)
    • Authority Information Access (AIA) settings
    • Review CRLs
    • Publish new CRLs
    • Change CRL publishing periods including overlap settings
    • Revoked Certificates
    • Issued Certificates
    • Pending requests
    • Failed requests
    • Issued certificate templates
    • Revoke/unrevoke certificates
    • Issue or deny pending requests for certificates
    • Add/remove certificate templates to issue
    • Change CRL/CRT/OCSP URL priorities
  • Local certificate store management:
    • Import/Export certificates using various certificate types (such as CER/pkcs12/pkcs7/SST)
    • Copy/move certificates between stores
    • Delete certificates from a store
    • Validate certificates by passing them through the certificate chaining engine
    • Sign files
  • Online Certificate Status Protocol (OCSP) Responders management
    • Review and change OCSP Responder settings
    • Change OCSP URL priorities

All of these support bulk operations, filtering, and reporting. All are available with their source PowerShell code for your reference and scripting.

Could you ask for more? Please submit your feedback to Vadims – this will help him improve the pack.

Read more about the pack, see the screenshots, and download the tool here.

Are you also into PowerShell and have a great idea for a tool to make someone’s life easier? Go for it: create your PowerPack and submit it to the contest!



Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
