Archive for the 'Certificates' Category

Clean up expired certificates from AD

Security MVP Vadims Podans just did a great post on using PowerShell to remove expired user certificates from Active Directory.

In a nutshell,

  • If your company is using certificates for user authentication or encryption, these expire every now and then,
  • Your Enterprise CA in that case appends new certificates to users’ userCertificate attribute, while leaving expired certs there as well,
  • Over time these increasingly clutter your AD, making administration more difficult and negatively affecting AD replication traffic.

Luckily, cleaning up expired certificates with PowerShell is extremely easy.

To do the clean-up for a specific user you can run this one-liner:

Get-QADUser username | Remove-QADCertificate -Valid:$false

To clean-up the entire domain, just do:

Get-QADUser | Remove-QADCertificate -Valid:$false
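As an added example (not from Vadims’ post and not using the Quest QAD cmdlets above), the same clean-up can be done with the built-in ActiveDirectory module: decode each blob in userCertificate, report the ones whose NotAfter date has passed, and only remove them when -Remove is given. The -SearchBase default, the -Remove switch and the output shape are choices made here; the script assumes the RSAT ActiveDirectory module, PowerShell 5+ and write access to the user objects.

```powershell
# Added example: audit (and optionally remove) expired certificates stored in
# users' userCertificate attribute, using the ActiveDirectory module.
# Run without -Remove first; with -Remove, -WhatIf still previews the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumed default: whole domain
    [switch]$Remove
)

Import-Module ActiveDirectory

$now = Get-Date
# Only users that actually carry certificates; pull the attribute in one query.
$users = Get-ADUser -Filter 'userCertificate -like "*"' `
                    -SearchBase $SearchBase -Properties userCertificate

foreach ($user in $users) {
    $expired = @()
    foreach ($raw in $user.userCertificate) {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        } catch {
            # A blob that does not decode as DER is left alone rather than guessed at.
            Write-Warning "$($user.SamAccountName): undecodable certificate blob skipped"
            continue
        }
        if ($cert.NotAfter -lt $now) {
            $expired += [pscustomobject]@{
                User       = $user.SamAccountName
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Raw        = $raw          # exact bytes, needed for Set-ADUser -Remove
            }
        }
    }
    if (-not $expired) { continue }

    # Audit output: one row per expired certificate.
    $expired | Select-Object User, Subject, Thumbprint, NotAfter

    if ($Remove) {
        foreach ($e in $expired) {
            # -Remove drops only the value that matches byte-for-byte; valid
            # certificates in the same multi-valued attribute are untouched.
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "remove expired cert $($e.Thumbprint)")) {
                Set-ADUser -Identity $user -Remove @{ userCertificate = $e.Raw }
            }
        }
    }
}
```

Removing one value per call keeps the byte arrays intact; collecting them with member enumeration (`$expired.Raw`) would flatten them into a single byte array and nothing would match.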

See Vadims’ original post for details.

Read more about PKI management with PowerShell here.


Managing Certificate Revocation Lists and Certificate Stores

Vadims has published a couple of articles with great examples of how to use PowerShell to manage CRLs (Certificate Revocation List) and local certificate stores.

CRL tasks include:

  • Importing CRL:
$crl = Import-QADCertificateRevocationList -File C:\pica-1.crl
  • Reviewing CRL details:
$crl | format-list *
  • Add CRL to local certificate store:
Add-QADCertificateRevocationList -CRL $crl -Store $store
  • CRL removal:
Get-QADCertificateRevocationList -Store $store |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Remove-QADCertificateRevocationList -Store $store
  • CRL export:
Export-QADCertificateRevocationList -CRL $crl -File c:\customcrl.crl
  • Publishing CRL:
Publish-QADCertificateRevocationList -CRL $crl -CAName CustomCAName
  • Unpublishing CRL:
Get-QADPKIObject CDP |
  Get-QADCertificateRevocationList |
  where-object {$_.IssuedBy -like "sysadmins*"} |
  Unpublish-QADCertificateRevocationList -CAName "CustomCAName"

For certificate store management, Vadims goes through:

  • Exploring certificate stores:
Get-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName My |
  Get-QADCertificate
  • Adding certificate stores:
New-QADLocalCertificateStore -StoreLocation CurrentUser -StoreName CustomStoreNameToAdd
  • Removing certificate stores:
Remove-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName CustomStoreToDelete
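An added example, not from Vadims’ article, that does the “exploring” step with the built-in Cert: provider instead of Get-QADLocalCertificateStore: it inventories one store and flags what an administrator usually looks for before removing anything, namely certificates that are expired, expire within a chosen window, or no longer chain to a trusted root. The parameter names and the 30-day window are choices made here; it assumes Windows PowerShell 3.0+ or PowerShell 7 on Windows.

```powershell
# Added example: audit a local certificate store for expiry and chain trust.
param(
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$StoreLocation = 'LocalMachine',
    [string]$StoreName = 'My',
    [int]$Days = 30            # "expiring soon" window, assumed default
)

$now    = Get-Date
$cutoff = $now.AddDays($Days)

Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" | ForEach-Object {
    $cert = $_

    # Build the chain offline: no network fetches, and revocation is deliberately
    # not checked here (that is what the CRL cmdlets above are for).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()

    $validity = if ($cert.NotAfter -lt $now)    { 'Expired' }
                elseif ($cert.NotAfter -lt $cutoff) { 'ExpiringSoon' }
                else                                { 'Ok' }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Validity      = $validity
        HasPrivateKey = $cert.HasPrivateKey   # a stale cert with a key is worth a closer look
        ChainTrusted  = $chainOk
        ChainStatus   = if ($status) { $status } else { 'NoError' }
    }
} | Sort-Object NotAfter
```

Pipe the output to Where-Object (for example `Validity -ne 'Ok'`) to get a removal candidate list, and to Export-Csv to keep a record of what the store looked like before any clean-up.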

For all these, Vadims is providing tons of details so I highly recommend checking those out:

Managing Certificate Revocation Lists (CRL) with PowerShell

Managing Certificate Stores with PowerShell

PKI management with PowerShell

The complete guide for security certificate management with AD cmdlets 1.4, “Guide for Using Quest AD-PKI cmdlets: Using PowerShell to manage your security certificates”, was recently published here and is a must-read if you want to automate your public key infrastructure (PKI).

PKI allows security administrators to uniquely identify and trust hardware devices by using digital certificates. This technique is one of the most secure access strategies, but can also be complicated to set up and manage. This guide reviews the security concepts surrounding digital certificate management and details how the AD-PKI cmdlets can be used with Active Directory to simplify PKI management.

Here’s the table of content from the guide:

  • Understanding Digital Certificates
    • Cryptography Fundamentals
      • Symmetric Encryption
      • Asymmetric Encryption
      • Best Practices for Symmetric and Asymmetric Encryption
  • Types of Certificates
    • X509 Certificate Version 1
    • X509 Certificate Version 2
    • X509 Certificate Version 3
      • Common Certificate Extensions
  • Certificate Revocation List
    • X509 Certificate Revocation List Version 1
    • X509 Certificate Revocation List Version 2
      • Common CRL Extensions
  • Certificate Stores and Containers
    • Local Certificate Stores
    • Active Directory Certificate Containers
  • Certificate cmdlet Descriptions
  • Object Structures of Certificate Stores, Certificates, and CRLs
    • Certificate Store
    • Certificate
    • Certificate Revocation List (CRL)
  • Using Quest AD PKI-related cmdlets
    • Working with Certificate Stores
      • Explore Certificate Store
      • Create Certificate Store Container
      • Delete Certificate Store Container
    • Adding Certificates to a Certificate Store
      • Certificate File Types
      • Import a Single Certificate
      • Import a Pkcs7 Certificate Container
      • Import a Serialized Store
      • Import a Pkcs12 Certificate with a Private Key
      • Add Imported Certificates to a Store
      • Add an Imported Certificate to a User Account
      • Advanced Techniques
    • Exporting Certificates from a Certificate Store
      • Simple Certificate Export
      • Export a Certificate with a Private Key
      • Export Multiple Certificates
  • Working with Certificate Revocation Lists (CRLs)
    • Add CRLs to a Certificate Store
    • Export CRLs from a Certificate Store
    • Remove a CRL from a Certificate Store
  • Manage Active Directory PKI-related Containers
    • Publish a Certificate to Active Directory Containers
    • Remove a Certificate from Active Directory Containers
    • Publish CRLs to Active Directory Containers
    • Remove CRLs from Active Directory

Download the ebook “Guide for Using Quest AD-PKI cmdlets: Using PowerShell to manage your security certificates” and get the most out of your PKI environment.

Improved script-signing in PowerGUI

Kirk has just updated his Script Editor add-on allowing you to sign your PowerShell scripts.

Script signing is a highly recommended best practice in PowerShell and the best way to prevent scripts that were accidentally changed, or downloaded from the internet and not properly tested and verified, from being executed in your environment.

Kirk’s add-on is a great way to have code-signing integrated right into your script development environment absolutely for free. This is also one of our most popular add-ons which already had more than 700 downloads.

The new features include:

  • Replaced the test certificate functionality with View Certificate, and updated the result to show the certificate properties in the native Windows dialog,
  • Updated script signing certificate search algorithm to search only in the “My” containers (the only places where script signing certificates will be stored),
  • Switched the default signing method to include all certificates in the chain.

Download the PowerShell Script-Signing add-on for PowerGUI here and let us know what you think.
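An added example (not the add-on’s code) of what the add-on does for you from the editor: pick a code-signing certificate from the CurrentUser\My store, sign the script with the full chain embedded (the add-on’s new default), and then re-check the signature the way the execution policy will. The parameter names are choices made here; a timestamp server URL is only passed if you supply one, and the script assumes a code-signing certificate with its private key is present in Cert:\CurrentUser\My.

```powershell
# Added example: sign a PowerShell script and verify the resulting signature.
param(
    [Parameter(Mandatory)] [string]$Path,
    [string]$TimestampServer = ''     # optional; supply your CA's or a public timestamp URL
)

# Only the My stores hold usable signing certs (the same assumption the add-on
# now makes); -CodeSigningCert filters on the Code Signing EKU, then require a
# private key and a certificate that is still within its validity period.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw 'No valid code-signing certificate with a private key found in Cert:\CurrentUser\My'
}

$signParams = @{
    FilePath      = $Path
    Certificate   = $cert
    IncludeChain  = 'All'       # embed the whole chain so verification does not depend on the local store
    HashAlgorithm = 'SHA256'
}
if ($TimestampServer) { $signParams.TimestampServer = $TimestampServer }

$sig = Set-AuthenticodeSignature @signParams
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) $($sig.StatusMessage)"
}

# Re-read the signature exactly as AllSigned/RemoteSigned would. Any later edit
# to the file turns Status into HashMismatch, which is what the policy then blocks.
$check = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File       = $Path
    Status     = $check.Status
    Signer     = $check.SignerCertificate.Subject
    Thumbprint = $check.SignerCertificate.Thumbprint
    Timestamp  = if ($check.TimeStamperCertificate) { $check.TimeStamperCertificate.Subject } else { 'none' }
}
```

Without a timestamp, the signature stops validating once the signing certificate expires; with one, a script signed while the certificate was valid keeps verifying afterwards, which is why a timestamp server is worth configuring for anything long-lived.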

Demo: Advanced Exchange 2007 Management

The PowerGUI documentation section has been updated with a new demo – Advanced Exchange 2007 Management.

Although the PowerGUI introductory demo did use Exchange 2007, it mostly covered basic mailbox and Exchange management.

However, there are tasks for which the Exchange 2007 Management Console currently provides no user interface at all, and in this demo we concentrated on some of them, namely:

  • Mailbox provisioning from CSV files, and using existing mailboxes as a model,
  • Managing Public Folders (browse, create, mail-enable and so on),
  • Managing certificates, and requesting and generating new X.509 transport security certificates.

This all makes PowerGUI really handy when managing Exchange 2007 deployments, and learning PowerShell for automating such tasks.

Are there any other tasks that the native UI does not cover at the moment? Leave your comments or participate in the PowerGUI Discussion Forums.


Exchange 2007 PowerPack: UI on top of PowerShell

Exchange 2007 is one of the most PowerShell’ized Microsoft platforms. PowerGUI reuses that to provide a graphical interface for bulk property changes, mailbox provisioning from CSV files, and public folder and certificate management.

I’ve just uploaded to PowerGUI library a pack for Exchange 2007 that does all of the above and much more.

PowerGUI has had a built-in pack for managing Exchange 2007 for a long time. However, the catch has been that the pack only showed up when PowerGUI was installed on a computer which already had either Exchange or the management tools. Install them in reverse order (PowerGUI first) and you have no Exchange pack in it. Now even in that case you can download the PowerShell-based Exchange pack separately and import it into PowerGUI.

I’ve also shot a webcast about the pack and will hopefully upload it to PowerGUI.org this week and make a few blog posts on its contents.

P.S. Historically, one of the reasons why we started the PowerGUI project was that once we started using the E12 (codename for Exchange 2007) beta we found that the UI (Exchange Management Console) was just a subset of the PowerShell command line, and the latter was the only option for a lot of management operations: public folders, certificates, etc. Luckily PowerShell was indeed available for all these operations, and this pack gives you a UI for all of them.


Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
