Dump subject CN, NotBefore, NotAfter from x509 custom folder - x509

Since I am issuing certificates for my employees, I need to have a data table, namely subject CN, NotBefore, NotAfter. I tried to write a bat file using certutil as well as PS scripts from stackoverflow but never succeeded. There are too many certificates, I can't manually check each one. How can I get the name and expiration metrics from all the certificates that are in the folder? Thank you in advance for your response.
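As an added example (not part of the question above), the following Windows PowerShell script walks a folder of exported certificates, loads each one with the .NET X509Certificate2 class that Cert: itself is built on, and writes the subject CN, NotBefore and NotAfter to a CSV. The folder path, the output path and the PFX password are placeholders; no certutil parsing is needed because the class reads DER, Base64 and PKCS#12 files directly.

```powershell
# Added example: inventory every certificate file in a folder (not from the original post).
# Assumptions: $CertFolder, $OutCsv and $PfxPassword are placeholders to replace.
param(
    [string]$CertFolder  = 'C:\IssuedCerts',
    [string]$OutCsv      = 'C:\IssuedCerts\inventory.csv',
    [string]$PfxPassword = ''          # assumed shared export password for .pfx/.p12 files, if any
)

$rows = foreach ($file in Get-ChildItem -Path $CertFolder -File -Recurse `
                                        -Include *.cer,*.crt,*.der,*.pem,*.pfx,*.p12) {
    try {
        # X509Certificate2 parses DER, Base64 (PEM) and PKCS#12; PFX files additionally need the password
        if ($file.Extension -in '.pfx', '.p12') {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName, $PfxPassword)
        } else {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
        }
    } catch {
        # A wrong password or a non-certificate file should not abort the whole inventory
        Write-Warning "Skipping $($file.Name): $($_.Exception.Message)"
        continue
    }

    # SimpleName returns just the CN value of the subject DN; $false selects subject rather than issuer
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        File       = $file.Name
        SubjectCN  = $cn
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays   # negative means already expired
        Thumbprint = $cert.Thumbprint
    }
}

# Soonest-expiring first, so the certificates that need renewal are at the top of the table
$rows | Sort-Object NotAfter | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it as `.\Get-CertInventory.ps1 -CertFolder 'D:\certs'`; the DaysLeft column is what a renewal report usually keys on, and the warning branch lists any file that could not be parsed so nothing is silently missed.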

Related

Set-AuthenticodeSignature UnknownError with new certificate, how to troubleshoot

I have been trying to get a new Sectigo code signing certificate working, with no luck, and Sectigo support is utterly useless. I am testing with this code, with the executable of course pathed to an actual PS1 file.
$executable = 'PATH TO.ps1'
$cert = Get-ChildItem cert:\CurrentUser\My -codesign
$timeStampServer = "http://timestamp.sectigo.com"
The time server seems to be working, since $timeStampServer echoes http://timestamp.sectigo.com to the console. And the certificate SEEMS to be working because $cert echoes a Thumbprint and Subject to the console.
But
Set-AuthenticodeSignature -filePath:$executable -certificate:$cert -timeStampServer:$timeStampServer -force
produces a blank SignerCertificate and UnknownError for the Status. For what it is worth the Path is just the file name, not the full path.
Unlike this thread, $cert.privatekey produces
PublicOnly : False
CspKeyContainerInfo : System.Security.Cryptography.CspKeyContainerInfo
KeySize : 4096
KeyExchangeAlgorithm : RSA-PKCS1-KeyEx
SignatureAlgorithm : http://www.w3.org/2000/09/xmldsig#rsa-sha1
PersistKeyInCsp : True
LegalKeySizes : {System.Security.Cryptography.KeySizes}
I wonder, is there anything else I can do to test the situation? I am waiting (about 110 minutes to go) on Sectigo support before I try downloading and installing a reissued certificate, but as crap as their support has been, I don't expect the new cert to work any better than the old, nor do I expect any insight from them as to the problem. They have my money, I expect them to say "PowerShell is your problem". So, hoping for some suggestions here as to what could be the issue, and what steps to take to isolate the problem.
One thing that does perk my ears up is that this link suggests I should also see EnhancedKeyUsageList for $cert and I do not. And when I look at the cert with Certlm I don't see an Intended Purposes column at all. But I think that's an OS issue as actually looking at the Cert there under the General tab, I have Enable all purposes for this certificate selected, and Code Signing is checked in the greyed out list.
Now, oddly, I get a single line with only UnknownError when I run Set-AuthenticodeSignature without dumping a variable to the console. But, if I dump $cert to the console right before I get
SignerCertificate :
TimeStamperCertificate :
Status : UnknownError
StatusMessage : The data is invalid
Path : PATH TO.ps1
SignatureType : None
IsOSBinary : False
Again with the correct local path. The StatusMessage doesn't exactly add much, but the fact that the TimeStamperCertificate is also blank makes me wonder if that's the issue. Given how much it seems Sectigo sucks, is there some other generic timestamp server I can use, or am I limited to using the Timestamp Server of the certificate issuer? I tried using the timestamp server I had been using with my old GlobalSign EV cert, "http://timestamp.globalsign.com/scripts/timestamp.dll", and that produces the same results.
Also for what it is worth, the PS1 I am trying to sign for testing is one line
$scriptPath = Split-Path $script:myInvocation.myCommand.path -parent
I have never had such problems before. I had a Sectigo certificate last year and everything worked fine, but that was a different reseller, and in the meantime the Sectigo process seems to have changed. Last year my signed PDF from the KVK (Dutch Better Business Bureau) was fine for validation. But this year they demanded I provide a plain text translation of that document. And for years before I never had issues, but then I was using an EV cert on a thumb drive, which I gave up when GlobalSign took 4 months to get a thumb drive from London to Rotterdam.
But back on topic, suggestions?
EDIT: Further searching led to this, so I tried
$Cert = Get-PfxCertificate -FilePath "PATH TO.pfx"
And I put both the PFX and target PS1 in the root of C. Same results.
EDIT #2: After days of really horrible support from Comodo/Sectigo I demanded a refund, and bought a new certificate from SSL.Com. MUCH better experience with the validation process, but exactly the same issues with signing code. Now verified on both a Windows 10 and an old Windows 7 VM. So the code signing problem is definitely on my end. Meaning, more than ever I hope someone here can provide some insight.
We're sorry you're experiencing an issue. Here is some information to help resolve the issue. If you have any further questions, please feel free to contact Sectigo Support at https://sectigo.com/support and a member of our team will reach out to you.
Powershell ISE uses 'Unicode Big Endian' encoding and that could be the problem. Please try recreating the file using UTF-8 and set the Authenticode signature.
#creating the script into a new file
type \path\scriptfile.ps1 | out-file \path\scriptfile_utf.ps1 -encoding utf8
#get the certificate
$cert = Get-ChildItem cert:\CurrentUser\My -codesigning
#add Authenticode Signature to the script
Set-AuthenticodeSignature \path\scriptfile_utf.ps1 -Certificate $cert
I had the same error. I tried to sign a .cmd file with a CodeSigningCert and received Unknown Error with a blank SignerCertificate as well.
When I tried signing a PowerShell script it worked fine. That is because you cannot sign a non-Executable with a CodeSigningCert. Might not be your issue, but that was what was wrong for me.
I did not use an official certificate though, I created one with the New-SelfSignedCertificate Cmdlet. Maybe you can try with a self-signed one and check if the error occurs as well?
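Pulling the two answers together, here is an added Windows PowerShell 5.1 example (not code from the thread or from Sectigo) that checks the script's byte-order mark, re-saves it as UTF-8, picks a code-signing certificate that actually has a private key and the Code Signing EKU, signs with a timestamp, and reports the fields the question was inspecting. The file paths are placeholders; the timestamp URL is the one quoted in the question.

```powershell
# Added example: diagnose and sign a script (not from the original thread).
# Assumptions: $script and $utf8Script are placeholder paths; requires Windows PowerShell 5.1
# (Get-Content -Encoding Byte is not available in PowerShell 7).
$script     = 'C:\signtest\script.ps1'
$utf8Script = 'C:\signtest\script_utf8.ps1'
$tsaUrl     = 'http://timestamp.sectigo.com'    # URL as quoted in the question

# 1. Show the byte-order mark. FE FF = UTF-16 big endian ("Unicode Big Endian", the ISE default
#    the support answer refers to); EF BB BF = UTF-8 with BOM; FF FE = UTF-16 little endian.
$bom = (Get-Content -Path $script -Encoding Byte -TotalCount 4 | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
"First bytes of $script : $bom"

# 2. Re-save as UTF-8. Get-Content decodes using the existing BOM, so the text is preserved.
Get-Content -Path $script | Out-File -FilePath $utf8Script -Encoding utf8

# 3. Pick a certificate the way the signing code needs it: Code Signing EKU, private key, in date.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }

# The EnhancedKeyUsageList the question mentions should include Code Signing (OID 1.3.6.1.5.5.7.3.3)
$ekuOids = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
"EKU OIDs on $($cert.Thumbprint): $($ekuOids -join ', ')"

# 4. Sign the UTF-8 copy with a SHA-256 file digest and a timestamp
$sig = Set-AuthenticodeSignature -FilePath $utf8Script -Certificate $cert `
                                 -TimestampServer $tsaUrl -HashAlgorithm SHA256

# 5. Report. 'Valid' means signature and chain verify on this machine; 'UnknownError' with an
#    empty SignerCertificate is the symptom described in the question.
[pscustomobject]@{
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    TimeStamper   = $sig.TimeStamperCertificate.Subject
    SignatureType = $sig.SignatureType
}
```

Steps 1 and 3 are the diagnostics: if the BOM line shows FE FF the encoding answer applies, and if the EKU list lacks 1.3.6.1.5.5.7.3.3 the certificate itself is not a code-signing certificate regardless of what the GUI shows.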

How do I relate the signature algorithms of a Windows certificate with the parameters for signing with SignTool?

We have a PowerShell script written years ago by someone who has moved on, to sign our ClickOnce deployments. This has worked well, until recently when the certificate expired. I'm tasked with updating the PowerShell script to incorporate the new signing certificate we recently purchased.
I put the new certificate into the Certificate store, per the instructions from the previous maintainer. I've made modifications to the PowerShell script, fixing other bugs as they've come along, but I'm at a place where I don't know how to relate the details of the certificate with the parameters for SignTool.exe. Looking at the properties of the certificate, from the Details view, I see the following relevant values:
Signature algorithm: sha384RSA
Signature hash algorithm: sha384
Thumbprint algorithm: sha1
Looking at Microsoft's SignTool documentation page for the sign command I see values used by the PowerShell such as /td and /fd, but I don't know which relates to the values displayed in the properties for the certificate. Also, I'm not certain that I need the thumbprint algorithm. According to the Microsoft page I referenced it should be used if working with multiple certificates, which the PowerShell script is not.
Here is what is currently in the PowerShell script for signing the ClickOnce app:
Get-AuthenticodeSignature *.exe,*.dll | ? Status -eq NotSigned | % Path | %{&$signtool sign /tr $timestamp /td sha384 /fd sha384 $hash $_ }
That now gives me an error of, "##[error]SignTool Error: No certificates were found that met all the given criteria."
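As an added example (not the script from the question), the following PowerShell selects the signing certificate explicitly and documents what each SignTool switch refers to. The SignTool path, timestamp URL and subject are placeholders. Two facts about SignTool, not taken from the question: `/fd` and `/td` choose the digest over the file and the timestamp respectively and are independent of the certificate's own "Signature algorithm" field (which is the CA's signature over the certificate), and `/sha1` selects the certificate by its SHA-1 thumbprint, which is the "Thumbprint algorithm: sha1" value.

```powershell
# Added example: explicit certificate selection for SignTool (not the question's original script).
# Assumptions: $signtool, $timestamp and $subject are placeholders to replace.
$signtool  = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'
$timestamp = 'http://timestamp.example.com'   # placeholder RFC 3161 URL; use your CA's server
$subject   = 'CN=Contoso Ltd'                 # placeholder: a distinctive part of the certificate Subject

# Find the certificate using the same criteria SignTool applies: store, EKU, private key, validity
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*$subject*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with a private key matched '$subject' in CurrentUser\My" }

# Switch reference (facts about SignTool):
#   /fd   digest algorithm over the file being signed (sha256/sha384/sha512)
#   /td   digest algorithm requested from the RFC 3161 timestamp server
#   /tr   RFC 3161 timestamp server URL (/t is the older Authenticode timestamp protocol)
#   /sha1 SHA-1 thumbprint of the certificate to sign with
#   /s    store name; add /sm to use the LocalMachine store instead of CurrentUser
$signArgs = @('sign', '/fd', 'sha384', '/td', 'sha384', '/tr', $timestamp,
              '/s', 'My', '/sha1', $cert.Thumbprint, '/v')

Get-ChildItem -Path .\bin\Release -Include *.exe, *.dll -Recurse |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object Status -eq 'NotSigned' |
    ForEach-Object {
        & $signtool @signArgs $_.Path
        if ($LASTEXITCODE -ne 0) {
            # /debug prints which criterion (store, EKU, private key, validity) excluded each candidate,
            # which is the quickest way to explain "No certificates were found that met all the given criteria"
            & $signtool 'sign' '/debug' '/s' 'My' '/sha1' $cert.Thumbprint '/fd' 'sha384' $_.Path
            throw "SignTool failed on $($_.Path)"
        }
    }
```

If the certificate was imported into the machine store rather than the user store, the `Get-ChildItem` path becomes `Cert:\LocalMachine\My` and `/sm` is added to the SignTool arguments; a mismatch between the two is a common cause of the error quoted above.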

fetching certificates with powershell

Hi, I'm very new to PowerShell. I need to fetch only issued certificates from the CA server and export all issued certificates to a CSV file using PowerShell, but I'm unable to find the exact command. Any help would be appreciated.
I'm using this command to fetch issued certificates, but I'm getting all certificates. How do I filter only issued certificates?
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,CertificateTemplate,SerialNumber"
I'd recommend looking into using the PKITools module as this module includes the ability to retrieve issued certificates with ease.
You should be able to install the module by issuing the following command:
Install-Module -Name PKITools
Once the module has been installed, it should be as simple as running the below (without Format-Table if you want to work with the returned data):
Get-IssuedCertificate | Format-Table
This will give you output similar to the below:
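For those who would rather stay with certutil than install a module, here is an added example (not from the question or answer) that restricts the view to issued requests and exports the result to CSV. The CA config string and output path are placeholders. In the AD CS database, Request.Disposition 20 means issued (21 revoked, 30 denied, 31 failed), so `-restrict "Disposition=20"` is the filter the question asks for; the column headers come out as certutil's display names, so the date column is located by wildcard rather than assumed.

```powershell
# Added example: export only issued certificates from an AD CS CA via certutil (not from the thread).
# Assumptions: $caConfig is a placeholder "host\CA name"; drop -config to query the local CA.
$caConfig = 'ca01.corp.example.com\Corp-Issuing-CA'
$outCsv   = 'C:\temp\issued.csv'

# Disposition 20 = issued. The csv keyword makes certutil emit a header row plus one row per record.
$columns = 'RequestID,RequesterName,NotBefore,NotAfter,CommonName,CertificateTemplate,SerialNumber'
$raw = & certutil.exe -config $caConfig -view -restrict 'Disposition=20' -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Drop blank lines and the trailing "CertUtil: -view command completed successfully." status line
$issued = $raw | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
if (-not $issued) { throw 'No issued certificates returned; check -config and permissions on the CA' }

# Find the expiration column by its display name (assumed to contain "Expiration") and convert it
# to a real date so Sort-Object orders by time rather than by string
$expCol = $issued[0].PSObject.Properties.Name | Where-Object { $_ -like '*Expiration*' } | Select-Object -First 1
if ($expCol) {
    foreach ($row in $issued) {
        try   { $row.$expCol = [datetime]::Parse($row.$expCol) }   # certutil prints dates in the local culture
        catch { Write-Warning "Could not parse date '$($row.$expCol)'" }
    }
    $issued = $issued | Sort-Object $expCol
}

$issued | Export-Csv -Path $outCsv -NoTypeInformation
"{0} issued certificates written to {1}" -f @($issued).Count, $outCsv
```

Running the same command with `-restrict "Disposition=21"` gives the revoked set, which is useful for reconciling the issued list against the CRL.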

How can I use PowerShell to find a website's certificate?

I am trying to use PowerShell to query a website and see what SSL certificate (name) it is using for HTTPS bindings. Then I would like to trace back to see what CA issued the cert.
I am having trouble querying the website to find out what SSL certificate is bound. The IIS 7.5 GUI shows a friendly name.
After I get the website's SSL certificate the plan is to use PowerShell to search the Certificate stores by FriendlyName (or thumbprint, or some other value).
Here is what I have so far:
Query store for cert info:
get-childitem cert:\LocalMachine\my | ft issuer, subject, notafter, FriendlyName
check for active bindings
get-itemproperty 'IIS:\Sites\(SITENAME)' -name bindings
I'm not sure where this information is stored, and I have no luck searching for it with PowerShell, in the web.config and applicationhost.config. Google searching has not been helpful so far.
Any info, links to information, or documentation on how certs are handled / stored in IIS is appreciated.
To get the site SSL binding check out: IIS:\SslBinding
You can get the binding port like this:
dir IIS:\SslBindings | ? {$_.Port -eq 1443} | Select *
The Thumbprint and Store properties will be of interest.
You can get the actual cert using:
get-item cert:\LocalMachine\$theStore\$theThumbprint
e.g.
get-item cert:\LocalMachine\My\29F025A78F537D931A8CF05B00EB81DB84160CF3 | select *
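Building on that answer, here is an added example (not from the answer itself) that maps every IIS SSL binding to its certificate in Cert:\LocalMachine and then builds the chain with X509Chain, which answers the second half of the question: who issued the certificate and where the chain ends. It assumes the WebAdministration module from IIS 7.5 or later; that the Sites entries on a binding expose the site name through a Value property is an assumption to check with `Select-Object *`.

```powershell
# Added example: IIS HTTPS binding -> certificate -> issuing chain (not from the original answer).
# Assumptions: WebAdministration module present; $binding.Sites entries expose .Value.
Import-Module WebAdministration

foreach ($binding in Get-ChildItem -Path IIS:\SslBindings) {
    # Store ('My' for most sites) and Thumbprint locate the certificate under Cert:\LocalMachine
    $cert = Get-Item -Path ("Cert:\LocalMachine\{0}\{1}" -f $binding.Store, $binding.Thumbprint)

    # Build the chain the way schannel would for this server certificate.
    # NoCheck keeps the run offline; set Online to test whether CRL/OCSP endpoints are reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)

    [pscustomobject]@{
        Sites        = ($binding.Sites | ForEach-Object { $_.Value }) -join ','
        IPPort       = "{0}:{1}" -f $binding.IPAddress, $binding.Port
        FriendlyName = $cert.FriendlyName
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        IssuedBy     = $cert.Issuer
        # ChainElements[0] is the leaf; the last element is the root, or where chain building stopped
        Chain        = ($chain.ChainElements | ForEach-Object {
                            $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' -> '
        ChainStatus  = if ($chain.ChainStatus) { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
                       else { 'OK' }
    }
}
```

A ChainStatus other than OK (for example PartialChain or UntrustedRoot) on a binding means clients will see a trust warning even though IIS happily serves the certificate, so this is worth running after every certificate renewal.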

How to trust a certificate in Windows Powershell

I am using Windows 7, and want to run signed scripts from Powershell, the security-settings of Powershell are set to "all-signed", and my scripts are signed with a valid certificate from my company. I have also added the .pfx-file to my local certificate store (right-clicked the pfx-file and installed).
However, when I start a signed script, I get a message that says:
"Do you want to run software from this untrusted publisher?
File Z:\Powershell Signed Scripts\signed.ps1 is published by CN=[MyCompanyName] and is not trusted on your system. Only run scripts from
trusted publishers.
[V] Never run [D] Do not run [R] Run once [A] Always run [?] Help
(default is "D"):"
Since I want to automatically call these scripts on my systems, I would like to add my imported certificate to the trusted list on my system, so that I do not get a message anymore when I run a signed script for the first time. How can I make my certificate a trusted one?
Indeed, you can do this without any mmc :)
First, check the location of your personal certificate, named for example "Power":
Get-ChildItem -Recurse cert:\CurrentUser\ |where {$_ -Match "Power"} | Select PSParentPath,Subject,Issuer,HasPrivateKey |ft -AutoSize
(This one should be empty:)
gci cert:\CurrentUser\TrustedPublisher
Build the command with the path to your certificate:
$cert = Get-ChildItem Certificate::CurrentUser\My\ABLALAH
Next, work on the certificate store (here I work on two certificate stores: user & computer)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "TrustedPublisher","LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
Check, you should find your certificate :
ls cert:\CurrentUser\TrustedPublisher
Sounds like you need to verify that the script is signed properly and that you have the correct certificate installed in the correct certificate store.
Use the Get-AuthenticodeSignature cmdlet to get information about the signed script.
Also review Scott's guide for signing certificates.
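Combining both answers, here is an added example (not code from either answer) that takes the signer certificate straight from the signed script, so there is no need to know its thumbprint, adds only the public certificate to TrustedPublisher for both the user and the machine, and confirms the entry. The script path is the one quoted in the question.

```powershell
# Added example: trust the publisher of a signed script (not from the original answers).
# Assumption: $signedScript is the placeholder path quoted in the question.
$signedScript = 'Z:\Powershell Signed Scripts\signed.ps1'

# Get-AuthenticodeSignature verifies the signature and the chain to a trusted root; publisher trust
# (the prompt in the question) is a separate policy decision that TrustedPublisher records.
$sig = Get-AuthenticodeSignature -FilePath $signedScript
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)' ($($sig.StatusMessage)); fix the signature or chain before trusting it"
}
$signer = $sig.SignerCertificate   # public certificate only; the private key never leaves the PFX

foreach ($location in 'CurrentUser', 'LocalMachine') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', $location
    try {
        $store.Open('ReadWrite')   # LocalMachine requires an elevated session
        if ($store.Certificates.Contains($signer)) {
            "{0}\TrustedPublisher already contains {1}" -f $location, $signer.Subject
        } else {
            $store.Add($signer)
            "Added {0} to {1}\TrustedPublisher" -f $signer.Subject, $location
        }
    } finally {
        $store.Close()
    }
}

# Confirm: with AllSigned in effect, scripts from this publisher now run without the prompt
Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
    Where-Object Thumbprint -eq $signer.Thumbprint |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

Adding the signer to TrustedPublisher answers "may code from this publisher run"; it does not make the chain valid. If the status check at the top fails with UnknownError or NotTrusted, the company's issuing CA or root is missing from the Root/CA stores, which is what the second answer's advice to review the store placement is about.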