Find certificates issued by specific CA?

We have two Certificate Authorities, and one is being removed.
We have already removed all of the templates and all of the certificates that are left have been revoked etc.

We would like to see if any computers left in our domain are using certificates issued by this old CA.

Is there any way using PowerShell to accomplish this? If not, any other help would be appreciated.

Thanks!

July 28th, 2015 12:49pm

Why not just use the CA to force all certs to expire in the domain.

Post in the Security forum to find out how to manage this kind of transition. You should not need to use PowerShell. Imagine if Microsoft had to do this after expiring a cert. How could they or anyone do it remotely, and why would they?

July 28th, 2015 12:59pm

I revoked the certificates and published a new revocation list, if that's what you mean by force them to expire.
I just don't want to take a chance on a system not updating their certificate for some reason, and something going down due to authentication/certificate issues.

I mean if it was you, would you make the assumption that all of your servers that everyone uses for ERP and shipping/receiving and all of your executives systems processed the updated revocation list, and renewed their certificates, and that it is safe to demote/remove this CA from the environment?  or would you feel the need to check first? if it was your own systems and neck on the line?

I figure it's better to at least check first and err on the side of caution? And learn a bit about how to search certificates via PowerShell along the way? No?

July 28th, 2015 1:12pm

Here's something you can run locally:

$issuer = 'CN=YOURCA'   # issuer DN of the old CA, exactly as shown in a certificate's Issuer field

# Walk every store under Cert: (CurrentUser and LocalMachine, all sub-stores)
# and keep only the certificates whose Issuer matches that DN exactly
Get-ChildItem Cert: -Recurse |
    Where-Object { $_.Issuer -eq $issuer }

You'd need remoting enabled to run this against remote machines.

July 28th, 2015 1:14pm
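A fuller version of the local check above, added here as an example and not code from the original thread: it filters the LocalMachine stores by issuer DN, records the thumbprint of the issuing CA certificate so a different CA with the same CN is not mistaken for the old one, reports whether each certificate's chain still builds on that host, and can be pushed to remote machines with Invoke-Command. $OldCaName and $ComputerName are placeholders.

```powershell
# Added example, not from the original thread. Inventory every certificate in the
# LocalMachine stores whose issuer DN matches the old CA and report whether its
# chain still builds. $OldCaName and $ComputerName are placeholders.
param(
    [string]   $OldCaName    = 'CN=YOURCA',   # issuer DN (or a prefix of it) of the CA being removed
    [string[]] $ComputerName = @()            # leave empty to scan only the local machine
)

$scan = {
    param([string]$IssuerPattern)
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is $certType -and $_.Issuer -like "$IssuerPattern*" } |
        ForEach-Object {
            # Build the chain without CRL checks: the point here is to learn whether
            # the issuing CA certificate is still present and trusted on this host.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $chainOk = $chain.Build($_)
            $caThumb = if ($chain.ChainElements.Count -gt 1) {
                $chain.ChainElements[1].Certificate.Thumbprint } else { 'not found' }
            $chain.Reset()
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Store         = ($_.PSParentPath -split '::')[-1]   # e.g. LocalMachine\My
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                IssuerThumb   = $caThumb      # identifies WHICH CA cert issued it, not just its name
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                ChainBuilds   = $chainOk
            }
        }
}

if ($ComputerName.Count -eq 0) {
    & $scan $OldCaName
} else {
    # Requires PowerShell remoting on the targets; hosts without PowerShell
    # (such as the Server 2003 systems mentioned later in the thread) need another method.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan `
        -ArgumentList $OldCaName -ErrorAction Continue
}
```

Pipe the output to Export-Csv to keep a record of which hosts still hold certificates from the old CA before it is demoted.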

Be sure your new CA has the revocation list.  That is the only way to guarantee what you are after.  As I noted - post in security/CAServer forum to learn how to do this.

July 28th, 2015 1:24pm


Hi Mike,

Thanks for that,
However I just thought, I can't run PowerShell commands like this against a server 2003 system that doesn't have PowerShell installed, can I?


So for an environment with non-PS systems... I'm guessing I'll need to either figure it out in VBS or use something like a startup script that writes certificate issuers to a text file in a shared location or something...

July 28th, 2015 1:28pm

What I posted is just an example and won't work on machines that don't have PowerShell installed.

I highly recommend taking jrv's advice on this.

July 28th, 2015 1:30pm

Hi Mike, Jrv,


I already updated and published the revocation list on the new CA,
thanks for the advice about the security forum, maybe I'll post there later hoping someone else would read it... but just FYI this isn't a security issue... this is just me wanting to check my bases to ensure that services don't stop running, and that nothing loses access when the CA is gone.... No worries about private keys or anything malicious happening...

It's just that there are two or three old servers I've found in the past few days that have the old CA's certificates even after being revoked...

Even after following any advice given in the security forum I'm still not just gonna trust it.. I'm still gonna check those systems, so I'm still gonna try to find an easier way to search than one by one..


Thanks again for all your help




July 28th, 2015 1:38pm

What services would use a cert? IIS, Exchange.  I would hope that you already updated all critical services.

You really need to post in the Security forum to learn the correct way to do a migration. The answer depends on the how and what of your migration and is not a scripting issue.

July 28th, 2015 1:46pm

Reasons I would want to check the certificates?

Wireless authentication, VPN authentication, Remote Desktop, shared folders that use computername$, etc.

The specific certificates for IIS and such I've already ensured are renewed from the new CA.

Originally for migrating I had asked the question on the Spiceworks forums because I couldn't find the MS forum for certificate stuff... I guess that's the Security forum, thanks for that, but my question was originally about migrating, and I'd been pointed to this blog article.

http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

I'm just trying to be thorough and double check the certificates, and you're just trying to teach me the steps I would do BEFORE that anyway...

It's ok, I can probably check the remaining important systems in a day or two manually.

I'll give you the correct answer so they close this thread.

Thanks anyway.


July 28th, 2015 2:08pm

Good luck, but most of those are not delivered via your CA. If you are talking about services then you need to do a migration. Your VPN servers would be easy enough to find but they are likely not Windows based and PowerShell will not help.

The issue is that the certs are in user accounts. You would have to scan all user accounts and search their cert stores. There are scripts in the gallery which will do that but I do not think it will fix anything since you will still not be able to switch those certs.

July 28th, 2015 2:19pm

Thank you Mike,
I can use that and modify to just find that issuer!


JRV,

While I appreciate your effort, I never asked for anything to FIX anything...

Only how to search.   I came specifically here to the PowerShell forum, for a specific PowerShell answer.

If you know scripts in the gallery which might have helped, I feel like that would have been a bit more help than suggesting I did something wrong by telling me to go elsewhere and learn to migrate...

While you were trying to help by trying to teach me to do things a different way...
Mike answered my question, you know... the whole reason I posted... 

Anyway, question answered, I really appreciate it.

July 28th, 2015 2:28pm


Meanwhile you still have not addressed how you are going to find all of the user cert stores and how you are going to run the script. That is what I am trying to show you has other and easier solutions, but you already know all of the answers so you do not need any help.

July 28th, 2015 2:35pm

