Certificate Template: Determining Compliance
Overview
At times it is important to determine whether a client machine has a certificate installed that was issued from a particular certificate template. I developed this script, Get-DMGCertificateTemplateExistance, to detect whether a certificate in the local machine store was created from a given template name. It can be run stand-alone, or deployed as an SCCM configuration item/baseline, and returns the result as true or false.
Instructions
Add the name of the certificate template you would like to check within the Invoke-DMGCertificateTemplateExistance function and then run the PowerShell script. If the computer you run the script on has a certificate that was created from the template you provided, the script returns true; otherwise it returns false.
function Invoke-DMGCertificateTemplateExistance{
    $CertificateName = 'Display Name of Certificate Template Certificate Was Created From'
    Get-DMGCertificateTemplateExistance -CertificateName $CertificateName
}
Detecting Certificate Template Compliance in SCCM
Deploy this to the required machines as a configuration baseline compliance item. On this sample machine the function was configured to look for a Cisco ISE certificate, and the machine reports as compliant.
PowerShell Script: Get-DMGCertificateTemplateExistance.ps1
<#
.SYNOPSIS
Determines if a certificate exists on the local machine that matches the template name
.NOTES
Version: 1.0
Author: David Maiolo
Creation Date: 2018-02-02
Purpose/Change: Initial script development
#>
function Get-DMGCertificateTemplateExistance{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [String]$CertificateName
    )
    # Set the certificate template existence count
    $i = 0
    # Get all of the local machine certificates
    $cert = $null
    $certs = $null
    $certs = Get-ChildItem Cert:\LocalMachine\My
    # Loop through each certificate
    foreach ($cert in $certs){
        $temp = $null
        # See if the certificate carries the Microsoft Cryptography v1 template extension: szOID_ENROLL_CERTTYPE_EXTENSION
        $temp = $cert.Extensions | Where-Object{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2"}
        if(!$temp){
            # Otherwise see if it carries the Microsoft CertSrv Infrastructure v2 template extension: szOID_CERTIFICATE_TEMPLATE
            $temp = $cert.Extensions | Where-Object{$_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"}
        }
        # Add a new property, Template, holding the decoded extension text, and see if it matches the template name we are looking for
        if($temp){
            $cert | Add-Member -Name Template -MemberType NoteProperty -Value $temp.Format(1)
            # If the template name is found, increment the count and stop looking
            if ($cert.Template.Contains($CertificateName)){
                $i++
                break
            }
        }
    }
    # If the count is greater than zero, we found a certificate created from our template
    if ($i -gt 0){return $true}else{return $false}
}
function Invoke-DMGCertificateTemplateExistance{
    $CertificateName = 'Display Name of Certificate Template Certificate Was Created From'
    Get-DMGCertificateTemplateExistance -CertificateName $CertificateName
}
Invoke-DMGCertificateTemplateExistance
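The script above treats a certificate as present as soon as the template name appears anywhere in the decoded extension text, and it counts expired certificates too. The following is an added example, not part of the original post, of a stricter check suited to an SCCM compliance item: it skips certificates outside their validity period, extracts the template name from both the v1 extension (whose Format output is the name itself) and the v2 extension (whose Format output is assumed here to contain a line of the form Template=Name(OID)), and requires an exact, case-insensitive match. The function name Test-CertificateTemplateCompliance and the sample template name are assumptions.

```powershell
# Added example (not the post's script): stricter certificate template check for an
# SCCM configuration item. Assumes the extension text layouts described in the comments.
function Test-CertificateTemplateCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$TemplateName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # A certificate from the right template that is expired or not yet valid
        # cannot be used, so it should not make the machine compliant.
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }

        foreach ($ext in $cert.Extensions) {
            $name = $null
            switch ($ext.Oid.Value) {
                # v1 template extension: the decoded text is the template name itself.
                '1.3.6.1.4.1.311.20.2' { $name = $ext.Format($true).Trim() }
                # v2 template extension: assumed decoded text contains a line such as
                # "Template=WebServer(1.3.6.1.4.1.311.21.8...)". The display name is only
                # resolved when the template is known to this machine; otherwise only
                # the OID is present and the match below will not succeed.
                '1.3.6.1.4.1.311.21.7' {
                    $m = [regex]::Match($ext.Format($true), 'Template=(?<name>[^(\r\n]+)')
                    if ($m.Success) { $name = $m.Groups['name'].Value.Trim() }
                }
            }
            # Exact match rather than a substring match, so a template named
            # "WebServer" does not also satisfy a check for "Web".
            if ($name -and ($name -ieq $TemplateName)) { return $true }
        }
    }
    return $false
}

# SCCM compares the script's output with the expected value ("True"), so the result
# is the only thing written to the pipeline. Replace the name with your template's.
Test-CertificateTemplateCompliance -TemplateName 'Display Name of Certificate Template'
```

When used as a configuration item, set the compliance rule to expect the string True from this script; the validity check means a machine whose certificate has lapsed will drop out of compliance and show up in the baseline report rather than silently remaining green.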