Public/Get-PWSHCertutilIssuedCerts.ps1
function Get-PWSHCertutilIssuedCerts {
    <#
    .SYNOPSIS
    Gets issued certificates from one or all CAs in a profile.

    .DESCRIPTION
    For every CA defined in the profile (or only the CA named by -CAFqdn), obtains a
    WinRM session through Get-CASession, runs certutil -view restricted to issued
    certificates, and converts the CSV output into PowerShell objects.

    The -restrict and -out values are not hard-coded here; they are resolved from the
    profile configuration by Get-CertutilViewParams, so the profile file is trusted
    input for what certutil executes on the CA. Every returned object is tagged with
    Profile and CAServer so results from several CAs can be merged and traced back.

    A CA that cannot be queried produces a non-terminating error; the remaining CAs
    are still processed.

    .PARAMETER Profile
    The configuration profile to use.

    .PARAMETER CAFqdn
    Optional. Queries only this CA instead of all CAs in the profile. Must match the
    fqdn of a CA entry in the profile, otherwise a terminating error is thrown.

    .PARAMETER Credential
    Optional PSCredential for WinRM authentication. Defaults to the current user.

    .EXAMPLE
    Get-PWSHCertutilIssuedCerts -Profile 'prod-pki'

    Retrieves all issued certificates from every CA in the 'prod-pki' profile.

    .EXAMPLE
    Get-PWSHCertutilIssuedCerts -Profile 'prod-pki' -CAFqdn 'ca01.corp.local'

    Retrieves issued certificates from ca01.corp.local only.

    .EXAMPLE
    Get-PWSHCertutilIssuedCerts -Profile 'prod-pki' | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }

    Finds issued certificates expiring within 30 days.

    .OUTPUTS
    PSCustomObject[]. One object per certificate with Profile, CAServer, and all
    configured -out fields.
    #>
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string] $Profile,

        [Parameter()]
        [string] $CAFqdn,

        [Parameter()]
        [pscredential] $Credential
    )

    # Whether the caller supplied an explicit credential; it is forwarded to both the
    # auto-sync step and each CA session, otherwise the current user is used.
    $haveCredential = $PSBoundParameters.ContainsKey('Credential')

    # Resolve the profile, then let auto-sync refresh it before any values are read.
    $config        = Read-ConfigFile
    $profileConfig = Get-ProfileConfig -Config $config -ProfileName $Profile

    $syncArgs = @{
        Config        = $config
        ProfileName   = $Profile
        ProfileConfig = $profileConfig
    }
    if ($haveCredential) {
        $syncArgs['Credential'] = $Credential
    }
    $profileConfig = Invoke-ProfileAutoSync @syncArgs

    # Flatten syncState.fieldNameMap (when present) into a plain hashtable for
    # ConvertFrom-CertutilCsv; an empty map means no field renaming.
    $fieldMap  = @{}
    $syncState = $profileConfig.syncState
    if ($syncState -and $syncState.fieldNameMap) {
        foreach ($mapEntry in $syncState.fieldNameMap.PSObject.Properties) {
            $fieldMap[$mapEntry.Name] = $mapEntry.Value
        }
    }

    # The restrict/out strings are passed to certutil on the remote CA as-is; they
    # come from the profile configuration, not from user input to this function.
    $viewParams = Get-CertutilViewParams -ProfileConfig $profileConfig -Operation 'issuedCerts'

    # Select the CA set: a single named CA (must exist in the profile) or all of them.
    if ($PSBoundParameters.ContainsKey('CAFqdn')) {
        $targets = $profileConfig.cas | Where-Object { $_.fqdn -eq $CAFqdn }
        if (-not $targets) {
            throw "CA '$CAFqdn' is not defined in profile '$Profile'."
        }
    }
    else {
        $targets = $profileConfig.cas
    }

    foreach ($ca in $targets) {
        try {
            $sessionArgs = @{
                CAFqdn         = $ca.fqdn
                RemotingConfig = $profileConfig.remoting
            }
            if ($haveCredential) {
                $sessionArgs['Credential'] = $Credential
            }
            # NOTE(review): the session is never removed in this function — confirm
            # Get-CASession caches/reuses it rather than creating a new PSSession per
            # call, otherwise WinRM sessions accumulate across CAs and invocations.
            $session = Get-CASession @sessionArgs

            $rawOutput = Invoke-CertutilView -Session $session -Restrict $viewParams.Restrict -Out $viewParams.Out

            # Stream parsed rows straight to the pipeline, stamped with their origin.
            ConvertFrom-CertutilCsv -RawOutput $rawOutput -FieldMap $fieldMap |
                Add-ResultMetadata -Profile $Profile -CAServer $ca.fqdn
        }
        catch {
            # Non-terminating on purpose: one unreachable CA must not hide the others' results.
            Write-Error "Failed to query issued certs from '$($ca.fqdn)': $_"
        }
    }
}