Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name

Posted by Jorge on 2013-10-22


If your computer has lots of certificates in the local computer store and you need to find out whether one or more of them match a specific DNS name in the subject or in the subject alternative name (SAN) extension, or whether a certificate covers that name through a first level wildcard (e.g. "*.adcorp.lab" for "fs.adcorp.lab"), you can use the following PowerShell code:

# Searching For A Certificate With A Specific Name In The Subject Name Or Subject Alternate Name (SAN)
# Searching For A Certificate With A WildCard Name In The Subject Name Or Subject Alternate Name (SAN) Matching The Specific Name

# Define The Specific DNS Name
$dnsName = "<FQDN>"

# Determine The First Level WildCard Name (e.g. "fs.adcorp.lab" -> "*.adcorp.lab")
# A name without a dot has no parent domain, so there is no wildcard name to look for
If ($dnsName.IndexOf(".") -lt 0) { Throw "The DNS name '$dnsName' must be a fully qualified name" }
$wildCardName = "*" + $dnsName.Substring($dnsName.IndexOf("."))

$certs = @()
$certsInLocalMachine = DIR cert:\LocalMachine\My
$certsInLocalMachine | ForEach-Object{
	$certificate = $_
	$certThumbprint = $certificate.Thumbprint

	# Take only the CN value of the subject; everything after the first "=" would also include ", O=..., C=..." when the subject has more RDNs
	$certSubject = $null
	If ($certificate.Subject -match "CN=([^,]+)") { $certSubject = $Matches[1].Trim() }
	If ($certSubject -ne $null -and ($certSubject.ToUpper() -eq $dnsName.ToUpper() -or $certSubject.ToUpper() -eq $wildCardName.ToUpper())) {
		$certs += $certificate
	}

	# Find the SAN extension by its OID (2.5.29.17); the friendly name is localized and is empty for unknown extensions, which would make .ToLower() fail
	$sanCertExtension = $certificate.Extensions | Where-Object{$_.Oid.Value -eq "2.5.29.17"}
	If ($sanCertExtension -ne $null) {
		$sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
		$altNamesStr = [System.Convert]::ToBase64String($sanCertExtension.RawData)
		$sanObjs.InitializeDecode(1, $altNamesStr) # 1 = XCN_CRYPT_STRING_BASE64
		Foreach ($SAN in $sanObjs.AlternativeNames) {
			$certAltSubject = $SAN.strValue
			If ($certAltSubject -ne $null) {
				If ($certAltSubject.ToUpper() -eq $dnsName.ToUpper() -or $certAltSubject.ToUpper() -eq $wildCardName.ToUpper()) {
					# Do not list the same certificate twice when both the subject and a SAN entry match
					If (($certs | ForEach-Object{$_.Thumbprint}) -notcontains $certThumbprint) { $certs += $certificate }
				}
			}
		}
	}
}
$certs | FL

-

If the DNS name is "FS.ADCORP.LAB", the output on my demo machine is:

Figure 1: Looking For Certificates That Could Support The DNS Name "FS.ADCORP.LAB" (Example)
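As an added example (not code from the original post), the following function generalizes the search above into something you can reuse when picking, for instance, the ADFS service communications certificate. It applies the wildcard rule that browsers and RFC 6125 use (a "*" only as the whole leftmost label, matching exactly one label, so "*.adcorp.lab" covers "fs.adcorp.lab" but neither "adcorp.lab" nor "sts.fs.adcorp.lab"), and it also reports whether the certificate is currently valid, has a private key and carries the Server Authentication EKU. It assumes Windows PowerShell 3.0 or later and certificate objects read from the Cert: drive, whose provider adds the DnsNameList script property; the function falls back to the subject CN alone when that property is not available. The function names are my own.

```powershell
# Added example, not part of the original post.
# Assumes Windows PowerShell 3.0+ and objects from the Cert: drive (DnsNameList script property).

function Test-DnsNameMatch {
    # Returns $true when $Candidate (a subject CN or a SAN dNSName) covers $Name.
    # A wildcard is only honoured as the whole leftmost label and matches exactly one label.
    param([string]$Candidate, [string]$Name)
    $c = $Candidate.Trim().TrimEnd('.').ToLowerInvariant()
    $n = $Name.Trim().TrimEnd('.').ToLowerInvariant()
    if ($c -eq $n) { return $true }
    if ($c.StartsWith('*.')) {
        $nameLabels = $n.Split('.')
        if ($nameLabels.Count -lt 2) { return $false }
        $parent = ($nameLabels | Select-Object -Skip 1) -join '.'
        return ($c.Substring(2) -eq $parent)
    }
    return $false
}

function Get-CertificateDnsNames {
    # All names under which the certificate presents itself: the subject CN plus every SAN dNSName.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # DnsNameList is added by the Cert: provider (assumption: Windows PowerShell 3.0+); entries expose Punycode and Unicode forms
    if ($Certificate.PSObject.Properties['DnsNameList']) {
        foreach ($entry in $Certificate.DnsNameList) {
            if ($entry.Punycode) { $names += $entry.Punycode } else { $names += [string]$entry }
        }
    }
    return $names | Select-Object -Unique
}

function Find-CertificateForDnsName {
    param(
        [Parameter(Mandatory=$true)][string]$DnsName,
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [switch]$IncludeExpired,
        [switch]$IncludeWithoutPrivateKey
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $names = Get-CertificateDnsNames -Certificate $cert
        $matched = @($names | Where-Object { Test-DnsNameMatch -Candidate $_ -Name $DnsName })
        if ($matched.Count -eq 0) { return }   # 'return' only ends this iteration of ForEach-Object
        $valid = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        if (-not $valid -and -not $IncludeExpired) { return }
        if (-not $cert.HasPrivateKey -and -not $IncludeWithoutPrivateKey) { return }
        # No EKU extension means the certificate is usable for any purpose; otherwise Server Authentication must be listed
        $ekuExtensions = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' })
        $serverAuth = $true
        if ($ekuExtensions.Count -gt 0) {
            $found = @($ekuExtensions | ForEach-Object {
                $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($_, $false)
                $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }
            })
            $serverAuth = ($found.Count -gt 0)
        }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            MatchedName   = ($matched -join ', ')
            NotAfter      = $cert.NotAfter
            Valid         = $valid
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $serverAuth
        }
    } | Sort-Object NotAfter -Descending
}

# Usage: the longest-living usable certificate for the name is the first row
Find-CertificateForDnsName -DnsName 'fs.adcorp.lab' | Format-Table -AutoSize
```

By default expired certificates and certificates without a private key are skipped, because neither can be bound to a service; use -IncludeExpired or -IncludeWithoutPrivateKey to see them anyway (for example when hunting for an old certificate that is about to be renewed). Comparison is case-insensitive and trailing dots are ignored, so "FS.ADCORP.LAB" and "fs.adcorp.lab." both match.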

-

You might also want to look at the following article, which shows you how to list subject alternate names in a specific certificate:

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
