Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name

Posted by Jorge on 2013-10-22


If your computer has lots of certificates in the local computer store and you need to find out whether one or more of them match a specific name, either in the subject or in the Subject Alternative Name (SAN) extension, or match the first-level wildcard of that name (for example "*.adcorp.lab" for "fs.adcorp.lab"), you can use the following PowerShell code:

# Searching For A Certificate With A Specific Name In The Subject Name Or Subject Alternate Name (SAN)
# Searching For A Certificate With A WildCard Name In The Subject Name Or Subject Alternate Name (SAN) Matching The Specific Name

# Define The Specific DNS Name
$dnsName = "<FQDN>"

# Determine The First Level WildCard Name (e.g. "fs.adcorp.lab" -> "*.adcorp.lab")
$wildCardName = "*" + $dnsName.Substring($dnsName.IndexOf("."))

$certs = @()
$certsInLocalMachine = Get-ChildItem Cert:\LocalMachine\My
$certsInLocalMachine | ForEach-Object {
    $certificate = $_
    $matched = $false

    # Take only the CN value from the subject. Taking everything after the first "=" would also
    # drag in any following RDNs (e.g. ", OU=..., O=...") and make the comparison fail.
    $certSubject = $null
    If ($certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $certSubject = $Matches[1].Trim() }
    If ($certSubject -ne $null -and ($certSubject.ToUpper() -eq $dnsName.ToUpper() -or $certSubject.ToUpper() -eq $wildCardName.ToUpper())) {
        $matched = $true
    }

    # Select the SAN extension by its OID (2.5.29.17); the friendly name can be $null for some extensions
    $sanCertExtension = $certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    If ($sanCertExtension -ne $null) {
        $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        # Encoding type 1 = XCN_CRYPT_STRING_BASE64
        $altNamesStr = [System.Convert]::ToBase64String($sanCertExtension.RawData)
        $sanObjs.InitializeDecode(1, $altNamesStr)
        Foreach ($SAN in $sanObjs.AlternativeNames) {
            $certAltSubject = $SAN.strValue
            If ($certAltSubject -ne $null) {
                If ($certAltSubject.ToUpper() -eq $dnsName.ToUpper() -or $certAltSubject.ToUpper() -eq $wildCardName.ToUpper()) {
                    $matched = $true
                }
            }
        }
    }

    # Add each matching certificate once, even when both the subject and a SAN entry match
    If ($matched) { $certs += $certificate }
}
$certs | Format-List

-

If the DNS Name is "FS.ADCORP.LAB", the output is on my demo machine:


Figure 1: Looking For Certificates That Could Support The DNS Name "FS.ADCORP.LAB" (Example)
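The same search, as an added example that is not code from the original post: it reads the CN and the SAN DNS names through .NET instead of the CX509ExtensionAlternativeNames COM object, applies the single-label wildcard rule (a "*.adcorp.lab" certificate covers "fs.adcorp.lab" but not "a.fs.adcorp.lab"), and reports for each match whether it is still time-valid and has a private key. It assumes an English Windows locale, because it parses the "DNS Name=" text that the extension's Format() method emits; $dnsName is the only input.

```powershell
# Added example, not code from the original post. Assumption: English-locale Windows, so the
# SAN extension's Format() output uses the "DNS Name=" prefix.
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # CN value parsed by .NET instead of substring-after-"=" (which breaks on multi-RDN subjects)
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # The SAN extension is OID 2.5.29.17; matching on the OID avoids a $null FriendlyName
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $Matches[1] }
        }
    }
    $names | Select-Object -Unique
}

function Test-NameMatchesDnsName {
    param([string]$CertName, [string]$DnsName)
    if ($CertName -eq $DnsName) { return $true }      # -eq is case-insensitive in PowerShell
    # A wildcard is only honoured as the whole left-most label and covers exactly one label:
    # *.adcorp.lab matches fs.adcorp.lab but not adcorp.lab or a.fs.adcorp.lab
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)              # ".adcorp.lab"
        if ($DnsName.Length -gt $suffix.Length -and
            $DnsName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $leftLabel = $DnsName.Substring(0, $DnsName.Length - $suffix.Length)
            return ($leftLabel -notmatch '\.')
        }
    }
    return $false
}

$dnsName = "<FQDN>"
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $hits = @(Get-CertificateDnsNames -Certificate $cert | Where-Object { Test-NameMatchesDnsName -CertName $_ -DnsName $dnsName })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            MatchedNames  = ($hits -join ', ')
            NotAfter      = $cert.NotAfter
            IsTimeValid   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
} | Format-Table -AutoSize
```

A certificate that matches by name but shows IsTimeValid false or HasPrivateKey false is not usable for a service such as ADFS, which is why those two columns are included next to the match.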

-

You might also want to look at the following article, which shows you how to list the Subject Alternative Names in a specific certificate:

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————


2 Responses to “(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name”

  1. brian.yili@citi.com said

    How about getting the script to work across the network, e.g. scan multiple servers and report back on the SAN in the certificate? Scenario would be domain controllers that you want to check the SAN field on. Maybe even compare a predefined SAN field to the actual and report on differences.

  2. […] (2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name […]
