我在Powershell中相当不错,实际问题是我在如何搜索各种属性以及很难找到符合我需求的示例时有点迷失。
有了这个说法,我需要的是搜索Active Directory以查找将从特定证书颁发机构颁发的即将过期的用户S / MIME证书。
我已经拥有的:
$Mail = [email protected]
$allProfileCerts = Get-ADUser -Server example.com:3268 -Filter {EmailAddress -eq $Mail} -Properties Certificates | select Certificates
结果是:
Handle Issuer Subject
------ ------ -------
1625625266096 CN=<CA1> [email protected], CN=Test User, OU=Normal, OU=Users, OU=EXAMPLE, ...
1625625265968 CN=<CA2> [email protected], CN=Test User, O=Example Company, ...
1625625271728 CN=<CA1> CN=Test User, OU=Normal, OU=Users, OU=EXAMPLE, ...
我认为下一步可以是:
$allProfileCerts.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_}
结果提供了更多细节(编辑以删除PII):
EnhancedKeyUsageList : {Secure Email (1.3.6.1.5.5.7.3.4)}
DnsNameList : {Test User}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 29/05/2021 10:47:00
NotBefore : 11/12/2018 09:47:00
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 8, 51...}
SerialNumber : <snip>
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : <snip>
Version : 3
Handle : 1625625266096
Issuer : <ISSUER1>
Subject : <subject>
EnhancedKeyUsageList : {Secure Email (1.3.6.1.5.5.7.3.4)}
DnsNameList : {Test User}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 30/08/2020 14:00:00
NotBefore : 30/08/2018 02:00:00
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 5, 127...}
SerialNumber : <snip>
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : <snip>
Version : 3
Handle : 1625625265968
Issuer : <ISSUER2>
Subject : <subject>
EnhancedKeyUsageList : {Encrypting File System (1.3.6.1.4.1.311.10.3.4)}
DnsNameList : {Test User}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 09/04/2020 15:57:37
NotBefore : 22/10/2017 15:57:37
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 8, 4...}
SerialNumber : <snip>
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : <snip>
Version : 3
Handle : 1625625271728
Issuer : <ISSUER1>
Subject : <subject>
我还想我可以使用Where-Object NotAfter...
轻松过滤日期(如果我错了,请纠正我:))但是对于世界的爱我无法想象如何过滤EnhancedKeyUsageList : {Secure Email (1.3.6.1.5.5.7.3.4)}
。我认为这是一个数组(在任何给定的证书中可能有多个EKU),但我如何按数组元素进行过滤?
奖金问题:如果我有:
$oneCert = $allProfileCerts.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | Where-Object SerialNumber -Match "<SN>"
然后我如何访问“NotAfter”字段?我试过$oneCert."NotAfter"
,$oneCert["NotAfter"]
,$oneCert | % NotAfter
,$oneCert | select -expandproperty "NotAfter"
- 两者都没有用:/
编辑:基于@tomalak提案的代码:
Get-ADUser -Server $Server -Filter {EmailAddress -eq $Mail} -Property Certificates |
ForEach-Object {
# ...we have "user" objects here
Write-Host $_
$_.Certificates |
foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} |
Where-Object {
$_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email"
}
} |
ForEach-Object {
# ...we have "certificate" objects here
Write-Host $_.Issuer
}
通常,您可以使用Where-Object
过滤管道,使用-eq
过滤列表。在这种情况下,像:
$adUser.Certificates | Where-Object {
$_.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4"
}
会给你所有在他们的EKU列表中有"1.3.6.1.5.5.7.3.4"
的用户证书。
请注意,当Powershell(4.0及更高版本)看到这样的表达式$object.Property.ChildProperty.SomeData
时,它会获取所有Property
值,对于所有这些值,它获取所有ChildProperty
值,并且对于所有这些值,它获取所有SomeData
值。这节省了一些打字。在传统的命令式语言中,你需要嵌套循环,在Powershell中你根本不需要任何循环。
知道这一点,$_.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4"
成为可能,因为-eq
不是你传统的“平等”运算符:它需要一个值列表并过滤它们,即:
1,2,3 -eq 3 # produces 3
1,3,3 -eq 3 # produces 3,3
你可以走得那么远
Get-ADUser -Property Certificates | Where-Object {
$_.Certificates.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4"
}
一次性获取具有匹配证书的所有AD用户。
由于您要为每个证书过滤两个属性,我建议使用一些变体
$minValid = (Get-Date).AddMonths(6)
Get-ADUser -Property Certificates -PipelineVariable user | ForEach-Object {
# ...we have "user" objects here
Write-Host $_
$_.Certificates | Where-Object {
$_.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4" -and $_.NotAfter -lt $minValid
}
} | ForEach-Object {
# ...we have "certificate" objects here
Write-Host $_
}
我会过滤ObjectId
值:
$certificates |Where-Object {$_.EnhancedKeyUsageList.ObjectId -like '1.3.6.1.5.5.7.3.2'}
此示例依赖于EnhancedKeyUsageList
中OID的Property Enumeration,因此它仅适用于PowerShell 4.0或更高版本