Powershell: Check For Misplaced Certificates

Here is a script I absentmindedly put together one evening while binge-watching a TV series on Netflix with the wife. The general idea is to check the local machine's Trusted Root and Intermediate Certification Authorities stores for misplaced or duplicate certificates.

It is easy to get lax when deploying or maintaining Windows servers that require certificates of any kind. You may end up with root CA certificates (self-signed issuing certs, where subject and issuer are the same) in the Intermediate store, or intermediate CA certificates (issued by another CA) in the Trusted Root store, and you may also have the same public certificate duplicated across stores for whatever reason. Prior to Server 2012 and some of the more modern applications this really wasn't an issue. Lately I've experienced some Lync 2013 oddities that make me think it is about time to be more diligent about certificate placement, and this script helps toward that end.

Anyway, the script makes educated guesses about incorrect cert placement and provides advice on what action to take.
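The post does not include the script itself, so the following is an added example of the same check, written for this page and not the author's code. It walks the LocalMachine Root and CA stores, uses the subject-equals-issuer test to decide whether a certificate is a root, flags roots sitting in the Intermediate store and non-roots sitting in the Trusted Root store, and groups by thumbprint to find duplicates. The store paths and the Test-SelfSigned helper name are this example's own choices; run it in an elevated console, since the LocalMachine stores need admin rights to read fully.

```powershell
# Added example (not the post's script): audit LocalMachine Root and CA stores
# for misplaced and duplicate certificates. Run from an elevated PowerShell console.

# A root CA certificate is issued to itself, so Subject equals Issuer.
# This is a placement heuristic only; it does not verify the signature.
function Test-SelfSigned {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return $Cert.Subject -eq $Cert.Issuer
}

$stores = @{
    Root = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
    CA   = 'Cert:\LocalMachine\CA'     # Intermediate Certification Authorities
}

# One record per certificate, with advice filled in when it looks misplaced.
$findings = foreach ($name in $stores.Keys) {
    foreach ($cert in Get-ChildItem -Path $stores[$name]) {
        $selfSigned = Test-SelfSigned $cert
        $advice = $null
        if ($name -eq 'Root' -and -not $selfSigned) {
            $advice = 'Not self-signed: probably an intermediate CA. Move it to Cert:\LocalMachine\CA.'
        } elseif ($name -eq 'CA' -and $selfSigned) {
            $advice = 'Self-signed: probably a root CA. Move it to Cert:\LocalMachine\Root, but only if you really trust it as an anchor.'
        }
        [pscustomobject]@{
            Store      = $name
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SelfSigned = $selfSigned
            Advice     = $advice
        }
    }
}

# Duplicates: the same thumbprint present in more than one store (or twice in one).
$dupes = $findings | Group-Object Thumbprint | Where-Object Count -gt 1
foreach ($g in $dupes) {
    $where = ($g.Group.Store | Sort-Object -Unique) -join ', '
    foreach ($f in $g.Group) {
        $note = "Duplicate thumbprint found in: $where. Keep one copy in the correct store."
        $f.Advice = if ($f.Advice) { "$($f.Advice) $note" } else { $note }
    }
}

# Console report. Write-Host is deliberate here: this is UX for a person at a console.
$flagged = @($findings | Where-Object Advice)
foreach ($f in $flagged) {
    Write-Host ("[{0}] {1}" -f $f.Store, $f.Subject) -ForegroundColor Yellow
    Write-Host ("    Issuer:     {0}" -f $f.Issuer)
    Write-Host ("    Thumbprint: {0}  Expires: {1:yyyy-MM-dd}" -f $f.Thumbprint, $f.NotAfter)
    Write-Host ("    Advice:     {0}" -f $f.Advice) -ForegroundColor Cyan
}
if ($flagged.Count -eq 0) {
    Write-Host 'No misplaced or duplicate certificates found in the Root or CA stores.' -ForegroundColor Green
}

# The full table is also emitted to the pipeline, so it can be filtered or exported
# (e.g. piped to Export-Csv) without parsing the coloured console text.
$findings
```

Two caveats before acting on the advice. The subject-equals-issuer test is the same heuristic the Windows certificate MMC uses to label a cert as a root, so it is good enough for placement, but confirm the chain with Test-Certificate or certutil -verify before moving anything. And remember that every entry in the Trusted Root store is a trust anchor for the whole machine, so the fix for an unexpected certificate there is usually to remove it rather than relocate it.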


Comments (4)

  1. Rocky, 11:56 AM, 02/04/2015

    Great script!
    I get an error with regard to “read-host”:

    Read-Host : name cannot be null or empty.
    At line:43 char:9
    + Read-Host -Prompt ”
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Read-Host], PSArgumentException
    + FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.ReadHostCommand

    I'm running this on my local Windows 8.1 box with the latest version of PS:

    Name : Windows PowerShell ISE Host
    Version : 5.0.9883.0
    InstanceId : dfc72318-6b1d-4e48-b170-36e1b2a3ef14
    UI : System.Management.Automation.Internal.Host.InternalHostUserInterface
    CurrentCulture : en-US
    CurrentUICulture : en-US
    PrivateData : Microsoft.PowerShell.Host.ISE.ISEOptions
    DebuggerEnabled : True
    IsRunspacePushed : False
    Runspace : System.Management.Automation.Runspaces.LocalRunspace

  2. DJ Grijalva, 3:29 PM, 12/19/2014

    Love your scripts but write-host??? (face2palm)
    http://www.jsnover.com/blog/2013/12/07/write-host-considered-harmful/

    • Zachary Loeber, 8:35 PM, 12/19/2014

      Glad you like them! I'm well aware of the Write-Host issues in PowerShell. In this script I purposefully used Write-Host for the reason Mr. Snover gave in the article you referenced: "The other scenario to use Write-Host is when you really do want to generate a UX. Write-Host has a number of nice features like the ability to colorize text that are great to use when you really do intend to generate a UX."

      I never intended for this quick script to be part of any automated process and only ever to run in a powershell console for output so I think I’m in the clear on this one 🙂
