Certificate Template: Determining Compliance

Overview

At times it is important to determine whether a client machine has a certificate that was issued from a particular certificate template. I developed this script, Get-DMGCertificateTemplateExistance, to detect whether any certificate in the local machine store was created from a given template name. It can be run stand-alone, or deployed as an SCCM configuration item/baseline, and it returns the result as true/false.

Instructions

Add the name of the certificate template you would like to check within the Invoke-DMGCertificateTemplateExistance function and then run the PowerShell script. If the computer you run the script on has a certificate that was created from the template you provided, the script returns true; otherwise it returns false.


function Invoke-DMGCertificateTemplateExistance{
    $CertificateName = 'Display Name of Certificate Template Certificate Was Created From'
    Get-DMGCertificateTemplateExistance -CertificateName $CertificateName
}

Detecting Certificate Template Compliance in SCCM

Deploy the script to the required machines as a compliance item in a configuration baseline. On the sample machine below, the function was configured to look for a Cisco ISE certificate, and the machine reports compliant.


PowerShell Script: Get-DMGCertificateTemplateExistance.ps1


<#

.SYNOPSIS
  Determines if a certificate exists on the local machine that matches the template name
.NOTES
  Version:        1.0
  Author:         David Maiolo
  Creation Date:  2018-02-02
  Purpose/Change: Initial script development

#>

function Get-DMGCertificateTemplateExistance{
    [CmdletBinding()]
    param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [String]$CertificateName
    )

    #Set Certificate Template Existance Count
    $i = 0
    #Get all of the local machine (personal store) certificates
    $cert = $null
    $certs = $null
    $certs = Get-ChildItem Cert:\LocalMachine\My

    #Loop through each certificate
    foreach ($cert in $certs){
        $temp = $null

        #See if the certificate carries the Microsoft Cryptography v1 template name extension: szOID_ENROLL_CERTTYPE_EXTENSION
        $temp = $cert.Extensions | Where-Object{$_.Oid.Value -eq "1.3.6.1.4.1.311.20.2"}
        if(!$temp){
            #Else see if it carries the Microsoft CertSrv Infrastructure certificate template extension (v2): szOID_CERTIFICATE_TEMPLATE
            $temp = $cert.Extensions | Where-Object{$_.Oid.Value -eq "1.3.6.1.4.1.311.21.7"}
        }

        #Create a new property, Template, from the decoded extension text and see if it matches the template name we are looking for
        if($temp){
            $cert | Add-Member -Name Template -MemberType NoteProperty -Value $temp.Format(1)

            #If the template name is found (case-sensitive substring match), increment the Certificate Template Existance Count and stop looking
            if ($cert.Template.Contains($CertificateName)){
                $i++
                break
            }
        }
    }

    #If the Certificate Template Existance Count is greater than zero, we found a certificate with our template
    if ($i -gt 0){return $true}else{return $false}
}

function Invoke-DMGCertificateTemplateExistance{
    $CertificateName = 'Display Name of Certificate Template Certificate Was Created From'
    Get-DMGCertificateTemplateExistance -CertificateName $CertificateName
}

Invoke-DMGCertificateTemplateExistance
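The script above matches the template by substring, so a rule for 'Cisco ISE' would also be satisfied by a certificate from a template named 'Cisco ISE Legacy', and an expired certificate counts as compliant. The following is an added example, not the author's script, that reads the same two extensions but compares the template name exactly and requires the certificate to be within its validity period. The Format(1) text layouts described in the comments, and the function and parameter names, are assumptions.

```powershell
# Added example: exact template-name match plus validity check for a compliance rule.
function Test-CertificateTemplateCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: same store as the page's script
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $name = $null

        # v2 extension (szOID_CERTIFICATE_TEMPLATE). Assumed Format(1) layout: first line is
        # "Template=<name>(<oid>)", or "Template=<oid>" when the OID has no friendly name locally.
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } | Select-Object -First 1
        if ($v2) {
            $firstLine = ($v2.Format($true) -split "`r?`n")[0]
            if ($firstLine -match '^Template=(?<name>[^(]+?)\s*(\([\d.]+\))?\s*$') {
                $name = $Matches['name']
            }
        }
        else {
            # v1 extension (szOID_ENROLL_CERTTYPE_EXTENSION). Assumed Format(1) layout: the bare template name.
            $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } | Select-Object -First 1
            if ($v1) { $name = $v1.Format($true).Trim() }
        }

        if (-not $name) { continue }

        # Exact, case-insensitive comparison rather than a substring test, and only a
        # currently valid certificate satisfies the rule.
        if ($name -ieq $TemplateName -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now) {
            return $true
        }
    }
    return $false
}

# Usage: prints True or False, which an SCCM compliance rule can compare against "True".
Test-CertificateTemplateCompliance -TemplateName 'Cisco ISE'
```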
