Script to retrieve AD CA expired certificates

by tommygun at 2013-04-18 21:37:35

Hi there,
I have the code below that I can point to my local Active Directory Certificate Authority and it will pull back expiring certificates, based on a set number of days.
How do i run this script? I have copied the script and created a cascript.ps1 file and changed the $CAlocation=“CAServer\Some Root CA” to my CA server and name and $duedays=365 though when I run it in powershell ./cascript.ps1 it doesn’t output anything… any help will be greatly appreciated. Thanks

function get-ExpiringCerts ($duedays=60,$CAlocation=“CAServer\Some Root CA”) {
$certs = @()
$now = get-Date;
$expirationdate = $now.AddDays($duedays)
$CaView = New-Object -Com CertificateAuthority.View.1
$index0 = $CaView.GetColumnIndex($false, “Issued Common Name”)
$index1 = $CaView.GetColumnIndex($false, “Certificate Expiration Date”)
$index2 = $CaView.GetColumnIndex($false, “Issued Email Address”)
$index3 = $CaView.GetColumnIndex($false, “Certificate Template”)
$index4 = $CaView.GetColumnIndex($false, “Request Disposition”)
$index0, $index1, $index2, $index3, $index4 | %{$CAView.SetResultColumn($_) }


$index1 = $CaView.GetColumnIndex($false, “Certificate Expiration Date”)

# brief disposition code explanation:
# 9 - pending for approval
# 15 - CA certificate renewal
# 16 - CA certificate chain
# 20 - issued certificates
# 21 - revoked certificates
# all other - failed requests

$RowObj= $CAView.OpenView()

while ($Rowobj.Next() -ne -1){
$Cert = New-Object PsObject
$ColObj = $RowObj.EnumCertViewColumn()
do {
$current = $ColObj.GetName()
$Cert | Add-Member -MemberType NoteProperty $($ColObj.GetDisplayName()) -Value $($ColObj.GetValue(1)) -Force
} until ($ColObj.Next() -eq -1)
Clear-Variable ColObj
$datediff = New-TimeSpan -Start ($now) -End ($cert.“Certificate Expiration Date”)

"Certificate " + $cert.“Issued Common Name” + " will expire in " + $dateDiff.Days + " days at " + $cert.“Certificate Expiration Date”
#"Send email to : " + $cert.“Issued Email Address”
$CaView = $null

get-ExpiringCerts -duedays 365 -CAlocation "CAServer\Some Root CA"
by DonJ at 2013-04-19 08:32:53
You’ll have to add some debugging code to this, and see what’s happening.

First, at the very top of the function, add:

Param($duedays=60,$CAlocation=“CAServer\Some Root CA”)

Remove the existing

($duedays=60,$CAlocation=“CAServer\Some Root CA”)

that’s after the function keyword and function name.

Modify the last line to add -Verbose to the function call… put it after the -duedays and -calocation parameters.

Then, in the function, you can start adding Write-Verbose statements.

For example, I might do this:

do {
$current = $ColObj.GetName()
Write-Verbose "Current is $current"

In other words, just getting some output to tell me what the script is doing, and what’s going inside the variables.

If it’s not producing ANY output, then I suspect it’s not executing either the while loop. Which means $RowObj never has anything in it. So, I might just run some of those lines manually, from the console - everything up to the while loop, for example, to see what happened.

Sorry, it’s tough for me to debug a script I can’t run, but that’s the approach I’d take if I were sitting down with you. Run each command one at a time, just like the script is doing, and see what you get after each line.