Certificates.psm1
# Certificates.psm1 -- helpers for enumerating Windows certificate stores and their contents.
#requires -version 3
# Strict mode so references to unset variables or missing properties fail loudly
# rather than silently evaluating to $null.
Set-StrictMode -Version 3
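Function Get-Certificates() {
<#
.SYNOPSIS
Gets certificates.
.DESCRIPTION
Gets the certificates held in a certificate store location, optionally restricted to a single
named store. Only certificate objects are returned; store containers are filtered out.

The store is addressed by its exact provider path (cert:\<location>\<store>), so asking for
'Root' returns only the Trusted Root store and never the similarly named 'AuthRoot',
'SmartCardRoot' or 'FlightRoot' stores. A store that does not exist for the location yields an
empty array rather than an error.
.PARAMETER StoreLocation
The certificate store location, either 'CurrentUser' or 'LocalMachine'.
.PARAMETER StoreName
The certificate store name (for example 'My', 'Root', 'CA'). When omitted, certificates from
every store under the location are returned.
.OUTPUTS
An array of X509Certificate2 objects (possibly empty), returned as a single array object.
.EXAMPLE
Get-Certificates -StoreLocation 'CurrentUser'
.EXAMPLE
Get-Certificates -StoreLocation 'LocalMachine'
.EXAMPLE
Get-Certificates -StoreLocation 'CurrentUser' -StoreName 'My'
#>
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Scope='Function')]
    [CmdletBinding()]
    [OutputType([System.Security.Cryptography.X509Certificates.X509Certificate2[]])]
    Param(
        [Parameter(Mandatory=$true, HelpMessage='The certificate store location')]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('CurrentUser','LocalMachine',IgnoreCase=$true)]
        [string]$StoreLocation,

        [Parameter(Mandatory=$false, HelpMessage='The certificate store name')]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('ACRS','ADDRESSBOOK','AuthRoot','CA','ClientAuthIssuer','Disallowed','DPNGRA','EFS','FlightRoot','FVE','FVE_NKP','My','REQUEST','Root','SmartCardRoot','Trust','TrustedDevices','TrustedPeople','TrustedPublisher','UserDS','Windows Live ID Token Issuer',IgnoreCase=$true)]
        [string]$StoreName
    )

    # An unbound [string] parameter is generally an empty string rather than $null, so a
    # "$null -eq" test alone would never detect the omitted parameter; check both forms.
    if ([string]::IsNullOrEmpty($StoreName)) {
        $path = "cert:\$StoreLocation"
    } else {
        # Exact provider path: a substring/suffix match on PSParentPath would also pick up
        # stores whose names merely end with $StoreName (e.g. 'Root' vs 'AuthRoot').
        $path = "cert:\$StoreLocation\$StoreName"
    }

    $items = @()

    if (Test-Path -Path $path) {
        # Store objects are containers; keep only the certificates beneath them.
        $items = @(Get-ChildItem -Path $path -Recurse | Where-Object { -not $_.PSIsContainer })
    }

    $certificates = [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$items

    # Unary comma keeps the array intact (even when empty or single-element) on the pipeline.
    return ,$certificates
}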
Function Get-CertificateStoreNames() {
<#
.SYNOPSIS
Gets certificate store names.
.DESCRIPTION
Lists the names of the certificate stores that the certificate provider reports for the
given store location. The names are read from the provider at run time, so they may include
stores that the static ValidateSet lists used elsewhere in this module do not know about.
.PARAMETER StoreLocation
The certificate store location, either 'CurrentUser' or 'LocalMachine'.
.OUTPUTS
An array of store names, returned as a single array object.
.EXAMPLE
Get-CertificateStoreNames -StoreLocation 'CurrentUser'
#>
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Scope='Function')]
    [CmdletBinding()]
    [OutputType([string[]])]
    Param(
        [Parameter(Mandatory=$true, HelpMessage='The certificate store location')]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('CurrentUser','LocalMachine',IgnoreCase=$true)]
        [string]$StoreLocation
    )

    # The children of cert:\ are the store locations; pick the one matching the request
    # (case-insensitively) and read the keys of its StoreNames collection.
    $location = Get-ChildItem -Path cert:\ | Where-Object { $_.Location -ieq $StoreLocation }
    $names = [string[]]@($location.StoreNames.Keys)

    # Unary comma keeps the array intact on the pipeline.
    return ,$names
}
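Function Get-CertificateStoreDisplayName() {
<#
.SYNOPSIS
Gets the certificate store display name based on the programmatic name.
.DESCRIPTION
Gets the certificate store display name, as shown in certmgr.msc, based on the programmatic name.
Lookup is case-insensitive. 'Unknown' is returned for a name with no mapping, which should not
happen for any name accepted by the StoreName ValidateSet.
.PARAMETER StoreName
The certificate store name (programmatic name, e.g. 'My').
.OUTPUTS
The display name string.
.EXAMPLE
Get-CertificateStoreDisplayName -StoreName 'My'
#>
    [CmdletBinding()]
    [OutputType([string])]
    Param(
        [Parameter(Mandatory=$true, HelpMessage='The certificate store name')]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('ACRS','ADDRESSBOOK','AuthRoot','CA','ClientAuthIssuer','Disallowed','DPNGRA','EFS','FlightRoot','FVE','FVE_NKP','My','REQUEST','Root','SmartCardRoot','Trust','TrustedDevices','TrustedPeople','TrustedPublisher','UserDS','Windows Live ID Token Issuer',IgnoreCase=$true)]
        [string]$StoreName
    )

    # Programmatic name -> certmgr.msc display name. PowerShell hashtable literals compare
    # string keys case-insensitively, so the caller's casing does not matter.
    # Every entry in the StoreName ValidateSet must have a row here; a typo in a key
    # (as previously happened with 'DPNGRA') silently turns that store into 'Unknown'.
    $displayNames = @{
        'ACRS'                         = 'Automatic Certificate Request Settings'
        'ADDRESSBOOK'                  = 'Other People'
        'AuthRoot'                     = 'Third-Party Root Certification Authorities'
        'CA'                           = 'Intermediate Certification Authorities'
        'ClientAuthIssuer'             = 'Client Authentication Issuers'
        'Disallowed'                   = 'Untrusted Certificates'
        'DPNGRA'                       = 'Data Protection'
        'EFS'                          = 'Encrypting File System'
        'FlightRoot'                   = 'Preview Build Roots'
        'FVE'                          = 'BitLocker Drive Encryption'
        'FVE_NKP'                      = 'BitLocker Drive Encryption Network Unlock Certificate'
        'My'                           = 'Personal'
        'REQUEST'                      = 'Certificate Enrollment Requests'
        'Root'                         = 'Trusted Root Certification Authorities'
        'SmartCardRoot'                = 'Smart Card Trusted Roots'
        'Trust'                        = 'Enterprise Trust'
        'TrustedDevices'               = 'Trusted Devices'
        'TrustedPeople'                = 'Trusted People'
        'TrustedPublisher'             = 'Trusted Publishers'
        'UserDS'                       = 'Active Directory User Object'
        'Windows Live ID Token Issuer' = 'Windows Live ID Token Issuer'
    }

    # Other certmgr.msc display names seen in screenshots on the Internet whose
    # programmatic store names are not yet known and so cannot be mapped here:
    #   MSIEHistoryJournal
    #   Remote Desktop
    #   SMS

    $displayName = $displayNames[$StoreName]

    if ($null -eq $displayName) {
        $displayName = 'Unknown'
    }

    return $displayName
}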