Get Certificate Revocation List information by certificate information (Powershell)

  • Question

  • I successfully managed to write a script checking if any certificates are about to expire, but now I need to get those certificates' CRLs.

    I found the cmdlet "Get-CACrlDistributionPoint" on TechNet but my powershell version does not recognize it.

    Would something like Get-ChildItem -path cert: | where { $_.serialnumber -eq $certserialnumber } work?

    • Edited by tonicruz Thursday, June 29, 2017 8:22 AM
    • Moved by Bill_Stewart Friday, August 4, 2017 9:38 PM This is not "teach me certificate server basics" forum
    Thursday, June 29, 2017 8:18 AM

All replies

  • When in doubt use help:

    help certificate

    Read all of it carefully to see how to manage certificates in Windows.


    \_(ツ)_/

    Thursday, June 29, 2017 8:29 AM
  • Also type the following:

    help *cert*


    \_(ツ)_/

    Thursday, June 29, 2017 8:31 AM
  • Here is a simple example:

    Get-ChildItem Cert:\CurrentUser\my\FB61D81EB741F9E657740A1C5EA92E59DCCD3F4A | Format-List

    You can search the whole store like this:

    Get-ChildItem Cert:\FB61D81EB741F9E657740A1C5EA92E59DCCD3F4A -Recurse


    \_(ツ)_/


    • Edited by jrv Thursday, June 29, 2017 8:39 AM
    Thursday, June 29, 2017 8:37 AM
  • The problem is that the CRL Distribution Point URL is not a property when I check the certificate via Get-Member.

    How can I access that value?
    Thursday, June 29, 2017 9:09 AM
  • What URL? The certificate is stored in the store in binary. You can export it with the commands and look in the file. You can find the URL in the "Issuer":

    PS D:\scripts> $cert.Issuer
    CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
    PS D:\scripts>


    \_(ツ)_/

    Thursday, June 29, 2017 9:14 AM
  • I'm talking about the URL that is stored in the CRL Distribution Points field.

    Looks something like this if you view it with certmgr.msc:

    [1]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=http://crl3.digicert.com/sha2-assured-cs-g1.crl
    [2]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=http://crl4.digicert.com/sha2-assured-cs-g1.crl
    Thursday, June 29, 2017 9:26 AM
  • In the store or in a file or in a request?


    \_(ツ)_/

    Thursday, June 29, 2017 9:29 AM
  • In the store... I guess? Sorry, I'm still pretty new to POSH.
    Thursday, June 29, 2017 9:31 AM
  • The CRL store does not exist on Windows as you think and the Crl commands only work on a CA Server in Windows 2012 or later.


    \_(ツ)_/

    Thursday, June 29, 2017 9:35 AM
  • Oh okay that explains a lot

    But cert: is a CertStoreLocation right?

    I would attach a screenshot but my account is still too new to do so.

    Thursday, June 29, 2017 9:38 AM
  • "cert:" is the root of the local store.  The CRL is not part of the store. It is maintained by the CA.  The CmdLets are available on the CA computer if they were installed when the CA was installed.


    \_(ツ)_/

    Thursday, June 29, 2017 9:52 AM
  • Yeah but the value "CRL Distribution Points" is stored as a field inside of the certificate so it should exist and be available on my computer, right?
    Thursday, June 29, 2017 11:23 AM
  • Yeah but the value "CRL Distribution Points" is stored as a field inside of the certificate so it should exist and be available on my computer, right?

    In a certificate?  CRL is a store in CA.  Again - the cert is encrypted and the extra fields are not made visible in the cert store. You can use the cert file to get the CRL:

    See: https://www.sysadmins.lv/blog-en/working-with-certificate-revocation-lists-crl-in-powershell-part-1.aspx

    Here is the code: http://powershellcoder.com/index.php/2016/10/08/get-crltimevalidity-part-1/


    \_(ツ)_/

    Thursday, June 29, 2017 12:09 PM
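As an added example that is not part of the thread (and not code from any of the posters), the following PowerShell reads the CRL Distribution Points extension (OID 2.5.29.31) directly from certificate objects, whether they come from the Cert: drive or from a .cer file, and lists the URLs the way certmgr.msc shows them in the earlier post. It uses only the .NET `X509Certificate2` class that Cert: already returns; the store path and the file path in the usage lines are placeholders.

```powershell
# Added example: list the CRL Distribution Point URLs carried inside each certificate.
# The CDP extension is part of the certificate itself, so it can be read from Cert:\
# on any Windows machine; no CA cmdlets are required.
function Get-CertificateCdpUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # 2.5.29.31 is the id-ce-cRLDistributionPoints extension OID
        $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdp) {
            # No CDP extension (common for self-signed or root certificates): nothing to report
            return
        }
        # AsnEncodedData.Format($true) renders the extension as multi-line text on Windows,
        # producing the same "URL=http://..." lines that certmgr.msc displays
        $text = $cdp.Format($true)
        foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
            [pscustomobject]@{
                Subject      = $Certificate.Subject
                SerialNumber = $Certificate.SerialNumber
                NotAfter     = $Certificate.NotAfter
                CrlUrl       = $m.Groups[1].Value
            }
        }
    }
}

# Usage 1: every certificate in a store (store path is a placeholder; adjust as needed)
Get-ChildItem Cert:\LocalMachine\My | Get-CertificateCdpUrl | Format-Table -AutoSize

# Usage 2: a certificate exported to disk (file path is a placeholder)
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\cert.cer'
$fromFile | Get-CertificateCdpUrl
```

The function emits one object per URL, so a certificate with two distribution points (as in the DigiCert example above) yields two rows; pipe the `CrlUrl` values to `Invoke-WebRequest -OutFile` to fetch the CRL files, which can then be inspected with `certutil -dump`.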