我在Powershell中是个菜鸟,而实际的问题是,我对如何搜索各种属性以及在寻找符合我的需求的示例时感到迷茫。
这样,我需要在Active Directory中搜索以找到由特定证书颁发机构颁发的即将过期的用户S / MIME证书。
我已经拥有的东西:
$Mail = user@example.com
$allProfileCerts = Get-ADUser -Server example.com:3268 -Filter {EmailAddress -eq $Mail} -Properties Certificates | select Certificates
结果是:
Handle Issuer Subject
------ ------ -------
1625625266096 CN=<CA1> E=test.user@example.com, CN=Test User, OU=Normal, OU=Users, OU=EXAMPLE, ...
1625625265968 CN=<CA2> E=test.user@example.com, CN=Test User, O=Example Company, ...
1625625271728 CN=<CA1> CN=Test User, OU=Normal, OU=Users, OU=EXAMPLE, ...
我认为下一步可以是:
$allProfileCerts.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_}
结果提供了更多详细信息(已删除PII):
EnhancedKeyUsageList : {Secure Email (1.3.6.1.5.5.7.3.4)}
DnsNameList : {Test User}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 29/05/2021 10:47:00
NotBefore : 11/12/2018 09:47:00
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 8, 51...}
SerialNumber : <snip>
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : <snip>
Version : 3
Handle : 1625625266096
Issuer : <ISSUER1>
Subject : <subject>
EnhancedKeyUsageList : {Secure Email (1.3.6.1.5.5.7.3.4)}
DnsNameList : {Test User}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 30/08/2020 14:00:00
NotBefore : 30/08/2018 02:00:00
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 5, 127...}
SerialNumber : <snip>
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : <snip>
Version : 3
Handle : 1625625265968
Issuer : <ISSUER2>
Subject : <subject>
EnhancedKeyUsageList : {Encrypting File System (1.3.6.1.4.1.311.10.3.4)}
DnsNameList : {Test User}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 09/04/2020 15:57:37
NotBefore : 22/10/2017 15:57:37
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 8, 4...}
SerialNumber : <snip>
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : <snip>
Version : 3
Handle : 1625625271728
Issuer : <ISSUER1>
Subject : <subject>
我还认为我可以使用Where-Object NotAfter...轻松按日期进行过滤(如果我对此有误,请纠正我:)),但是出于对世界的热爱,我不知道如何为{{ 1}}。我认为这是一个数组(任何给定证书中可能有多个EKU),但是如何按数组元素过滤?
奖金问题:如果我有:
EnhancedKeyUsageList : {Secure Email (1.3.6.1.5.5.7.3.4)}然后如何访问“ NotAfter”字段?我尝试了$oneCert = $allProfileCerts.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | Where-Object SerialNumber -Match "<SN>"
,$oneCert."NotAfter",$oneCert["NotAfter"],$oneCert | % NotAfter-都不起作用:/
编辑:基于@tomalak提案的代码有效:
$oneCert | select -expandproperty "NotAfter"答案 0 :(得分:1)
我将过滤ObjectId值:
$certificates |Where-Object {$_.EnhancedKeyUsageList.ObjectId -like '1.3.6.1.5.5.7.3.2'}
此示例依赖于EnhancedKeyUsageList中OID的属性枚举,因此它仅在PowerShell 4.0或更高版本中可用
答案 1 :(得分:1)
通常,您可以使用Where-Object来过滤管道,并使用-eq来过滤列表。在这种情况下,类似:
$adUser.Certificates | Where-Object {
$_.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4"
}
将为您提供在其EKU列表中具有"1.3.6.1.5.5.7.3.4"的所有用户证书。
请注意,当Powershell(4.0及更高版本)看到这样的表达式$object.Property.ChildProperty.SomeData时,它将获取 all Property个值,对于所有这些值,它将获取 all < / em> ChildProperty值,并为所有 them 获取所有SomeData值。这样可以节省很多打字。在传统的命令式语言中,您需要使用嵌套循环,而在Powershell中,根本不需要任何循环。
知道这一点后,$_.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4"成为可能,因为-eq不是您传统的“等式”运算符:它获取值列表并过滤掉它们,即:
1,2,3 -eq 3 # produces 3
1,3,3 -eq 3 # produces 3,3
您可以走到最远
Get-ADUser -Property Certificates | Where-Object {
$_.Certificates.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4"
}
一次性获得具有匹配证书的所有AD用户。
由于您要过滤每个证书的两个属性,因此我建议您进行一些修改
$minValid = (Get-Date).AddMonths(6)
Get-ADUser -Property Certificates -PipelineVariable user | ForEach-Object {
# ...we have "user" objects here
Write-Host $_
$_.Certificates | Where-Object {
$_.EnhancedKeyUsageList.oid.Value -eq "1.3.6.1.5.5.7.3.4" -and $_.NotAfter -lt $minValid
}
} | ForEach-Object {
# ...we have "certificate" objects here
Write-Host $_
}