Get-ComprehensivePKIReport
Comprehensive PKI assessment tool for Certificate Authority infrastructure that exports all issued certificates, certificate templates, and template permissions. This script provides complete visibility into your PKI environment for security audits, compliance reviews, and migration planning.
- Certificate Export: Retrieve all issued certificates from the Certificate Authority
- Expiration Analysis: Identify certificates expiring soon or already expired
- Template Discovery: Export all certificate templates from Active Directory
- Permission Analysis: Extract and analyze template ACLs and enrollment permissions
- Published Template Detection: Identify which templates are published to the CA
- Multiple Output Formats: Generate both CSV exports and comprehensive text reports
- Executive Summary: High-level statistics and key findings
- Flexible Configuration: Customize expiration thresholds and output locations
- Windows Server with the Certificate Authority role installed (or a management workstation that can reach it)
- RSAT-ADCS PowerShell module: `Install-WindowsFeature RSAT-ADCS`
- Administrator privileges on the CA server
- PowerShell 5.1 or later
- Network access to the Certificate Authority server
- ActiveDirectory PowerShell module (recommended for enhanced template permission analysis)
  - Automatically detected and used if available
  - Falls back to basic permission output if not available

Required permissions:
- Local Administrator on the CA server
- Read permission on the Certificate Templates container in AD (Configuration partition)
- Ability to query the Certificate Authority database (Read permission on the CA)
Required parameters: none. The script auto-discovers the CA server when `-CAServerName` is not specified.
`-OutputDirectory`: Directory path where reports and CSV exports will be saved.
- Type: String
- Default: `C:\Reports\PKI_Assessment`
- Example: `-OutputDirectory "D:\PKI_Reports"`
`-CAServerName`: Name of the Certificate Authority server to assess.
- Type: String
- Default: Auto-discovered from system configuration
- Example: `-CAServerName "CA01.contoso.com"`
- Note: Use FQDN format (`SERVERNAME.domain.com`)
`-IncludeRevokedCertificates`: Include revoked certificates in the assessment.
- Type: Switch
- Default: False (only active certificates)
- Example: `-IncludeRevokedCertificates`
`-DaysToExpiration`: Flag certificates expiring within this number of days.
- Type: Integer
- Range: 1-365
- Default: 90 days
- Example: `-DaysToExpiration 30`
`-OrganizationName`: Organization name for report headers.
- Type: String
- Default: `Organization`
- Example: `-OrganizationName "Contoso"`
`.\Get-ComprehensivePKIReport.ps1`

Runs the assessment with default settings:
- Auto-discovers the CA server
- Exports only active certificates
- Flags certificates expiring within 90 days
- Saves reports to `C:\Reports\PKI_Assessment\`
`.\Get-ComprehensivePKIReport.ps1 -CAServerName "CA01.contoso.com"`

Explicitly specifies the Certificate Authority server to assess.
`.\Get-ComprehensivePKIReport.ps1 -CAServerName "CA01.contoso.com" -IncludeRevokedCertificates`

Includes both active and revoked certificates in the assessment for a complete audit trail.
`.\Get-ComprehensivePKIReport.ps1 -DaysToExpiration 30`

Flags certificates expiring within 30 days instead of the default 90 days.
```powershell
.\Get-ComprehensivePKIReport.ps1 `
    -CAServerName "CA01.contoso.com" `
    -OutputDirectory "D:\Reports\PKI" `
    -IncludeRevokedCertificates `
    -DaysToExpiration 60 `
    -OrganizationName "Contoso Corporation"
```

Complete custom configuration for an enterprise assessment.
```powershell
.\Get-ComprehensivePKIReport.ps1 `
    -IncludeRevokedCertificates `
    -DaysToExpiration 180 `
    -OrganizationName "Contoso" `
    -OutputDirectory "C:\Migration\PKI_Baseline"
```

Comprehensive baseline assessment before a CA migration or decommission.
The script generates four output files with timestamps:
Filename: `PKI_IssuedCertificates_YYYYMMDD_HHmmss.csv`
Columns:
- CommonName: Certificate subject common name
- RequesterName: User/computer that requested the certificate
- Template: Certificate template used
- SerialNumber: Certificate serial number
- NotBefore: Certificate validity start date
- NotAfter: Certificate expiration date
- DaysRemaining: Days until expiration (negative if expired)
- ExpirationStatus: Valid | Expiring Soon | Expired
- CertificateHash: Certificate thumbprint/hash
- Disposition: Issued | Revoked (revoked rows only appear with `-IncludeRevokedCertificates`)
Filename: `PKI_CertificateTemplates_YYYYMMDD_HHmmss.csv`
Columns:
- DisplayName: Template display name
- Name: Template common name (CN)
- Published: True/False, whether the template is published to a CA
- PublishedOn: CA server(s) where the template is published
- ValidityPeriod: Certificate validity period
- MinimalKeyLength: Minimum required key length
- Flags: Template flags (numeric)
- EnrollmentFlags: Enrollment flags (numeric)
- Distinguished_Name: Full AD distinguished name
Filename: `PKI_TemplatePermissions_YYYYMMDD_HHmmss.csv`
Columns:
- TemplateName: Template display name
- TemplateCommonName: Template CN
- IdentityReference: User/group with permissions
- AccessControlType: Allow | Deny
- ActiveDirectoryRights: Specific rights (Enroll, AutoEnroll, Read, Write, etc.)
- InheritanceType: Inheritance settings
- IsInherited: True/False, whether the permission is inherited
Filename: PKI_Assessment_Report_YYYYMMDD_HHmmss.txt
Sections:
- CA Information: Server name, assessment date, generated by
- Issued Certificates Summary: Total, valid, expiring, expired counts
- Top 10 Expiring Certificates: Certificates closest to expiration
- Certificate Templates Summary: Total, published, unpublished counts
- Published Templates: Detailed list with properties
- Template Permissions Summary: Key enrollment permissions by template
- Assessment Summary: Errors, warnings, exported file paths
Output location: `C:\Reports\PKI_Assessment\` by default; override it with the `-OutputDirectory` parameter.
The script provides color-coded real-time feedback:
- Green (✓): Successful operations
- Yellow (⚠️): Warnings and informational messages
- Red (✗): Errors and failures
- Cyan: Section headers and progress updates
Review template permissions to identify:
- Unauthorized enrollment rights
- Over-permissioned templates
- Templates with auto-enrollment enabled
- Unexpected user/group access
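The template checks listed above (enrollment rights, over-permissioned templates, auto-enrollment, published-vs-unpublished) can be reproduced directly against AD. The block below is an added example, not the project's script: it reads the `pKICertificateTemplate` objects and their `nTSecurityDescriptor`, resolves which CA publishes each template from the `pKIEnrollmentService` objects, decodes two documented `msPKI-Enrollment-Flag` bits that the report only exports as a raw number, and flags templates whose Enroll right is held by a broad group. It assumes the ActiveDirectory module and a domain-joined session; the `$BroadPrincipals` list and the output path are assumptions to adjust.

```powershell
# Added example (not the project's code): audit certificate template ACLs and flags from AD.
# Assumes RSAT-AD-PowerShell and a domain-joined session.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Extended-right GUIDs (well-known values from MS-ADTS)
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-00d2-9c27-00c04f8e7ce5'   # Certificate-AutoEnrollment

# msPKI-Enrollment-Flag bits (MS-CRTD)
$CT_FLAG_PEND_ALL_REQUESTS = 0x02   # CA manager approval required before issuance
$CT_FLAG_AUTO_ENROLLMENT   = 0x20   # template may be auto-enrolled by policy

# Principals treated as "broad" for the over-permissioned check (assumption: adjust to your domain)
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers')

function Test-TemplateRight {
    # True when an Allow ACE grants the given extended right, all extended rights, or GenericAll
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule, [Guid]$Right)
    if ($Rule.AccessControlType -ne 'Allow') { return $false }
    $r = $Rule.ActiveDirectoryRights
    if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0) { return $true }
    if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
        ($Rule.ObjectType -eq $Right -or $Rule.ObjectType -eq [Guid]::Empty)) { return $true }
    return $false
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiDN    = "CN=Public Key Services,CN=Services,$configNC"

# Map template name -> CA host names that publish it (pKIEnrollmentService.certificateTemplates)
$publishedOn = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiDN" -Filter { objectClass -eq 'pKIEnrollmentService' } `
    -Properties certificateTemplates, dNSHostName | ForEach-Object {
        $ca = $_
        foreach ($t in $ca.certificateTemplates) {
            if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
            $publishedOn[$t] += $ca.dNSHostName
        }
    }

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDN" `
    -Filter { objectClass -eq 'pKICertificateTemplate' } `
    -Properties displayName, 'msPKI-Enrollment-Flag', nTSecurityDescriptor

$audit = foreach ($tpl in $templates) {
    $acl    = $tpl.nTSecurityDescriptor.Access
    $enroll = @($acl | Where-Object { Test-TemplateRight $_ $EnrollGuid } |
               ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $auto   = @($acl | Where-Object { Test-TemplateRight $_ $AutoEnrollGuid } |
               ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $flags  = [int]$tpl.'msPKI-Enrollment-Flag'
    [pscustomobject]@{
        DisplayName          = $tpl.displayName
        Name                 = $tpl.Name
        Published            = $publishedOn.ContainsKey($tpl.Name)
        PublishedOn          = ($publishedOn[$tpl.Name] -join ';')
        RequiresApproval     = ($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        AutoEnrollmentFlag   = ($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0
        EnrollPrincipals     = ($enroll -join ';')
        AutoEnrollPrincipals = ($auto -join ';')
        # "DOMAIN\Group" -> "Group" before matching against the broad list
        BroadEnroll          = @($enroll | Where-Object { $BroadPrincipals -contains $_.Split('\')[-1] }).Count -gt 0
    }
}

# Review starting point: published, no approval gate, enrollable by a broad group
$audit | Where-Object { $_.Published -and -not $_.RequiresApproval -and $_.BroadEnroll } |
    Format-Table DisplayName, PublishedOn, EnrollPrincipals -AutoSize
$audit | Export-Csv -NoTypeInformation -Path "$env:TEMP\PKI_TemplateAudit.csv"
```

`Test-TemplateRight` treats an `ExtendedRight` ACE with an empty `ObjectType` as granting every extended right, and `GenericAll` as granting everything, so a template is not reported as safe just because no ACE names the Enroll GUID explicitly. Deny ACEs are ignored here; if your environment relies on them, evaluate them before the Allow entries.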
Analyze certificate expiration to:
- Plan certificate renewals
- Identify expired certificates to revoke
- Forecast certificate issuance needs
- Track certificate usage patterns
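The expiration classification used by the report (Valid / Expiring Soon / Expired against a day threshold, negative DaysRemaining for expired certificates) can be reproduced from the CA database without the script. The block below is an added example, not the project's code: it enumerates issued (`Disposition` 20) and optionally revoked (`Disposition` 21) rows through the `CertificateAuthority.View` COM interface, discovers the CA config string from the `pKIEnrollmentService` object in AD (assumes the ActiveDirectory module and a single CA of interest; pass `-CAConfig "host\CA name"` to skip discovery), and needs Read permission on the CA. Column names are the CA database schema names (`certutil -schema`).

```powershell
# Added example (not the project's code): list issued/revoked certificates from the CA
# database and classify them by expiration. Assumes the ActiveDirectory module for CA
# discovery and Read permission on the CA.
Import-Module ActiveDirectory

function Get-CAConfigString {
    # "<dNSHostName>\<CA common name>" of the first enterprise CA registered in AD
    # (assumption: one CA of interest; select explicitly in multi-CA forests)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $es = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
        -Filter { objectClass -eq 'pKIEnrollmentService' } -Properties dNSHostName |
        Select-Object -First 1
    if (-not $es) { throw 'No enterprise CA registered in AD' }
    "$($es.dNSHostName)\$($es.Name)"
}

function Get-IssuedCertificateStatus {
    param(
        [string]$CAConfig = (Get-CAConfigString),
        [int]$DaysToExpiration = 90,
        [switch]$IncludeRevoked
    )
    $CVR_SEEK_EQ = 1; $CVR_SORT_NONE = 0; $CV_OUT_BASE64 = 1   # ICertView constants
    $columns = 'RequestID', 'Request.RequesterName', 'CommonName', 'CertificateTemplate',
               'SerialNumber', 'NotBefore', 'NotAfter', 'CertificateHash'
    $dispositions = @(20)                          # 20 = issued
    if ($IncludeRevoked) { $dispositions += 21 }   # 21 = revoked
    $now = Get-Date

    foreach ($disp in $dispositions) {
        $view = New-Object -ComObject CertificateAuthority.View
        $view.OpenConnection($CAConfig)
        $view.SetResultColumnCount($columns.Count)
        foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex($false, $c)) }
        # Server-side filter: only rows with the wanted disposition are returned
        $view.SetRestriction($view.GetColumnIndex($false, 'Request.Disposition'),
                             $CVR_SEEK_EQ, $CVR_SORT_NONE, $disp)
        $rows = $view.OpenView()
        while ($rows.Next() -ne -1) {
            # Result columns come back in the order requested; Next() returns that index
            $row  = @{}
            $cols = $rows.EnumCertViewColumn()
            $i = $cols.Next()
            while ($i -ne -1) { $row[$columns[$i]] = $cols.GetValue($CV_OUT_BASE64); $i = $cols.Next() }

            $daysRemaining = [int][math]::Floor(([datetime]$row['NotAfter'] - $now).TotalDays)
            $status = if ($daysRemaining -lt 0) { 'Expired' }
                      elseif ($daysRemaining -le $DaysToExpiration) { 'Expiring Soon' }
                      else { 'Valid' }
            [pscustomobject]@{
                RequestID        = $row['RequestID']
                CommonName       = $row['CommonName']
                RequesterName    = $row['Request.RequesterName']
                # v2+ templates are stored by OID here; map via msPKI-Cert-Template-OID in AD for names
                Template         = $row['CertificateTemplate']
                SerialNumber     = $row['SerialNumber']
                NotBefore        = $row['NotBefore']
                NotAfter         = $row['NotAfter']
                DaysRemaining    = $daysRemaining
                ExpirationStatus = $status
                CertificateHash  = $row['CertificateHash']
                Disposition      = if ($disp -eq 20) { 'Issued' } else { 'Revoked' }
            }
        }
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($view)
    }
}

# Usage: everything expiring within 30 days, soonest first, plus a CSV of the full set
$certs = Get-IssuedCertificateStatus -DaysToExpiration 30
$certs | Where-Object ExpirationStatus -eq 'Expiring Soon' | Sort-Object DaysRemaining |
    Select-Object -First 10 CommonName, Template, NotAfter, DaysRemaining | Format-Table -AutoSize
$certs | Export-Csv -NoTypeInformation -Path "$env:TEMP\PKI_IssuedCertificates.csv"
```

Restricting on `Request.Disposition` server-side is what keeps this usable on large databases; pulling every row and filtering in PowerShell is the slow path the troubleshooting section warns about. The database holds one row per request, so a renewed certificate appears as a new row with its own serial number.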
Generate reports showing:
- All issued certificates with requesters
- Template security configurations
- Permission assignments
- Certificate validity status
Export complete PKI configuration:
- Baseline before CA migration
- Template configurations to replicate
- Issued certificates inventory
- Permission mappings for new CA
Monitor template usage:
- Identify unused templates
- Review published vs. unpublished templates
- Audit template permission changes
- Document template inventory
Cause: RSAT-ADCS feature not installed
Solution:
```powershell
# Install RSAT-ADCS
Install-WindowsFeature RSAT-ADCS
# Verify installation (the module is named ADCSAdministration, with no hyphen)
Get-Module ADCSAdministration -ListAvailable
# Import module
Import-Module ADCSAdministration
```

Cause: Network connectivity, firewall, or permissions issue
Solution:
- Verify the CA server is online: `Test-Connection CAServerName`
- Check CA service status: `Get-Service CertSvc -ComputerName CAServerName` (Windows PowerShell 5.1; PowerShell 7 removed `-ComputerName` from `Get-Service`, so use `Invoke-Command -ComputerName CAServerName { Get-Service CertSvc }` there)
- Test CA connectivity: `certutil -config "CAServerName" -ping`
- Verify the firewall allows RPC traffic (TCP 135 for the endpoint mapper plus the dynamic range 49152-65535)
- Ensure you are running as Administrator with CA access rights
Cause: Empty CA database or permissions issue
Solution:
- Verify the CA has issued certificates: `certutil -view -restrict "Disposition=20" -out "CommonName"`
- Check you are querying the correct CA: `certutil -dump | Select-String "Config:"`
- Verify the CA database is accessible and not corrupted
Cause: Insufficient AD permissions
Solution:
- Run PowerShell as Administrator
- Verify domain connectivity: `Test-Connection (Get-ADDomain).PDCEmulator`
- Check permissions on the Certificate Templates container in AD
- Ensure the account has Read permission on the Configuration partition
Cause: RSAT-AD-PowerShell not installed (warning only)
Solution (optional; the script works without it):
```powershell
# Install AD PowerShell module
Install-WindowsFeature RSAT-AD-PowerShell
# Import module
Import-Module ActiveDirectory
```

Cause: Large number of certificates or templates
Solution:
- This is expected behavior - script is processing all data
- Run during off-hours for large environments
- Monitor progress in console output
- Consider filtering by date range (future enhancement)
Typical run times:
- Small PKI (< 1,000 certs): 1-2 minutes
- Medium PKI (1,000-10,000 certs): 3-10 minutes
- Large PKI (> 10,000 certs): 10-30 minutes
- Enterprise PKI (> 100,000 certs): 30+ minutes

Resource usage:
- Network: Moderate; queries the CA database and AD
- CPU: Low; parsing and processing
- Memory: Moderate; holds certificate data in memory
- Disk I/O: Low; CSV/text file writes

Recommendations:
- Run on the CA server or a management workstation to reduce network latency
- Use `-IncludeRevokedCertificates` only when needed
- Schedule during off-peak hours for large environments
- Ensure adequate disk space for output files (estimate 1 KB per certificate)
Related scripts:
- Export-ADLyncTeamsMigrationData.ps1: Uses certificate data for Teams migration
- Get-ServerCertificate.ps1: Individual server certificate inspection
- v1.0 (2025-12-24): Initial release
- Export issued certificates with expiration analysis
- Export certificate templates from Active Directory
- Extract and analyze template permissions
- Generate comprehensive CSV and text reports
- Auto-discovery of CA server
- Support for revoked certificate inclusion