Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invoke-IcingaCheckCertificate enhancements #428

Open
scriptkiddy666 opened this issue Dec 17, 2024 · 1 comment
Open

Invoke-IcingaCheckCertificate enhancements #428

scriptkiddy666 opened this issue Dec 17, 2024 · 1 comment

Comments

@scriptkiddy666
Copy link

Hi,
am I the only one or would it be nice to have some additional information of the certificates returned by this check (at least with verbosity mode)?
I think of serial, thumbprint, friendly name, certificate template, issuer and maybe subject alternative names. (So no basic copy of the content the Certificate Monitoring module displays, but a limited version.)

Additionally it would also be nice if those fields can be searched (like it's already possible with thumbprint for example).
But maybe that's only a "personal problem" with a lot of certificates in the certificate store to find the "right" certificate.
@tectumopticum
Copy link

Hi @scriptkiddy666
I have the same requirement: filtering out two dedicated certificates and display at least issue and EnhancedKeyUsageList in plugin-output.
Example how to retrieve the needed information from powershell:

Get-ChildItem Cert:\LocalMachine\My\ | Select-Object -Property Issuer,EnhancedKeyUsageList,NotAfter

Issuer                                        EnhancedKeyUsageList                                                                   NotAfter
------                                        --------------------                                                                   --------
CN=Icinga CA                                  {}                                                                                     18.09.2099 14:58:40
CN=FOO C1 Sub CA 01 G1, O=FOO Group, C=DE     {Server Authentication (1.3.6.1.5.5.7.3.1)}                                            09.01.2098 12:39:08
CN=Icinga CA                                  {}                                                                                     24.12.2097 14:55:25
CN=Icinga CA                                  {}                                                                                     17.05.2096 16:46:01
CN=FOO C1 Sub CA 01 G1, O=FOO Group, C=DE     {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)} 09.01.2095 12:39:08

Currently it is only possible to exclude certain data with "-ExcludePattern":

Invoke-IcingaCheckCertificate -CertStore 'LocalMachine' -CertStorePath 'My' -ExcludePattern 'Icinga CA' -Verbosity 2
[OK] Certificates: 2 Ok
\_ [OK] Certificate 'example' (valid until 2026-01-09 : 364d) valid for: 31521041.556151
\_ [OK] Certificate 'example' (valid until 2025-01-09 : 729d) valid for: 63057041.540524
0

I assume that the ProviderCertificate-command needs a small enhancement with the data you're looking for

$CertStoreCerts = Get-ChildItem -Path $CertStorePath -Recurse | Select-Object -Property Issuer,EnhancedKeyUsageList,NotAfter,Thumbprint,Subject;

and a new "-IncludePattern"-parameter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@scriptkiddy666 @tectumopticum