Comment trouver et supprimer des certificats par empreinte de façon efficace à l’aide de PowerShell

La gestion des certificats de système est une tâche essentielle pour les professionnels de l’informatique et les fournisseurs de services gérés (MSP). Les certificats sont l’épine dorsale de la communication sécurisée et il est essentiel de s’assurer qu’ils sont correctement gérés pour maintenir l’intégrité et la sécurité des systèmes informatiques. Ce script PowerShell complet est conçu pour rationaliser le processus de recherche et de suppression des certificats système par empreinte, répondant ainsi à un besoin courant dans le monde informatique.

Contexte

Les certificats authentifient et chiffrent les données afin de garantir la sécurité des communications sur les réseaux. Au fil du temps, les certificats peuvent devenir invalides, expirer ou être compromis, ce qui nécessite leur suppression. Les professionnels de l’informatique et les MSP ont souvent besoin d’une méthode fiable pour localiser et gérer efficacement ces certificats. Ce script PowerShell fournit une solution robuste pour trouver et gérer les certificats par empreinte, garantissant ainsi la sécurité et la conformité des systèmes.

Le script

#Requires -Version 5.1

<#
.SYNOPSIS
    Returns a list of system certificates that have the specified thumbprints or Removes the certificates with matching thumbprints.
.DESCRIPTION
    Returns a list of system certificates that have the specified thumbprints or Removes the certificates with matching thumbprints.

.EXAMPLE
    (No Parameters)
    ## EXAMPLE OUTPUT WITHOUT PARAMS ##
    Does nothing.

.EXAMPLE
PARAMETER: -Thumbprint "AE68D0ADAD2345B48E507320B695D386080E5B25", "BE68D0ADAA2145B48E507320B695D386080E5B25"
    Returns the found thumbprints matching the input.
    ## EXAMPLE OUTPUT WITH Thumbprint ##
    [Alert] Found certificates:
    AE68D0ADAD2345B48E507320B695D386080E5B25
    BE68D0ADAA2145B48E507320B695D386080E5B25
    [Alert] Certificates found

.EXAMPLE
PARAMETER: -Thumbprint "BE68D0ADAA2145B48E507320B695D386080E5B25" -RemoveMatchingCertificates
    Returns the found thumbprints matching the input and Removes the certificates.
    ## EXAMPLE OUTPUT WITH RemoveMatchingCertificates ##
    [Alert] Found certificates:
    BE68D0ADAA2145B48E507320B695D386080E5B25
    [Info] Removing certificates
    [Info] Removing certificate with thumbprint: BE68D0ADAA2145B48E507320B695D386080E5B25
    [Info] Removed certificate with thumbprint: BE68D0ADAA2145B48E507320B695D386080E5B25
    [Alert] Certificates found
.EXAMPLE
PARAMETER: -Thumbprint "BE68D0ADAA2145B48E507320B695D386080E5B25" -CustomField "Thumbprints"
    Returns the found thumbprints matching the input and Removes the certificates.
    ## EXAMPLE OUTPUT WITH RemoveMatchingCertificates ##
    [Alert] Found certificates:
    BE68D0ADAA2145B48E507320B695D386080E5B25
    [Info] Saving thumbprints to custom field: Thumbprints
    [Alert] Certificates found
.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Release Notes: Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    Generic-Security
#>

[CmdletBinding()]
param (
    [string[]]$Thumbprint,
    [switch]$RemoveMatchingCertificates,
    [string]$CertRevokeList,
    [string]$GetCrlFromCustomField,
    [string]$CustomField
)

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    function Set-NinjaProperty {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory = $True)]
            [String]$Name,
            [Parameter()]
            [String]$Type,
            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
            $Value,
            [Parameter()]
            [String]$DocumentName
        )

        # If we're requested to set the field value for a Ninja document we'll specify it here.
        $DocumentationParams = @{}
        if ($DocumentName) { $DocumentationParams["DocumentName"] = $DocumentName }

        # This is a list of valid fields we can set. If no type is given we'll assume the input doesn't have to be changed in any way.
        $ValidFields = "Attachment", "Checkbox", "Date", "Date or Date Time", "Decimal", "Dropdown", "Email", "Integer", "IP Address", "MultiLine", "MultiSelect", "Phone", "Secure", "Text", "Time", "URL"
        if ($Type -and $ValidFields -notcontains $Type) { Write-Warning "$Type is an invalid type! Please check here for valid types. https://ninjarmm.zendesk.com/hc/en-us/articles/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality" }

        # The below field requires additional information in order to set
        $NeedsOptions = "Dropdown"
        if ($DocumentName) {
            if ($NeedsOptions -contains $Type) {
                # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1
            }
        }
        else {
            if ($NeedsOptions -contains $Type) {
                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1
            }
        }

        # If we received some sort of error it should have an exception property and we'll exit the function with that error information.
        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }

        # The below type's require values not typically given in order to be set. The below code will convert whatever we're given into a format ninjarmm-cli supports.
        switch ($Type) {
            "Checkbox" {
                # While it's highly likely we were given a value like "True" or a boolean datatype it's better to be safe than sorry.
                $NinjaValue = [System.Convert]::ToBoolean($Value)
            }
            "Date or Date Time" {
                # Ninjarmm-cli is expecting the time to be representing as a Unix Epoch string. So we'll convert what we were given into that format.
                $Date = (Get-Date $Value).ToUniversalTime()
                $TimeSpan = New-TimeSpan (Get-Date "1970-01-01 00:00:00") $Date
                $NinjaValue = $TimeSpan.TotalSeconds
            }
            "Dropdown" {
                # Ninjarmm-cli is expecting the guid of the option we're trying to select. So we'll match up the value we were given with a guid.
                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
                $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID

                if (-not $Selection) {
                    throw "Value is not present in dropdown"
                }

                $NinjaValue = $Selection
            }
            default {
                # All the other types shouldn't require additional work on the input.
                $NinjaValue = $Value
            }
        }

        # We'll need to set the field differently depending on if its a field in a Ninja Document or not.
        if ($DocumentName) {
            $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1
        }
        else {
            $CustomField = Ninja-Property-Set -Name $Name -Value $NinjaValue 2>&1
        }

        if ($CustomField.Exception) {
            throw $CustomField
        }
    }
    # This function is to make it easier to parse Ninja Custom Fields.
    function Get-NinjaProperty {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
            [String]$Name,
            [Parameter()]
            [String]$Type,
            [Parameter()]
            [String]$DocumentName
        )
    
        if ($PSVersionTable.PSVersion.Major -lt 3) {
            throw "PowerShell 3.0 or higher is required to retrieve data from custom fields. https://ninjarmm.zendesk.com/hc/en-us/articles/4405408656013"
        }
    
        # If we're requested to get the field value from a Ninja document we'll specify it here.
        $DocumentationParams = @{}
        if ($DocumentName) { $DocumentationParams["DocumentName"] = $DocumentName }
    
        # These two types require more information to parse.
        $NeedsOptions = "DropDown", "MultiSelect"
    
        # Grabbing document values requires a slightly different command.
        if ($DocumentName) {
            # Secure fields are only readable when they're a device custom field
            if ($Type -Like "Secure") { throw "$Type is an invalid type! Please check here for valid types. https://ninjarmm.zendesk.com/hc/en-us/articles/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality" }
    
            # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
            Write-Host "Retrieving value from Ninja Document..."
            $NinjaPropertyValue = Ninja-Property-Docs-Get -AttributeName $Name @DocumentationParams 2>&1
    
            # Certain fields require more information to parse.
            if ($NeedsOptions -contains $Type) {
                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1
            }
        }
        else {
            # We'll redirect error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
            $NinjaPropertyValue = Ninja-Property-Get -Name $Name 2>&1
    
            # Certain fields require more information to parse.
            if ($NeedsOptions -contains $Type) {
                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1
            }
        }
    
        # If we received some sort of error it should have an exception property and we'll exit the function with that error information.
        if ($NinjaPropertyValue.Exception) { throw $NinjaPropertyValue }
        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }
    
        # This switch will compare the type given with the quoted string. If it matches, it'll parse it further; otherwise, the default option will be selected.
        switch ($Type) {
            "Attachment" {
                # Attachments come in a JSON format this will convert it into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Checkbox" {
                # Checkbox's come in as a string representing an integer. We'll need to cast that string into an integer and then convert it to a more traditional boolean.
                [System.Convert]::ToBoolean([int]$NinjaPropertyValue)
            }
            "Date or Date Time" {
                # In Ninja Date and Date/Time fields are in Unix Epoch time in the UTC timezone the below should convert it into local time as a datetime object.
                $UnixTimeStamp = $NinjaPropertyValue
                $UTC = (Get-Date "1970-01-01 00:00:00").AddSeconds($UnixTimeStamp)
                $TimeZone = [TimeZoneInfo]::Local
                [TimeZoneInfo]::ConvertTimeFromUtc($UTC, $TimeZone)
            }
            "Decimal" {
                # In ninja decimals are strings that represent a decimal this will cast it into a double data type.
                [double]$NinjaPropertyValue
            }
            "Device Dropdown" {
                # Device Drop-Downs Fields come in a JSON format this will convert it into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Device MultiSelect" {
                # Device Multi-Select Fields come in a JSON format this will convert it into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Dropdown" {
                # Drop-Down custom fields come in as a comma-separated list of GUIDs; we'll compare these with all the options and return just the option values selected instead of a GUID.
                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
                $Options | Where-Object { $_.GUID -eq $NinjaPropertyValue } | Select-Object -ExpandProperty Name
            }
            "Integer" {
                # Cast's the Ninja provided string into an integer.
                [int]$NinjaPropertyValue
            }
            "MultiSelect" {
                # Multi-Select custom fields come in as a comma-separated list of GUID's we'll compare these with all the options and return just the option values selected instead of a guid.
                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
                $Selection = ($NinjaPropertyValue -split ',').trim()
    
                foreach ($Item in $Selection) {
                    $Options | Where-Object { $_.GUID -eq $Item } | Select-Object -ExpandProperty Name
                }
            }
            "Organization Dropdown" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Organization Location Dropdown" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Organization Location MultiSelect" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Organization MultiSelect" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Time" {
                # Time fields are given as a number of seconds starting from midnight. This will convert it into a datetime object.
                $Seconds = $NinjaPropertyValue
                $UTC = ([timespan]::fromseconds($Seconds)).ToString("hh\:mm\:ss")
                $TimeZone = [TimeZoneInfo]::Local
                $ConvertedTime = [TimeZoneInfo]::ConvertTimeFromUtc($UTC, $TimeZone)
    
                Get-Date $ConvertedTime -DisplayHint Time
            }
            default {
                # If no type was given or not one that matches the above types just output what we retrieved.
                $NinjaPropertyValue
            }
        }
    }
    # Utility function for downloading files.
    function Invoke-Download {
        param(
            [Parameter()]
            [String]$URL,
            [Parameter()]
            [String]$Path,
            [Parameter()]
            [int]$Attempts = 3,
            [Parameter()]
            [Switch]$SkipSleep
        )
        Write-Host "URL given, Downloading the file..."

        $SupportedTLSversions = [enum]::GetValues('Net.SecurityProtocolType')
        if ( ($SupportedTLSversions -contains 'Tls13') -and ($SupportedTLSversions -contains 'Tls12') ) {
            [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol::Tls13 -bor [System.Net.SecurityProtocolType]::Tls12
        }
        elseif ( $SupportedTLSversions -contains 'Tls12' ) {
            [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
        }
        else {
            # Not everything requires TLS 1.2, but we'll try anyway.
            Write-Warning "TLS 1.2 and or TLS 1.3 are not supported on this system. This download may fail!"
            if ($PSVersionTable.PSVersion.Major -lt 3) {
                Write-Warning "PowerShell 2 / .NET 2.0 doesn't support TLS 1.2."
            }
        }

        $i = 1
        While ($i -le $Attempts) {
            # Some cloud services have rate-limiting
            if (-not ($SkipSleep)) {
                $SleepTime = Get-Random -Minimum 3 -Maximum 15
                Write-Host "Waiting for $SleepTime seconds."
                Start-Sleep -Seconds $SleepTime
            }
        
            if ($i -ne 1) { Write-Host "" }
            Write-Host "Download Attempt $i"

            try {
                # Invoke-WebRequest is preferred because it supports links that redirect, e.g., https://t.ly
                if ($PSVersionTable.PSVersion.Major -lt 4) {
                    # Downloads the file
                    $WebClient = New-Object System.Net.WebClient
                    $WebClient.DownloadFile($URL, $Path)
                }
                else {
                    # Standard options
                    $WebRequestArgs = @{
                        Uri                = $URL
                        OutFile            = $Path
                        MaximumRedirection = 10
                        UseBasicParsing    = $true
                    }

                    # Downloads the file
                    Invoke-WebRequest @WebRequestArgs
                }

                $File = Test-Path -Path $Path -ErrorAction SilentlyContinue
            }
            catch {
                Write-Warning "An error has occurred while downloading!"
                Write-Warning $_.Exception.Message

                if (Test-Path -Path $Path -ErrorAction SilentlyContinue) {
                    Remove-Item $Path -Force -Confirm:$false -ErrorAction SilentlyContinue
                }

                $File = $False
            }

            if ($File) {
                $i = $Attempts
            }
            else {
                Write-Warning "File failed to download."
                Write-Host ""
            }

            $i++
        }

        if (-not (Test-Path $Path)) {
            Write-Warning "Failed to download file!"
        }
        else {
            return $Path
        }
    }

    function Revoke-Certificate {
        param (
            $Object,
            $Loop = 0
        )
        $CrlPath = "$TEMP\CertRevokeListScript-$(Get-Date -Format FileDate).crl"
        Write-Host "[Info] Revoking certificates with CRL file from Path, URL, or custom field: $Object"
        if ($Object -like "http*") {
            Write-Host "[Info] Downloading CRL file"
            try {
                # Download the CRL file
                Invoke-Download -URL $Object -Path $CrlPath -SkipSleep -ErrorAction Stop
                Write-Host "[Info] Downloaded CRL file to $CrlPath"
                # Revoke the certificates
                certutil.exe -addstore CA $CrlPath
                Write-Host "[Info] Added CRL to the list of revoked certificates"
            }
            catch {
                Write-Host "[Error] Failed to download CRL file"
                exit 1
            }
            # Remove the temporary CRL file
            try {
                Remove-Item -Path $CrlPath -Force -Confirm:$false -ErrorAction Stop
            }
            catch {
                Write-Host "[Error] Failed to remove temporary CRL file"
                exit 1
            }
        }
        elseif ($(Test-Path -Path $Object -ErrorAction SilentlyContinue)) {
            # Revoke the certificates
            Write-Host "[Info] Adding CRL to the list of revoked certificates"
            try {
                $Object | Set-Content -Path $CrlPath -Force -ErrorAction Stop
                # Revoke the certificates
                certutil.exe -addstore CA $CrlPath
                Write-Host "[Info] Added CRL to the list of revoked certificates"
            }
            catch {
                Write-Host "[Error] Failed to revoke certificates with CRL file"
                exit 1
            }
            # Remove the temporary CRL file
            try {
                Remove-Item -Path $CrlPath -Force -Confirm:$false -ErrorAction Stop
            }
            catch {
                Write-Host "[Error] Failed to remove temporary CRL file"
                exit 1
            }
        }
        else {
            $ValueFromCf = Get-NinjaProperty -Name $Object
            if (
                # Check if Loop is 0 and the value from the custom field is a path or URL
                $Loop -eq 0 -and (
                    $(Test-Path -Path $ValueFromCf -ErrorAction SilentlyContinue) -or
                    $ValueFromCf -like "http*"
                )
            ) {
                # Call Revoke-Certificate if the Custom Field value is a path or URL
                # We'll only call Revoke-Certificate once to prevent an infinite loop via $Loop variable
                Revoke-Certificate -Object $ValueFromCf -Loop $($Loop + 1)
                return
            }
            $ValueFromCf | Set-Content -Path $CrlPath -Force -ErrorAction Stop
            
            # Revoke the certificates
            certutil.exe -addstore CA $CrlPath
            if ($LASTEXITCODE -ne 0) {
                Write-Host "[Error] Failed to revoke certificates with CRL file"
                exit 1
            }
            Write-Host "[Info] Added CRL to the list of revoked certificates"
            # Remove the temporary CRL file
            try {
                Remove-Item -Path $CrlPath -Force -Confirm:$false -ErrorAction Stop
            }
            catch {
                Write-Host "[Error] Failed to remove temporary CRL file"
                exit 1
            }
        }
        
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    if ($PSSenderInfo) {
        Write-Host "[Error] This script cannot be run in a PSSession. Please run it locally or via Ninja RMM."
        exit 1
    }

    $CertificatesFound = $false
    $RemoveError = $false

    # Get a list of thumbprints from the environment variable
    if ($env:Thumbprints -and $env:Thumbprints -ne "null") {
        $Thumbprint = $env:Thumbprints -split ',' | ForEach-Object { "$_".Trim() }
    }
    elseif ($Thumbprint) {
        # Remove any commas from the thumbprint and trim any whitespace
        $Thumbprint = $Thumbprint | ForEach-Object { "$($_ -split ',')".Trim() }
    }
    if ($env:getCrlFromCustomField -and $env:getCrlFromCustomField -ne "null") {
        $GetCrlFromCustomField = $env:getCrlFromCustomField
    }

    # Get crl file path from the environment variable
    if ($env:certificateRevokeListPath -and $env:certificateRevokeListPath -ne "null") {
        $CertRevokeList = $env:certificateRevokeListPath
    }

    # Check that Thumbprint or CertRevokeList where specified
    if ($Thumbprint) {}
    elseif ($CertRevokeList) {}
    elseif ($GetCrlFromCustomField) {}
    else {
        Write-Host "[Error] Thumbprint or CertRevokeList or GetCrlFromCustomField where not specified. Please specify at least one of them."
        exit 2
    }

    # Check if the RemoveMatchingCertificates switch/checkbox was selected
    if ($env:removeMatchingCertificates -eq "true") {
        $RemoveMatchingCertificates = $true
    }

    # Get the custom field name from the Script Variable
    if ($env:customField) {
        $CustomField = $env:customField
    }

    if ($Thumbprint) {
        $Thumbprint = $Thumbprint | ForEach-Object {
            if ($_.Length -eq 40 -and $_ -match "^[0-9a-fA-F]{40}$") {
                Write-Host "[Info] Thumbprint($_) is valid and will be processed."
                $_
            }
            else {
                Write-Host "[Warn] Thumbprint($_) is not valid and will be skipped."
            }
        }
    
        # Loop through all certificates installed on the system
        $FoundCertificates = Get-ChildItem -Path Cert:\LocalMachine\ -Recurse | Where-Object { $_.Thumbprint -and $_.Thumbprint -in $Thumbprint }
    
        # Output the found certificates
        $OutputThumbprints = if ($FoundCertificates) {
            $CertificatesFound = $true
            Write-Host "[Alert] Found certificates:"
            $FoundCertificates = $FoundCertificates | ForEach-Object {
                [PSCustomObject]@{
                    Thumbprint = $_.Thumbprint
                    PSPath     = $_.PSPath
                    ExpiryDate = if ($_.NotAfter) { $_.NotAfter.ToShortDateString() }else { "No Expiry Date" }
                }
            }
            if ($FoundCertificates) {
                $thumbprint = "Thumbprint"
                $path = "Path"
                $padding = 40

                $centeredThumbprint = $thumbprint.PadLeft(($thumbprint.Length + $padding) / 2).PadRight($padding)
                $centeredPath = $path

                Write-Host "$centeredThumbprint - $centeredPath - Expires"
            }
            $FoundCertificates | ForEach-Object {
                $CertPath = $_
                $CertificatePath = $CertPath.PSPath
                # Convert PSPath to how certmgr.mmc formats the path
                $CertificatePath = $CertificatePath -replace 'LocalMachine\\', 'Local Computer\'
                $CertificatePath = $CertificatePath -replace '\\My\\', '\Personal\'
                $CertificatePath = $CertificatePath -replace '\\CA\\', '\Intermediate Certification Authorities\'
                $CertificatePath = $CertificatePath -replace '\\Root\\', '\Trusted Root Certification Authorities\'
                $CertificatePath = $CertificatePath -replace '\\Disallowed\\', '\Untrusted Certificates\'
                $CertificatePath = $CertificatePath -replace '\\AuthRoot\\', '\Third-Party Root Certification Authorities\'
                $CertificatePath = $CertificatePath -replace '\\TrustedPublisher\\', '\Trusted Publishers\'
                $CertificatePath = $CertificatePath -replace '\\ClientAuthIssuer\\', '\Client Authentication Issuers\'
                $CertificatePath = $CertificatePath -replace '\\Remote Desktop\\', '\Remote Desktop\'
                $CertificatePath = $CertificatePath -replace '\\SmartCardRoot\\', '\Smart Card Trusted Roots\'
                $CertificatePath = $CertificatePath -replace '\\TrustedPeople\\', '\Trusted People\'
                $CertificatePath = $CertificatePath -replace '\\Trust\\', '\Enterprise Trust\'
                $CertificatePath = $CertificatePath -replace '\\REQUEST\\', '\Certificate Enrollment Requests\'
                $CertificatePath = $CertificatePath -replace '\\AddressBook\\', '\Other People\'
                $CertificatePath = $CertificatePath -replace '\\UserdDS\\', '\Active Directory User Object\'
                # Output with the formatted path
                "$($CertPath.Thumbprint) - $($CertificatePath -replace 'Microsoft.PowerShell.Security\\Certificate::') - $($CertPath.ExpiryDate)"
            }
        }
        else {
            Write-Host "[Info] No certificates found"
        }
        if ($OutputThumbprints) {
            $OutputThumbprints | Out-String | Write-Host
        }
    
        # Remove the certificates if we should
        if ($RemoveMatchingCertificates) {
            Write-Host "[Info] Removing certificates"
            # Loop through all the found certificates
            $FoundCertificates | ForEach-Object {
                $Certificate = $_
                # Remove the certificate
                Write-Host "[Info] Removing certificate with path: $($Certificate.PSPath -replace 'Microsoft.PowerShell.Security\\Certificate::')"
                try {
                    # Remove the certificate and its private key
                    # More Info: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/about/about_certificate_provider?view=powershell-5.1#deleting-certificates-and-private-keys
                    if ($IsLinux) {
                        # Only used for testing purposes
                        Remove-Item -Path $Certificate.PSPath -Force -Confirm:$false -ErrorAction Stop
                    }
                    else {
                        Remove-Item -Path $Certificate.PSPath -DeleteKey -Force -Confirm:$false -ErrorAction Stop
                    }
                    Write-Host "[Info] Removed certificate with path: $($Certificate.PSPath -replace 'Microsoft.PowerShell.Security\\Certificate::')"
                }
                catch {
                    # Only error if there is only one certificate
                    # More than one certificate with the same thumbprint is likely already removed
                    if ($($FoundCertificates | Where-Object { $_ -like $Certificate.Thumbprint }).Count -eq 1) {
                        Write-Host "[Error] Failed to Remove certificate with thumbprint: $($Certificate.Thumbprint)"
                        $RemoveError = $true
                    }
                    else {
                        Write-Host "[Info] Removed certificate with path: $($Certificate.PSPath -replace 'Microsoft.PowerShell.Security\\Certificate::')"
                    }
                }
            }
        }
        else {
            Write-Host "[Info] Removing certificates is not enabled. Doing nothing."
        }
        if ($CustomField) {
            # Save the found thumbprints to a NinjaRMM custom field
            Write-Host "[Info] Saving thumbprints to custom field: $CustomField"
            try {
                if ($RemoveMatchingCertificates) {
                    Set-NinjaProperty -Name $CustomField -Value $($OutputThumbprints | ForEach-Object {
                            # Output just the path
                            "$("$_" -split ' - ' | Select-Object -Skip 1 -First 1) - Removed from system"
                        } | Out-String) -Type "MultiLine"
                }
                else {
                    Set-NinjaProperty -Name $CustomField -Value $($OutputThumbprints | ForEach-Object {
                            # Output just the path
                            "$("$_" -split ' - ' | Select-Object -Skip 1 -First 1)"
                        } | Out-String) -Type "MultiLine"
                }
            }
            catch {
                # If we ran into some sort of error we'll output it here.
                Write-Error -Message $_.ToString() -Category InvalidOperation -Exception (New-Object System.Exception)
                exit 1
            }
        }
    
        # Exit with an error when we failed to remove a certificate
        if ($RemoveError) {
            Write-Host "[Error] Failed to Remove one or more certificates"
            exit 1
        }
    
        # Exit with an error when we found certificates and we shouldn't remove them
        if ($CertificatesFound -and -not $RemoveMatchingCertificates) {
            Write-Host "[Alert] Certificates found"
            exit 1
        }
    }

    if ($CertRevokeList) {
        Revoke-Certificate -Object $CertRevokeList
    }
    if ($GetCrlFromCustomField) {
        Revoke-Certificate -Object $GetCrlFromCustomField
    }

    # Exit with a success when no certificates were found
    exit 0
}
end {
    
    
    
}

 

Description détaillée

Le script est un outil puissant qui permet de trouver et éventuellement de supprimer des certificats sur la base d’empreintes spécifiées. Voici une explication étape par étape de son fonctionnement :

1. Initialisation et gestion des paramètres

  • Le script commence par définir les paramètres nécessaires, tels que Thumbprint, RemoveMatchingCertificates, CertRevokeList, GetCrlFromCustomField et CustomField.
  • Il comprend des fonctions utilitaires telles que Test-IsElevated pour vérifier les privilèges administratifs et Set-NinjaProperty pour définir des champs personnalisés dans NinjaOne.

2. Vérification des privilèges administratifs

  • La fonction Test-IsElevated vérifie si le script est exécuté avec des droits d’administration, ce qui est essentiel pour accéder aux certificats du système et les modifier.

3. Traitement des empreintes de pouce

  • Le script traite les empreintes fournies, en s’assurant qu’elles sont valides et correctement formatées.
  • Il récupère les certificats dans le magasin de certificats de la machine locale et les filtre en fonction des empreintes spécifiées.

4. Gestion des certificats

  • Si le commutateur RemoveMatchingCertificates est activé, le script tente de supprimer les certificats trouvés. Il traite les erreurs avec élégance, en veillant à ce que tous les problèmes soient enregistrés et gérés de manière appropriée.
  • Le script peut également enregistrer les résultats dans un champ personnalisé de NinjaOne, ce qui facilite la gestion et l’établissement de rapports.

5. Traitement des CRL

  • Le script peut gérer des listes de révocation de certificats (CRL) à partir d’URL, de chemins locaux ou de champs personnalisés. Il télécharge et traite ces listes pour révoquer les certificats si nécessaire.

6. Sortie et enregistrement

  • Des résultats détaillés sont fournis à chaque étape, ce qui garantit la transparence et facilite le dépannage. Le script enregistre les certificats trouvés, les actions de suppression et les éventuelles erreurs rencontrées.

Cas d’utilisation potentiels

Imaginez un professionnel de l’informatique qui gère le réseau d’une grande entreprise. Les certificats sont utilisés pour sécuriser les communications internes et divers services. Le professionnel constate que certains certificats approchent de l’expiration ou ont été compromis. À l’aide de ce script, ils peuvent rapidement trouver ces certificats grâce à leur empreinte et les supprimer, garantissant ainsi la sécurité du réseau.

Comparaisons

Par rapport aux méthodes manuelles de gestion des certificats, ce script offre des avantages significatifs :

  • Efficacité: Automatise le processus de recherche et de suppression des certificats, ce qui permet de gagner du temps et de réduire le risque d’erreur humaine.
  • Précision: Garantit que seuls les certificats avec les empreintes spécifiées sont affectés, évitant ainsi des modifications involontaires sur d’autres certificats.
  • Intégration: Peut s’intégrer à NinjaOne, ce qui permet une gestion et des rapports transparents dans un cadre de gestion informatique plus large.

FAQ

Q : Qu’est-ce qu’une empreinte de pouce et pourquoi est-elle importante ?
R : Une empreinte est un identifiant unique pour un certificat, utilisé pour s’assurer que le bon certificat est géré.

Q : Ce script peut-il être exécuté sur n’importe quelle version de Windows ?
R : Le script nécessite Windows 10 ou Windows Server 2016 et plus.

Q : Que se passe-t-il si le script n’est pas exécuté avec des privilèges administratifs ?
R : Le script ne parviendra pas à exécuter les actions nécessitant des droits d’administration, telles que la suppression de certificats.

Q : Ce script peut-il gérer des certificats provenant de champs personnalisés dans NinjaOne ?
R : Oui, il est possible de récupérer et de traiter des certificats en utilisant des champs personnalisés dans NinjaOne.

Implications

Grâce à ce script, les professionnels de l’informatique peuvent s’assurer que les certificats sont correctement gérés, réduisant ainsi le risque de failles de sécurité dues à des certificats expirés ou compromis. Cette approche proactive de la gestion des certificats améliore la position globale de l’organisation en matière de sécurité.

Recommandations

  • Audits réguliers: Exécutez régulièrement le script pour auditer et gérer les certificats, en veillant à ce qu’aucun certificat expiré ou non valide ne subsiste dans le système.
  • Sauvegarde: Sauvegardez toujours le magasin de certificats avant d’apporter des modifications, afin de pouvoir le restaurer en cas d’erreur.
  • Intégration: Utilisez l’intégration du script avec NinjaOne pour une gestion et des rapports complets.

Conclusion

Ce script PowerShell est un outil précieux pour les professionnels de l’informatique et les MSP, car il rationalise le processus de recherche et de gestion des certificats système par empreinte. En s’intégrant à NinjaOne, il offre une solution puissante pour maintenir la sécurité et la conformité dans un environnement d’entreprise. La plateforme de NinjaOne, combinée à ce script, fournit une approche complète de la gestion informatique, garantissant que les certificats sont traités de manière efficace et sécurisée.

Pour aller plus loin

Pour créer une équipe informatique efficace et performante, il est essentiel d'avoir une solution centralisée qui joue le rôle de nœud principal pour vos services. NinjaOne permet aux équipes informatiques de surveiller, gérer, sécuriser et prendre en charge tous les appareils, où qu'ils soient, sans avoir besoin d'une infrastructure complexe sur site. Pour en savoir plus sur NinjaOne Endpoint Management, participez à une visite guidée, ou profitez d'un essai gratuit de la plateforme NinjaOne.

Catégories :

Vous pourriez aussi aimer

×

Voir NinjaOne en action !

En soumettant ce formulaire, j'accepte la politique de confidentialité de NinjaOne.

Termes et conditions NinjaOne

En cliquant sur le bouton “J’accepte” ci-dessous, vous indiquez que vous acceptez les termes juridiques suivants ainsi que nos conditions d’utilisation:

  • Droits de propriété: NinjaOne possède et continuera de posséder tous les droits, titres et intérêts relatifs au script (y compris les droits d’auteur). NinjaOne vous accorde une licence limitée pour l’utilisation du script conformément à ces conditions légales.
  • Limitation de l’utilisation: Les scripts ne peuvent être utilisés qu’à des fins personnelles ou professionnelles internes légitimes et ne peuvent être partagés avec d’autres entités.
  • Interdiction de publication: Vous n’êtes en aucun cas autorisé à publier le script dans une bibliothèque de scripts appartenant à, ou sous le contrôle d’un autre fournisseur de logiciels.
  • Clause de non-responsabilité: Le texte est fourni “tel quel” et “tel que disponible”, sans garantie d’aucune sorte. NinjaOne ne promet ni ne garantit que le script sera exempt de défauts ou qu’il répondra à vos besoins ou attentes particulières.
  • Acceptation des risques: L’utilisation du script est sous votre propre responsabilité. Vous reconnaissez qu’il existe certains risques inhérents à l’utilisation du script, et vous comprenez et assumez chacun de ces risques.
  • Renonciation et exonération de responsabilité: Vous ne tiendrez pas NinjaOne pour responsable des conséquences négatives ou involontaires résultant de votre utilisation du script, et vous renoncez à tout droit ou recours légal ou équitable que vous pourriez avoir contre NinjaOne en rapport avec votre utilisation du script.
  • EULA: Si vous êtes un client de NinjaOne, votre utilisation du script est soumise au contrat de licence d’utilisateur final qui vous est applicable (End User License Agreement (EULA)).