icinga-powershell-plugins

Invoke-IcingaCheckCertificate enhancements

Open scriptkiddy666 opened this issue 1 year ago • 1 comments

Hi, am I the only one, or would it be nice to have some additional information about the certificates returned by this check (at least with verbosity mode)? I'm thinking of serial, thumbprint, friendly name, certificate template, issuer and maybe subject alternative names. (So not a basic copy of the content the Certificate Monitoring module displays, but a limited version.)

Additionally, it would also be nice if those fields could be searched (like it's already possible with thumbprint, for example). But maybe that's only a "personal problem" with a lot of certificates in the certificate store to find the "right" certificate.

scriptkiddy666, Dec 17 '24 11:12

Hi @scriptkiddy666, I have the same requirement: filtering out two dedicated certificates and displaying at least issuer and EnhancedKeyUsageList in the plugin output. Example of how to retrieve the needed information from PowerShell:

Get-ChildItem Cert:\LocalMachine\My\ | Select-Object -Property Issuer,EnhancedKeyUsageList,NotAfter

Issuer                                        EnhancedKeyUsageList                                                                   NotAfter
------                                        --------------------                                                                   --------
CN=Icinga CA                                  {}                                                                                     18.09.2099 14:58:40
CN=FOO C1 Sub CA 01 G1, O=FOO Group, C=DE     {Server Authentication (1.3.6.1.5.5.7.3.1)}                                            09.01.2098 12:39:08
CN=Icinga CA                                  {}                                                                                     24.12.2097 14:55:25
CN=Icinga CA                                  {}                                                                                     17.05.2096 16:46:01
CN=FOO C1 Sub CA 01 G1, O=FOO Group, C=DE     {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)} 09.01.2095 12:39:08

Currently it is only possible to exclude certain data with "-ExcludePattern":

Invoke-IcingaCheckCertificate -CertStore 'LocalMachine' -CertStorePath 'My' -ExcludePattern 'Icinga CA' -Verbosity 2
[OK] Certificates: 2 Ok
\_ [OK] Certificate 'example' (valid until 2026-01-09 : 364d) valid for: 31521041.556151
\_ [OK] Certificate 'example' (valid until 2025-01-09 : 729d) valid for: 63057041.540524
0

I assume that the ProviderCertificate-command needs a small enhancement with the data you're looking for:

$CertStoreCerts = Get-ChildItem -Path $CertStorePath -Recurse | Select-Object -Property Issuer,EnhancedKeyUsageList,NotAfter,Thumbprint,Subject;

and a new "-IncludePattern"-parameter.

tectumopticum, Jan 09 '25 16:01
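Until the plugin offers this, the fields requested in this thread can be listed and searched with plain PowerShell. The following is an added example, not code from icinga-powershell-plugins or from either poster; `Get-CertInventory` and its parameters are hypothetical names, and it assumes a Windows host with the `Cert:` provider.

```powershell
# Added example: not part of icinga-powershell-plugins. Get-CertInventory and its
# parameters are hypothetical names chosen for this illustration.
function Get-CertInventory {
    param(
        [string]$CertStorePath = 'Cert:\LocalMachine\My',
        [string[]]$IncludePattern = @(),   # wildcard substring; empty means include everything
        [string[]]$ExcludePattern = @()    # wildcard substring; any hit drops the certificate
    )
    # Formatted value of the first extension matching one of the OIDs, or ''
    $ExtText = {
        param($Cert, [string[]]$Oids)
        $Ext = $Cert.Extensions | Where-Object { $Oids -contains $_.Oid.Value } | Select-Object -First 1
        if ($Ext) { $Ext.Format($false) } else { '' }
    }
    foreach ($Cert in Get-ChildItem -Path $CertStorePath -Recurse) {
        # -Recurse on a store location also yields store nodes; keep certificates only
        if ($Cert -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) { continue }

        $San      = & $ExtText $Cert @('2.5.29.17')   # subjectAltName
        $Template = & $ExtText $Cert @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')  # template v1 / v2
        $Eku      = $Cert.EnhancedKeyUsageList -join ', '   # e.g. "Server Authentication (1.3.6.1.5.5.7.3.1)"

        # Every field that a pattern is matched against
        $Fields = @($Cert.Subject, $Cert.Issuer, $Cert.Thumbprint, $Cert.SerialNumber,
                    $Cert.FriendlyName, $San, $Template, $Eku)

        $Included = ($IncludePattern.Count -eq 0)
        foreach ($P in $IncludePattern) { if (@($Fields -like "*$P*").Count -gt 0) { $Included = $true } }
        foreach ($P in $ExcludePattern) { if (@($Fields -like "*$P*").Count -gt 0) { $Included = $false } }
        if (-not $Included) { continue }

        [pscustomobject]@{
            Subject      = $Cert.Subject
            Issuer       = $Cert.Issuer
            Thumbprint   = $Cert.Thumbprint
            Serial       = $Cert.SerialNumber
            FriendlyName = $Cert.FriendlyName
            Template     = $Template
            SAN          = $San
            EKU          = $Eku
            NotAfter     = $Cert.NotAfter
            DaysLeft     = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
        }
    }
}

# Values taken from the output shown above: keep server-auth certificates, drop the Icinga CA ones
Get-CertInventory -IncludePattern 'Server Authentication' -ExcludePattern 'Icinga CA' |
    Format-Table Issuer, EKU, NotAfter, DaysLeft -AutoSize
```

Exclude patterns are applied after include patterns, so a certificate matching both is dropped.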