2019-07-22 01:05:07 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Duplicated Serial Numbers (per CA)
|
|
|
|
|
|
|
|
|
|
sIssuer SerialNumber FriendlyName DnsNameList sSubject revokedOn
|
|
|
|
|
------- ------------ ------------ ----------- -------- ---------
|
|
|
|
|
internal-ca 2F hsanchez {hsanchez} hsanchez
|
|
|
|
|
internal-ca 2F city1 {city1} city1 {revocados}
|
|
|
|
|
internal-ca 30 audit03 {audit03} audit03 {revocados}
|
|
|
|
|
internal-ca 30 uaIntro {uaIntro} uaIntro
|
|
|
|
|
internal-ca 31 city04 {city04} city04
|
2019-07-22 01:42:45 +02:00
|
|
|
internal-ca 31 uaDevice(2) {uaDevice} uaDevice
|
2019-07-22 01:05:07 +02:00
|
|
|
internal-ca 32 fperez {fperez} fperez
|
2019-07-22 01:42:45 +02:00
|
|
|
internal-ca 32 uaExit(2) {uaExit} uaExit
|
2019-07-22 01:05:07 +02:00
|
|
|
|
|
|
|
|
This is the last part of the result returned by the script: It shows duplicated SerialNumbers 2F, 30, 31 and 32
|
|
|
|
|
To avoid issues when some of this certs is revoked, you must revoked all them, and recreate new certs forevery user involved.
|
|
|
|
|
|
|
|
|
|
As example: The execution result shows that the "city1" and "audit03" certs are revoked in the "revocados" CRL.
|
|
|
|
|
But due to the duplicity of SerialNumbers, the openVPN tunnel that uses "revocados" as CRL also will consider revoked
|
|
|
|
|
the certs "hsanchez" and "uaIntro".
|
2019-07-22 01:32:34 +02:00
|
|
|
|
|
|
|
|
every item of $listaC has these attributes:
|
|
|
|
|
|
|
|
|
|
PS C:\Users\me\Documents> $listaC[56]
|
|
|
|
|
|
|
|
|
|
EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2)}
|
|
|
|
|
DnsNameList : {uaDedicated01}
|
|
|
|
|
SendAsTrustedIssuer : False
|
|
|
|
|
Archived : False
|
|
|
|
|
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
|
|
|
|
|
FriendlyName : uaDedicated01(02)
|
|
|
|
|
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
|
|
|
|
|
NotAfter : 12/07/2020 14:10:54
|
|
|
|
|
NotBefore : 13/07/2018 14:10:54
|
2019-07-22 01:41:06 +02:00
|
|
|
HasPrivateKey : False <-- NOT IMPORTED BY THIS POWERSHELL SCRIPT
|
2019-07-22 01:32:34 +02:00
|
|
|
PrivateKey :
|
|
|
|
|
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
|
|
|
|
|
RawData : {18, ...}
|
|
|
|
|
SerialNumber : 3F
|
|
|
|
|
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
|
|
|
|
|
SignatureAlgorithm : System.Security.Cryptography.Oid
|
|
|
|
|
Thumbprint : 4AD2BBE653414EE1A10E01FB3D26F62D003B52C7
|
|
|
|
|
Version : 3
|
|
|
|
|
Handle : 2788955271140
|
|
|
|
|
Issuer : CN=internal-ca, E=mail@mycompany.com, O=MYCOMP, L=myCity, S=myCity, C=ES
|
|
|
|
|
Subject : CN=uaDedicated01, E=mail@mycompany.com, O=MYCOMP, L=myCity, S=myCity, C=ES
|
|
|
|
|
IsCA : False
|
|
|
|
|
IsServer : False
|
|
|
|
|
IsClient : True
|
|
|
|
|
sIssuer : internal-ca
|
|
|
|
|
sSubject : uaDedicated01
|
|
|
|
|
refid : 5b85b04689ad1
|
|
|
|
|
isRevoked : True
|
|
|
|
|
revokedOn : {revocados, revCAcert}
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
You can show certs that will expire in the next 90 days
|
|
|
|
|
|
2019-07-22 01:41:06 +02:00
|
|
|
$listaC | Where-Object {$_.NotAfter -le (Get-Date).AddDays(90)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | ft
|
|
|
|
|
|
2019-07-22 01:57:23 +02:00
|
|
|
$listaC | Where-Object {$_.revokedOn -ne $null} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | ft
|
|
|
|
|
|
2019-07-22 01:41:06 +02:00
|
|
|
---
|
|
|
|
|
Or the list of revoked Certs
|
|
|
|
|
|
|
|
|
|
$listaC | Where-Object {$_.revokedOn -ne $null} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | ft
|
2019-07-22 01:57:23 +02:00
|
|
|
|
2019-07-22 01:41:06 +02:00
|
|
|
And everything you want :)
|
