	| @@ -1,11 +1,12 @@ | |||||||
| #### | #### | ||||||
| ### Extracting pfSense Certificates (without private key) | ### Extracting pfSense Certificates (without private key) | ||||||
| #### | #### | ||||||
| # Redefine the $cfg string variable to point to a valid unencrypted pfSense Configuration XML file | # Redefine the $cfg string variable to point to a valid unecripted pfSense Configuration XML file | ||||||
| # The script will return the CA, Server, User and Duplicated Serial Number Certificates | # The script will return the CA certificates, Server certificates, User certificated (used or not used) and duplicate Serial Number Certificates | ||||||
| # | # | ||||||
| # Tested on PowerShell 5 and avobe | # Tested on PowerShell 5 and avobe | ||||||
| # Created by Alvaro Sedano Galindo. al_sedano@hotmail.com | # Created by Alvaro Sedano Galindo. al_sedano@hotmail.com | ||||||
|  | # | ||||||
|  |  | ||||||
| Function Get-CN { | Function Get-CN { | ||||||
|     Param([Parameter(Mandatory=$true)][string]$name) |     Param([Parameter(Mandatory=$true)][string]$name) | ||||||
| @@ -21,25 +22,56 @@ Function Add-Lista { | |||||||
|  |  | ||||||
|     [string]$oidCLI = '1.3.6.1.5.5.7.3.2' |     [string]$oidCLI = '1.3.6.1.5.5.7.3.2' | ||||||
|     [string]$oidSRV = '1.3.6.1.5.5.7.3.1' |     [string]$oidSRV = '1.3.6.1.5.5.7.3.1' | ||||||
|  |     [array]$revs = $listaR | Select -ExpandProperty refid -Unique | ||||||
|     [System.Security.Cryptography.X509Certificates.X509Certificate2]$ccc = $null |     [System.Security.Cryptography.X509Certificates.X509Certificate2]$ccc = $null | ||||||
|     foreach($c in $obj.Value) { |     foreach($c in $obj.Value) { | ||||||
|         $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt)) |         $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt)) | ||||||
|         $ccc.FriendlyName = "[$($c.refid)] $($c.descr.'#cdata-section')" |         $ccc.FriendlyName = $c.descr.'#cdata-section' | ||||||
|         $lista.Value += $ccc | Select *, @{N='IsCA';E={$fromCA}} ` |         $objTmp = $ccc | Select *, @{N='IsCA';E={$fromCA}} ` | ||||||
|                                   , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} ` |                                   , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} ` | ||||||
|                                   , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} ` |                                   , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} ` | ||||||
|                                   , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} |                                   , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} ` | ||||||
|  |                                   , @{N='refid'; E={$c.refid}} ` | ||||||
|  |                                   , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}} ` | ||||||
|  |                                   , @{N='revokedOn'; Expression={$null}} ` | ||||||
|  |  | ||||||
|  |         if ($objTmp.isRevoked) { | ||||||
|  |             [string[]]$strRev = @() | ||||||
|  |             foreach($d in $listaR) { | ||||||
|  |                 if ($d.refid -eq $c.refid) { | ||||||
|  |                     $strRev += [string]($d.listRev) | ||||||
|  |                 } | ||||||
|  |             } | ||||||
|  |             $objTmp.revokedOn = $strRev | ||||||
|  |         } | ||||||
|  |         $lista.Value += $objTmp | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | #$CRL = New-Object -ComObject "X509Enrollment.CX509CertificateRevocationList" | ||||||
|  | #$CRLContents = [System.Convert]::ToBase64String((Get-Content "C:\Users\ASG\Downloads\revocados.crl" -Encoding Byte)) | ||||||
|  | #[System.Security.Cryptography.X509Certificates.X509CRL2]$ccc = $null | ||||||
|  |  | ||||||
|  | #https://msdnshared.blob.core.windows.net/media/2016/04/CRLFreshCheck.psm1_.txt | ||||||
|  |  | ||||||
| # | # | ||||||
| # BODY | # BODY | ||||||
| # | # | ||||||
|  |  | ||||||
| #Read XML pfSense config file | #Read XML pfSense config file | ||||||
| [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml" | [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.casi.es.private.xml" | ||||||
|  | #[string]$cfg = "C:\Users\ASG\Downloads\config-e.tecnube.es-20190630223501.xml" | ||||||
| [xml]$aaa = Get-Content $cfg -Encoding Default | [xml]$aaa = Get-Content $cfg -Encoding Default | ||||||
|  |  | ||||||
|  | #Get the CRL revocation list | ||||||
|  | [DateTime]$time0 = '1970-01-01' | ||||||
|  | #[array]$listaR = $aaa.pfsense.crl.cert | Select caref, refid, reason, @{N='revDate';E={$o.AddSeconds($_.revoke_time)}} | ||||||
|  | [array]$listaR = @() | ||||||
|  | foreach($r in $aaa.pfsense.crl) { | ||||||
|  |     $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$time0.AddSeconds($_.revoke_time)}} | ||||||
|  | } | ||||||
|  |  | ||||||
| #Add CA Certificates to $listaC (WITHOUT private keys) | #Add CA Certificates to $listaC (WITHOUT private keys) | ||||||
| [array]$listaC = @() | [array]$listaC = @() | ||||||
| Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true | Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true | ||||||
| @@ -48,7 +80,7 @@ Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.ca) -fromCA $true | |||||||
| Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.cert) -fromCA $false | Add-Lista -lista ([ref]$listaC) -obj ([ref]$aaa.pfsense.cert) -fromCA $false | ||||||
| #Note: User Certificates created with old pfSense versions can set the EnhancedKeyUsageList property to <empty> | #Note: User Certificates created with old pfSense versions can set the EnhancedKeyUsageList property to <empty> | ||||||
|  |  | ||||||
| Remove-Variable aaa | Remove-Variable aaa, r | ||||||
|  |  | ||||||
| #List of CA Certificates | #List of CA Certificates | ||||||
| Write-Output "`nCA Certificates" | Write-Output "`nCA Certificates" | ||||||
| @@ -56,12 +88,12 @@ $listaC | Where-Object {$_.isCA} | Select sIssuer, SerialNumber, FriendlyName, D | |||||||
|  |  | ||||||
| #List of Server Certificates | #List of Server Certificates | ||||||
| Write-Output "`nServer Certificates" | Write-Output "`nServer Certificates" | ||||||
| $listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft | $listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Sort-Object -Property sIssuer, SerialNumber | ft | ||||||
|  |  | ||||||
| #List of User Certificates (not CA and not Server) | #List of User Certificates (not CA and not Server) | ||||||
| Write-Output "`nUser Certificates" | Write-Output "`nUser Certificates" | ||||||
| $listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft | $listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Sort-Object -Property sIssuer, SerialNumber | ft | ||||||
|  |  | ||||||
| #List of Dupicated SerialNumbers (per CA) | #List of Dupicated SerialNumbers (per CA) | ||||||
| Write-Output "`nDuplicated Serial Numbers (per CA)" | Write-Output "`nDuplicated Serial Numbers (per CA)" | ||||||
| $listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft | $listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft | ||||||
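Review bot: The new `revokedOn` property added in Add-Lista is filled with CRL descriptions (`$strRev += [string]($d.listRev)`), not a date, while the `revDate` that the BODY's CRL loop computes with `$time0.AddSeconds($_.revoke_time)` is never carried into `$listaC`, so the three `ft` listings at the end show a list of CRL names under a column that reads as a revocation date. Either rename the property, e.g. `@{N='revokedIn'; Expression={$null}}` and `$objTmp.revokedIn = $strRev`, or carry the date through with something like `$strRev += '{0} ({1:u})' -f $d.listRev, $d.revDate`. Separately, `[DateTime]$time0 = '1970-01-01'` produces a DateTime of Kind Unspecified, so an epoch value that is presumably UTC will be printed as if it were local time; `[DateTimeOffset]::FromUnixTimeSeconds($_.revoke_time).UtcDateTime` avoids that on .NET 4.6+. Also, `isRevoked` is derived only from `<cert>` children of `<crl>`, so a certificate revoked through a CRL that pfSense stores as an imported blob rather than per-certificate entries (if I read the schema right) would still be reported as not revoked, which deserves a comment next to `$revs`, e.g. `# Only CRLs with per-certificate <cert> entries contribute here; imported CRL blobs are not parsed`. The Add-Lista header and its parameter list lie above this hunk.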
|   | |||||||
		Reference in New Issue
	
	Block a user