Mirrors/pfSense-Certificate-Viewer
1
0
Fork 0
mirror of https://github.com/alvarsedano/pfSense-Certificate-Viewer.git synced 2025-04-19 08:55:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
pfSense-Certificate-Viewer/result-example.md
Alvaro Sedano 146ab1803e
Rename result-example to result-example.md
2019-07-22 01:55:48 +02:00

3.1 KiB
Raw Blame History

Duplicated Serial Numbers (per CA)

sIssuer SerialNumber FriendlyName DnsNameList sSubject revokedOn

internal-ca 2F hsanchez {hsanchez} hsanchez internal-ca 2F city1 {city1} city1 {revocados} internal-ca 30 audit03 {audit03} audit03 {revocados} internal-ca 30 uaIntro {uaIntro} uaIntro internal-ca 31 city04 {city04} city04 internal-ca 31 uaDevice(2) {uaDevice} uaDevice internal-ca 32 fperez {fperez} fperez internal-ca 32 uaExit(2) {uaExit} uaExit

This is the last part of the result returned by the script: It shows duplicated SerialNumbers 2F, 30, 31 and 32 To avoid issues when some of this certs is revoked, you must revoked all them, and recreate new certs forevery user involved.

As example: The execution result shows that the "city1" and "audit03" certs are revoked in the "revocados" CRL. But due to the duplicity of SerialNumbers, the openVPN tunnel that uses "revocados" as CRL also will consider revoked the certs "hsanchez" and "uaIntro".

every item of $listaC has these attributes:

PS C:\Users\me\Documents> $listaC[56]

EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2)} DnsNameList : {uaDedicated01} SendAsTrustedIssuer : False Archived : False Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...} FriendlyName : uaDedicated01(02) IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName NotAfter : 12/07/2020 14:10:54 NotBefore : 13/07/2018 14:10:54 HasPrivateKey : False <-- NOT IMPORTED BY THIS POWERSHELL SCRIPT PrivateKey : PublicKey : System.Security.Cryptography.X509Certificates.PublicKey RawData : {18, ...} SerialNumber : 3F SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName SignatureAlgorithm : System.Security.Cryptography.Oid Thumbprint : 4AD2BBE653414EE1A10E01FB3D26F62D003B52C7 Version : 3 Handle : 2788955271140 Issuer : CN=internal-ca, E=mail@mycompany.com, O=MYCOMP, L=myCity, S=myCity, C=ES Subject : CN=uaDedicated01, E=mail@mycompany.com, O=MYCOMP, L=myCity, S=myCity, C=ES IsCA : False IsServer : False IsClient : True sIssuer : internal-ca sSubject : uaDedicated01 refid : 5b85b04689ad1 isRevoked : True revokedOn : {revocados, revCAcert}

You can show certs that will expire in the next 90 days

$listaC | Where-Object {$_.NotAfter -le (Get-Date).AddDays(90)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | ft

Or the list of revoked Certs

$listaC | Where-Object {$_.revokedOn -ne $null} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | ft

And everything you want :)