Wednesday, April 19, 2017

Download all enterprise CA CRLs from Active Directory

This script looks for every CRL published in the configuration partition (the cRLDistributionPoint objects under the CDP container), downloads each one, and writes it to a binary .crl file. To examine the files further, open them in Windows with the standard certificate viewing tools, or use the PSPKI module to dig into the data.


# Bind to RootDSE to find the configuration naming context of this forest
$debase = new-object directoryservices.directoryentry("LDAP://RootDSE")
$configpartition = $debase.configurationNamingContext[0]
# Published CRLs live under the CDP container of the configuration partition
$de = new-object directoryservices.directoryentry("LDAP://CN=CDP,CN=Public Key Services,CN=Services," + $configpartition)
$ds = new-object directoryservices.directorysearcher($de)
$ds.filter = "(objectclass=cRLDistributionPoint)"
# Only the binary CRL attribute is needed
$ds.propertiestoload.add("certificaterevocationlist")|out-null
$crls = $ds.findall()
foreach ($crl in $crls) {
    # The CRL object's own CN is the CA name; use it as the file name
    $CAcert = $crl.path.replace("LDAP://CN=","")
    $CAcert = $CAcert.substring(0,$CAcert.indexof(","))
    $file = $CAcert + ".crl"
    # The attribute holds the DER-encoded CRL, so write raw bytes
    # (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead of -encoding Byte)
    set-content $file ([byte[]]($crl.properties.certificaterevocationlist[0])) -encoding Byte
}
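An extended version of the same query, added here as an example and not part of the original post: it also pulls the delta CRL (the deltaRevocationList attribute on the same object), keeps the CA and server names apart in the file name, writes bytes with an API that behaves the same on Windows PowerShell and PowerShell 7, and uses certutil to show each CRL's validity period so a stale published CRL stands out. The output directory is a constructed value.

```powershell
# Added example; assumes the same CDP container layout as the post above.
$OutDir = Join-Path $env:TEMP 'ad-crls'   # constructed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$rootDse  = New-Object DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$cdpPath  = 'LDAP://CN=CDP,CN=Public Key Services,CN=Services,' + $rootDse.configurationNamingContext[0]
$searcher = New-Object DirectoryServices.DirectorySearcher((New-Object DirectoryServices.DirectoryEntry($cdpPath)))
$searcher.Filter = '(objectClass=cRLDistributionPoint)'
# Base CRL and delta CRL are two attributes of the same cRLDistributionPoint object
foreach ($attr in 'certificateRevocationList', 'deltaRevocationList') {
    $searcher.PropertiesToLoad.Add($attr) | Out-Null
}
# Map attribute -> file suffix; "+.crl" is the usual delta CRL naming convention
$suffixes = [ordered]@{ certificateRevocationList = '.crl'; deltaRevocationList = '+.crl' }
$invalid  = [regex]::Escape(-join [IO.Path]::GetInvalidFileNameChars())

foreach ($result in $searcher.FindAll()) {
    # Path looks like LDAP://CN=<CA name>,CN=<server>,CN=CDP,...; take the first two RDNs
    $rdns     = ($result.Path -replace '^LDAP://', '') -split ',CN='
    $baseName = ('{0}_{1}' -f ($rdns[0] -replace '^CN='), $rdns[1]) -replace "[$invalid]", '_'

    foreach ($pair in $suffixes.GetEnumerator()) {
        # A CA that publishes no delta CRL simply lacks the attribute
        if (-not $result.Properties.Contains($pair.Key)) { continue }
        $bytes = [byte[]]$result.Properties[$pair.Key][0]
        $file  = Join-Path $OutDir ($baseName + $pair.Value)
        # WriteAllBytes avoids the -encoding Byte / -AsByteStream difference between PowerShell versions
        [IO.File]::WriteAllBytes($file, $bytes)

        # certutil -dump decodes the CRL; a NextUpdate in the past means clients will fail revocation checks
        $validity = certutil.exe -dump $file | Select-String 'ThisUpdate|NextUpdate' | ForEach-Object Line
        '{0} ({1} bytes)' -f $file, $bytes.Length
        $validity
    }
}
```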
