I am moving the Active Directory Certificate Services role to a new 2012 server. The new server will issue new certificates, and I need to find all certificates that were not issued through auto-enrollment so I can manually issue new ones for them.
Does anyone know the best way to do this with PowerShell? I am using the PSPKI module.
You can open the certificate store:
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\computername\MY","LocalMachine")
$CertStore.Open("ReadOnly")
$CertStore.Certificates   # this property contains all the certificates in the store
You can open the Local Machine personal store on each computer, then enumerate it and return information about the certificates that were not issued by the new CA:
$Computers = "adbertram01","adbertram02","adbertram03"
$oldCerts = @()  # This will contain all the interesting certificates
foreach ($Computer in $Computers) {
    # Remote LocalMachine\My (personal) store of the target computer
    $CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Computer\MY","LocalMachine")
    $CertStore.Open("ReadOnly")
    if ($CertStore.Certificates.Count -eq 0) {
        continue  # No certificates found, move along
    }
    foreach ($Cert in $CertStore.Certificates) {
        # Anything whose Issuer DN does not name the new CA is a candidate for re-issuing
        if ($Cert.Issuer -notmatch "MyNew2012CA") {
            $oldCerts += New-Object PSObject -Property @{
                Computer   = $Computer
                Subject    = $Cert.Subject
                Issuer     = $Cert.Issuer
                Thumbprint = $Cert.Thumbprint
            }
        }
    }
    $CertStore.Close()
}
Now you can see which computers/servers still have certificates from the old CA installed:
$oldCerts | Group-Object -Property Computer
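As an added example (not code from the answer above), the same store enumeration wrapped in a reusable function that also closes the store handle, skips computers whose store cannot be opened, optionally drops already-expired certificates, and reads the certificate template extension so you can tell which template each old certificate came from. The computer names and the issuer pattern are placeholders; the template OIDs 1.3.6.1.4.1.311.21.7 (v2 templates) and 1.3.6.1.4.1.311.20.2 (v1 templates) are the standard Microsoft extension OIDs.

```powershell
function Get-CertificateNotIssuedBy {
    [CmdletBinding()]
    param(
        # Computers whose LocalMachine\My store is inspected (placeholders in the usage below)
        [Parameter(Mandatory)]
        [string[]] $ComputerName,

        # Regex matched against the Issuer DN; certificates that match are the new CA's and are skipped
        [Parameter(Mandatory)]
        [string] $NewIssuerPattern,

        # Drop certificates that have already expired; they do not need to be re-issued
        [switch] $ExcludeExpired
    )

    foreach ($Computer in $ComputerName) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Computer\MY", "LocalMachine")
        try {
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        } catch {
            # Offline host, firewall, or missing remote registry access: report and move on
            Write-Warning "Could not open LocalMachine\My on ${Computer}: $($_.Exception.Message)"
            continue
        }
        try {
            foreach ($cert in $store.Certificates) {
                if ($cert.Issuer -match $NewIssuerPattern) { continue }
                if ($ExcludeExpired -and $cert.NotAfter -lt (Get-Date)) { continue }

                # Template extension: v2 templates use 1.3.6.1.4.1.311.21.7, v1 templates 1.3.6.1.4.1.311.20.2
                $tmpl = $cert.Extensions |
                    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                    Select-Object -First 1

                [pscustomobject]@{
                    Computer   = $Computer
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Template   = if ($tmpl) { $tmpl.Format($false) } else { $null }
                }
            }
        } finally {
            $store.Close()
        }
    }
}

# Usage (placeholder names): list the old certificates, then summarise per computer
$oldCerts = Get-CertificateNotIssuedBy -ComputerName 'srv01', 'srv02' -NewIssuerPattern 'MyNew2012CA' -ExcludeExpired
$oldCerts | Group-Object -Property Computer | Select-Object Name, Count
$oldCerts | Format-Table Computer, Subject, Template, NotAfter -AutoSize
```

Emitting `[pscustomobject]` objects to the pipeline instead of appending to an array keeps the function usable with `Where-Object`, `Export-Csv` and the like, and the template column lets you separate certificates that came from an auto-enrolled template from the manually requested ones you need to re-issue by hand.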