
I'm taking initial steps to start securing a network, and I've come across the fact that a number of machines have Client Certificates for websites installed in the user client certificate store, locally, rather than through AD. These are from a third-party CA, and are business critical.

As a first step, I'm trying to create a list of which certificates each user has installed, so that I can then try to create something more manageable using a GPO or similar, but as they were installed locally, I can't see them in my AD or Certificate Services.

I've been looking at powershell's certificate management cmdlets, but even then, I can only list the current user's certificates, which makes remoting with a domain administrator credential not a valid solution.

How do I go about cataloguing everybody's certificates?

Moof

1 Answer


This link indicates that you cannot access the certificate store of another user.

One way I would think of is to write a logon script that gets the certificates of the current user at logon, for example with Get-Childitem cert:\currentUser -recurse, and saves the output to a local or network file. If you use Export-CSV, you get a format that you can easily process.

A possible one-liner could be:

Get-Childitem Cert:\currentUser -Recurse |`
Select @{N="Username";E={$env:username}}, Subject, Issuer, FriendlyName, NotAfter |`
Export-CSV [csvFilePath] -Append

With the additional calculated property you get the username of the logged-on user, so you can put the data in one file and still distinguish the certificates by user.

Tobias
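A fuller version of the logon-script approach from the answer, written as an added example and not part of the original post. It assumes a hypothetical share \\fileserver\certinv that every user can write to, that the certificates of interest live in the user's Personal (My) store, and it flags the ones carrying the Client Authentication enhanced key usage so the web client certificates stand out in the inventory:

```powershell
# Added example (not the answer's own code): logon-script inventory of the
# current user's personal certificate store, one CSV per user and machine.
param(
    [string]$OutputDir = '\\fileserver\certinv'   # hypothetical share, adjust
)

# OID for the Client Authentication enhanced key usage (id-kp-clientAuth).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-UserClientCertInventory {
    Get-ChildItem -Path 'Cert:\CurrentUser\My' | ForEach-Object {
        $cert = $_
        # Read the EKU extension, if present, so TLS client-auth certificates
        # (the "client certificates for websites") can be filtered later.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        [pscustomobject]@{
            Username      = $env:USERNAME
            Computer      = $env:COMPUTERNAME
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            FriendlyName  = $cert.FriendlyName
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = ($ekuOids -contains $ClientAuthOid)
            EkuOids       = ($ekuOids -join ';')
        }
    }
}

# Writing one file per user and machine avoids many logon scripts racing to
# -Append the same shared CSV at the start of the working day.
$outFile = Join-Path $OutputDir ("{0}-{1}.csv" -f $env:COMPUTERNAME, $env:USERNAME)
Get-UserClientCertInventory | Export-Csv -Path $outFile -NoTypeInformation
```

The per-user files can later be merged with Import-Csv and filtered on ClientAuthEku and Issuer to isolate the third-party CA certificates that need to move under central management.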