PowerShell for OpenSSL CA Issued Cert Status

In the lab you might use a basic OpenSSL certificate authority (CA) to issue test client certificates. If you're on Windows, you may find the following PowerShell sample helpful to list the issued client certs along with their current status, subject, and validity dates. You might want to run openssl ca -updatedb beforehand so that outdated certs are marked as expired in the CA database before you query their status. This example has the CA files available on a Windows file share, but this could be a local path as well. Note that we're explicitly setting the OPENSSL_CONF environment variable for this script in case the CA config file is at a different path from your system OPENSSL_CONF. The format of client cert serial numbers is assumed to be a 6-character hexadecimal number; if your cert serial numbers have a different form, you should change the patterns below to match.

$openssl = "C:\OpenSSL-Win64\bin\openssl.exe"
$folder = "\\SomeServer\SomeShare\CAFolder"
# Point OpenSSL at the CA's own config so "openssl ca" finds the right database
$env:OPENSSL_CONF = "$folder\openssl.cnf"
# Issued certs live in newcerts\<SERIAL>.pem; serials are assumed to be 6 hex digits
Get-ChildItem "$folder\newcerts\??????.pem" | Sort-Object |
  ForEach-Object {
    $null = $_.FullName -match '\\([0-9A-F]{6})\.pem'
    $serial = $Matches[1]
    # Instead of "-config" ... use $env:OPENSSL_CONF by default.
    # "openssl ca -status" reports on stderr (e.g. "123456=Valid (V)"), hence 2>&1
    (&$openssl ca -status $serial 2>&1 | Out-String |
      ForEach-Object { $_ -split "`r" } | Select-String "=").Line.Trim()
    # Pull serial, subject and validity dates from the certificate itself
    (&$openssl x509 -in $_.FullName -text | Select-String `
      "Not After|Not Before|Subject: |Serial Number").Line.Trim()
    "=" * 20
  }
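As an added example (not code from the original post), the CA database itself can be read directly instead of calling openssl once per certificate: index.txt holds the status letter (V/R/E), expiry date, revocation date and reason, serial, and subject for every issued cert. The script below parses that file, flags "V" entries whose expiry has already passed (which means openssl ca -updatedb has not been run), and marks certs expiring within a warning window; it assumes the same $folder share as above and the default tab-separated index.txt layout.

```powershell
# Assumption: same CA folder as the script above; index.txt is the standard OpenSSL CA database
$folder = "\\SomeServer\SomeShare\CAFolder"
$warnDays = 30   # flag valid certs that expire within this many days

function ConvertFrom-OpenSslDate {
    # index.txt stores UTC times as "YYMMDDHHMMSSZ" (or "YYYYMMDDHHMMSSZ" for years >= 2050)
    param([string]$Text)
    $fmt = if ($Text.Length -eq 13) { 'yyMMddHHmmss\Z' } else { 'yyyyMMddHHmmss\Z' }
    [datetime]::ParseExact($Text, $fmt, [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AssumeUniversal).ToUniversalTime()
}

function Get-OpenSslCaIndex {
    # Columns: status, expiry, revocation[,reason], serial, filename, subject DN
    param([string]$Path)
    foreach ($line in Get-Content $Path) {
        if (-not $line.Trim()) { continue }
        $f = $line -split "`t"
        $expires = ConvertFrom-OpenSslDate $f[1]
        $rev = if ($f[2]) { $f[2] -split ',' } else { @() }
        # A "V" entry past its NotAfter is stale until "openssl ca -updatedb" is run
        $status = switch ($f[0]) {
            'V' { if ($expires -lt [datetime]::UtcNow) { 'Expired (db not updated)' } else { 'Valid' } }
            'R' { 'Revoked' }
            'E' { 'Expired' }
            default { "Unknown ($($f[0]))" }
        }
        [pscustomobject]@{
            Serial      = $f[3]
            Status      = $status
            NotAfter    = $expires
            RevokedAt   = if ($rev.Count -ge 1) { ConvertFrom-OpenSslDate $rev[0] } else { $null }
            Reason      = if ($rev.Count -ge 2) { $rev[1] } else { $null }
            ExpiresSoon = ($status -eq 'Valid' -and $expires -lt [datetime]::UtcNow.AddDays($warnDays))
            Subject     = $f[5]
        }
    }
}

Get-OpenSslCaIndex "$folder\index.txt" |
    Sort-Object NotAfter |
    Format-Table Serial, Status, NotAfter, ExpiresSoon, RevokedAt, Reason, Subject -AutoSize
```

Reading index.txt is also the quickest way to confirm that a revocation actually landed in the database before you regenerate the CRL.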

This is just a little hint for how to automate OpenSSL commands and filter their output with PowerShell. You should be able to automate all kinds of similar operations by reading up on OpenSSL and PowerShell and modifying or writing scripts to suit your needs.

About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration.
