# rm-rf.es

Locating certificates in Windows with PowerShell (by thumbprint)

When Windows logs an event in Event Viewer (eventvwr) warning that an SSL/TLS certificate is about to expire, the event normally identifies the certificate by its thumbprint rather than by its Common Name, which makes locating it in the Windows certificate store (only slightly) harder. Example:

```text
Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date:          22/10/2019 12:11:15
Event ID:      64
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      FOO.localdomain
Description:
Certificate for local system with Thumbprint ac 3a 37 6f 67 e4 e4 23 11 1v 8c 76 e7 64 ac cc 89 97 db 2b is about to expire or already expired.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment" Guid="{F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}" EventSourceName="AutoEnrollment" />
    <EventID Qualifiers="32768">64</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-10-26T11:11:18.000000000Z" />
    <EventRecordID>26543</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>foo.localdoimain</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Context">local system</Data>
    <Data Name="ObjId">ac 3a 37 6f 67 e4 e4 23 11 1v 8c 76 e7 64 ac cc 89 97 db 2b is ab</Data>
  </EventData>
</Event>
```

As you can see, the only way to identify the certificate is by its thumbprint. Once we have that value, we can locate the certificate with PowerShell. The command sequence is as follows. First, switch to the certificate store drive:

```powershell
PS C:\Users\Administrator> cd cert:
```

Then run the search, replacing HUELLADIGITAL in the filter with the thumbprint written without spaces:

```powershell
dir -recurse | where {$_.Thumbprint -eq "HUELLADIGITAL"} | Format-List -property *
PS Cert:\> dir -recurse | where {$_.Thumbprint -eq "ac3a376f67e4e423111v8c76e764accc8997db2b"} | Format-List -property *
```

```text
PSPath                   : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\AA3AE76F67E4E437611B8C76E764ACCC8997DB2B
PSParentPath             : Microsoft.PowerShell.Security\Certificate::LocalMachine\My
PSChildName              : AA3AE76F67E4E437611B8C76E764ACCC8997DB2B
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2)}
DnsNameList              : {f5fd9e16-114f-4820-8de1-6312daf9aebb}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 28/03/2018 11:57:20
NotBefore                : 29/09/2017 11:37:20
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 54...}
SerialNumber             : 9882C78D8AF77AA8446C133BB7184A59
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : AB3AE76F17E2E433611V3AV6E784A88C8997DV23
Version                  : 3
Handle                   : 336890832080
Issuer                   : CN=connectorRegistrationCA.msappproxy.net
Subject                  : CN=f5fd9e16-114f-4820-8de1-6312daf9aebb
```
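The following is an added example, not code from the original post, that automates the same lookup end to end: it reads AutoEnrollment event 64 from the Application log, normalises the space-separated thumbprint printed in the event text into the 40-character form the Cert: drive uses, and reports where each matching certificate lives, what it is used for and how many days it has left. The function names are my own.

```powershell
# Added example: locate certificates reported by AutoEnrollment event 64.
function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # The event prints the SHA-1 thumbprint as 20 space-separated byte pairs;
    # the Cert: provider stores it as 40 contiguous hex characters (-eq is
    # case-insensitive in PowerShell, so case does not matter for matching).
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "Not a 40-hex-digit SHA-1 thumbprint: '$Text'" }
    return $hex
}

function Find-CertificateByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = ConvertTo-NormalizedThumbprint $Thumbprint
    # Same recursive search as in the post, projected to the fields needed to
    # decide which store the certificate is in and what it is used for.
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_.Thumbprint -eq $tp } |
        Select-Object PSParentPath, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey,
            @{ n = 'EKU';      e = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } },
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

# Harvest the thumbprints straight from the warning events instead of copying them by hand.
function Get-ExpiringCertificateEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Id           = 64
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message text: "... with Thumbprint <20 hex byte pairs> is about to expire ..."
            if ($_.Message -match 'Thumbprint\s+((?:[0-9a-fA-F]{2}\s+){19}[0-9a-fA-F]{2})') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    Thumbprint  = ConvertTo-NormalizedThumbprint $Matches[1]
                }
            }
        }
}

# Usage: resolve every thumbprint reported in the last 30 days to its certificate.
Get-ExpiringCertificateEvents |
    ForEach-Object { Find-CertificateByThumbprint $_.Thumbprint } |
    Format-List
```

Reading the LocalMachine stores requires an elevated session; an empty result for a thumbprint that does appear in the event usually means the certificate was already removed or renewed.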