pfSense Certificate Viewer

Jun 30th, 2019
165
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ####
  2. ### Extracting pfSense Certificates (without private key)
  3. ####
  4. # Redefine the $cfg string variable to point to a valid non-encrypted pfSense XML configuration backup file.
  5. # You can also pass the command line FilePath parameter as the path to the input XML cfg file.
  6.  
  7. # The script will return the CA certificates, Server certificates, User certificates (used or not used) and certificates whose serial number is duplicated
  8. #
  9. # Tested on PowerShell 5 and above
  10. # Created by Alvaro Sedano Galindo. al_sedano@hotmail.com
  11. #
  12. # https://github.com/alvarsedano/pfSense-Certificate-Viewer
  13. #
  14.  
  15. Param (
  16.     [Parameter(Mandatory=$false,
  17.                 Position=0,
  18.                 ValueFromPipeline=$true,
  19.                 ValueFromPipelineByPropertyName=$true)]
  20.     [Alias("File")]
  21.     [string]$FilePath)
  22.  
  23.  
  24. #
  25. # Functions
  26. #
  27.  
  28. Function Get-CN {
  29.     Param([Parameter(Mandatory=$true)][string]$name)
  30.     if($name -match "CN=([^,]*)") {
  31.         $Matches[1] }
  32.     else {$name}
  33. }
  34.  
  35. Function Add-Lista {
  36.     Param([Parameter(Mandatory=$true)][ref]$lista `
  37.          ,[Parameter(Mandatory=$true)][ref]$obj `
  38.          ,[Parameter(Mandatory=$true)][bool]$fromCA)
  39.  
  40.     [string]$oidCLI = '1.3.6.1.5.5.7.3.2'
  41.     [string]$oidSRV = '1.3.6.1.5.5.7.3.1'
  42.     [array]$revs = $listaR | Select -ExpandProperty refid -Unique
  43.     [System.Security.Cryptography.X509Certificates.X509Certificate2]$ccc = $null
  44.     foreach($c in $obj.Value) {
  45.         $ccc = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([System.Convert]::FromBase64String($c.crt))
  46.         $ccc.FriendlyName = $c.descr.'#cdata-section'
  47.         $objTmp = $ccc | Select *, @{N='IsCA';E={$fromCA}} `
  48.                                   , @{N='IsServer';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidSRV}} `
  49.                                   , @{N='IsClient';E={-not $fromCA -and $_.EnhancedKeyUsageList.ObjectId -contains $oidCLI}} `
  50.                                   , @{N='sIssuer';E={Get-CN($_.Issuer)}}, @{N='sSubject';E={Get-CN($_.Subject)}} `
  51.                                   , @{N='refid'; E={$c.refid}} `
  52.                                   , @{N='isRevoked'; E={-not $fromCA -and $c.refid -in $revs}} `
  53.                                   , @{N='revokedOn'; Expression={$null}} `
  54.  
  55.         if ($objTmp.isRevoked) {
  56.             [string[]]$strRev = @()
  57.             foreach($d in $listaR) {
  58.                 if ($d.refid -eq $c.refid) {
  59.                     $strRev += [string]($d.listRev)
  60.                 }
  61.             }
  62.             $objTmp.revokedOn = $strRev
  63.         }
  64.         $lista.Value += $objTmp
  65.     }
  66. }
  67.  
  68.  
  69. #
  70. # BODY
  71. #
  72.  
  73. # Check if param 0 is assigned
  74. if ($FilePath -eq $null -or $FilePath -eq '') {
  75.     [string]$cfg = "$env:USERPROFILE\Downloads\config-pfSense01.private.xml"
  76. }
  77. else {
  78.     # Use the FilePath console input parameter
  79.     [string]$cfg = $FilePath
  80. }
  81.  
  82.  
  83. if (-not (Test-Path -Path $cfg)) {
  84.     Write-Host "File '$cfg' not found. Process stopped." -BackgroundColor DarkRed
  85.     Exit 1
  86. }
  87.  
  88. #Read XML pfSense config file
  89. [xml]$fxml = Get-Content $cfg -Encoding Default
  90.  
  91. #Get the CRL revocation list
  92. [DateTime]$time0 = '1970-01-01'
  93. [array]$listaR = @()
  94. foreach($r in $fxml.pfsense.crl) {
  95.     $listaR += $r.cert | Select @{N='listRev';E={$r.descr.'#cdata-section'}}, caref, refid, reason, @{N='revDate';E={$time0.AddSeconds($_.revoke_time)}}
  96. }
  97.  
  98. #Add CA Certificates to $listaC (WITHOUT private keys)
  99. [array]$listaC = @()
  100. Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.ca) -fromCA $true
  101.  
  102. #Add user/server certificates to $listaC (WITHOUT private keys)
  103. Add-Lista -lista ([ref]$listaC) -obj ([ref]$fxml.pfsense.cert) -fromCA $false
  104. #Note: User Certificates created with old pfSense versions can set the EnhancedKeyUsageList property to <empty>
  105.  
  106. Remove-Variable fxml, r
  107.  
  108. #List of CA Certificates
  109. Write-Output "`nCA Certificates"
  110. $listaC | Where-Object {$_.isCA} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject | Sort-Object -Property sIssuer, SerialNumber | ft
  111.  
  112. #List of Server Certificates
  113. Write-Output "`nServer Certificates"
  114. $listaC | Where-Object {$_.isServer} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Sort-Object -Property sIssuer, SerialNumber | ft
  115.  
  116. #List of User Certificates (not CA and not Server)
  117. Write-Output "`nUser Certificates"
  118. $listaC | Where-Object {-not ($_.isCA -or $_.isServer)} | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Sort-Object -Property sIssuer, SerialNumber | ft
  119.  
  120. #List of Dupicated SerialNumbers (per CA)
  121. Write-Output "`nDuplicated Serial Numbers (per CA)"
  122. $listaC | Select sIssuer, SerialNumber, FriendlyName, DnsNameList, sSubject, revokedOn | Group-Object -Property sIssuer, SerialNumber | Where-Object {$_.Count -gt 1} | Select -ExpandProperty Group | ft