Get ADFS relying parties signing certificates

Today I want to show you how to check relying party signing certificates. If you work in a large-scale ADFS environment with a huge number of relying parties, it is difficult to check many things manually. This is why you end up relying on the ADFS cmdlets documented on the Microsoft pages (link).

In this article you will find out how to check signing certificates using a PowerShell function. To get relying party details you can use the Get-ADFSRelyingPartyTrust command and specify the identifier of the RP. One of its properties is RequestSigningCertificate, and it contains all the certificate information we need. The function in this example collects details such as:

– SerialNumber
– Subject
– Issuer
– Thumbprint
– NotBefore
– NotAfter

Usage:

Get-ADFSRPCertificate -RPs https://relyingparty01.com
Get-ADFSRPCertificate -RPs https://relyingparty01.com, https://relyingparty02.com
Get-ADFSRPCertificate -RPs (Get-Content "C:\Users\$env:username\desktop\RPList.txt")

Final script:


Function Get-ADFSRPCertificate {
    [CmdletBinding()]

    # Parameters used in this function
    Param
    (
        [Parameter(Position = 0, Mandatory = $True, HelpMessage = "Provide relying parties identifiers", ValueFromPipeline = $true)]
        [string[]]$RPs,

        [Parameter(Position = 1, Mandatory = $False, HelpMessage = "Provide ADFS server name")]
        [string]$ADFSServer = "ADFS01"
    )

    $ErrorActionPreference = "Stop"
    $Results = @()

    ForEach ($RP in $RPs)
    {
        $RP = $RP.Trim()
        Write-Host "Processing $RP" -ForegroundColor Yellow

        Try
        {
            # Query the trust on the ADFS server; the identifier is passed in through -ArgumentList
            $RPDetails = Invoke-Command -ErrorAction Stop -ComputerName $ADFSServer -ScriptBlock {
                Param($Identifier)
                Get-AdfsRelyingPartyTrust -Identifier $Identifier |
                    Select-Object Name, Identifier, Enabled, RequestSigningCertificate
            } -ArgumentList $RP
        }
        Catch
        {
            Write-Warning "$RP : $($_.Exception.Message)"
            Continue
        }

        If (-not $RPDetails)
        {
            Write-Warning "$RP : relying party trust not found"
            Continue
        }

        # RequestSigningCertificate can hold more than one certificate, so emit one row per certificate
        ForEach ($Cert in $RPDetails.RequestSigningCertificate)
        {
            $Results += New-Object PSObject -Property @{
                RelyingParty = $RP
                SerialNumber = $Cert.SerialNumber
                Subject      = $Cert.Subject
                Issuer       = $Cert.Issuer
                Thumbprint   = $Cert.Thumbprint
                NotBefore    = $Cert.NotBefore
                NotAfter     = $Cert.NotAfter
            }
        }
    }

    If ($Results)
    {
        Write-Host "`nFinal results:" -ForegroundColor Green
        # Display results in console
        $Results | Format-Table -AutoSize RelyingParty, Thumbprint, SerialNumber, NotAfter, NotBefore, Subject, Issuer

        # Open results in pop-up window, soonest expiry first
        $Results | Select-Object RelyingParty, NotAfter, NotBefore, Thumbprint, SerialNumber, Subject, Issuer |
            Sort-Object NotAfter | Out-GridView -Title "Certificates"

        # Export CSV
        $Results | Export-Csv -Path "C:\Users\$env:USERNAME\Desktop\results.csv" -NoTypeInformation
    }
    Else
    {
        Write-Warning "No request signing certificates were found for the given relying parties"
    }
}
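Collecting the certificate fields is only half of the job; the point of the inventory is to spot relying party signing certificates that are expired, about to expire, or built on weak crypto. The following is an added example, not part of the original post: a hypothetical Test-RPSigningCertificate function that takes the X509Certificate2 object found in RequestSigningCertificate and reports findings, run here against a self-signed certificate constructed in memory so it works without an ADFS server (assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+, for System.Security.Cryptography.CertificateRequest).

```powershell
# Added example (not from the original post). Flags expiry and weak crypto on one
# relying party signing certificate; thresholds and names are assumptions.
Function Test-RPSigningCertificate {
    Param(
        [Parameter(Mandatory = $true)][string]$RelyingParty,
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30
    )
    $now      = Get-Date
    $findings = @()
    if ($Certificate.NotAfter -lt $now) {
        $findings += "expired on $($Certificate.NotAfter)"
    }
    elseif ($Certificate.NotAfter -lt $now.AddDays($WarnDays)) {
        $findings += "expires within $WarnDays days ($($Certificate.NotAfter))"
    }
    if ($Certificate.NotBefore -gt $now) { $findings += "not yet valid" }
    # Signatures made with SHA-1 or MD5 should be rotated (FriendlyName looks like 'sha1RSA')
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match '^(sha1|md5)') { $findings += "weak signature algorithm $sigAlg" }
    # RSA keys shorter than 2048 bits; GetRSAPublicKey returns $null for non-RSA keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa -and $rsa.KeySize -lt 2048) { $findings += "RSA key size $($rsa.KeySize)" }
    [PSCustomObject]@{
        RelyingParty = $RelyingParty
        Thumbprint   = $Certificate.Thumbprint
        NotAfter     = $Certificate.NotAfter
        Findings     = ($findings -join '; ')
        Ok           = ($findings.Count -eq 0)
    }
}

# Constructed sample input: a SHA-256 / RSA-2048 self-signed certificate that expires in 10 days,
# so the 30-day warning fires while the crypto checks stay clean.
$rsaKey  = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.CertificateRequest]::new(
    "CN=relyingparty01.example", $rsaKey,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $request.CreateSelfSigned([DateTimeOffset](Get-Date).AddDays(-300), [DateTimeOffset](Get-Date).AddDays(10))
Test-RPSigningCertificate -RelyingParty "https://relyingparty01.example" -Certificate $sample -WarnDays 30

# Against a real trust (requires the ADFS cmdlets):
# $rp = Get-AdfsRelyingPartyTrust -Identifier "https://relyingparty01.example"
# foreach ($c in $rp.RequestSigningCertificate) { Test-RPSigningCertificate $rp.Identifier $c }
```

When run through Invoke-Command as in Get-ADFSRPCertificate above, the certificate arrives deserialized and loses its key material, so run this check on the ADFS server itself (or inside the remote script block) rather than on the deserialized copy.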
