PSCertutil - A PowerShell Wrapper for certutil.exe

Built w/ ❤️ and Crescendo

certutil.exe is a very old-school way to interact with Active Directory Certificate Services. It's shockingly powerful, but its output sucks to work with in PowerShell.

PSCertutil makes using certutil.exe a little more PowerShell-y:

  • standard Verb-Noun function names
  • common parameters
  • structured output

It also provides some ready-made functions to get the most interesting pieces of information (read: stuff I needed to build for Locksmith 2).

Note: This is an MVP, not a full-featured tool. There's almost no error handling and you can only check one CA at a time.

Installation

git clone https://github.com/jakehildreth/PSCertutil
Import-Module .\PSCertutil\PSCertutil.psd1

Current Functions

  • Disable-PSCEditFlag: Disables the flags configured via the policy\EditFlags registry entry
  • Disable-PSCInterfaceFlag: Disables the flags configured via the CA\InterfaceFlags registry entry
  • Enable-PSCEditFlag: Enables the flags configured via the policy\EditFlags registry entry
  • Enable-PSCInterfaceFlag: Enables the flags configured via the CA\InterfaceFlags registry entry
  • Get-PSCAuditFilter: Gets the integer value that represents the bitmask that configures auditing on a CA. Used in Auditing checks. Will soon have human-readable output for auditing configuration.
  • Get-PSCCAAdministrator: Gets all principals granted the "CA Administrator" role on a CA. Used to perform ESC7 checks.
  • Get-PSCCertificateManager: Gets all principals granted "Certificate Manager" role on a CA. Used to perform ESC7 checks.
  • Get-PSCDisableExtensionList: Gets the policy\DisableExtensionList registry entry and returns objects for all disabled extensions. Used to perform ESC16 checks. Will soon have human-readable output for disabled extensions.
  • Get-PSCDump: Identical to "certutil -v -dump". Currently unparsed.
  • Get-PSCEditFlag: Gets the policy\EditFlags registry entry to display the current state of each edit flag. Used to perform ESC6 checks.
  • Get-PSCEnrollmentAgent: Gets Enrollment Agent configuration. Properly restricting Enrollment Agent rights can prevent ESC3 attacks.
  • Get-PSCInterfaceFlag: Gets the CA\InterfaceFlags registry entry to display the current state of each interface flag. Used to perform ESC11 checks.
  • Get-PSCOfficerRight: Gets Officer Rights configuration. Properly restricting Officer Rights can make a wide range of attacks more difficult.
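
The ESC6 and ESC11 checks named in the list above each come down to testing one bit in an integer registry value, and the two bits have opposite "bad" states. The following is an added example, not PSCertutil's own code: the function name `Test-CAFlagFinding`, its parameters, and the sample CA names and values are assumptions constructed for illustration.

```powershell
# Added example, not part of PSCertutil. Function and parameter names are hypothetical.
# Bit values are the documented AD CS flag constants.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # policy\EditFlags: SAN accepted as a request attribute
$IF_ENFORCEENCRYPTICERTREQUEST  = 0x00000200   # CA\InterfaceFlags: RPC enrollment must be encrypted

function Test-CAFlagFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CAName,
        [Parameter(Mandatory)][uint32]$EditFlags,
        [Parameter(Mandatory)][uint32]$InterfaceFlags
    )

    # ESC6: the risky state is the bit being SET.
    $san2 = ($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
    [pscustomobject]@{
        CA      = $CAName
        Check   = 'ESC6'
        Flag    = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
        Enabled = $san2
        AtRisk  = $san2
    }

    # ESC11: the risky state is the bit being CLEAR.
    $enc = ($InterfaceFlags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0
    [pscustomobject]@{
        CA      = $CAName
        Check   = 'ESC11'
        Flag    = 'IF_ENFORCEENCRYPTICERTREQUEST'
        Enabled = $enc
        AtRisk  = -not $enc
    }
}

# Constructed sample values: CA-OK has SAN2 clear and encryption enforced,
# CA-WEAK has SAN2 set and encryption not enforced.
$samples = @(
    @{ CAName = 'CA-OK';   EditFlags = 0x11014E; InterfaceFlags = 0x641 }
    @{ CAName = 'CA-WEAK'; EditFlags = 0x15014E; InterfaceFlags = 0x441 }
)
$results = foreach ($s in $samples) { Test-CAFlagFinding @s }
$results | Format-Table -AutoSize
```

The integers are the values that `certutil -getreg policy\EditFlags` and `certutil -getreg CA\InterfaceFlags` report for a CA.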

Future Functions

  • Get-PSCRecentlyIssued
  • Get-PSCRecentlyFailed
  • Get-PSCPendingRequests/Get-PSCQueued
  • Get-PSCEffective/Get-PSCActive

Thanks
