To check if a specific certificate exists in the local certificate storage, the Script Sensor in combination with the following PowerShell script (QueryCertStore.ps1) is used.
The script can also be found in the installation directory in the 'Examples' directory.
if($args.Count -lt 1 )
{
exit -2
}
$pThumbprint = $args[0]
$ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
$loc=[System.Security.Cryptography.X509Certificates.StoreLocation]"CurrentUser"
$store=new-object System.Security.Cryptography.X509Certificates.X509Store("My",$loc)
$store.Open($ro)
foreach ($thumbprint in $store.Certificates | Select -ExpandProperty Thumbprint) {
if ($thumbprint -like $pThumbprint) {
echo "found"
exit 0
}
}
exit -1
The configuration of the sensor looks as follows:
Host Settings
Host |
The host on which the script should be executed. |
Credential |
The credential which is needed to authenticate on the host. |
Process/Script Settings
Filename |
The path to the PowerShell script 'QueryCertStore.ps1' in the installation directory. |
Arguments |
The SHA1 thumbprint of the searched certificate which is passed to the script. |
Working Directory |
The path to the directory on which the script is working. In this case the 'Examples' directory. |
Conditions
Condition |
The action 'Set Status to Error' will be executed, if the script does not return an Exit Code of '0'. |
