Domain Detective

API Reference

Class

CmdletGetCertificateInventoryQuery

Namespace DomainDetective.PowerShell
Assembly DomainDetective.PowerShell
Base PSCmdlet
Modifiers sealed
Attributes
Cmdlet("Get", "DDCertificateInventoryQuery") Alias(["Get-CertificateInventoryQuery"]) OutputType([typeof(CertificateInventoryQueryResult)])

Queries persisted certificate inventory snapshots using structured filters.

Inheritance

  • PSCmdlet
  • CmdletGetCertificateInventoryQuery

Examples

Find known-CA certificates expiring within 30 days


Get-DDCertificateInventoryQuery -KnownCaOnly -ExpiringWithinDays 30 -MaxResults 1000
        

Find likely mTLS issues


Get-DDCertificateInventoryQuery -ClientAuthOnly -ChainIncompleteOnly -HostnameMismatchOnly
        

Filter by CA families and CT source


Get-DDCertificateInventoryQuery -AuthorityFamilyEquals LetsEncrypt -KnownRootCaOnly -CtSourceContains shodan
        

Find invalid but reachable endpoints


Get-DDCertificateInventoryQuery -InvalidOnly -ReachableOnly
        

Return only latest endpoint observations


Get-DDCertificateInventoryQuery -LatestOnly -HostContains \"example.com\"
        

Constructors

Methods

ProcessRecord() #

Executes the cmdlet.

Properties

public String CacheDirectory { get; set; } #
Parameter(Mandatory = false)

Certificate monitor cache directory containing the inventory folder.

public Nullable<DateTime> SinceUtc { get; set; } #
Parameter(Mandatory = false)

Only include snapshots captured since this UTC date/time.

public Nullable<DateTime> UntilUtc { get; set; } #
Parameter(Mandatory = false)

Only include snapshots captured up to this UTC date/time.

public String HostContains { get; set; } #
Parameter(Mandatory = false)

Host substring filter.

public String SubjectContains { get; set; } #
Parameter(Mandatory = false)

Certificate subject substring filter.

public String SanContains { get; set; } #
Parameter(Mandatory = false)

Certificate SAN substring filter.

public String ServiceEquals { get; set; } #
Parameter(Mandatory = false)

Service equality filter (for example HTTPS, HTTPS-Alt, Custom TLS).

public String IssuerContains { get; set; } #
Parameter(Mandatory = false)

Issuer substring filter.

public String AuthorityFamilyEquals { get; set; } #
Parameter(Mandatory = false)

Leaf authority family exact-match filter.

public String RootContains { get; set; } #
Parameter(Mandatory = false)

Root issuer/subject substring filter.

public String RootAuthorityFamilyEquals { get; set; } #
Parameter(Mandatory = false)

Root authority family exact-match filter.

public String CtSourceContains { get; set; } #
Parameter(Mandatory = false)

CT source substring filter.

public String CtTemplateErrorContains { get; set; } #
Parameter(Mandatory = false)

CT template/configuration error substring filter.

public String ChainSourceContains { get; set; } #
Parameter(Mandatory = false)

Certificate chain source substring filter.

public String ThumbprintEquals { get; set; } #
Parameter(Mandatory = false)

Leaf certificate thumbprint exact-match filter.

public String RootThumbprintEquals { get; set; } #
Parameter(Mandatory = false)

Root certificate thumbprint exact-match filter.

public String SerialNumberEquals { get; set; } #
Parameter(Mandatory = false)

Leaf certificate serial-number exact-match filter (hex string expected).

public SwitchParameter KnownCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates from recognized public CAs.

public SwitchParameter UnknownCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates from unrecognized or private CAs.

public SwitchParameter KnownRootCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates chaining to recognized public root CAs.

public SwitchParameter UnknownRootCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates chaining to unrecognized or private root CAs.

public SwitchParameter ValidOnly { get; set; } #
Parameter(Mandatory = false)

Only include entries with valid certificates.

public SwitchParameter InvalidOnly { get; set; } #
Parameter(Mandatory = false)

Only include entries with invalid certificates.

public SwitchParameter ExpiredOnly { get; set; } #
Parameter(Mandatory = false)

Only include expired certificates.

public SwitchParameter ChainIncompleteOnly { get; set; } #
Parameter(Mandatory = false)

Only include entries with incomplete chains.

public SwitchParameter ChainCompleteOnly { get; set; } #
Parameter(Mandatory = false)

Only include entries with complete chains.

public SwitchParameter HostnameMismatchOnly { get; set; } #
Parameter(Mandatory = false)

Only include entries where hostname validation failed.

public SwitchParameter HostnameMatchOnly { get; set; } #
Parameter(Mandatory = false)

Only include entries where hostname validation succeeded.

public SwitchParameter SelfSignedOnly { get; set; } #
Parameter(Mandatory = false)

Only include self-signed certificates.

public SwitchParameter NotSelfSignedOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates that are not self-signed.

public SwitchParameter UnreachableOnly { get; set; } #
Parameter(Mandatory = false)

Only include unreachable endpoints.

public SwitchParameter ReachableOnly { get; set; } #
Parameter(Mandatory = false)

Only include reachable endpoints.

public SwitchParameter CtOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates observed in CT logs.

public SwitchParameter CtMissingOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates not observed in CT logs.

public SwitchParameter ServerAuthOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates allowing server authentication EKU.

public SwitchParameter NoServerAuthOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates that do not allow server authentication EKU.

public SwitchParameter ClientAuthOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates allowing client authentication EKU.

public SwitchParameter NoClientAuthOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates that do not allow client authentication EKU.

public SwitchParameter SecureEmailOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates allowing secure email EKU.

public SwitchParameter NoSecureEmailOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates that do not allow secure email EKU.

public SwitchParameter WeakKeyOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates that use weak keys.

public SwitchParameter Sha1SignatureOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates signed with SHA-1.

public SwitchParameter NotYetValidOnly { get; set; } #
Parameter(Mandatory = false)

Only include certificates that are not yet valid.

public Nullable<Int32> ExpiringWithinDays { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include certificates expiring within this many days.

public String AuthenticationProfileEquals { get; set; } #
Parameter(Mandatory = false)

Authentication profile exact-match filter.

public SwitchParameter LatestOnly { get; set; } #
Parameter(Mandatory = false)

Only evaluate the latest observed entry per endpoint (host+port) in the selected snapshot window.

public Int32 MaxResults { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Maximum number of results returned.

{{ include "footer" }}