Domain Detective

API Reference

Class

CmdletGetCertificateInventoryRisk

Namespace DomainDetective.PowerShell
Assembly DomainDetective.PowerShell
Base PSCmdlet
Modifiers sealed
Attributes
Cmdlet("Get", "DDCertificateInventoryRisk") Alias(["Get-CertificateInventoryRisk"]) OutputType([typeof(CertificateInventoryRiskSummary)])

Builds endpoint-level certificate risk posture from persisted inventory snapshots.

Inheritance

  • PSCmdlet
  • CmdletGetCertificateInventoryRisk

Examples

Assess risk posture for snapshots captured in the last 30 days


Get-DDCertificateInventoryRisk -SinceUtc (Get-Date).ToUniversalTime().AddDays(-30)
        

Include healthy endpoints and tune expiry thresholds


Get-DDCertificateInventoryRisk -IncludeHealthy -ExpiringWithinDays 45 -CriticalExpiringWithinDays 10
        

Return only high and critical endpoint rows


Get-DDCertificateInventoryRisk -MinimumSeverity High
        

Constructors

Methods

ProcessRecord() #

Executes the cmdlet.

Properties

public String CacheDirectory { get; set; } #
Parameter(Mandatory = false)

Certificate monitor cache directory containing the inventory folder.

public Nullable<DateTime> SinceUtc { get; set; } #
Parameter(Mandatory = false)

Only include snapshots captured since this UTC date/time.

public SwitchParameter IncludeHealthy { get; set; } #
Parameter(Mandatory = false)

Include endpoints without detected risk findings.

public Int32 ExpiringWithinDays { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Warning threshold window in days for expiring certificates.

public Int32 CriticalExpiringWithinDays { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Critical threshold window in days for expiring certificates.

public Int32 MaxEndpoints { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Maximum endpoint rows returned.

public String MinimumSeverity { get; set; } #
Parameter(Mandatory = false) ValidateSet(["None", "Low", "Medium", "High", "Critical"])

Optional minimum severity filter (None means no additional score filter).

public Nullable<Int32> ScoreMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 100)

Optional minimum endpoint risk score filter (0-100).

public Nullable<Int32> ScoreMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 100)

Optional maximum endpoint risk score filter (0-100).

public Nullable<Int32> ReasonCountMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Optional minimum reason-count filter (0 or greater).

public Nullable<Int32> ReasonCountMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Optional maximum reason-count filter (0 or greater).

public Nullable<Int32> ReuseEndpointCountMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 2147483647)

Optional minimum certificate-reuse endpoint-count filter (1 or greater).

public Nullable<Int32> ReuseEndpointCountMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 2147483647)

Optional maximum certificate-reuse endpoint-count filter (1 or greater).

public String RiskProfile { get; set; } #
Parameter(Mandatory = false) ValidateSet(["Renewal14d", "Renewal30d", "FutureNotYetValid", "Expired", "HighRiskActive"])

Optional risk profile preset (Renewal14d, Renewal30d, FutureNotYetValid, Expired, HighRiskActive).

public String ReasonContains { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive reason substring filter (for example CertificateExpired, WeakKey, CtNotObserved).

public String[] ReasonAnyOf { get; set; } #
Parameter(Mandatory = false)

Optional exact reason filters where any value can match.

public String[] ReasonAllOf { get; set; } #
Parameter(Mandatory = false)

Optional exact reason filters where all values must match.

public String IssuerContains { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive issuer/root-issuer substring filter (for example DigiCert, Let's Encrypt, ISRG).

public String[] IssuerContainsAnyOf { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive issuer/root-issuer substring filters where any value can match.

public String[] IssuerContainsAllOf { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive issuer/root-issuer substring filters where all values must match.

public String RootIssuerContains { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive root-issuer substring filter.

public String[] RootIssuerContainsAnyOf { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive root-issuer substring filters where any value can match.

public String[] RootIssuerContainsAllOf { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive root-issuer substring filters where all values must match.

public String AuthorityFamilyEquals { get; set; } #
Parameter(Mandatory = false)

Optional leaf authority family exact-match filter (for example DigiCert, LetsEncrypt).

public String RootAuthorityFamilyEquals { get; set; } #
Parameter(Mandatory = false)

Optional root authority family exact-match filter (for example DigiCert, LetsEncrypt).

public String CtSourceContains { get; set; } #
Parameter(Mandatory = false)

Optional CT/discovery source substring filter (for example crt.sh, shodan, censys).

public String CtTemplateErrorContains { get; set; } #
Parameter(Mandatory = false)

Optional CT template/configuration error substring filter.

public String ChainSourceContains { get; set; } #
Parameter(Mandatory = false)

Optional chain-source substring filter (for example tls-handshake, aia-download).

public String ThumbprintEquals { get; set; } #
Parameter(Mandatory = false)

Optional leaf-certificate thumbprint exact-match filter (hex string expected).

public String RootThumbprintEquals { get; set; } #
Parameter(Mandatory = false)

Optional root-certificate thumbprint exact-match filter (hex string expected).

public String SerialNumberEquals { get; set; } #
Parameter(Mandatory = false)

Optional leaf-certificate serial-number exact-match filter (hex string expected).

public String HostContains { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive host substring filter.

public String ServiceEquals { get; set; } #
Parameter(Mandatory = false)

Optional case-insensitive service exact-match filter (for example HTTPS, HTTPS-Alt, Custom TLS).

public Nullable<Int32> PortEquals { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 65535)

Optional endpoint port exact-match filter (1-65535).

public Nullable<Int32> ChainLengthMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include endpoints whose observed chain length is greater than or equal to this value.

public Nullable<Int32> ChainLengthMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include endpoints whose observed chain length is less than or equal to this value.

public Nullable<Int32> IntermediateCountMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include endpoints whose observed intermediate count is greater than or equal to this value.

public Nullable<Int32> IntermediateCountMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include endpoints whose observed intermediate count is less than or equal to this value.

public SwitchParameter CtObservedOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificates were observed in CT logs.

public SwitchParameter CtMissingOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificates were not observed in CT logs.

public SwitchParameter ChainCompleteOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with complete certificate chains.

public SwitchParameter ChainIncompleteOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with incomplete certificate chains.

public SwitchParameter ReachableOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints reachable on the scanned endpoint.

public SwitchParameter UnreachableOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints that were not reachable on the scanned endpoint.

public SwitchParameter HostnameMatchOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificate matches the requested hostname.

public SwitchParameter HostnameMismatchOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificate does not match the requested hostname.

public SwitchParameter SelfSignedOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints using self-signed certificates.

public SwitchParameter CaSignedOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints using CA-signed certificates.

public SwitchParameter WeakKeyOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with weak keys.

public SwitchParameter StrongKeyOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints without weak keys.

public SwitchParameter Sha1SignatureOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints using SHA-1 signatures.

public SwitchParameter NonSha1SignatureOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints not using SHA-1 signatures.

public SwitchParameter ExpiredOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with expired certificates.

public SwitchParameter NotExpiredOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with non-expired certificates.

public SwitchParameter NotYetValidOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with certificates that are not yet valid.

public SwitchParameter AlreadyValidOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with certificates that are already valid (not in future).

public SwitchParameter CurrentlyValidOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints currently within certificate validity window.

public SwitchParameter CurrentlyInvalidOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints currently outside certificate validity window.

public Nullable<Int32> DaysToExpireMin { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose days-to-expire is greater than or equal to this value.

public Nullable<Int32> DaysToExpireMax { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose days-to-expire is less than or equal to this value.

public Nullable<Int32> DaysUntilValidMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include endpoints whose days-until-valid is greater than or equal to this value.

public Nullable<Int32> DaysUntilValidMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(0, 2147483647)

Only include endpoints whose days-until-valid is less than or equal to this value.

public String AuthenticationProfileEquals { get; set; } #
Parameter(Mandatory = false)

Optional authentication profile exact-match filter (for example ServerAuthOnly, ClientAuthOnly, MixedOrCustom).

public SwitchParameter KnownCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with recognized public CAs as the leaf issuer.

public SwitchParameter UnknownCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints with unrecognized/private CAs as the leaf issuer.

public SwitchParameter KnownRootCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints chaining to recognized public root CAs.

public SwitchParameter UnknownRootCaOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints chaining to unrecognized/private root CAs.

public SwitchParameter ServerAuthOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificate allows server authentication EKU.

public SwitchParameter ClientAuthOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificate allows client authentication EKU.

public SwitchParameter SecureEmailOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints whose certificate allows secure-email EKU.

public SwitchParameter ReuseCrossServiceOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints where the same certificate is reused across more than one distinct service.

public SwitchParameter ReuseSingleServiceOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints where the same certificate is reused within a single distinct service.

public Nullable<Int32> ReuseDistinctServiceCountMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 2147483647)

Optional minimum certificate-reuse distinct-service-count filter (1 or greater).

public Nullable<Int32> ReuseDistinctServiceCountMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 2147483647)

Optional maximum certificate-reuse distinct-service-count filter (1 or greater).

public Nullable<Int32> ReuseDistinctPortCountMin { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 2147483647)

Optional minimum certificate-reuse distinct-port-count filter (1 or greater).

public Nullable<Int32> ReuseDistinctPortCountMax { get; set; } #
Parameter(Mandatory = false) ValidateRange(1, 2147483647)

Optional maximum certificate-reuse distinct-port-count filter (1 or greater).

public SwitchParameter ReuseCrossPortOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints where the same certificate is reused across more than one distinct port.

public SwitchParameter ReuseSinglePortOnly { get; set; } #
Parameter(Mandatory = false)

Only include endpoints where the same certificate is reused within a single distinct port.

{{ include "footer" }}