API Reference
CmdletGetCertificateInventoryRisk
Builds endpoint-level certificate risk posture from persisted inventory snapshots.
Inheritance
- PSCmdlet
- CmdletGetCertificateInventoryRisk
Examples
Assess risk posture for snapshots captured in the last 30 days
Get-DDCertificateInventoryRisk -SinceUtc (Get-Date).ToUniversalTime().AddDays(-30)
Include healthy endpoints and tune expiry thresholds
Get-DDCertificateInventoryRisk -IncludeHealthy -ExpiringWithinDays 45 -CriticalExpiringWithinDays 10
Return only high and critical endpoint rows
Get-DDCertificateInventoryRisk -MinimumSeverity High
Constructors
public CmdletGetCertificateInventoryRisk() #Methods
ProcessRecord() #Executes the cmdlet.
Inherited Methods
public PathInfo CurrentProviderLocation(String providerId) #PathInfoParameters
- providerId String
public override Boolean Equals(Object obj) #BooleanParameters
- obj Object
public Collection<String> GetResolvedProviderPathFromPSPath(String path, out ProviderInfo provider) #Collection<String>Parameters
- path String
- provider ProviderInfo
public override String GetResourceString(String baseName, String resourceId) #StringParameters
- baseName String
- resourceId String
public String GetUnresolvedProviderPathFromPSPath(String path) #StringParameters
- path String
public Object GetVariableValue(String name, Object defaultValue) #ObjectParameters
- name String
public Boolean ShouldContinue(String query, String caption) #BooleanParameters
- query String
- caption String
- hasSecurityImpact Boolean
- yesToAll Boolean
- noToAll Boolean
public Boolean ShouldProcess(String verboseDescription, String verboseWarning, String caption) #BooleanParameters
- verboseDescription String
- verboseWarning String
- caption String
- shouldProcessReason ShouldProcessReason
public Void ThrowTerminatingError(ErrorRecord errorRecord) #VoidParameters
- errorRecord ErrorRecord
public Void WriteCommandDetail(String text) #VoidParameters
- text String
public Void WriteError(ErrorRecord errorRecord) #VoidParameters
- errorRecord ErrorRecord
public Void WriteInformation(InformationRecord informationRecord) #VoidParameters
- messageData Object
- tags String[]
public Void WriteObject(Object sendToPipeline) #VoidParameters
- sendToPipeline Object
- enumerateCollection Boolean
public Void WriteProgress(ProgressRecord progressRecord) #VoidParameters
- progressRecord ProgressRecord
Properties
public String CacheDirectory { get; set; } #Parameter(Mandatory = false)Certificate monitor cache directory containing the inventory folder.
public Nullable<DateTime> SinceUtc { get; set; } #Parameter(Mandatory = false)Only include snapshots captured since this UTC date/time.
public SwitchParameter IncludeHealthy { get; set; } #Parameter(Mandatory = false)Include endpoints without detected risk findings.
public Int32 ExpiringWithinDays { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Warning threshold window in days for expiring certificates.
public Int32 CriticalExpiringWithinDays { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Critical threshold window in days for expiring certificates.
public Int32 MaxEndpoints { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Maximum endpoint rows returned.
public String MinimumSeverity { get; set; } #Parameter(Mandatory = false) ValidateSet(["None", "Low", "Medium", "High", "Critical"])Optional minimum severity filter (None means no additional score filter).
public Nullable<Int32> ScoreMin { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 100)Optional minimum endpoint risk score filter (0-100).
public Nullable<Int32> ScoreMax { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 100)Optional maximum endpoint risk score filter (0-100).
public Nullable<Int32> ReasonCountMin { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Optional minimum reason-count filter (0 or greater).
public Nullable<Int32> ReasonCountMax { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Optional maximum reason-count filter (0 or greater).
public Nullable<Int32> ReuseEndpointCountMin { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 2147483647)Optional minimum certificate-reuse endpoint-count filter (1 or greater).
public Nullable<Int32> ReuseEndpointCountMax { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 2147483647)Optional maximum certificate-reuse endpoint-count filter (1 or greater).
public String RiskProfile { get; set; } #Parameter(Mandatory = false) ValidateSet(["Renewal14d", "Renewal30d", "FutureNotYetValid", "Expired", "HighRiskActive"])Optional risk profile preset (Renewal14d, Renewal30d, FutureNotYetValid, Expired, HighRiskActive).
public String ReasonContains { get; set; } #Parameter(Mandatory = false)Optional case-insensitive reason substring filter (for example CertificateExpired, WeakKey, CtNotObserved).
public String[] ReasonAnyOf { get; set; } #Parameter(Mandatory = false)Optional exact reason filters where any value can match.
public String[] ReasonAllOf { get; set; } #Parameter(Mandatory = false)Optional exact reason filters where all values must match.
public String IssuerContains { get; set; } #Parameter(Mandatory = false)Optional case-insensitive issuer/root-issuer substring filter (for example DigiCert, Let's Encrypt, ISRG).
public String[] IssuerContainsAnyOf { get; set; } #Parameter(Mandatory = false)Optional case-insensitive issuer/root-issuer substring filters where any value can match.
public String[] IssuerContainsAllOf { get; set; } #Parameter(Mandatory = false)Optional case-insensitive issuer/root-issuer substring filters where all values must match.
public String RootIssuerContains { get; set; } #Parameter(Mandatory = false)Optional case-insensitive root-issuer substring filter.
public String[] RootIssuerContainsAnyOf { get; set; } #Parameter(Mandatory = false)Optional case-insensitive root-issuer substring filters where any value can match.
public String[] RootIssuerContainsAllOf { get; set; } #Parameter(Mandatory = false)Optional case-insensitive root-issuer substring filters where all values must match.
public String AuthorityFamilyEquals { get; set; } #Parameter(Mandatory = false)Optional leaf authority family exact-match filter (for example DigiCert, LetsEncrypt).
public String RootAuthorityFamilyEquals { get; set; } #Parameter(Mandatory = false)Optional root authority family exact-match filter (for example DigiCert, LetsEncrypt).
public String CtSourceContains { get; set; } #Parameter(Mandatory = false)Optional CT/discovery source substring filter (for example crt.sh, shodan, censys).
public String CtTemplateErrorContains { get; set; } #Parameter(Mandatory = false)Optional CT template/configuration error substring filter.
public String ChainSourceContains { get; set; } #Parameter(Mandatory = false)Optional chain-source substring filter (for example tls-handshake, aia-download).
public String ThumbprintEquals { get; set; } #Parameter(Mandatory = false)Optional leaf-certificate thumbprint exact-match filter (hex string expected).
public String RootThumbprintEquals { get; set; } #Parameter(Mandatory = false)Optional root-certificate thumbprint exact-match filter (hex string expected).
public String SerialNumberEquals { get; set; } #Parameter(Mandatory = false)Optional leaf-certificate serial-number exact-match filter (hex string expected).
public String HostContains { get; set; } #Parameter(Mandatory = false)Optional case-insensitive host substring filter.
public String ServiceEquals { get; set; } #Parameter(Mandatory = false)Optional case-insensitive service exact-match filter (for example HTTPS, HTTPS-Alt, Custom TLS).
public Nullable<Int32> PortEquals { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 65535)Optional endpoint port exact-match filter (1-65535).
public Nullable<Int32> ChainLengthMin { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Only include endpoints whose observed chain length is greater than or equal to this value.
public Nullable<Int32> ChainLengthMax { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Only include endpoints whose observed chain length is less than or equal to this value.
public Nullable<Int32> IntermediateCountMin { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Only include endpoints whose observed intermediate count is greater than or equal to this value.
public Nullable<Int32> IntermediateCountMax { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Only include endpoints whose observed intermediate count is less than or equal to this value.
public SwitchParameter CtObservedOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificates were observed in CT logs.
public SwitchParameter CtMissingOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificates were not observed in CT logs.
public SwitchParameter ChainCompleteOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with complete certificate chains.
public SwitchParameter ChainIncompleteOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with incomplete certificate chains.
public SwitchParameter ReachableOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints reachable on the scanned endpoint.
public SwitchParameter UnreachableOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints that were not reachable on the scanned endpoint.
public SwitchParameter HostnameMatchOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificate matches the requested hostname.
public SwitchParameter HostnameMismatchOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificate does not match the requested hostname.
public SwitchParameter SelfSignedOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints using self-signed certificates.
public SwitchParameter CaSignedOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints using CA-signed certificates.
public SwitchParameter WeakKeyOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with weak keys.
public SwitchParameter StrongKeyOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints without weak keys.
public SwitchParameter Sha1SignatureOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints using SHA-1 signatures.
public SwitchParameter NonSha1SignatureOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints not using SHA-1 signatures.
public SwitchParameter ExpiredOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with expired certificates.
public SwitchParameter NotExpiredOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with non-expired certificates.
public SwitchParameter NotYetValidOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with certificates that are not yet valid.
public SwitchParameter AlreadyValidOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with certificates that are already valid (not in future).
public SwitchParameter CurrentlyValidOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints currently within certificate validity window.
public SwitchParameter CurrentlyInvalidOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints currently outside certificate validity window.
public Nullable<Int32> DaysToExpireMin { get; set; } #Parameter(Mandatory = false)Only include endpoints whose days-to-expire is greater than or equal to this value.
public Nullable<Int32> DaysToExpireMax { get; set; } #Parameter(Mandatory = false)Only include endpoints whose days-to-expire is less than or equal to this value.
public Nullable<Int32> DaysUntilValidMin { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Only include endpoints whose days-until-valid is greater than or equal to this value.
public Nullable<Int32> DaysUntilValidMax { get; set; } #Parameter(Mandatory = false) ValidateRange(0, 2147483647)Only include endpoints whose days-until-valid is less than or equal to this value.
public String AuthenticationProfileEquals { get; set; } #Parameter(Mandatory = false)Optional authentication profile exact-match filter (for example ServerAuthOnly, ClientAuthOnly, MixedOrCustom).
public SwitchParameter KnownCaOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with recognized public CAs as the leaf issuer.
public SwitchParameter UnknownCaOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints with unrecognized/private CAs as the leaf issuer.
public SwitchParameter KnownRootCaOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints chaining to recognized public root CAs.
public SwitchParameter UnknownRootCaOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints chaining to unrecognized/private root CAs.
public SwitchParameter ServerAuthOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificate allows server authentication EKU.
public SwitchParameter ClientAuthOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificate allows client authentication EKU.
public SwitchParameter SecureEmailOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints whose certificate allows secure-email EKU.
public SwitchParameter ReuseCrossServiceOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints where the same certificate is reused across more than one distinct service.
public SwitchParameter ReuseSingleServiceOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints where the same certificate is reused within a single distinct service.
public Nullable<Int32> ReuseDistinctServiceCountMin { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 2147483647)Optional minimum certificate-reuse distinct-service-count filter (1 or greater).
public Nullable<Int32> ReuseDistinctServiceCountMax { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 2147483647)Optional maximum certificate-reuse distinct-service-count filter (1 or greater).
public Nullable<Int32> ReuseDistinctPortCountMin { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 2147483647)Optional minimum certificate-reuse distinct-port-count filter (1 or greater).
public Nullable<Int32> ReuseDistinctPortCountMax { get; set; } #Parameter(Mandatory = false) ValidateRange(1, 2147483647)Optional maximum certificate-reuse distinct-port-count filter (1 or greater).
public SwitchParameter ReuseCrossPortOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints where the same certificate is reused across more than one distinct port.
public SwitchParameter ReuseSinglePortOnly { get; set; } #Parameter(Mandatory = false)Only include endpoints where the same certificate is reused within a single distinct port.
Inherited Properties
public PSEventManager Events { get; } #public PSHost Host { get; } #public CommandInvocationIntrinsics InvokeCommand { get; } #public ProviderIntrinsics InvokeProvider { get; } #public JobManager JobManager { get; } #public JobRepository JobRepository { get; } #public InvocationInfo MyInvocation { get; } #public PagingParameters PagingParameters { get; } #public String ParameterSetName { get; } #public SessionState SessionState { get; } #public ICommandRuntime CommandRuntime { get; set; } #public Boolean Stopping { get; } #public CommandOrigin CommandOrigin { get; } #