Validate Azure Stack PKI certificates

The Certificate Checker tool (Certchecker) for Azure Stack PKI certificates performs the following checks:

  • Read PFX. Checks for a valid PFX file and the correct password, and warns if the public information is not protected by the password.
  • Signature Algorithm. Checks that the signature algorithm is not SHA1.
  • Private Key. Checks that the private key is present and was exported with the Local Machine attribute.
  • Cert Chain. Checks that the certificate chain is intact, including for self-signed certificates.
  • DNS Names. Checks that the SAN contains the relevant DNS names for each endpoint, or that a wildcard covering them is present.
  • Key Usage. Checks that Key Usage contains Digital Signature and Key Encipherment, and that Enhanced Key Usage contains Server Authentication and Client Authentication.
  • Key Size. Checks that the key size is 2048 bits or larger.
  • Chain Order. Checks that the other certificates making up the chain are in the correct order.
  • Other Certificates. Ensures that no certificates other than the relevant leaf certificate and its chain have been packaged in the PFX.
  • No Profile. Checks that a new user can load the PFX data without a user profile loaded, mimicking the behavior of gMSA accounts during certificate servicing.
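Most of the checks above can be reproduced locally before the PFX is handed to the tool. The script below is an added example written for this page, not Microsoft's Certchecker and not part of the Azure Stack tooling: it loads the PFX with the .NET X509 classes and reports on the signature algorithm, private key, key size, Key Usage and Enhanced Key Usage, SAN coverage (including single-label wildcards), chain building using only the certificates carried in the PFX, and any certificates in the PFX that are not part of that chain. The parameter names, the default endpoint names and the output field names are assumptions chosen for illustration; the chain-order, password-protection-of-public-data and no-profile checks are not reproduced here.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example for this page, not Microsoft's Certchecker. Parameter names, the default
# endpoint names and the output fields are assumptions chosen for illustration.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    # Hypothetical endpoint names; replace with the region's real endpoint names.
    [string[]] $ExpectedDnsNames = @('portal.east.azurestack.local', 'adminportal.east.azurestack.local')
)

# A wildcard covers exactly one label: *.east.azurestack.local matches portal.east.azurestack.local
# but not a.b.east.azurestack.local.
function Test-NameCovered([string] $Name, [string[]] $SanNames) {
    foreach ($san in $SanNames) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and ($Name -like $san) -and
            ($Name.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

# Read PFX: import the whole collection so stray certificates are visible. MachineKeySet
# mirrors the Local Machine export attribute the tool expects (needs an elevated prompt).
$plainPassword = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
$storageFlags  = [X509KeyStorageFlags]::MachineKeySet -bor [X509KeyStorageFlags]::Exportable
$pfx = [X509Certificate2Collection]::new()
$pfx.Import($PfxPath, $plainPassword, $storageFlags)

# Private Key: the leaf is the certificate that carries the key; fall back to the first entry.
$leaf = @($pfx | Where-Object HasPrivateKey)[0]
if (-not $leaf) { $leaf = $pfx[0] }

# Key Size: RSA only (GetRSAPublicKey returns $null for ECDSA, which is reported as 0).
$rsa     = [RSACertificateExtensions]::GetRSAPublicKey($leaf)
$keySize = if ($rsa) { $rsa.KeySize } else { 0 }

# Key Usage and Enhanced Key Usage (Server Authentication = 1.3.6.1.5.5.7.3.1,
# Client Authentication = 1.3.6.1.5.5.7.3.2).
$ku  = $leaf.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }         | Select-Object -First 1
$eku = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
$kuOk = [bool]($ku -and $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature) -and
               $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment))
$ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object Value) } else { @() }
$ekuOk   = ('1.3.6.1.5.5.7.3.1' -in $ekuOids) -and ('1.3.6.1.5.5.7.3.2' -in $ekuOids)

# DNS Names: parse the SAN extension (OID 2.5.29.17). Format() emits "DNS Name=<host>" lines on
# English Windows; Windows PowerShell 5.1 has no typed SAN extension class, hence the regex.
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
$sanNames = @()
if ($san) {
    $sanNames = @([regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
}

# Cert Chain: build with the PFX's own certificates as the extra store. Revocation is skipped
# (offline) and an unknown root is allowed so private or self-signed CAs still produce a chain;
# a missing intermediate still fails because PartialChain is not waived.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.ExtraStore.AddRange($pfx)
$chainOk = $chain.Build($leaf)

# Other Certificates: anything in the PFX that is not part of the built chain is surplus, and
# any chain element not carried in the PFX was borrowed from the local certificate store.
$chainThumbprints = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
$pfxThumbprints   = @($pfx | ForEach-Object Thumbprint)
$extra            = @($pfx | Where-Object { $_.Thumbprint -notin $chainThumbprints } | ForEach-Object Subject)
$chainFromPfx     = @($chainThumbprints | Where-Object { $_ -notin $pfxThumbprints }).Count -eq 0

[pscustomobject]@{
    Subject            = $leaf.Subject
    SignatureAlgorithm = $leaf.SignatureAlgorithm.FriendlyName
    SignatureNotSha1   = $leaf.SignatureAlgorithm.FriendlyName -notmatch '^sha1'
    HasPrivateKey      = [bool]$leaf.HasPrivateKey
    KeySize            = $keySize
    KeySizeOk          = $keySize -ge 2048
    KeyUsageOk         = $kuOk
    EkuOk              = $ekuOk
    ChainBuilds        = $chainOk
    ChainStatus        = (@($chain.ChainStatus | ForEach-Object Status) -join ',')
    ChainFromPfxOnly   = $chainFromPfx
    MissingDnsNames    = @($ExpectedDnsNames | Where-Object { -not (Test-NameCovered $_ $sanNames) })
    ExtraCertificates  = $extra
}
```

Run it from an elevated Windows PowerShell prompt, for example `.\Test-AzsPfx.ps1 -PfxPath .\portal.pfx -PfxPassword (Read-Host -AsSecureString)`, and treat any `False` field, a non-empty `MissingDnsNames` or a non-empty `ExtraCertificates` as something to fix before running Certchecker. Two caveats: the SAN parsing depends on the English "DNS Name=" label that `Format()` produces, so adjust the pattern on localized systems; and `ChainFromPfxOnly` is the field that tells you the chain was actually packaged in the PFX rather than completed from certificates already installed on the machine you ran the script on.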

The tool and its documentation are available here:

https://docs.microsoft.com/en-us/azure/azure-stack/validate-pki-certs
