The Certificate Checker tool (Certchecker) performs the following checks:
- Read PFX. Checks for a valid PFX file and the correct password, and warns if the public information is not protected by the password.
- Signature Algorithm. Checks that the signature algorithm is not SHA1.
- Private Key. Checks that the private key is present and is exported with the Local Machine attribute.
- Cert Chain. Checks that the certificate chain is intact, including for self-signed certificates.
- DNS Names. Checks that the SAN contains the relevant DNS names for each endpoint, or that a wildcard covering them is present.
- Key Usage. Checks that Key Usage contains Digital Signature and Key Encipherment, and that Enhanced Key Usage contains Server Authentication and Client Authentication.
- Key Size. Checks that the key size is 2048 bits or larger.
- Chain Order. Checks that the order of the other certificates making up the chain is correct.
- Other Certificates. Ensures that no certificates other than the relevant leaf certificate and its chain have been packaged in the PFX.
- No Profile. Checks that a new user can load the PFX data without a user profile loaded, mimicking the behavior of gMSA accounts during certificate servicing.
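To show what these checks amount to in practice, here is an added example (not the CertChecker script itself) that re-implements the Read PFX, Signature Algorithm, Private Key, Key Size, Key Usage, DNS Names, Cert Chain and Other Certificates checks with the .NET X509 classes available in Windows PowerShell 5.1; the Local Machine attribute, Chain Order and No Profile checks are not covered. The PFX path, password and expected DNS names are placeholder assumptions, and the SAN parsing assumes the Windows CryptoAPI formatting of the extension.

```powershell
# Added example (not the CertChecker script): re-implements the Signature Algorithm,
# Private Key, Key Size, Key Usage, DNS Names, Cert Chain and Other Certificates checks
# with the .NET X509 classes in Windows PowerShell 5.1. Path, password, DNS names are placeholders.
param(
    [string]$PfxPath = 'C:\certs\example.pfx',
    [string]$Password = 'ChangeMe',
    [string[]]$ExpectedDns = @('portal.contoso.example', 'api.contoso.example')
)
$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
# Read PFX: Import throws on a malformed file or a wrong password
$coll.Import($PfxPath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Private Key: the leaf is the certificate that carries the private key
$leaf = $coll | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'Private Key: no certificate in the PFX has a private key' }
$results = [ordered]@{}
# Signature Algorithm: reject SHA1-based signatures (FriendlyName looks like "sha1RSA")
$results['Signature Algorithm'] = $leaf.SignatureAlgorithm.FriendlyName -notmatch 'sha1'
# Key Size: RSA public key of at least 2048 bits
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
$results['Key Size'] = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
# Key Usage: Digital Signature and Key Encipherment must both be set
$ku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$needKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
$results['Key Usage'] = ($null -ne $ku) -and (($ku.KeyUsages -band $needKu) -eq $needKu)
# Enhanced Key Usage: Server Authentication (…7.3.1) and Client Authentication (…7.3.2) OIDs
$eku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
$results['Enhanced Key Usage'] = ('1.3.6.1.5.5.7.3.1' -in $ekuOids) -and ('1.3.6.1.5.5.7.3.2' -in $ekuOids)
# DNS Names: each expected name must appear in the SAN exactly or be covered by a
# single-label wildcard; Format() output parsed here is the Windows CryptoAPI form
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($san) { $sanNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }) }
$missing = @($ExpectedDns | Where-Object {
    $parent = ($_ -split '\.', 2)[1]
    -not (($sanNames -contains $_) -or ($sanNames -contains "*.$parent"))
})
$results['DNS Names'] = $missing.Count -eq 0
# Cert Chain: build from the certificates packaged in the PFX only, accepting a
# self-signed root that is not in the machine trust store; revocation is not checked here
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($coll)
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$results['Cert Chain'] = $chain.Build($leaf)
# Other Certificates: every certificate in the PFX must be part of the leaf's chain
$chainThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
$results['Other Certificates'] = @($coll | Where-Object { $chainThumbs -notcontains $_.Thumbprint }).Count -eq 0
$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
```

Run it as `.\Check-Pfx.ps1 -PfxPath <file> -Password <pw> -ExpectedDns a.example,b.example`; each check prints PASS or FAIL, and a failing Cert Chain result also leaves the reasons in `$chain.ChainStatus` for inspection.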
You can download the script here: