Test MsIdCBATrustStoreConfiguration
Github Action edited this page Nov 30, 2023
Reference
Module: MSIdentityTools
Test & report for common mis-configuration issues with the Entra ID Certificate Trust Store
Test-MsIdCBATrustStoreConfiguration
The following is a list of checks performed by this cmdlet.
- CertificateRevocationListUrl Format Validation Test: Checks for a correctly formatted CRL Distribution Point (CDP) URL
- Certificate Time Validity Test: Checks that the CA certificate being evaluated is time valid
- CRL Download and Latency Test: Checks that the Certificate Revocation List (CRL) can be downloaded from the configured CRL Distribution Point and that the download completes in less than 12 seconds
- CRL Size Test: Checks that the CRL is less than 44 MB
- Certificate Trust Chain Test: Checks that any certificate that is not marked as a root has its issuer also present in the certificate store.
- CRL Authority Test: Checks that the CRL downloaded from the configured CDP lists the CA certificate being evaluated as its authority (issuer).
- CRL Time Validity Test: Checks that the CRL being evaluated is time valid
- Additional CRL Information: These include properties of the tested CRL, including thisUpdate (issued), nextPublish, nextUpdate (expiry) and the amount of time remaining until expiry
This PowerShell cmdlet requires the Windows command-line utility Certutil, so it can only be run from a Windows device.
Since the CRL Distribution Point (CDP) needs to be reachable by Entra ID, it is best to run this cmdlet from an internet-connected Windows device outside the corporate network, so that the test reflects what Entra ID itself can reach.
Test-MsIdCBATrustStoreConfiguration
None
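To show what the CDP URL format, CRL download latency, CRL size and CRL time-validity checks above amount to, here is an added example function (not code from MSIdentityTools) that runs those four checks against a single CDP URL with the thresholds stated on this page. It assumes a Windows host with certutil.exe and outbound internet access, English certutil output, and that certutil prints dates in the current culture; the CRL URL shown is a placeholder.

```powershell
# Added example, not part of MSIdentityTools: four of the page's checks for one CRL URL.
function Test-CrlEndpoint {
    param(
        [Parameter(Mandatory)] [string] $CrlUrl,   # CDP URL taken from the CA certificate
        [int]  $MaxDownloadSeconds = 12,           # page: download must finish in under 12 s
        [long] $MaxSizeBytes = 44MB                # page: CRL must be smaller than 44 MB
    )
    $r = [ordered]@{ Url = $CrlUrl; UrlFormatOk = $false; DownloadOk = $false }

    # Check 1: the CDP must be an absolute http(s) URL (ldap:// or file paths are unusable by Entra ID)
    $uri = $null
    if ([Uri]::TryCreate($CrlUrl, [UriKind]::Absolute, [ref]$uri) -and ($uri.Scheme -in @('http', 'https'))) {
        $r.UrlFormatOk = $true
    } else { return [pscustomobject]$r }

    # Check 2: download the CRL and measure how long it takes
    $tmp = Join-Path $env:TEMP ("crl-{0}.crl" -f [guid]::NewGuid())
    $sw  = [Diagnostics.Stopwatch]::StartNew()
    try {
        Invoke-WebRequest -Uri $uri -OutFile $tmp -UseBasicParsing -TimeoutSec (2 * $MaxDownloadSeconds)
        $sw.Stop()
        $r.DownloadOk      = $true
        $r.DownloadSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        $r.LatencyOk       = $sw.Elapsed.TotalSeconds -lt $MaxDownloadSeconds
    } catch { $r.Error = $_.Exception.Message; return [pscustomobject]$r }

    # Check 3: size against the 44 MB limit
    $r.SizeBytes = (Get-Item $tmp).Length
    $r.SizeOk    = $r.SizeBytes -lt $MaxSizeBytes

    # Check 4: ThisUpdate/NextUpdate from certutil's CRL dump; the CRL is only valid between them
    $dump = certutil.exe -dump $tmp | Out-String
    $this = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
    $next = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    $now  = Get-Date
    $r.ThisUpdate = [datetime]::Parse($this)           # current-culture parse, matching certutil's output
    $r.TimeValid  = $now -ge $r.ThisUpdate
    if ($next) {                                       # NextUpdate is optional in a CRL
        $r.NextUpdate    = [datetime]::Parse($next)
        $r.TimeRemaining = $r.NextUpdate - $now
        $r.TimeValid     = $r.TimeValid -and ($now -lt $r.NextUpdate)
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    [pscustomobject]$r
}

# Usage: pass the CDP URL from the CA certificate you are evaluating (placeholder URL shown)
Test-CrlEndpoint -CrlUrl 'http://crl.example.com/ca.crl' | Format-List
```

Any property that reads False points at the same misconfiguration the corresponding cmdlet check reports; the remaining checks (trust chain and CRL authority) need the full certificate store and are left to the cmdlet itself.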