Using PowerShell to retrieve CAC Information

In this article, we will cover Using PowerShell to retrieve CAC Information

So today, we have a very niche PowerShell tutorial.  If you’re part of DOD or Army IT, you’ll probably recognize this as the scripting component of the FASCN project. For everyone else, I hope there’s something here you can use.

Scenario

Users have received new smart cards that contain the fourth certificate to be used for Domain authentication. These certificates have a value, that while based on the EDIPI contained in existing certificates, is expanded and will only be used for this one purpose.   Several forests full of domains full of users now have UserPrincipalName (UPN) values that must be updated to take advantage of the new certificate.

Solution

PowerShell. Thanks for coming out, everyone. Have a nice night…

Actually, this is a very straightforward script if all you care about is “lines of code.”  Right now, we only wish to collect the FASCN value from each user upon login, so we need something that can run as a scheduled task in the user’s context. We also want to make sure that we don’t get the wrong values. For example, if two smart cards are inserted into a computer (e.g. maybe a technician has logged into a user’s PC to install software), we don’t want the certificate information from the technician’s card to update the account information of the user who was originally logged in.

The Code

• To start the script, we want to isolate the current user’s UPN, which should be their EDIPI number if you’re rocking that DoD life.  I don’t want to require the ActiveDirectory module on each user’s computer, so we’re going to get it locally with whoami /upn instead. A little bit of string manipulation later, and the @mil is gone, leaving just the number.
• Next, we have to isolate the certificates from the CAC.  The certificate containing the FASCN is referred to as the Authentication certificate, so we look for that in the FriendlyName value. However, we want to make sure we get a certificate that matches the right user, so we’re also going to make sure the EDIPI value exists in the Subject value. Lastly, we don’t want any expired or cached certificates getting in our way, and checking for the HasPrivateKey value guarantees that the certificate belongs to a CAC that is currently inserted in the reader.
• We also want to get the user’s email address for this project, so we’re going to check the same values again, except against the Signature certificate. Variables corresponding to both the Signature and Authentication certificates are saved so we can do more work.
• Both the FASCN and the email address are values saved in their certificates’ Subject Alternative Name values. Unfortunately, the raw data for these values is hideous, so we need a couple of COMobjects to decode them. You can’t use the same one to decode both values, so I create two.  While I’m at it, I save the raw data to some Strings so it’s easier to get.

• Once you’ve used the COMObjects to decode the raw data. We want to get the strValue values from each of them. There may be some null entries hanging around. So just throw a quick FOR loop in there to only get the entries you want.
• Now that you have the FASCN and Email values from the certificate. You can output them to a CSV file, write them to a text file. Then write back to Active Directory, or maybe send it to a printer. So you can wallpaper your bodega with useless information.

Now that you have an outline, here is the code that does all the work:

$myEDIPI = (whoami /upn).replace('@mil','')
$comOBJS = @()
$PIVCERT = gci Cert:\CurrentUser\My | ? {$_.Subject -like "*$($myEDIPI)*" -and $_.FriendlyName -like "Authentication -*" -and $_.HasPrivateKey -eq $true}     	 
$EMAILCERT = gci Cert:\CurrentUser\My | ? {$_.Subject -like "*$($myEDIPI)*" -and $_.FriendlyName -like "Signature -*" -and $_.HasPrivateKey -eq $true}     	 
$Extensions=$pivcert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Subject Alternative Name"}       	 
$EmailAddress=$EMAILCERT.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Subject Alternative Name"}
$comOBJS += new-object -ComObject X509Enrollment.CX509ExtensionAlternativeNames       	 
$comOBJS += new-object -ComObject X509Enrollment.CX509ExtensionAlternativeNames       	 
$FASCNString=[System.Convert]::ToBase64String($Extensions.RawData)       	 
$emailString=[System.Convert]::ToBase64String($EmailAddress.RawData)
$comObjs[0].InitializeDecode(1, $FASCNString)       	 
$FASCN = ($comOBJS[0].AlternativeNames | ?{$_.StrValue -like "*$($myEDIPI)*"}  ).strvalue
$comOBJS[1].InitializeDecode(1, $emailString)
$email = ($comOBJS[1].AlternativeNames | ?{$_.StrValue -like "*@mail.mil"}).strvalue
write-host "FASCN discovered: " $FASCN
write-host "Email discovered: " $email

Read more Using PowerShell to retrieve CAC Information