Test-MsIdCBATrustStoreConfiguration

SYNOPSIS

Test and report on common misconfiguration issues with the Entra ID Certificate Trust Store

SYNTAX

Test-MsIdCBATrustStoreConfiguration

DESCRIPTION

The following is a list of checks performed by this cmdlet.

  • CertificateRevocationListUrl Format Validation Test: Checks that the CRL Distribution Point (CDP) URL is correctly formatted
  • Certificate Time Validity Test: Checks that the CA certificate being evaluated is within its validity period
  • CRL Download and Latency Test: Checks that the Certificate Revocation List (CRL) can be downloaded from the configured CDP URL and that the download completes in less than 12 seconds
  • CRL Size Test: Checks that the CRL is smaller than 44 MB
  • Certificate Trust Chain Test: Checks that any certificate not marked as a root has its issuer also present in the certificate store
  • CRL Authority Test: Checks that the CRL downloaded from the configured CDP names the CA certificate being evaluated as its issuing authority
  • CRL Time Validity Test: Checks that the CRL being evaluated is within its validity period (between thisUpdate and nextUpdate)
  • Additional CRL Information: Reports properties of the tested CRL, including thisUpdate (Issued), nextPublish, nextUpdate (Expiry) and the amount of validity time remaining

This PowerShell cmdlet requires the Windows command-line utility certutil, so it can only be run from a Windows device.

Because the CRL Distribution Point (CDP) must be reachable by Entra ID over the internet, it is best to run this cmdlet from an internet-connected Windows device outside the corporate network, so that the download test follows the same path Entra ID itself uses rather than an internal route that only works from inside the network.

EXAMPLES

EXAMPLE 1

Test-MsIdCBATrustStoreConfiguration

Run tests against the current tenant's Certificate Trust Store
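The cmdlet takes no parameters and evaluates every CA in the tenant's trust store. To show what the individual checks amount to in practice, here is an added stand-alone illustration (not the cmdlet's own code, which ships in the MSIdentityTools module): the function below takes one CDP URL and one exported CA certificate file and applies the URL-format, certificate time-validity, download-latency, size, CRL-authority and CRL time-validity checks described above, using Invoke-WebRequest for the download and certutil -dump for the CRL fields, exactly as the cmdlet relies on certutil. The Certificate Trust Chain Test is not reproduced because it needs the whole trust store rather than a single certificate. The function name Test-CdpCrl, its parameter names, the placeholder URL and certificate path, and the regular expressions used to read certutil's text output are assumptions of this example; the 12-second and 44 MB limits are the ones stated in the description.

```powershell
# Added example, not the MSIdentityTools module's code. Runs a subset of the
# Test-MsIdCBATrustStoreConfiguration checks against ONE CDP URL and ONE CA
# certificate. Windows only, because it shells out to certutil.exe.
function Test-CdpCrl {
    param(
        [Parameter(Mandatory)] [string] $CrlUrl,       # CDP URL configured in the trust store
        [Parameter(Mandatory)] [string] $CaCertPath,   # exported (DER or Base64) CA certificate
        [int] $MaxLatencySeconds = 12,                 # limit stated in the cmdlet description
        [int] $MaxSizeMB = 44                          # limit stated in the cmdlet description
    )
    $r   = [ordered]@{ CrlUrl = $CrlUrl }
    $now = [DateTime]::UtcNow

    # Check 1: the CDP must be an absolute http(s) URL, since Entra ID fetches it anonymously.
    $uri = $null
    $r.CrlUrlFormatOk = [Uri]::TryCreate($CrlUrl, [UriKind]::Absolute, [ref] $uri) -and
                        ($uri.Scheme -in 'http', 'https')

    # Check 2: the CA certificate being evaluated must be inside its validity period.
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
    $r.CaSubject   = $ca.Subject
    $r.CaTimeValid = ($ca.NotBefore.ToUniversalTime() -le $now) -and
                     ($now -le $ca.NotAfter.ToUniversalTime())

    # Check 3: download the CRL, measuring latency and size against the limits.
    $crlFile = Join-Path ([IO.Path]::GetTempPath()) ('cdp-check-' + [Guid]::NewGuid() + '.crl')
    $sw = [Diagnostics.Stopwatch]::StartNew()
    try {
        Invoke-WebRequest -Uri $CrlUrl -OutFile $crlFile -UseBasicParsing `
                          -TimeoutSec $MaxLatencySeconds -ErrorAction Stop
        $sw.Stop()
        $r.CrlDownloaded = $true
        $r.CrlLatencySec = [Math]::Round($sw.Elapsed.TotalSeconds, 2)
        $r.CrlLatencyOk  = $r.CrlLatencySec -le $MaxLatencySeconds
        $r.CrlSizeMB     = [Math]::Round((Get-Item $crlFile).Length / 1MB, 2)
        $r.CrlSizeOk     = $r.CrlSizeMB -lt $MaxSizeMB
    } catch {
        $sw.Stop()
        $r.CrlDownloaded = $false
        $r.CrlError      = $_.Exception.Message
        return [PSCustomObject] $r     # nothing further can be checked without the CRL
    }

    # Checks 4 and 5 read the issuer and ThisUpdate/NextUpdate from certutil's text dump.
    # The field names below are an assumption about certutil's output format.
    $dump = (& certutil.exe -dump $crlFile 2>&1) | Out-String
    Remove-Item $crlFile -ErrorAction SilentlyContinue

    # Check 4 (authority): the CA's Subject Key Identifier should appear as the CRL's
    # Authority KeyID; if the CRL carries no AKI, fall back to matching the CA's common name.
    $ski = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } |
           ForEach-Object { $_.SubjectKeyIdentifier }
    if ($ski -and $dump -match 'KeyID=([0-9a-fA-F ]+)') {
        $r.CrlAuthorityOk = (($Matches[1] -replace '[^0-9a-fA-F]', '').ToLower() -eq $ski.ToLower())
    } else {
        $r.CrlAuthorityOk = [bool]($dump -match [regex]::Escape($ca.GetNameInfo('SimpleName', $false)))
    }

    # Check 5 (CRL validity): certutil prints the timestamps in the local culture, so parse
    # them that way and compare against local time.
    $this = [DateTime]::MinValue; $next = [DateTime]::MinValue
    $haveThis = ($dump -match 'ThisUpdate:\s*(.+)') -and [DateTime]::TryParse($Matches[1].Trim(), [ref] $this)
    $haveNext = ($dump -match 'NextUpdate:\s*(.+)') -and [DateTime]::TryParse($Matches[1].Trim(), [ref] $next)
    if ($haveThis -and $haveNext) {
        $local = $now.ToLocalTime()
        $r.CrlThisUpdate     = $this
        $r.CrlNextUpdate     = $next
        $r.CrlTimeValid      = ($this -le $local) -and ($local -le $next)
        $r.CrlTimeRemaining  = $next - $local
    }
    return [PSCustomObject] $r
}

# Usage: placeholder values, replace with a real CDP URL and an exported CA certificate.
Test-CdpCrl -CrlUrl 'http://crl.example.com/ContosoRootCA.crl' `
            -CaCertPath 'C:\Temp\ContosoRootCA.cer' | Format-List
```

Run it from an internet-connected machine outside the corporate network for the same reason the description gives for the cmdlet: a CDP that resolves only through an internal proxy or split-horizon DNS passes every check from inside and still leaves Entra ID unable to fetch the CRL. A CrlTimeRemaining value that is small relative to the CA's publishing interval is worth alerting on, since certificate-based authentication fails once the CRL expires and no fresh one is reachable.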

PARAMETERS

INPUTS

None

OUTPUTS

NOTES

https://aka.ms/aadcba