Get-Certificate

This advanced function allows you to query remote and local machines for their certificates and also report back which ones are expired or expiring.

Operating System
10/10/2015
  • Got an error for CurrentUser on my W10 box
    1 Posts | Last post October 16, 2016
    • Do you know how to solve following error?
      
      PS C:\Windows\system32> Get-Certificate -StoreName My -StoreLocation CurrentUser
      WARNING: DESKTOP-3QUQ3OS: Exception calling "Open" with "1" argument(s): "The parameter is incorrect.
      "
      LocalMachine, however, works fine as StoreLocation.
      Many thanks for your great script
  • Something missing
    1 Posts | Last post December 02, 2015
    • Hi Boe,
      
      Is this an update to Get-PKICertificates (03/23/2010)?  On your WordPress page, you have a Get-Certificate script that has parameters related to the expiration of certs, but this script does not have any filtering switches beyond naming the server, store, etc.
      
      Thanks,
      
      J
  • Run Command on Multiple servers with Output in TXT file
    1 Posts | Last post July 07, 2015
    • Hello Boe,
      
      Nice piece of work. We are trying to find expired certificates in our SCCM env. (Native Mode) and have around 250 servers.
      
      I have the command as shown below.
      
      Get-PKICertificates -computer 'SCCM-ME1' -StoreLocation LocalMachine -StoreName My -OpenFlag ReadOnly -ExpiresIn 20 | Format-Table Subject,NotBefore, @{Label="ExpiresIn";Expression={($_.NotAfter - (get-Date)).Days}} -auto
      
      How do I run it on multiple servers, with the output in a text file?
  • Play with output
    3 Posts | Last post June 23, 2015
    • My suggestion for output:
      "PKI" {
           # List all certificates in the store
           # ($c is the computer name and $ce the opened store from the surrounding script)
           Write-Verbose "Listing all certificates in store"
           $Headers = "ServerName","ThumbPrint","FriendlyName","Subject","ExpireDate"
           $Certificates = For ($Loop = 0; $Loop -lt ($ce.Certificates).Count; $Loop++) {
                [PSCustomObject] @{
                    $Headers[0] = $c
                    $Headers[1] = $ce.Certificates.ThumbPrint[$Loop]
                    $Headers[2] = $ce.Certificates.FriendlyName[$Loop]
                    $Headers[3] = $ce.Certificates.Subject[$Loop]
                    $Headers[4] = $ce.Certificates.NotAfter[$Loop]
                }
           }
           $Certificates
      }
      
      Similar approach for Expired and Expiring
      
      "Expired"
      ...
      $Certificates = For($Loop=0; $Loop -lt ($ce.Certificates).count;$Loop++) {
           If($ce.certificates.NotAfter[$Loop] -le (get-date)) {
      ...
      
      "Expiring"
      ...
      $deadline = (Get-Date).AddDays($ExpiresIn)
      $Certificates = For($Loop=0; $Loop -lt ($ce.Certificates).count;$Loop++) {
         If($ce.certificates.NotAfter[$Loop] -le ($deadline)) {
      ...
      
      Hope it helps.
      
      Regards
      
    • I like the output format of this suggestion however when I try to list expired or expiring certificates, I don't get any results returned.  I do get results returned when using original script.  I also get results if I just do the standard query without the -expired or -expiring switches.  Any suggestions?
    • Sorry - after some more testing, have just realised that I missed putting the $Certificates at the end of these queries :)
  • Server name?
    1 Posts | Last post September 15, 2014
    • How do I include the server name in the output table?
  • Results are empty?
    2 Posts | Last post July 01, 2014
    • Hi Boe.
      
      I'm trying to get your script to work.
      When I run this command in PS2 or 3 I'm not getting any results... or errors:
      
      PS C:\cert> .\Get-PKICertificates -computer 'servername' -StoreLocation LocalMachine -StoreName My -OpenFlag ReadOnly -ListExpired
      
      Happens on remote access and on the CA itself
      
      Best regards 
    • You need to dot source the script first in order to load the function:
      . .\Get-PKICertificates.ps1 <--- Note the space between the periods.
      
      Then you can run the function:
      Get-PKICertificates -computer 'servername' -StoreLocation LocalMachine -StoreName My -OpenFlag ReadOnly -ListExpired
      
  • Works only on 2008 and win7 based OS.
    4 Posts | Last post November 07, 2013
    • Boe, 
      
      I have tried this one, work well with 2008/win 7 boxes. Great way to use the X509Store .Net class .
      Now this doesn't work on Win 2003 or XP boxes. At first I was unable to get any return; I realized it was going to the catch block as it was returning the server name in yellow. (BTW, the $error[0] doesn't work as well.)
      Removed the try/catch error handling and found that it is getting an Access Denied message
      when it tries the Open method on the store:
      $store.Open <<<< ("ReadOnly")
      
      Any Suggestions to work around this problem for 2k3 based systems.
    • I've never had an issue with Win2K3 boxes and accessing the certificate stores. I've run this against a couple hundred Win2K3 systems without issue. Thanks for the heads up on using $error[0]. I've been using an alternate means of displaying the error instead of that way ("{0}" -f $_.Exception.Message). I will add this script to my list of things to update the code on.
    • Strangely, it doesn't work for me if I remotely target Win2K3 hosts. It fails (Access Denied) when it tries to open the store with the read-only parameter.
      I have executed it locally on the same 2K3 host and got success. Well, I am running as a domain admin, which should rule out any permission issue. The only other thing I can think of is that I am actually executing this with a different credential (run as) instead of the logged-in account. But that doesn't explain why it works for 2K8 systems.
    • OK, I did find the issue (it's been some time, sorry for such a late response).
      This was to do with an AD GPO which was causing this menace:
      a GPO which breaks Remote Registry access on servers by removing the permissions for "Local Service" from the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg".
      Thanks Boe, I had to work around this problem, and the script works well!
      All I had to do was create a "push script". What it does is, when it catches that Access Denied exception, it pushes a downscaled version to the server, executes it locally and captures the output in a file. It works!
  • Set-PKICertificates
    2 Posts | Last post September 23, 2013
    • Hi, cloned your script and made a Set-PKICertificates (published here on technet). Hope it's okay :)
    • Great stuff! It is absolutely Ok! I kept meaning to do a follow-up Set* function but was always sidetracked by something else. Just in case anyone, here is the link to the script. http://gallery.technet.microsoft.com/scriptcenter/Set-PKICertificates-831530db
  • Really Useful
    2 Posts | Last post August 09, 2013
    • Thanks Boe, this just helped me solve a problem at work.
    • Thanks, Jason! This is one of the scripts that I really need to update just so it matches my current coding style and add some better error handling, features, etc... But definitely glad that you found it useful!
  • How to Run Against Multiple Servers
    1 Posts | Last post May 08, 2013
    • How would I run this script to query multiple servers?
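A worked example, added here and not code from the page or its author, that combines what the threads above ask for: per-certificate objects carrying the server name, Expired/Expiring classification by comparing NotAfter against a deadline, and a loop over a list of servers with the result written to a text file. The function name, its parameters and the servers.txt input are assumptions.

```powershell
# Added example (not the Get-PKICertificates script from this page): enumerate
# certificates from one or more machines via the .NET X509Store class, tag each
# with the server name, and flag expired / expiring ones. Function, parameter
# names and servers.txt are assumptions.
function Get-CertificateReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$StoreName = 'My',
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation = 'LocalMachine',
        [int]$ExpiresIn = 30
    )
    $deadline = (Get-Date).AddDays($ExpiresIn)
    foreach ($Computer in $ComputerName) {
        # A remote store is addressed as \\server\StoreName and can only be the
        # LocalMachine store; asking for CurrentUser remotely fails with the
        # "parameter is incorrect" error reported in the comments above.
        $path = if ($Computer -eq $env:COMPUTERNAME) { $StoreName } else { "\\$Computer\$StoreName" }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $path, $StoreLocation
        try {
            # Remote access goes through the Remote Registry service; an Access Denied
            # here usually means permissions on the winreg key, as in the GPO case above.
            $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
            foreach ($cert in $store.Certificates) {
                $status = if ($cert.NotAfter -le (Get-Date)) { 'Expired' }
                          elseif ($cert.NotAfter -le $deadline) { 'Expiring' }
                          else { 'OK' }
                [PSCustomObject]@{
                    ServerName   = $Computer
                    Thumbprint   = $cert.Thumbprint
                    FriendlyName = $cert.FriendlyName
                    Subject      = $cert.Subject
                    NotAfter     = $cert.NotAfter
                    DaysLeft     = ($cert.NotAfter - (Get-Date)).Days
                    Status       = $status
                }
            }
        } catch {
            Write-Warning ('{0}: {1}' -f $Computer, $_.Exception.Message)
        } finally {
            $store.Close()
        }
    }
}

# Query every server listed in servers.txt and write the problem certificates to a text file
Get-CertificateReport -ComputerName (Get-Content .\servers.txt) -ExpiresIn 20 |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table ServerName, Subject, NotAfter, DaysLeft, Status -AutoSize | Out-File .\expiring-certs.txt
```

Replace Out-File with Export-Csv if the report needs to be filtered or sorted later; the objects keep their typed NotAfter values either way.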