How to get the Windows certificate details using PowerShell?


Windows certificates reside in the certificate store, but finding a certificate by name or retrieving the details of one particular certificate can sometimes be cumbersome.

You can open the certificate store with the MMC snap-in or with the CertMgr.msc command. Certificates are kept for CurrentUser, Service Accounts, and the Local Computer. From PowerShell, the certificate store is exposed as a PSDrive named Cert, as shown below.

PS C:\> Get-PSDrive cert | ft -AutoSize
Name Used (GB) Free (GB) Provider    Root CurrentLocation
---- --------- --------- --------    ---- ---------------
Cert                     Certificate \

Let's say we want to retrieve the details of the certificates stored in the Root store of the LocalMachine location; we can use the command below.

Example

Get-ChildItem Cert:\LocalMachine\Root\

Output

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint                               Subject
----------                               -------
CDD4EEAE6000AC7F40C3802C171E30148030C072 CN=Microsoft Root Certificate Authority
BE36A4562FB2EE05DBB3D32323ADF445084ED656 CN=Thawte Timestamping CA, OU=Thawte Ce
A43489159A520F0D93D032CCAF37E7FE20A8B419 CN=Microsoft Root Authority, OU=Microso
92B46C76E13054E104F230517E6E504D43AB10B5 CN=Symantec Enterprise Mobile Root for
8F43288AD272F3103B6FB1428485EA3014C0BCFE CN=Microsoft Root Certificate Authority
7F88CD7223F3C813818C994614A89C99FA3B5247 CN=Microsoft Authenticode(tm) Root Auth

Alternatively, you can use the command below, which lists the same store.

Get-Item Cert:\LocalMachine\Root\* | ft -AutoSize

The command below returns all certificates in the Root store whose subject contains "Microsoft".

Get-ChildItem Cert:\LocalMachine\Root\ | where{$_.Subject -like "*Microsoft*"}

To find a specific certificate, you need to know its friendly name. For example, to find the "DigiCert" certificates in the Root store:

Example

Get-ChildItem Cert:\LocalMachine\Root\ | where{$_.FriendlyName -eq 'DigiCert'}

Output

Thumbprint                                Subject
----------                                -------
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com,
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU=www.digicert.com

To search every store under a location such as LocalMachine or CurrentUser at once, rather than a single store such as Root, use the -Recurse parameter.

Get-ChildItem Cert:\LocalMachine\ -Recurse | where{$_.FriendlyName -eq 'DigiCert'}

Once you have the thumbprint or friendly name, pipe the certificate to Format-List * (fl *) to see all of its properties.

Get-ChildItem Cert:\LocalMachine\root | where{$_.FriendlyName -eq 'DigiCert'} | fl *
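The properties shown by fl * are the ones you normally want to audit: expiry date, key size, signature algorithm, whether the private key is present, and the extended key usages. The function below, an added example that is not part of the original article, turns those properties into a report for a whole store. The store path defaults to Cert:\LocalMachine\My, and the 30-day expiry warning threshold is an arbitrary choice for this example.

```powershell
# Added example (not from the original article): report the security-relevant
# details of every certificate in a store. Assumes the store path exists;
# the 30-day threshold is an arbitrary choice for illustration.
function Get-CertificateReport {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$ExpiryWarningDays = 30
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Key size is not available for every key type (e.g. some ECDSA keys
        # throw on .PublicKey.Key), so fall back to $null instead of failing.
        $keySize = $null
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { }

        # Extended Key Usage names, e.g. "Server Authentication"; the
        # EnhancedKeyUsageList property is added by the Cert: provider.
        $eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            FriendlyName       = $cert.FriendlyName
            NotAfter           = $cert.NotAfter
            DaysUntilExpiry    = [int]($cert.NotAfter - $now).TotalDays
            ExpiringSoon       = $cert.NotAfter -lt $now.AddDays($ExpiryWarningDays)
            HasPrivateKey      = $cert.HasPrivateKey
            KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
            KeySize            = $keySize
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
            EnhancedKeyUsage   = $eku
        }
    }
}

# Usage: full table for the store, then only the certificates that need attention
# (expiring soon, or still signed with SHA-1).
Get-CertificateReport |
    Format-Table Thumbprint, Subject, NotAfter, ExpiringSoon, SignatureAlgorithm -AutoSize

Get-CertificateReport |
    Where-Object { $_.ExpiringSoon -or $_.SignatureAlgorithm -like 'sha1*' } |
    Format-List *
```

Because the function emits objects rather than formatted text, the same output can be piped to Export-Csv or Where-Object for further filtering, for example to check only certificates that have a private key.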

For remote servers, use Invoke-Command. The example below retrieves the matching certificates from each of the listed servers.

Example

Invoke-Command -ComputerName Test1Comp, Test2Comp -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\root | where{$_.FriendlyName -eq 'DigiCert'}
}
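A common reason to query the Root store of several servers is to confirm that no unexpected root CA has been trusted on any of them. The script below, an added example that is not part of the original article, collects the Root store from each server with Invoke-Command and reports every root certificate whose thumbprint is not in a known-good baseline. The server names are the hypothetical ones used above, and the baseline list is a placeholder built from the thumbprints shown earlier on this page; in practice you would export the full list from a trusted reference host.

```powershell
# Added example (not from the original article): compare the Root store of
# several servers against a baseline of known-good thumbprints.
# Server names are hypothetical; the baseline is a placeholder and should be
# generated from a trusted reference host before use.
function Compare-RootStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [Parameter(Mandatory)] [string[]]$BaselineThumbprint
    )

    # Select the properties on the remote side: the objects come back
    # deserialized, and only thumbprint, subject and expiry are needed here.
    $remoteRoots = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\Root |
            Select-Object Thumbprint, Subject, NotAfter
    }

    # PSComputerName is attached to each object by Invoke-Command, so the
    # report shows which server holds the unexpected root.
    $remoteRoots |
        Where-Object { $BaselineThumbprint -notcontains $_.Thumbprint } |
        Sort-Object PSComputerName, Subject |
        Select-Object PSComputerName, Thumbprint, Subject, NotAfter
}

# Placeholder baseline: two thumbprints taken from the output shown earlier
# in this article. Replace with the complete list from a reference host.
$baseline = @(
    'CDD4EEAE6000AC7F40C3802C171E30148030C072'
    'A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436'
)

# Usage: every root CA on Test1Comp or Test2Comp that is not in the baseline.
Compare-RootStore -ComputerName 'Test1Comp', 'Test2Comp' -BaselineThumbprint $baseline |
    Format-Table -AutoSize
```

Comparing thumbprints rather than subject names matters because two different certificates can carry the same subject; the thumbprint is the SHA-1 hash of the whole certificate, so it identifies exactly one of them.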

Updated on: 08-Feb-2021
