Windows certificates reside in the certificate store, but finding a certificate by name or retrieving the details of a particular certificate can be cumbersome.
You can access the certificate store using MMC or the CertMgr.msc command. Certificates are stored for CurrentUser, ServiceAccount, and Local Computer. To access the certificate store from PowerShell, use the PSDrive named Cert, as shown below.
PS C:\> Get-PSDrive cert | ft -AutoSize

Name Used (GB) Free (GB) Provider    Root CurrentLocation
---- --------- --------- --------    ---- ---------------
Cert                     Certificate \
Let's say we want to retrieve the details of the certificates stored in the Root store of the local machine account. We can use the command below.
Example
Get-ChildItem Cert:\LocalMachine\Root\
Output
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Authority
BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thawte Ce
A43489159A520F0D93D032CCAF37E7FE20A8B419  CN=Microsoft Root Authority, OU=Microso
92B46C76E13054E104F230517E6E504D43AB10B5  CN=Symantec Enterprise Mobile Root for
8F43288AD272F3103B6FB1428485EA3014C0BCFE  CN=Microsoft Root Certificate Authority
7F88CD7223F3C813818C994614A89C99FA3B5247  CN=Microsoft Authenticode(tm) Root Auth

Alternatively, you can use the command below.
Get-Item Cert:\LocalMachine\Root\* | ft -AutoSize
The command below gets all certificates in the Root store whose Subject contains "Microsoft".
Get-ChildItem Cert:\LocalMachine\Root\ | where{$_.Subject -like "*Microsoft*"}
To find a specific certificate, you should know its friendly name. For example, to find the "DigiCert" certificate in the Root store:
Example
Get-ChildItem Cert:\LocalMachine\Root\ | where{$_.FriendlyName -eq 'DigiCert'}
Output
Thumbprint                                Subject
----------                                -------
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com,
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU=www.digicert.com

To search everything under LocalMachine, CurrentUser, or the Root store, use the -Recurse parameter.
Get-ChildItem Cert:\LocalMachine\ -Recurse | where{$_.FriendlyName -eq 'DigiCert'}
Once you have the thumbprint or friendly name, you can pipe the result to fl * to get the full details of the certificate.
Get-ChildItem Cert:\LocalMachine\root | where{$_.FriendlyName -eq 'DigiCert'} | fl *
For remote servers, we can use Invoke-Command. The example below gets the certificates from the remote servers.
Example
Invoke-Command -ComputerName Test1Comp, Test2Comp -Scriptblock{ Get-ChildItem Cert:\LocalMachine\root | where{$_.FriendlyName -eq 'DigiCert'}}
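The search and detail steps above can be combined into one reusable function. This is an added example, not code from the original article: the function name Get-CertificateSummary and its parameters are hypothetical. It matches on Subject rather than FriendlyName, because the friendly name is a store property that can be empty or changed locally, and it reports the thumbprint and validity dates for each match.

```powershell
# Added example: hypothetical helper, not part of the original article.
function Get-CertificateSummary {
    [CmdletBinding()]
    param(
        # Wildcard pattern matched against the certificate Subject.
        [string]$SubjectLike = '*',
        # Location or store on the Cert: drive; searched recursively.
        [string]$StorePath = 'Cert:\LocalMachine',
        # Certificates expiring within this many days are flagged.
        [int]$WarnDays = 30
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath -Recurse |
        # -Recurse also returns the store containers; keep certificates only.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.Subject -like $SubjectLike } |
        ForEach-Object {
            # Classify the validity window relative to the current time.
            $status = if ($_.NotAfter -lt $now) { 'Expired' }
                      elseif ($_.NotBefore -gt $now) { 'NotYetValid' }
                      elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
                      else { 'Valid' }

            [pscustomobject]@{
                # PSParentPath looks like "...\Certificate::LocalMachine\Root".
                Store         = ($_.PSParentPath -split '::')[-1]
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                FriendlyName  = $_.FriendlyName
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                # Subject equal to Issuer is typical of root certificates.
                SelfIssued    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                Status        = $status
            }
        }
}

# Usage: summarize the DigiCert certificates in the local machine Root store.
Get-CertificateSummary -SubjectLike '*DigiCert*' -StorePath 'Cert:\LocalMachine\Root' |
    Sort-Object NotAfter | Format-Table Store, Thumbprint, NotAfter, Status, Subject -AutoSize
```

Because the function emits objects, the same output can be piped to Export-Csv or compared between hosts by thumbprint.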
Updated on: 08-Feb-2021