Get Installed Certificates from a remote computer using alternate credentials in PowerShell

Managing certificates is painful. It’s kind of like brushing your teeth: if you ignore it, bad things happen. Sure, I’d rather deal with an expired certificate than a painful abscessed rotting tooth, but no business wants to deal with the impact of an expired certificate on critical services. Hmm, for some reason I have lost my appetite!

Again, with good housekeeping, Windows will alert you when certificates are about to expire, which is awesome. However, the way it tells you this is far from awesome. Trawling through event logs, you might get an incredibly informative alert as follows:

Now I don’t know about you, but I remember the hexadecimal thumbprints for all the certificates at my workplace. Surely you do as well? It’s part of the job description, right?? No?? OK, let’s suppose you are some kind of savant and you know exactly what that certificate is. Well, the next statement, “it’s about to expire or already expired”, pfft, details, right?? It doesn’t make that much of a difference…. Actually, it’s a massive difference. So in summary, nice one Microsoft!

Options for checking certificate details

When it comes to checking your certificate details you have a couple of options available to you

  1. Do it manually with mmc and the certificates snap-in…. Really? Sure, this will work, but if you want to do that why are you reading my blog?
  2. Script it. Now you are talking, read on 🙂

When it comes to scripting (with PowerShell, of course), like most things with scripts there’s more than one way to skin a cat (I wonder where that phrase came from?? Quick Google… well, that’s gruesome, I won’t share). Anyway, here are some scripting options.

Using PSDrive to check certificates

The PSDrive “Cert” is great: you can easily browse your certificates and get more info than just the thumbprint (such as the expiry date). Here is a quick example:

The drawback to this approach is that it is harder to use remotely. If PowerShell Remoting is enabled, then awesome: wrap it in an Invoke-Command ScriptBlock and Baza’s your uncle, Shaz is your aunt (that’s my Aussie take on that saying), you are done.

Use an existing script

There is an existing script in the MS Script Center gallery here:

https://gallery.technet.microsoft.com/scriptcenter/a2a500e5-1dd2-4898-9721-ed677399679c#content

This is good: it lets you query a remote computer for certificate details, so it ticks that box. However, you cannot specify alternate credentials. It’s funny how often this is a requirement for me!

I also found some methods using COM objects that were ported from original VBScripts; I’d suggest keeping clear of that confusing mess!

My way

Right, so 500 words later, I’m actually writing something of use! The approach I’ve taken is a little different but it ticks all the boxes for me. In my research I’ve found a couple of things:

  1. Local Machine certificates are stored in the registry under HKLM\SOFTWARE\Microsoft\SystemCertificates.
  2. They are stored as a ByteArray.
  3. This ByteArray contains the raw certificate data, which we can turn into an X509Certificate.
  4. Since it’s stored in the registry, I can specify alternate credentials as per my earlier blog post (the person who wrote that is a legend).
  5. I need to tidy my desk.

So, using what I’ve learned, I put together the below script to assist with getting certificate details from a remote computer with alternate credentials. Win! Enjoy..
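The post’s own script is not reproduced on this page. As an added example that is not the author’s code, the function below works through the same steps: it enumerates HKLM\SOFTWARE\Microsoft\SystemCertificates on a remote machine, reads each certificate Blob and turns it into an X509Certificate2. It assumes the WMI StdRegProv class (which accepts -Credential) as the remote-registry mechanism, Windows PowerShell (Get-WmiObject does not exist in PowerShell 7), the Personal, Root and CA stores as defaults, and SERVER01 as a placeholder computer name.

```powershell
function Get-RemoteCertificate {
    # Reads Local Machine certificates from a remote computer's registry via WMI StdRegProv
    # (assumed mechanism; it accepts alternate credentials) and parses each Blob as X509Certificate2.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,   # alternate credentials; remote hosts only
        [string[]]$Store = @('My', 'Root', 'CA')           # store key names under SystemCertificates
    )
    $HKLM = [uint32]2147483650                             # HKEY_LOCAL_MACHINE as StdRegProv expects it
    $base = 'SOFTWARE\Microsoft\SystemCertificates'
    # One DCOM connection carrying the alternate credentials, reused for every registry call
    $reg = Get-WmiObject -List -Class StdRegProv -Namespace root\default `
                         -ComputerName $ComputerName -Credential $Credential
    foreach ($s in $Store) {
        $path = "$base\$s\Certificates"
        $keys = $reg.EnumKey($HKLM, $path)
        if ($keys.ReturnValue -ne 0 -or -not $keys.sNames) { continue }   # store absent or empty
        foreach ($thumb in $keys.sNames) {
            # Each subkey is named after the SHA-1 thumbprint and holds the certificate in 'Blob'
            $blob = $reg.GetBinaryValue($HKLM, "$path\$thumb", 'Blob')
            if ($blob.ReturnValue -ne 0) { continue }
            # The blob is a serialized certificate (store properties + DER); .NET parses it directly
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                               -ArgumentList (,[byte[]]($blob.uValue))
            $now = Get-Date
            [pscustomobject]@{
                ComputerName = $ComputerName
                Store        = $s
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                DaysLeft     = [int]($cert.NotAfter - $now).TotalDays
                Expired      = $cert.NotAfter -lt $now
            }
        }
    }
}

# Usage: list certificates on SERVER01 (placeholder) that expire within 30 days, soonest first
$cred = Get-Credential
Get-RemoteCertificate -ComputerName 'SERVER01' -Credential $cred |
    Where-Object { $_.DaysLeft -le 30 } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, Thumbprint, NotAfter, DaysLeft -AutoSize
```

The Thumbprint column lets you match the hex value from the event log alert to a readable Subject and expiry date.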

And here is an example of it in action!