Skip to main content

PowerShell function to retrieve a list of SSL/TLS certificates installed on the system (Windows only).

function Get-Certificate
{
    <#
    .SYNOPSIS
        Retrieves certificates from a local or remote system.

    .DESCRIPTION
        Retrieves certificates from a local or remote system. Also includes the
        time until expiration and allows for filtering of certificates and includes
        archived certificates.

    .PARAMETER Computername
        A single or list of computernames to perform search against.

    .PARAMETER StoreName
        The name of the certificate store name that you want to search.

    .PARAMETER StoreLocation
        The location of the certificate store.

    .PARAMETER IncludeArchive
        Includes certificates that have been archived.

    .PARAMETER Issuer
        Filter by certificate issuer.

    .PARAMETER Subject
        Filter by certificate subject.

    .PARAMETER Thumbprint
        Filter by certificate thumbprint.

    .EXAMPLE
        PS > Get-Certificate -Computername 'boe-pc' -StoreLocation LocalMachine -StoreName My

        Thumbprint                                 Subject
        ----------                                 -------
        F29B6CB248E3395B2EB45FCA6EA15005F64F2B4E   CN=SomeCert
        B93BA840652FB8273CCB1ABD804B2A035AA39877   CN=YetAnotherCert
        B1FF5E183E5C4F03559E80B49C2546BBB14CCB18   CN=BOE
        65F5A012F0FE3DF8AC6B5D6E07817F05D2DF5104   CN=SomeOtherCert
        63BD74490E182A341405B033DFE6768E00ECF21B   CN=www.example.com

        Lists all certificates

    .EXAMPLE
        PS > Get-Certificate -Computername 'boe-pc' -StoreLocation LocalMachine -StoreName My -Subject '*Boe*'

        Thumbprint                                 Subject
        ----------                                 -------
        B1FF5E183E5C4F03559E80B49C2546BBB14CCB18   CN=BOE

        Lists certificates that contain the subject 'Boe'

    .LINK
        https://github.com/proxb/PowerShell_Scripts/blob/master/Get-Certificate.ps1

    .NOTES
        Name: Get-Certificate
        Author: Boe Prox
        Version History:
            1.3 //Boe Prox
                -Added parameters for filtering
                -Removed parametersetnames
                -Fixed computername output in verbose streams
            1.0 //Boe Prox
                -Initial Version
    #>
    [CmdletBinding()]
    param (
        [Parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
        [Alias('PSComputername', '__Server', 'IPAddress', 'Server')]
        [string[]]
        $ComputerName = $env:COMPUTERNAME,

        [Parameter()]
        [System.Security.Cryptography.X509Certificates.StoreLocation]
        $StoreLocation = 'LocalMachine',

        [Parameter()]
        [System.Security.Cryptography.X509Certificates.StoreName]
        $StoreName = 'My',

        [Parameter()]
        [switch]
        $IncludeArchive,

        [Parameter()]
        [string]
        $Issuer,

        [Parameter()]
        [string]
        $Subject,

        [Parameter()]
        [string]
        $Thumbprint
    )
    begin
    {
        $whereList = New-Object System.Collections.ArrayList

        if ($PSBoundParameters.ContainsKey('Issuer'))
        {
            [void]$whereList.Add('$_.Issuer -LIKE $Issuer')
        }

        if ($PSBoundParameters.ContainsKey('Subject'))
        {
            [void]$whereList.Add('$_.Subject -LIKE $Subject')
        }

        if ($PSBoundParameters.ContainsKey('Thumbprint'))
        {
            [void]$whereList.Add('$_.Thumbprint -LIKE $Thumbprint')
        }

        if ($whereList.count -gt 0)
        {
            $where = [scriptblock]::Create($whereList -join ' -AND ')
            Write-Debug "WhereBlock: $($where)"
        }
    }

    process
    {
        foreach ($computer in  $ComputerName)
        {
            try
            {
                Write-Verbose ('Connecting to \\{0}\{1}\{2}' -f $computer, $StoreLocation, $StoreName)

                $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "\\$($computer)\$($StoreName)", $StoreLocation

                if ($PSBoundParameters.ContainsKey('IncludeArchive'))
                {
                    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly', 'IncludeArchived'
                }
                else
                {
                    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly'
                }

                $certStore.Open($flags)

                if ($whereList.count -gt 0)
                {
                    $certificates = $certStore.Certificates | Where-Object $where
                }
                else
                {
                    $certificates = $certStore.Certificates
                }

                $certificates | ForEach-Object {
                    $Days = Switch ((New-TimeSpan -End $_.NotAfter).Days)
                    {
                        { $_ -gt 0 } { $_ }
                        Default { 'Expired' }
                    }

                    $_ | `
                        Add-Member -MemberType NoteProperty -Name ExpiresIn -Value $Days -PassThru | `
                        Add-Member -MemberType NoteProperty -Name ComputerName -Value $computer -PassThru
                }
            }
            catch
            {
                Write-Warning "$($computer): $_"
            }
        }
    }
}