Forum Discussion
Inventory SSL Root Cert Remotely Using PowerShell
"LocalMachine" is the name of the cert container, it will have the same value on all computers. You can either use Invoke-Command to run the cmdlet against each computer (example https://www.powershellbros.com/powershell-tip-of-the-week-get-certificate-remotely/) or use the built-in capabilities of the .NET method (example here: https://www.experts-exchange.com/questions/28623585/Need-to-get-certificates-inventory-for-each-server-into-the-spreadsheet-such-as-expiration-date-name-of-the-cert-issuer-cert-purpose.html)
- drawson, Aug 21, 2019, Brass Contributor
Thanks VasilMichev,
I've been trying to get up to speed by reviewing the links you sent. I can manually add the list of computers to scan as I learn how to read a CSV. But my question now is how do I turn "LocalMachine" into reading the "Trusted Root Certificate Authorities\Certificates" for both 'Current User' & 'Local Computer'?
- VasilMichev, Aug 22, 2019, MVP
It's as simple as:
dir Cert:\CurrentUser\Root\
dir Cert:\LocalMachine\Root\
- drawson, Aug 22, 2019, Brass Contributor
Hi VasilMichev, that seems simple enough in theory. But sadly, once I ask for details on certs in that location, I get nothing but the computer name when using the following example:
I'm trying to find 2 specific certs in this location. And if they don't exist in this location I need to know which computer it is that needs them installed. Or stated another way if I can get a report that tells me the cert "IssuedTo" descriptor and the "Expiration Date". Ultimately I need to install the proper certs if they don't exist. I can do that manually. Heck, I can do all of this manually but it would be nice if I work smarter not harder.
So if I could do this I would like to parse a csv that contains the computer names that I need to check for certs in 'CurrentUser\Root' & 'LocalMachine\Root' that have an 'Issue To' name of 'SSL_Cert_1' & 'SSL_Cert_2' and also display the 'Expiration Date' associated with each cert.
On each computer that does not have the required certs, I would like to install these certs. Or at the very least list them so I can pay a visit.
Unfortunately I can't even begin to write the proper syntax to include something like the following:
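The inventory described in this thread, as an added example that is not part of any participant's post: it reads computer names from a CSV, checks both root stores named above for the two required certificates, and reports expiry dates and gaps. The file names `computers.csv` and `root-cert-inventory.csv`, the `ComputerName` column, and working PowerShell remoting are assumptions. Over remoting, `Cert:\CurrentUser\Root` is the store of the account that opens the remote session, not of the user logged on at the console.

```powershell
# Added example. Assumptions: computers.csv has a ComputerName column, WinRM
# remoting is enabled on the targets, and the two names from the thread are
# matched against each certificate's subject common name ("Issued To").
$requiredNames = 'SSL_Cert_1', 'SSL_Cert_2'
$stores        = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$computers     = (Import-Csv -Path .\computers.csv).ComputerName

$scan = {
    param($Names, $Stores)
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($store in $Stores) {
        $certs = @(Get-ChildItem -Path $store)
        foreach ($name in $Names) {
            # Exact match on the subject's simple name, so SSL_Cert_1 does not match SSL_Cert_10.
            $found = @($certs | Where-Object { $_.GetNameInfo($nameType, $false) -eq $name })
            if ($found.Count -eq 0) {
                [pscustomobject]@{ Store = $store; IssuedTo = $name; Present = $false
                                   NotAfter = $null; Thumbprint = $null }
            }
            foreach ($c in $found) {
                [pscustomobject]@{ Store = $store; IssuedTo = $name; Present = $true
                                   NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint }
            }
        }
    }
}

$report = foreach ($computer in $computers) {
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $scan `
            -ArgumentList $requiredNames, $stores -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $computer } }, Store, IssuedTo, Present, NotAfter, Thumbprint
    } catch {
        # Unreachable hosts get their own row instead of being silently skipped.
        [pscustomobject]@{ Computer = $computer; Store = 'unreachable'; IssuedTo = $null
                           Present = $null; NotAfter = $null; Thumbprint = $null }
    }
}

$report | Export-Csv -Path .\root-cert-inventory.csv -NoTypeInformation
# Computers and stores where a required certificate is missing.
$report | Where-Object { $_.Present -eq $false } | Sort-Object Computer, Store | Format-Table -AutoSize
```

Recording the thumbprint alongside the name lets you confirm that a certificate with the expected "Issued To" value is the one you intended to trust, since the subject name alone does not identify a certificate uniquely.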