Inventory SSL Root Cert Remotely Using PowerShell

Question

I am not well versed with PowerShell but after researching it appears PowerShell might be the tool I need. I have a need to inventory all computers on my AD to confirm whether or not they have the necessary SSL root certs that I have attempted to push out via GPO.

Most computers do have the certs but I need to identify the ones that do not.

All examples I've run across seem to include "Path Cert :\localmachine". How do I replace 'localmachine' for 'computer name' to gather SSL cert info from remote computers on my LAN?

One example but it is not entirely clear how I would modify this script to connect remotely to each machine:

https://devblogs.microsoft.com/scripting/get-certificate-info-into-a-csv-by-using-powershell/

http://notesofascripter.com/2016/09/19/using-powershell-work-ssl-certificates/

vasilmichev · Answer

"LocalMachine" is the name of the cert container, it will have the same value on all computers. You can either use Invoke-Command to run the cmdlet against each computer (example https://www.powershellbros.com/powershell-tip-of-the-week-get-certificate-remotely/) or use the built-in capabilities of the .NET method (example here:&nbsp;https://www.experts-exchange.com/questions/28623585/Need-to-get-certificates-inventory-for-each-server-into-the-spreadsheet-such-as-expiration-date-name-of-the-cert-issuer-cert-purpose.html)

drawson · Answer

Thanks&nbsp;VasilMichev&nbsp;,&nbsp;I've been trying to get up to speed by reviewing the links you sent. I can manually add the list of computers to scan as I learn how to read a CSV. But my question now is how do I turn "LocalMachine" into reading the "Trusted Root Certificate Authorities\Certificates" for both 'Current User' &amp; 'Local Computer'?

vasilmichev · Answer

It's as simple as:
&nbsp;
dir Cert:\CurrentUser\Root\
dir Cert:\LocalMachine\Root\

drawson · Answer

Hi VasilMichev, That seems simple enough in theory. But sadly once I ask for details on certs in that location I get nothing but the computer name when using the following example.:&nbsp;&nbsp;I'm trying to find 2 specific certs in this location. And if they don't exist in this location I need to know which computer it is that needs them installed. Or stated another way if I can get a report that tells me the cert "IssuedTo" descriptor and the "Expiration Date". Ultimately I need to install the proper certs if they don't exist. I can do that manually. Heck, I can do all of this manually but it would be nice if I work smarter not harder.&nbsp;So if I could do this I would like to parse a csv that contains the computer names that I need to check for certs in 'CurrentUser\Root' &amp; 'LocalMachine\Root' that have an 'Issue To' name of 'SSL_Cert_1' &amp; 'SSL_Cert_2' and also display the 'Expiration Date' associated with each cert.&nbsp;Each computer that does not have the required certs I would like to install these certs. Or at the very least list them so I can pay a visit.&nbsp;Unfortunately I can't even begin to write the proper syntax to include something like the following.:&nbsp;&nbsp;

vasilmichev · Answer

The first example will only list certificates with CN matching the name of the computer, so it's seem to me its working as expected. You can simply remove the where clause and get a full list of certificates, the filter it out in excel or something.

Forum Discussion

Inventory SSL Root Cert Remotely Using PowerShell

8 Replies

Resources