
How to Get Certificates using PowerShell

Recently, I got an assignment to get all installed certificates on a Windows computer and also get certificate information from a remote computer. If you have many certificates installed on a given computer, getting certificate details manually is a tiresome process.

Certificates are stored in the Certificate Store. You can open the Certificate Store by running the Certmgr.msc command in a Run window, or you can go to Control Panel and search for "manage computer certificates".

Using PowerShell to get Windows certificate details is very easy, and we can get all certificate details and export them to a CSV file.

In this post, I will explain how to get certificate details from the Root store and the local user Personal store. The certificate provider exposes the certificate namespace as the Cert: drive in PowerShell.

Get Certificate details stored in Root directory on local machine

Get-ChildItem Cert:\LocalMachine\Root\* | ft -AutoSize

In the above example, the PowerShell Get-ChildItem cmdlet gets the items from one or more specified locations. Because we need certificate information from the Root directory of the local machine account, we use the path Cert:\LocalMachine\Root.

The above command returns all certificates from the Root directory, as below:

 PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                               Subject                                                             
----------                               -------                                                             
E4C3B69139C26ED0620ADF4F727C9D19BF66391 CN=corp-in-252                                                   
EDD4EEAE6000A7F40C3202C171E30148030C072 CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com       
EE36A4562FB2E05DBB3S32323ADF445084ED656 CN=Timestamping CA, OU=Certification, O=, L=D...
E43489159A5200D93D022CCAF37E7FE20A8B419 CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyrig...
784E459FF99D8FD97AFS46DCDCBCB90E0B7FCD5 CN=localhost                                                        
22B46C76E1305104F230517E6E504D43AB10B5 CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corp...
AF43288AD2722103B6AB1428485EA3014C0BCFE CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corpora...


Get Certificate stored in local user Personal Store

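#Get installed certificates from localmachine
#Keep the certificate objects in $certs; formatting is applied only when displaying
$certs = Get-ChildItem Cert:\LocalMachine\My
#Display results in console
$certs | ft -AutoSize

In the above example, the console shows all certificates stored in Cert:\LocalMachine\My, which is the Personal store of the local machine account. The current user's Personal store is Cert:\CurrentUser\My.

The above command returns the Thumbprint and Subject properties of the certificates, as below: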

Thumbprint                               Subject                    
----------                               -------                    
D4C3B69139C26AD0610FDF4F727C9D19BF66391 CN=corp-in-252          
984E459FF9987FD97AFC46DCDCBCB90E0B7FCD5 CN=localhost               
30B2EF587D70C873A46C34586599B94BF8F42B4 CN=localhost               
21E1CF06BA981753337D4773CF9CB1D29100684 CN=localhost               
10D6649DC0672CC1866F26B0E6BA4E7BFFCA4E3 CN=corp-in-252          
0B8DF4B103544C05FB9633DB5553727803BEE2D CN=corp-in-252.shellgeek.org

Find expiring certificates using PowerShell

As admins, we have to keep track of certificate expiry dates so that we can renew certificates well in advance. To get certificates that are about to expire in the next few days, we can use the ExpiringInDays parameter with the number of days as input.

$expirecerts = Get-ChildItem Cert:\LocalMachine\WebHosting -ExpiringInDays 30

In the above example, the command gets the list of certificates in the WebHosting certificate store that are about to expire in the next 30 days, using the ExpiringInDays parameter.
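The introduction mentions exporting certificate details to CSV; the following added example (not code from the original article) builds an expiry report with the days remaining for each certificate and writes it to a CSV file. The store list, the 30-day threshold and the output path are assumptions, and it filters on the NotAfter property rather than ExpiringInDays so that expired and expiring certificates can be labelled separately.

```powershell
# Added example: stores, threshold and output path are assumptions, adjust as needed.
$stores    = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'
$threshold = 30                                          # days ahead to report on
$now       = Get-Date
$outFile   = Join-Path $env:TEMP 'expiring-certs.csv'    # placeholder output path

$report = @(foreach ($store in $stores) {
    # A store listed above may not exist on every machine; skip it instead of failing
    if (-not (Test-Path -Path $store)) { continue }

    Get-ChildItem -Path $store | ForEach-Object {
        # Whole days until NotAfter; negative means the certificate has already expired
        $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        if ($daysLeft -le $threshold) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                Status        = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring' }
                HasPrivateKey = $_.HasPrivateKey
            }
        }
    }
})

# Most urgent first: write the full report to CSV and show a short view on the console
$report | Sort-Object DaysLeft | Export-Csv -Path $outFile -NoTypeInformation
$report | Sort-Object DaysLeft |
    Format-Table Store, Subject, NotAfter, DaysLeft, Status -AutoSize
```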

Find Expired certificate on remote computers

Let’s consider a scenario where you need to get a list of certificates that are expired on remote computers.

$remotecomputers = "corp-it-200","corp-it-201","corp-it-202"

$expiredcerts = Invoke-Command -ComputerName $remotecomputers {
Get-ChildItem -Path cert:\* -Recurse -ExpiringInDays 0
}

In the above example, we have three remote computers and we want to find expired certificates on these remote computers.

The Invoke-Command cmdlet runs Get-ChildItem on each of the remote computers to get the certificates that have expired. Here we have specified 0 days in the ExpiringInDays parameter.
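When this runs against several computers, a host that cannot be reached returns nothing, which looks the same as a host with no expired certificates. The following added example (not code from the original article) opens the sessions first so unreachable hosts are reported explicitly. The computer names are the ones used above; restricting the search to Cert:\LocalMachine is an assumption made here, because in a remote session the CurrentUser stores belong to the connecting account.

```powershell
# Added example: computer names are the article's sample names.
$remotecomputers = 'corp-it-200', 'corp-it-201', 'corp-it-202'

# Open sessions first so hosts that cannot be reached are known explicitly
$sessions = @(New-PSSession -ComputerName $remotecomputers -ErrorAction SilentlyContinue)
$failed   = @($remotecomputers | Where-Object { $_ -notin $sessions.ComputerName })

$expired = @()
if ($sessions.Count -gt 0) {
    try {
        # -Recurse also returns store objects, so keep certificates only.
        # Results come back as deserialized copies, so select plain properties remotely.
        $expired = @(Invoke-Command -Session $sessions -ScriptBlock {
            $now = Get-Date
            Get-ChildItem -Path Cert:\LocalMachine -Recurse |
                Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                    $_.NotAfter -lt $now
                } |
                Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '::')[-1] } },
                              Subject, Thumbprint, NotAfter, HasPrivateKey
        })
    }
    finally {
        Remove-PSSession -Session $sessions
    }
}

# PSComputerName is added by remoting and identifies the host each row came from
$expired | Sort-Object PSComputerName, NotAfter |
    Format-Table PSComputerName, Store, Subject, Thumbprint, NotAfter -AutoSize

# A host without a session was not checked; do not read it as "no expired certificates"
if ($failed.Count -gt 0) {
    Write-Warning ('Not checked (no session): ' + ($failed -join ', '))
}
```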

Conclusion

I hope you find the above article about how to get Windows certificate details using PowerShell on the local machine or a remote computer interesting.

The Get-ChildItem cmdlet and the Cert:\ drive in PowerShell are used to get certificate information. As shown in the above article, you can easily get details of certificates that are about to expire or have expired, on the local machine or remotely.