Getting Certificate Information in PowerShell

When you have certificates expiring, you need to be able to gather the information about the certificates so that you can prepare the renewal requests properly and get the certificate renewed. Now, Windows doesn’t have a native application that is readily available to look up certificate data. You have to open the MMC console and then add the proper Certificate Snap-In to gain access to the certificate store.

In dealing with this, I have found that PowerShell is a great method to be able to gather all of this data quickly and in a way where you can copy/paste the information that you need in order to generate your request properly for a new certificate or a renewal.

First off, you have to make sure that the PKI module is installed on the system where you are running PowerShell:

Download and install PowerShell PKI module from the PowerShell Gallery using PowerShell

Module Requirements

  • Windows PowerShell 3.0 or higher
  • .NET Framework 4.0 or higher

This module can run on any of the specified operating systems:

  • Windows Server 2008*/2008 R2*/2012*/2012 R2*/2016*/2019*
  • Windows Vista/7/8/8.1/10

* — Server Core installation is not supported.

NOTE: Module installation requires RSAT (Remote Server Administration Tools) to be installed.

Once you have it installed, you can then begin accessing the Certificate Store on the server that you are on:

NOTE: Setting the location to LocalMachine\My will place PowerShell in the Personal Store of the Local Computer Account.

The Get-ChildItem cmdlet will return the information of the certificates that are in the directory that you are in. You can also amend the cmdlet with given parameters to get the information from another machine:

To get the properties of all certificates expiring in 120 days locally:

To get the properties of all certificates expiring in 120 days on a remote server:

Now, let’s say that you have certificates expiring in 120 days on all of your CAS Exchange Servers and you need to get the information on all those certificates since they do not have the same thumbprint. You can run the following commands in sequence to be able to get the information from all of those servers:
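An added example (not the author's original commands) that covers the steps above in one pass: it queries the Personal store of the Local Computer account for certificates expiring within 120 days, locally and on a list of servers. The server names are placeholders, and the remote calls assume PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example. Server names are placeholders; remote calls assume
# PowerShell remoting (WinRM) is enabled on the target servers.
$Days    = 120
$Servers = 'EXCH-CAS01', 'EXCH-CAS02'   # hypothetical CAS server names

# Runs on whichever machine it is invoked on and reads the Personal store
# of the Local Computer account. Only public certificate properties are
# returned; private keys never leave the server.
$Query = {
    param([int]$ExpiringInDays)
    Get-ChildItem -Path Cert:\LocalMachine\My -ExpiringInDays $ExpiringInDays |
        Select-Object Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey,
            @{ Name = 'DnsNames';  Expression = { $_.DnsNameList.Unicode -join ', ' } },
            @{ Name = 'KeyUsages'; Expression = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } },
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

$Results = @(
    # Local machine
    & $Query $Days |
        Select-Object @{ Name = 'PSComputerName'; Expression = { $env:COMPUTERNAME } }, *

    # Each remote server; an unreachable server is reported and skipped
    foreach ($Server in $Servers) {
        try {
            Invoke-Command -ComputerName $Server -ScriptBlock $Query -ArgumentList $Days -ErrorAction Stop
        } catch {
            Write-Warning "Could not query ${Server}: $($_.Exception.Message)"
        }
    }
)

# One record per certificate, soonest expiry first, ready to copy into a request
$Results | Sort-Object NotAfter |
    Format-List PSComputerName, Subject, DnsNames, Issuer, Thumbprint, NotAfter,
        HasPrivateKey, KeyUsages, SignatureAlgorithm
```

The DnsNames and KeyUsages columns show the subject alternative names and enhanced key usages that a renewal request has to carry over, and SignatureAlgorithm flags certificates that should be reissued with a stronger algorithm rather than renewed as-is.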

In another post I will expand on this topic and show how to generate CSRs, Import and Export Certificates, and renew certificates. I’m still doing research on those topics and will compile my information as soon as I can get it organized. Hope this helps!