Checking multiple servers for a saved SSL certificate

I'm looking for a command that I can use to remotely connect to multiple servers (using PowerShell or PSEXEC) and search for an installed SSL certificate.

I'd be using a domain admin account so authentication shouldn't be an issue, but I'm not sure how to search the SSL Certificate Store via command line / remotely. Possibly installed SSL certificates are also in the Registry, and if so searching the registry would also work if possible.

Any ideas? I should add that I'm a terrible coder unfortunately, so if you have any kind of sample script you've used in the past to do something similar it would be very much appreciated.

Thanks
VasAsked:
becraigCommented:
This should work:

The example below checks by thumbprint, but you can change it to search by other criteria, e.g. subject, serial number etc.:

$_.Thumbprint -like "<thumbprint>"
$_.Subject -like "*<subject>*"


function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
}
gc C:\serverlist.txt | % {
    Get-Cert $_ | ?{$computer=$_;$_.thumbprint -like <thumbprint>; $report += "$computer, $_.thumbprint, $_.Subject" }
}
write-host $report

VasAuthor Commented:
Thanks for the script - so I tried it by changing this line, since I want to search on Subject:

Get-Cert $_ | ?{$computer=$_;$_.subject -like "xxxxx"; $report += "$computer, $_.thumbprint, $_.Subject" }

(xxxx was a unique part of the hostname I'm looking for)

The script output every single SSL cert on all the servers, it looks like (it output thousands of lines). This wouldn't be terrible, as I could always paste the output into a text file and search for the hostname that way, but the problem was that the computer name was not output, so it would not show me which server it found it on. Also it's not showing any hostnames; not sure if it's not outputting this, but it looks more like it's mostly outputting the root or intermediate certs rather than the "Personal Certificates".

Here is an example part of the output if it helps:

[Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.thumbprint, [Subject]
  CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

[Issuer]
  CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

[Serial Number]
  2766EE56EB49F38EABD770A2FC84DE22

[Not Before]
  5/30/2000 6:48:38 AM

[Not After]
  5/30/2020 6:48:38 AM

[Thumbprint]
  F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
.Subject[Subject]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Issuer]
  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

[Serial Number]
  79AD16A14AA0A5AD4C7358F407132E65

[Not Before]
  5/9/2001 7:19:22 PM

[Not After]
  5/9/2021 7:28:13 PM

Thanks
becraigCommented:
My bad, see updated script:
# Get-Cert opens the Personal ("My") certificate store of the remote machine
# read-only (the "\\<computer>\My" path goes over the Remote Registry service)
# and returns the certificates it holds.
function Get-Cert( $computer){
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\My",$lm)
    $store.Open($ro)
    $certs=$store.Certificates
    $store.Close()
    $certs
}
$report = ""   # start empty so re-running in the same session does not append to old results
gc c:\serverlist.txt | % {
    $computer=$_
    # keep only certs whose Subject matches, then record server name and subject
    Get-Cert $computer | ?{ $_.subject -like "*domain.domain.com*" } | % {
        $sub = $_.subject
        $report += "$computer, $sub`n"
    }
}
$report | out-file C:\certreport.csv
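As an added example (not becraig's script and not part of the original thread), the same search done over PowerShell remoting instead of the remote registry path. It matches on Subject like the accepted answer, but reports the computer name, thumbprint and expiry for each hit, writes a real CSV with Export-Csv, and surfaces servers it could not reach instead of silently skipping them. It assumes WinRM is enabled on the targets and PowerShell 3.0 or later on the machine running it (for `$using:`); the server list path and the `*domain.domain.com*` subject fragment are placeholders to change. Where remoting is not available (as on older hosts such as Windows Server 2003), the `X509Store("\\server\My")` approach in the thread remains the way to reach the store.

```powershell
# Added example, not from the original thread. Searches the LocalMachine\My
# (Personal) store on each server listed in C:\serverlist.txt (assumed: one
# host name per line) for certificates whose Subject matches $pattern.
$servers = Get-Content -Path 'C:\serverlist.txt' | Where-Object { $_.Trim() -ne '' }
$pattern = '*domain.domain.com*'   # placeholder: the subject fragment you are looking for

# The script block runs on each remote host; $using: carries $pattern across.
# Connection failures are collected in $connErrors rather than aborting the run.
$results = Invoke-Command -ComputerName $servers `
    -ErrorAction SilentlyContinue -ErrorVariable connErrors -ScriptBlock {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $using:pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Computer      = $env:COMPUTERNAME
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey          # true for a usable server cert
                Expired       = ($_.NotAfter -lt (Get-Date))
            }
        }
}

# Report hosts that could not be queried so a "no match" is not mistaken for "not checked".
foreach ($e in $connErrors) {
    Write-Warning ("Could not query {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}

# Proper CSV (quoted fields, header row) that Excel or Import-Csv can read back.
$results |
    Select-Object Computer, Subject, Thumbprint, NotAfter, HasPrivateKey, Expired |
    Sort-Object Computer |
    Export-Csv -Path 'C:\certreport.csv' -NoTypeInformation

# Quick on-screen summary of where the certificate was found and when it expires.
$results | Format-Table Computer, Thumbprint, NotAfter, Expired -AutoSize
```

Matching on the thumbprint instead of the subject is the stricter check when you are tracking one specific certificate (two certs can share a subject; a thumbprint identifies exactly one), so swap `$_.Subject -like $using:pattern` for `$_.Thumbprint -eq $using:thumbprint` when you have it.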

VasAuthor Commented:
YOU ROCK!

That script worked like a charm and saved me countless hours of tracking this cert down, thank you so much for that.