waltforbes

How To Query-Search for Certificate Using Thumbprint in Error Message?

Points of My Scenario:
1. I am admin of a Windows Server 2008 R2 computer
2. This server's Event Viewer application log continuously reports that a certificate is "about to expire or already expired." (the thumbprint is provided in the error)
3. Many certificates are deployed on this server (system and application)
4. I wish to avoid double-clicking each certificate and manually checking its thumbprint

QUESTION: How can I query the server to find which certificate has the matching thumbprint in the error?
oBdA

PowerShell to the rescue (yes, even works with PS v2.0, in case this machine was never updated ...):
gci Cert:\ -Recurse | ? {$_.ThumbPrint -eq '<thumbprint>'.Replace(' ', '')} | select *


waltforbes (ASKER)

@oBdA: Thank you for the prompt and beautiful command. The command returns nothing for the thumbprint showing up in Event Viewer. So, as a test-control, I tried a thumbprint from a known certificate - and the command worked! (I love your command).

QUESTIONS:
(1) Does this mean that the certificate for the thumbprint in Event Viewer errors no longer exists? Is it possible Event Viewer is falsely reporting it?
OR
(2) Does it mean I'm running the command in the wrong context?
     (NOTE: I executed "CD CERT:\\" in the PowerShell session before running your command).
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.

@oBdA: as detailed below, I tried everything you mentioned above, except having other users log in:
(1) Elevated console: I've always been using the PS console with elevated privileges
(2) Copy/Paste: I did copy/paste the thumbprint, and tried both with and without spaces. I also tried a known thumbprint - which worked.
(3) Partial Match: I tried partial match, using -like and * successfully for known thumbprint, but not for the 'ghost' thumbprints reported in Event Viewer errors
(4) Serial Number Replacement: Event Viewer errors provide no serial numbers - so serial numbers are unknown for the 'ghost' thumbprints.
(5) Computer 'Personal' Store: I ran the command for the LocalMachine\My store which returned known certificates, but not the ghost one.
(6) Finally, I redirected to a text file the output of a recursive listing of all certificates on the system ("ls -recurse | Out-File -FilePath C:\Data\ALL-CERTIFICATES-DETAILS2.TXT") - then I searched the text file for the 'ghost' thumbprints - ALAS! None of the 'ghost' thumbprints were in the text file. I searched known thumbprints in the text file successfully.

CONCLUSION: The persistent errors in Event Viewer are false positives. The certificates don't exist.

MY NEXT STEP (unless you advise otherwise): figure out how to stop these false error messages.

Hi oBdA. I am very grateful for all your help. You taught me some very, very useful commands I will use again. Thank you very much.
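
Added example (not part of the original thread and not oBdA's code): the thumbprint search from this thread wrapped so that the pasted value is reduced to hex digits before matching, with a fallback that lists every certificate expiring soon when the thumbprint is not found. The function names are hypothetical and the thumbprint below is constructed; the code sticks to syntax that works on PowerShell 2.0.

```powershell
# Added example; function names are hypothetical, thumbprint is constructed.
$certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function ConvertTo-CleanThumbprint {
    param([string]$Text)
    # Keep hex digits only: drops spaces, colons and any invisible
    # characters that copy/paste can carry along.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 40) {
        Write-Warning "Expected 40 hex digits (SHA-1), got $($hex.Length): '$hex'"
    }
    return $hex
}

function Find-CertificateByThumbprint {
    param([string]$Thumbprint)
    $wanted = ConvertTo-CleanThumbprint $Thumbprint
    # Cert:\ exposes only the CurrentUser and LocalMachine locations,
    # so stores belonging to other accounts are not searched.
    Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is $certType -and $_.Thumbprint -eq $wanted } |
        Select-Object @{n='Store'; e={ $_.PSParentPath -replace '^.*::', '' }},
                      Subject, NotBefore, NotAfter, Thumbprint
}

function Get-ExpiringCertificate {
    param([int]$Days = 30)
    # Everything already expired or expiring within $Days, oldest first.
    $limit = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is $certType -and $_.NotAfter -le $limit } |
        Sort-Object NotAfter |
        Select-Object @{n='Store'; e={ $_.PSParentPath -replace '^.*::', '' }},
                      Subject, NotAfter, Thumbprint
}

# Constructed value for illustration; paste the thumbprint from the event instead.
$fromEvent = 'aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd'
$hit = Find-CertificateByThumbprint $fromEvent
if ($hit) {
    $hit | Format-List
} else {
    'Not found in CurrentUser or LocalMachine stores; expiring certificates:'
    Get-ExpiringCertificate -Days 30 | Format-Table -AutoSize
}
```

Run it from an elevated console, as in the thread; the same certificate can appear in more than one store, so several rows for one thumbprint are normal.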