Terry Rogers

Filter Certificates within Existing PowerShell Query

Hello,

I currently have the following PowerShell script to obtain a list of Certificates from the local certificate store:

$AllCertificates = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse

# Create an empty list to keep the results
$CertificateList = @()

ForEach ( $Certificate in $AllCertificates )
{
    # Check to see if this is a "folder" or a "certificate"
    if ( -not ( $Certificate.PSIsContainer ) )
    {
        # Certificates are *not* containers (folders)
        # Get the important details and add it to the $CertificateList
        $CertificateList += $Certificate | Select-Object -Property FriendlyName, Issuer, Subject, Thumbprint, NotBefore, NotAfter
    }
}

$CertificateList

I would like to update this so that:
  1. Only certificates that do not have the sole intended purpose of Client Authentication are returned (so certs that have more than one purpose are always included in the final list)
  2. The output labels for each piece of returned data are customised. For example, currently we have NotBefore, which I would like to display as "Issued On"
  3. A comma-delimited list of the intended purposes is included in the final certificate list

I am somewhat of a novice with PowerShell, so any assistance would be greatly appreciated!!

Michael B. Smith

I don't know what you mean by "Intended purposes". But the rest of it just takes a few small mods to your existing script.

Just FYI, "NotBefore" is NOT the same as "Issued On". A cert can be issued long before it becomes valid. That's why it's called "NotBefore". A better phrase might be "Valid From" and "Valid To".

# qqq.ps1 - for MBS reference
$AllCertificates = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse

# Create an empty list to keep the results
$CertificateList = @()

ForEach( $Certificate in $AllCertificates )
{
   if( $Certificate.PSIsContainer )
   {
      # Certificates are *not* containers (folders)
      continue
   }

   if( $Certificate.EnhancedKeyUsageList.Count -eq 1 -And
       $Certificate.EnhancedKeyUsageList[ 0 ].FriendlyName -eq 'Client Authentication' )
   {
      # Don't want certificates that *only* do Client Auth
      continue
   }

   # Get the important details and add it to the $CertificateList

   $CertificateList += $Certificate | Select-Object -Property FriendlyName, 
      Issuer, 
      Subject, 
      Thumbprint, 
      @{ Name = 'Issued On'; E = { $_.NotBefore } },
      @{ Name = 'Expires'  ; E = { $_.NotAfter  } }
}

$CertificateList

ASKER CERTIFIED SOLUTION
Terry Rogers

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.

EnhancedKeyUsageList can also be empty.

You accepted your own answer? Not cool.
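
The three changes requested in the question, with the empty EnhancedKeyUsageList case from the comment above handled, as an added example that is not code from any participant in this thread. The function name Get-CertificateReport, the output labels and the sample objects are assumptions constructed for illustration; the filter compares the EKU OID rather than the friendly name, which goes slightly beyond the posted answer.

```powershell
# Added example, not code from the thread.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)

function Get-CertificateReport {       # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Certificate
    )
    process {
        # Store "folders" are containers; only certificates are reported
        if ($Certificate.PSIsContainer) { return }

        # Drop nulls so a missing or empty EKU list becomes a zero-length array
        $ekus = @($Certificate.EnhancedKeyUsageList | Where-Object { $_ })

        # Exclude only certificates whose single EKU is Client Authentication.
        # Comparing the OID avoids relying on the localised FriendlyName.
        if ($ekus.Count -eq 1 -and $ekus[0].ObjectId -eq $ClientAuthOid) { return }

        # Fall back to the OID when an EKU has no friendly name;
        # the result is an empty string when the certificate lists no EKUs
        $purposes = @($ekus | ForEach-Object {
            if ($_.FriendlyName) { $_.FriendlyName } else { $_.ObjectId }
        }) -join ', '

        [pscustomobject]@{
            'Friendly Name'     = $Certificate.FriendlyName
            'Issuer'            = $Certificate.Issuer
            'Subject'           = $Certificate.Subject
            'Thumbprint'        = $Certificate.Thumbprint
            'Valid From'        = $Certificate.NotBefore
            'Valid To'          = $Certificate.NotAfter
            'Intended Purposes' = $purposes
        }
    }
}

# Constructed stand-ins for store entries (only the properties the function reads)
$eku = { param($Name, $Oid) [pscustomobject]@{ FriendlyName = $Name; ObjectId = $Oid } }
$samples = @(
    [pscustomobject]@{ Subject = 'CN=client-only'; EnhancedKeyUsageList = @(& $eku 'Client Authentication' '1.3.6.1.5.5.7.3.2') }
    [pscustomobject]@{ Subject = 'CN=web01'; EnhancedKeyUsageList = @((& $eku 'Server Authentication' '1.3.6.1.5.5.7.3.1'), (& $eku 'Client Authentication' '1.3.6.1.5.5.7.3.2')) }
    [pscustomobject]@{ Subject = 'CN=no-eku'; EnhancedKeyUsageList = @() }
)
$samples | Get-CertificateReport | Format-Table Subject, 'Intended Purposes'

# Against the real store:
# Get-ChildItem -Path Cert:\LocalMachine\My -Recurse | Get-CertificateReport
```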