Script to check certificate expiry on Windows devices - Hexnode Help Center (2024)

Organizations need to know the expiry dates of the digital certificates on their devices so that expired certificates can be deleted and replaced with new ones before dependent processes are interrupted. Hexnode UEM allows IT admins to check the expiry dates of all the certificates on Windows devices remotely through the execution of Custom Scripts.

Disclaimer:


The sample scripts provided below are adapted from third-party open-source sites.

Batch script

Check expiry date of a certificate accessible to all the users on the device

To check the expiry date of a certificate accessible to all the users on the endpoint, use the following script:

Batch script to check expiry date of a certificate accessible to all the users on the device

certutil -store CertificateStoreName SerialNumber | findstr /C:"NotAfter" /C:"NotBefore"

The -store parameter specifies the certificate folder and the certificate to look up. Replace CertificateStoreName with the certificate folder name and SerialNumber with the serial number of the certificate. findstr filters the output down to the validity dates. NotBefore returns the date and time at which the certificate becomes valid, while NotAfter returns the date and time at which the certificate is set to expire or has expired.

E.g., To get the expiration date of a certificate with the serial number “0e28137ceb92” stored in the “Trusted Root Certification Authorities” folder of the local machine, use:

certutil -store Root 0e28137ceb92 | findstr /C:"NotAfter" /C:"NotBefore"

Check expiry date of a certificate accessible to current user of the device

Now, to check the expiration date of a certificate that is accessible only to the current user of the endpoint, use the following script:

Batch script to check expiry date of a certificate accessible to current user on the device

certutil -store -user CertificateStoreName SerialNumber | findstr /C:"NotAfter" /C:"NotBefore"

E.g., To get the expiry date of a certificate with the serial number “0f40e2e91287” present in the “Personal” folder of the current user, use:

certutil -store -user My 0f40e2e91287 | findstr /C:"NotAfter" /C:"NotBefore"

List certificates in a folder

In case you want to list the certificates in a folder for details including serial number, issuer, version, and expiration date, use the command:

#ForLocalMachine

Batch script to list certificates in a folder accessible to local machine

certutil -store CertificateStoreName

E.g., To list all the certificates in the “Trusted Root Certification Authorities” folder of the local machine, use:

certutil -store Root

#ForCurrentUser

Batch script to list certificates in a folder accessible to current user

certutil -store -user CertificateStoreName

E.g., To list all the certificates in the “Personal” folder of the current user, use:

certutil -store -user My

PowerShell script

Check expiry date of a certificate accessible to all the users on the device

PowerShell script to check expiry date of a certificate accessible to all the users on the device

Get-Childitem cert:\LocalMachine\CertificateStoreName\ThumbPrint | Select-Object FriendlyName,NotAfter,NotBefore

The script retrieves the expiration dates of certificates accessible to all users on the device using the Get-Childitem cmdlet. Replace CertificateStoreName with the certificate folder name and ThumbPrint with the thumbprint of the certificate. FriendlyName returns the friendly name of the certificate, NotBefore returns the date and time at which the certificate becomes valid, and NotAfter returns the date and time at which the certificate is set to expire or has expired.

E.g., To obtain the expiry date of a certificate with the thumbprint “8F43288AD272F3103B6FB1428485EA3014C0BCFE” from the local machine’s “Trusted Root Certification Authorities” folder, use the command:

Get-Childitem cert:\LocalMachine\Root\8F43288AD272F3103B6FB1428485EA3014C0BCFE | Select-Object FriendlyName,NotAfter,NotBefore

Check expiry date of a certificate accessible to current user of the device

PowerShell script to check expiry date of a certificate accessible to current user of the device

Get-Childitem cert:\CurrentUser\CertificateStoreName\ThumbPrint | Select-Object FriendlyName,NotAfter,NotBefore

E.g., To obtain the expiry date of a certificate with the thumbprint “D124D8B4979F396FE6D63638D97C4E9B87154AA4” from the current user’s “Personal” folder, use the command:

Get-Childitem cert:\CurrentUser\My\D124D8B4979F396FE6D63638D97C4E9B87154AA4 | Select-Object FriendlyName,NotAfter,NotBefore

List certificates in a folder

To list out the certificates in a folder with details including thumbprint, issuer, version, and expiration date, use the command:

#ForLocalMachine

PowerShell script to list certificates in a folder accessible to local machine

Get-Childitem cert:\LocalMachine\CertificateStoreName | format-list

To give an example, we can list all the certificates in the “Trusted Root Certification Authorities” folder of the local machine using the command:

Get-Childitem cert:\LocalMachine\Root | format-list

#ForCurrentUser

PowerShell script to list certificates in a folder accessible to current user

Get-Childitem cert:\CurrentUser\CertificateStoreName | format-list

E.g., To list all the certificates in the “Personal” folder of the current user, use the command:

Get-Childitem cert:\CurrentUser\My | format-list

List certificates that have expired or are nearing expiry

Admins can check which certificates have expired or are going to expire within a certain period on the local machine using the following script:

PowerShell script to list certificates that have expired or are nearing expiry

Get-ChildItem -Path Cert:\localmachine\certificatestorename | ?{$_.NotAfter -lt (get-date).AddDays(<no of days from current date>)} | fl

E.g., To view a list of certificates from the “Trusted Root Certification Authorities” folder that have expired or will expire within the next 60 days on the local machine:

Get-ChildItem -Path Cert:\localmachine\root | ?{$_.NotAfter -lt (get-date).AddDays(60)} | fl

Replace LocalMachine with CurrentUser if you want to list certificates of the current user.
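
The same NotAfter check extended into a report across several stores, as an added example that is not part of the original article or Hexnode's own code. The store list, the 60-day window and the use of the exit code by the calling tool are assumptions; adjust them to your environment.

```powershell
# Added example: expiry report across several LocalMachine stores.
# $Stores and $WarnDays are assumed values, not taken from the article.
$Stores   = 'My', 'Root', 'CA'
$WarnDays = 60
$now      = Get-Date
$cutoff   = $now.AddDays($WarnDays)

$report = foreach ($store in $Stores) {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Store not found: $path"
        continue
    }
    Get-ChildItem -Path $path | ForEach-Object {
        # Classify each certificate against the current time and the cutoff.
        $status = 'OK'
        if     ($_.NotAfter  -lt $now)    { $status = 'Expired' }
        elseif ($_.NotBefore -gt $now)    { $status = 'NotYetValid' }
        elseif ($_.NotAfter  -lt $cutoff) { $status = 'Expiring' }

        [pscustomobject]@{
            Store      = $store
            Status     = $status
            DaysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
        }
    }
}

# Keep only the certificates that need attention, soonest expiry first.
$flagged = @($report | Where-Object { $_.Status -ne 'OK' } | Sort-Object NotAfter)
$flagged | Format-Table -AutoSize -Property Store, Status, DaysLeft, NotAfter, Thumbprint, Subject

# Assumption: the tool that runs the script inspects the exit code.
if ($flagged.Count -gt 0) { exit 1 } else { exit 0 }
```

The Thumbprint column is included so that a flagged certificate can be looked up directly with the thumbprint-based commands shown earlier.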

Find certificate details using friendly name

In case you only know the friendly name of a certificate on the local machine and want to search for the rest of the certificate details, you can use the following command:

PowerShell script to find certificate details using friendly name

Get-ChildItem Cert:\LocalMachine\CertificateStoreName | where{$_.FriendlyName -eq '<friendly name>'} | fl *

To retrieve all of the other details of that certificate on the local machine, replace CertificateStoreName with the name of the certificate folder and <friendly name> with the friendly name of the certificate. Replace LocalMachine with CurrentUser if you want to retrieve certificate details from the current user.

E.g., To find the details of a certificate with the friendly name “Digicert” stored in the “Trusted Root Certification Authorities” folder of the local machine, run the command:

Get-ChildItem Cert:\LocalMachine\Root | where{$_.FriendlyName -eq 'Digicert'} | fl *

If you do not want to limit your search to a single folder on the local machine, use the -Recurse parameter:

PowerShell script to find certificate details using friendly name from all folders on local machine

Get-ChildItem Cert:\LocalMachine\ -Recurse | where{$_.FriendlyName -eq '<friendlyname>'} | fl *

Notes:

  • Depending on the system store you need to get the certificate from, replace ‘certificatestorename’ with My, Root, CA, Trust, etc.
  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage/loss to the system caused by the behavior of the script.

Author: Twana Towne Ret
