
Script to check certificate expiry on Windows devices

Organizations need to know when the digital certificates on their devices expire so that they can remove expired ones and replace them with new ones before the processes that depend on them (TLS, VPN, Wi-Fi, code signing and so on) stop working. Hexnode UEM lets IT admins check the expiry dates of all the certificates on Windows devices remotely by executing Custom Scripts.

Disclaimer: The sample scripts provided below are adapted from third-party open-source sites.

Batch script

Check expiry date of a certificate accessible to all the users on the device

To check the expiry date of a certificate accessible to all the users on the endpoint, use a certutil command of the form shown in the example below.

The -store switch selects the certificate store (the "folder" in the Certificates MMC snap-in) and, optionally, a single certificate within it. Replace CertificateStoreName with the store name and Serial Number with the serial number of the certificate. findstr then filters the output down to the validity lines: NotBefore is the date and time at which the certificate becomes valid, while NotAfter is the date and time at which the certificate expires (or has already expired). Without -user, certutil reads the local machine stores, so the command must run with administrative rights.

E.g., To get the expiration date of a certificate with the serial number “0e28137ceb92” stored in the “Trusted Root Certification Authorities” folder of the local machine, use:

certutil -store Root 0e28137ceb92 | findstr /C:"NotAfter" /C:"NotBefore"

Check expiry date of a certificate accessible to current user of the device

To check the expiration date of a certificate that is accessible only to the current user of the endpoint, add the -user switch so that certutil reads the user's stores instead of the machine's. Note that "current user" means the account the script runs under; a script executed by a service account such as SYSTEM sees that account's store, not the logged-in user's.

E.g., To get the expiry date of a certificate with the serial number “0f40e2e91287” present in the “Personal” folder of the current user, use:

certutil -store -user My 0f40e2e91287 | findstr /C:"NotAfter" /C:"NotBefore"

List certificates in a folder

To list the certificates in a store with details including serial number, issuer, subject, SHA-1 hash and validity dates (NotBefore/NotAfter), omit the serial number and run the command against the store alone:

#ForLocalMachine

E.g., To list all the certificates in the “Trusted Root Certification Authorities” folder of the local machine, use:

certutil -store Root

#ForCurrentUser

E.g., To list all the certificates in the “Personal” folder of the current user, use:

certutil -store -user My

PowerShell script

Check expiry date of a certificate accessible to all the users on the device

The script retrieves the expiration dates of certificates accessible to all users on the device with the Get-ChildItem cmdlet, which exposes the certificate stores through the Cert: drive as Cert:\LocalMachine\CertificateStoreName\ThumbPrint. Replace CertificateStoreName with the store name and ThumbPrint with the SHA-1 thumbprint of the certificate (upper-case hex, no spaces or colons). FriendlyName returns the friendly name of the certificate (often empty), NotBefore returns the date and time at which the certificate becomes valid, and NotAfter returns the date and time at which the certificate expires or has expired.

E.g., To obtain the expiry date of a certificate with the thumbprint “8F43288AD272F3103B6FB1428485EA3014C0BCFE” from the local machine’s “Trusted Root Certification Authorities” folder, use the command:

Get-Childitem cert:\LocalMachine\Root\8F43288AD272F3103B6FB1428485EA3014C0BCFE | Select-Object FriendlyName,NotAfter,NotBefore

Check expiry date of a certificate accessible to current user of the device

E.g., To obtain the expiry date of a certificate with the thumbprint “D124D8B4979F396FE6D63638D97C4E9B87154AA4” from the current user’s “Personal” folder, use the command:

Get-Childitem cert:\CurrentUser\My\D124D8B4979F396FE6D63638D97C4E9B87154AA4 | Select-Object FriendlyName,NotAfter,NotBefore
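The two lookups above fail with an ItemNotFound error if the thumbprint is absent from the store, and they do not accept the serial number that the certutil examples use. The following function is an added example (not Hexnode's own script) that looks a certificate up by thumbprint or serial number in any store, normalizes the identifier, handles the not-found case, and reports how many days remain. The store paths and identifiers in the usage lines are placeholders.

```powershell
# Added example: look up one certificate by thumbprint or serial number and
# report its validity window. Not part of the original article.
function Get-CertValidity {
    param(
        [Parameter(Mandatory)] [string] $StorePath,   # e.g. Cert:\LocalMachine\Root (assumed input)
        [string] $Thumbprint,                        # SHA-1 thumbprint, any case, spaces/colons allowed
        [string] $SerialNumber                       # serial number as shown by certutil
    )
    if (-not $Thumbprint -and -not $SerialNumber) {
        throw 'Specify -Thumbprint or -SerialNumber.'
    }
    # The Cert: provider exposes both values as upper-case hex without separators.
    $tp = ($Thumbprint   -replace '[\s:]', '').ToUpperInvariant()
    $sn = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()

    # Enumerate the store and match in PowerShell instead of building a path,
    # so a missing certificate yields an empty result rather than an exception.
    $certs = Get-ChildItem -Path $StorePath -ErrorAction Stop | Where-Object {
        ($tp -and $_.Thumbprint -eq $tp) -or ($sn -and $_.SerialNumber -eq $sn)
    }
    if (-not $certs) {
        Write-Warning "No certificate matching the given identifier in $StorePath"
        return
    }
    $now = Get-Date
    foreach ($c in $certs) {
        $status = if ($c.NotAfter -lt $now) { 'Expired' }
                  elseif ($c.NotBefore -gt $now) { 'NotYetValid' }
                  else { 'Valid' }
        [pscustomobject]@{
            Subject       = $c.Subject
            FriendlyName  = $c.FriendlyName
            Thumbprint    = $c.Thumbprint
            SerialNumber  = $c.SerialNumber
            NotBefore     = $c.NotBefore
            NotAfter      = $c.NotAfter
            DaysRemaining = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
            Status        = $status
        }
    }
}

# Usage with placeholder identifiers (replace with real values):
Get-CertValidity -StorePath 'Cert:\LocalMachine\Root' -Thumbprint '8F43288AD272F3103B6FB1428485EA3014C0BCFE'
Get-CertValidity -StorePath 'Cert:\CurrentUser\My'    -SerialNumber '0f40e2e91287'
```

Serial numbers are only unique per issuer, so a serial-number lookup can return more than one certificate if two CAs happen to reuse a value; the function returns every match rather than silently picking the first.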

List certificates in a folder

To list the certificates in a store with details including subject, issuer, thumbprint, friendly name and validity dates, pipe the store contents to Format-List (Format-List * shows every property, including Version and the extensions):

#ForLocalMachine

To give an example, we can list all the certificates in the “Trusted Root Certification Authorities” folder of the local machine using the command:

Get-ChildItem Cert:\LocalMachine\Root | Format-List

#ForCurrentUser

E.g., To list all the certificates in the “Personal” folder of the current user, use the command:

Get-ChildItem Cert:\CurrentUser\My | Format-List

List certificates that have expired or are nearing expiry

Admins can check which certificates have expired or are going to expire within a certain period on the local machine by comparing each certificate's NotAfter property with a cut-off date. Because the comparison is NotAfter less than the cut-off, the result includes certificates that have already expired as well as those that expire before the cut-off.

E.g., To view a list of certificates from the "Trusted Root Certification Authorities" folder that have expired or will expire within the next 60 days on the local machine:

Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(60) } | Format-List

Replace LocalMachine with CurrentUser to list certificates of the current user, and adjust the number of days to match your renewal lead time.

Find certificate details using friendly name

If you only know the friendly name of a certificate on the local machine and want to look up the rest of its details, filter the store contents on the FriendlyName property.

Replace CertificateStoreName with the name of the certificate store and FriendlyName with the friendly name of the certificate. Replace LocalMachine with CurrentUser to search the current user's stores instead. The -eq comparison is case-insensitive by default, so 'Digicert' also matches 'DigiCert'.

E.g., To find the details of a certificate with the friendly name “Digicert” stored in the “Trusted Root Certification Authorities” folder of the local machine, run the command:

Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.FriendlyName -eq 'Digicert' } | Format-List *

If you do not want to limit your search to a single store, run Get-ChildItem against the parent path (for example Cert:\LocalMachine) with the -Recurse parameter so that every store under it is searched in one pass.
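The expiry check and the recursive search above are most useful when combined into a single report that covers every store on the device. The following script is an added example (not Hexnode's own code) that walks the LocalMachine and CurrentUser hierarchies with -Recurse, keeps only certificate objects (the recursive listing also returns the store containers themselves), reports everything that has expired or expires within a threshold, and exits non-zero when anything is found. The 60-day threshold and the set of root paths are assumptions you can change.

```powershell
# Added example: report expired and soon-to-expire certificates across all
# stores on the device. Not part of the original article.
function Get-ExpiringCerts {
    param(
        [int]      $Days  = 60,                                        # assumed renewal lead time
        [string[]] $Roots = @('Cert:\LocalMachine', 'Cert:\CurrentUser') # assumed search roots
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)
    foreach ($root in $Roots) {
        # -Recurse visits My, Root, CA, Trust, ... under the root in one pass.
        # SilentlyContinue skips stores the running account cannot open.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                # Containers (X509Store objects) have no NotAfter; keep certificates only.
                $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                $_.NotAfter -lt $cutoff
            } |
            ForEach-Object {
                [pscustomobject]@{
                    # PSParentPath looks like ...Certificate::LocalMachine\Root; keep the store part.
                    Store         = $_.PSParentPath -replace '^.*::', ''
                    Subject       = $_.Subject
                    FriendlyName  = $_.FriendlyName
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    DaysRemaining = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                    # Certificates with a private key are the ones a service presents;
                    # their expiry breaks things, whereas an old CA cert in Root usually does not.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$report = Get-ExpiringCerts -Days 60 | Sort-Object NotAfter
$report | Format-Table -AutoSize

# Non-zero exit lets the management console flag devices that need attention.
if ($report) { exit 1 } else { exit 0 }
```

Negative DaysRemaining values mark certificates that have already expired. When the script is run by the management agent, the CurrentUser branch reflects the agent's own account, so check the interactive user's Personal store separately if that is what you need.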

Notes:

  • Depending on the system store you need to get the certificate from, replace CertificateStoreName with My (Personal), Root (Trusted Root Certification Authorities), CA (Intermediate Certification Authorities), Trust (Enterprise Trust), etc.
  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage or loss to the system resulting from the behavior of the script.