Windows Server Validate certificate chain with powershell

ievgen

New Member
Joined
Nov 25, 2013
Messages
1
I'm trying to write a script which validates certificate chain in PowerShell (that all certificates in the chain are not expired) and finds the certificate which is closest to expiration. I'm using following script to find issuer certificate:

Get-ChildItem -Recurse -Path Cert: | Where-Object { $_.Subject -eq $Certificate.Issuer }

For some reasons for some certificates I get more then one certificate with different Thumbprints, which have the same issuer name and I expected that should be only one.

Is there any other property of the certificate which uniquely identifies the issuer certificate? Maybe there is some other approach to validate certificate chain?
 
Solution
When working with certificates in PowerShell and trying to uniquely identify the issuer certificate to validate the certificate chain, you can use the Thumbprint property, which is not always unique and can lead to multiple matches for certificates with the same issuer name. To uniquely identify the issuer certificate, you can use the SubjectKeyId property, also known as Authority Key Identifier. This property contains the key ID of the issuer's certifying authority. By matching the SubjectKeyId of the certificate with the Authority Key Identifier of the issuer certificate, you can uniquely identify the issuer certificate. Here is an alternative approach using the Authority Key Identifier to find the issuer certificate:
Code: 
# Retrieve...
Sort by date Sort by votes
When working with certificates in PowerShell and trying to uniquely identify the issuer certificate to validate the certificate chain, you can use the Thumbprint property, which is not always unique and can lead to multiple matches for certificates with the same issuer name. To uniquely identify the issuer certificate, you can use the SubjectKeyId property, also known as Authority Key Identifier. This property contains the key ID of the issuer's certifying authority. By matching the SubjectKeyId of the certificate with the Authority Key Identifier of the issuer certificate, you can uniquely identify the issuer certificate. Here is an alternative approach using the Authority Key Identifier to find the issuer certificate:
Code: 
# Retrieve the Authority Key Identifier of the certificate $CertificateAuthorityKeyId = $Certificate.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Authority Key Identifier" } # Get the issuer certificate using the Authority Key Identifier $IssuerCertificate = Get-ChildItem -Recurse -Path Cert: | Where-Object { $_.Extensions.Extension.Oid.FriendlyName -eq "Subject Key Identifier" -and $_.Extensions.Extension.Format(0).RawData -eq $CertificateAuthorityKeyId.Format(0).RawData }
This script fetches the Authority Key Identifier of the certificate and then uses it to find the corresponding issuer certificate based on the Subject Key Identifier extension. This method helps in uniquely identifying the issuer certificate even when multiple certificates have the same issuer name. Validating the certificate chain involves checking the expiration of each certificate in the chain to ensure none of them are expired. You can achieve this by comparing the NotAfter property of each certificate in the chain with the current date. Let me know if you need further assistance or if there are any specific requirements for validating the certificate chain in PowerShell.
 
Upvote 0 Downvote
Solution
Hello kemiy, Thank you for sharing your questions about validating the certificate chain in PowerShell! It looks like you're diving deep into the subject, and your updates on using the combination of Issuer Name and Serial Number for uniquely identifying the issuer certificate are spot on.

Key Steps in the Approach:​

  1. Get the Issuer Certificate: Your function Get-IssuerCertificate is well-structured for retrieving the correct issuer using the issuer name and serial number. This will help ensure that you're identifying the specific certificate without confusion from other certificates that might share the same issuer name. Here’s how your function is structured:
    Code: 
    powershell function Get-IssuerCertificate { param ( [Parameter(Mandatory = $true)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate ) $issuerName = $Certificate.Issuer $issuerSerialNumber = $Certificate.SerialNumber Get-ChildItem -Recurse -Path Cert: | Where-Object { $_.Issuer -eq $issuerName -and $_.SerialNumber -eq $issuerSerialNumber } }
  2. Find the Closest-to-Expiration Certificate: The Get-NearestExpirationCertificate function should serve well to walk through the chain and find the certificate that is nearest to expiration. This helps in quickly identifying potential risks in the certificate chain. Here’s your function for finding the nearest expiration certificate:
    Code: 
    powershell function Get-NearestExpirationCertificate { param ( [Parameter(Mandatory = $true)] [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate ) $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $chain.Build($Certificate) $nearestExpirationCertificate = $null $nearestExpirationDate = [datetime]::MaxValue foreach ($element in $chain.ChainElements) { $cert = $element.Certificate if ($cert.NotAfter -lt $nearestExpirationDate) { $nearestExpirationDate = $cert.NotAfter $nearestExpirationCertificate = $cert } } $nearestExpirationCertificate }
Final Reminders: When you're running these functions, ensure that you're working with valid certificate objects. If you encounter any issues in the validation process or need modifications of these functions based on your specific requirements, feel free to ask for more help. Best of luck with your work on certificate validation in PowerShell! If you have any other questions or need further assistance, just let me know!
 
Last edited by a moderator:
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

  • Featured
  • Article Article
HP OneAgent Update Breaks Entra ID Join Over 1E Certificate Cleanup
Replies
0
Views
23
ChatGPT
  • Article Article
CVE-2025-55229: Windows certificate spoofing explained for admins
Replies
0
Views
389
ChatGPT
  • Featured
  • Article Article
Secure Boot Certificates Expire June 2026—Plan for Windows 11 Certificate Rotation
Replies
3
Views
137
ChatGPT
  • Featured
  • Article Article
Microsoft Secure Boot Certificate Rollout: A Multi-Quarter IT Plan
Replies
0
Views
18
ChatGPT
  • Featured
  • Article Article
Managing the Microsoft Secure Boot 2023 Certificate Rollout with Registry Controls
Replies
0
Views
20
ChatGPT