Get chain of certificates for a file with PowerShell?


I am looking for a method, using PowerShell only, to list the certificate chain for signed files. Specifically to get the Root certificate.

As I need to get a list of which Non-Microsoft root certificates certain executables (on installed software), are dependent on. This is due to a OS-baseline guidelines, that uses the PKI procedure in Microsoft KB293781. Where only specific Root certificates shall be put on specific computers. E.g the much used “VeriSign Class 3 Primary CA – G5”, shall only be used when necessary.

Get-AuthenticodeSignature only lists the Issuer. E.g: Get-AuthenticodeSignature C:\windows\system32\MRT.exe

Tools like “SysInternals SigCheck” is able to do this sigcheck.exe -i C:\windows\System32\mrt.exe, and this infomation can be parsed further on. Also other tools like SignTool.exe from the Windows SDK, and AnalyzePESig by Didier Stevens can get this info.

But can this be done using only PowerShell? Perhaps using the WinVerifyTrust API in Windows.



This should be possible by accessing .NET directly in PowerShell. Here’s a snippet I whipped up using the example file you had referenced in your question:

Does that give you what you were looking for?


Get chain of certificates for a file with PowerShell? by licensed under CC BY-SA | With most appropriate answer!

Leave a Reply