Validate certificate chain with powershell


I’m trying to write a script which validates a certificate chain in PowerShell (that all certificates in the chain are not expired) and finds the certificate which is closest to expiration. I’m using the following script to find the issuer certificate:

Get-ChildItem -Recurse -Path Cert: | Where-Object { $_.Subject -eq $Certificate.Issuer }

For some reason, for some certificates I get more than one certificate with different thumbprints, which have the same issuer name, and I expected that there should be only one.

Is there any other property of the certificate which uniquely identifies the issuer certificate? Maybe there is some other approach to validate the certificate chain?


Check out Test-Certificate:

Tests specified certificate for certificate chain and revocation

There is a Test-Certificate cmdlet included in 4.0

I ran this on my localhost just testing it out,

It gives a nice error when a cert in the chain is expired.

WARNING: Chain status:
CERT_TRUST_IS_NOT_TIME_VALID
Test-Certificate : A required certificate is not within its validity period when verifying against
the current system clock or the timestamp in the signed file.
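
An added example, not part of the original question or answers: instead of matching issuers by subject name, let the .NET `X509Chain` class build the chain (the Windows chain engine resolves the issuer from key identifiers and signatures, not from the name alone) and then read the expiry date of every element. The function name `Get-ChainExpiry` and its parameters are hypothetical; the certificate path in the usage comment is a placeholder.

```powershell
# Added example. Get-ChainExpiry is a hypothetical helper name.
# Usage (placeholder thumbprint):
#   Get-ChainExpiry -Certificate (Get-Item Cert:\LocalMachine\My\<THUMBPRINT>)
function Get-ChainExpiry {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Revocation checking is off unless requested, so the result reflects
        # chain construction and validity periods only.
        [switch]$CheckRevocation
    )

    $mode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($CheckRevocation) {
        $mode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode = $mode

        # Build() returns $false if any element fails validation (expired,
        # untrusted root, ...); ChainElements is still populated as far as
        # the engine could resolve issuers.
        $valid = $chain.Build($Certificate)

        # Elements are ordered leaf first, root last.
        $elements = foreach ($e in $chain.ChainElements) {
            [pscustomobject]@{
                Subject    = $e.Certificate.Subject
                Thumbprint = $e.Certificate.Thumbprint
                NotAfter   = $e.Certificate.NotAfter
                Status     = ($e.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            }
        }

        [pscustomobject]@{
            Valid        = $valid
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            NextToExpire = $elements | Sort-Object NotAfter | Select-Object -First 1
            Elements     = @($elements)
        }
    }
    finally {
        $chain.Reset()   # release the chain's native handles
    }
}
```

An expired element shows `NotTimeValid` in its `Status` column, which corresponds to the `CERT_TRUST_IS_NOT_TIME_VALID` warning quoted above.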


Validate certificate chain with powershell, licensed under CC BY-SA