I'm trying to write a script which validates certificate chain in PowerShell (that all certificates in the chain are not expired) and finds the certificate which is closest to expiration. I'm using following script to find issuer certificate:
Get-ChildItem -Recurse -Path Cert: | Where-Object { $_.Subject -eq $Certificate.Issuer }
For some reasons for some certificates I get more then one certificate with different Thumbprints, which have the same issuer name and I expected that should be only one.
Is there any other property of the certificate which uniquely identifies the issuer certificate? Maybe there is some other approach to validate certificate chain?
There are two different implementations of Test-Certificate.
Check out Vadim Podans' PowerShell function Test-Certificate from 2009: https://web.archive.org/web/20240000000000*/poshcode.org/1633 (Archived from the dead original at https://poshcode.org/1633)
Tests specified certificate for certificate chain and revocation
There is a Test-Certificate cmdlet included in PowerShell 4.0
http://technet.microsoft.com/en-us/library/hh848639.aspx
I ran this on my localhost just testing it out,
Get-childitem cert: -recurse | %{ write-host $_ ; Test-Certificate -cert $_ }
It gives a nice error when a cert in the chain is expired.
WARNING: Chain status: CERT_TRUST_IS_NOT_TIME_VALID Test-Certificate : A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.