Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain, but customers are unable to add new posts or comment on existing ones. Please feel free to join our Community Discord for any questions and discussions.

Looking for a way to inventory all SSL certificates

I have multiple certs with different expiration dates on lots of servers. Is there a way, maybe via the registry or WMI, to query and store the cert info for each computer? This way, if I have to find every server with an SSL certificate named "x", I can find every server and go update them. Thanks.

1

Comments

13 comments
  • Am I allowed to comment on my own posts? ha. I found a way to do it in PowerShell, so I ran the following:

    # -match takes a regular expression, so the literal * and the dots have to be escaped
    # (an unescaped leading * is a regex syntax error); replace {my_domain} with your domain
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match '\*\.{my_domain}\.com' }

    That found all the wildcard certs on a server. I then ran that against all servers and looked at the results. It worked great....BUT.... I would like to be able to query using PowerShell and bring the results back into the PDQ database so I can report on the results, rather than run a tool in real time. Any ideas? Any plans for allowing me to run a PowerShell query and bring the results back into a "PowerShell results" tab so I can query for it? Thanks

    0
  • Any plans for allowing me to run a powershell query and bring the results back into a "Powershell results" tab so I can query for it?

    Yes! We are working on a PowerShell scanner that will do exactly this. I don't have an ETA on when it will be available, but I'm hopeful that it will be sometime this year.

    0
  • Colby - I hate to bump an old thread, but is this feature closer to having an ETA?  This would be a great addition to the product!

    0
  • Sorry, no ETA. We're working on it, but it's difficult to say at this point when it will be ready.

    0
  • We would also very much like this functionality.  I have not found any way to pull a certificate list through WMI and I can get it very easily through PS.

    0
  • Here is a nice way to keep track of all your domain certs and their expiration.

    # -Match takes a regex, so escape the dot; Cert:\ -Recurse walks the CurrentUser stores as well as LocalMachine
    Get-ChildItem Cert:\ -Recurse | Where-Object { $_.Subject -Match '\.yourdomain\.com' } | Select-Object Subject, NotAfter

    0
  • I know this is an old post but but is there a scanner for this yet?

    0
  • I just had to go through this.  I created a PowerShell scanner:

    This one was specific to my domain, but could be easily modified

    # -Match takes a regex, so escape the dot (an unescaped . matches any character)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -Match '\.mydomain\.com' } | Select-Object Subject, Thumbprint, Issuer, NotBefore, NotAfter

    Something like this should get you all the certs for a machine:

    Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint, Issuer, NotBefore, NotAfter

    Then I could build dynamic collections based on thumbprint, etc.

    1
  • rmcintire I have this working with PowerShell and it brings back the info to PDQ. I use the PowerShell scanner and the following code:

    # -Match takes a regex, so escape the dot
    Get-ChildItem Cert:\ -Recurse | Where-Object { $_.Subject -Match 'yourdomain\.com' } | Select-Object Subject, Issuer, NotBefore, NotAfter

    Change "yourdomain.com" to your domain.

    This brings back all the certs into PDQ and then you can build reports based on things like names, start date, end date, cert issuer, etc.

    I have scheduled reports that let my team know, quarterly, when certs are coming due.


    1
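Pulling the one-liners from the scanner comment and the reporting comment above into one reusable script. This is an added example and not code from the thread, from PDQ, or from any of the posters: it assumes a Windows host where the Cert: provider adds the DnsNameList property to each certificate, uses GetNameInfo('SimpleName') to read the CN, and matches the domain against the SAN DNS names as well as the Subject (a cert whose domain appears only in the SAN is missed by a Subject-only filter). The function names, the expiry-window logic, and the server names in the usage lines are all this example's own inventions; the claim that a scanner's output object properties become the fields available to collections and reports is an assumption, based on the comments above.

```powershell
# Added example, not code from the thread or from PDQ. One object per
# certificate in the machine's personal store, shaped so that a PDQ
# PowerShell scanner, Export-Csv, or a scheduled report can consume it.
function Get-CertificateInventory {
    [CmdletBinding()]
    param(
        # Literal domain suffix such as 'mydomain.com'. Matched against the
        # Subject CN and every SAN DNS name; an empty string returns all certs.
        [string] $Domain = '',
        # Certificates with this many days or fewer left get ExpiringSoon = $true.
        [int] $ExpiresWithinDays = 90,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    # -match takes a regex, so escape the dots: 'mydomain.com' -> 'mydomain\.com'.
    # The trailing $ keeps 'mydomain.com.example' from matching.
    $pattern = if ($Domain) { [regex]::Escape($Domain) + '$' } else { $null }
    $now = Get-Date

    # Store containers show up as items when -Recurse is used; skip them.
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $cert = $_
            # GetNameInfo(SimpleName) returns the CN without splitting the DN by hand.
            $cn = $cert.GetNameInfo('SimpleName', $false)
            # DnsNameList is added by the Cert: provider (assumption: Windows host);
            # it holds the SAN DNS names, or the CN when there is no SAN extension.
            $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            $names = @(@($cn) + $dnsNames | Where-Object { $_ } | Select-Object -Unique)

            # Inside ForEach-Object, return skips just this certificate.
            if ($pattern -and -not ($names | Where-Object { $_ -match $pattern })) { return }

            $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            [PSCustomObject]@{
                ComputerName    = $env:COMPUTERNAME
                CommonName      = $cn
                Subject         = $cert.Subject
                DnsNames        = ($dnsNames -join ';')
                IsWildcard      = [bool]($names | Where-Object { $_.Contains('*') })
                Thumbprint      = $cert.Thumbprint
                Issuer          = $cert.Issuer
                NotBefore       = $cert.NotBefore
                NotAfter        = $cert.NotAfter
                DaysUntilExpiry = $daysLeft
                Expired         = ($daysLeft -lt 0)
                ExpiringSoon    = ($daysLeft -ge 0 -and $daysLeft -le $ExpiresWithinDays)
                HasPrivateKey   = $cert.HasPrivateKey
            }
        }
}

# Run the same function on several servers over WinRM and keep one CSV.
# A PDQ scanner runs the script on each target itself; this is the
# plain-PowerShell equivalent for shops without it.
function Export-CertificateInventory {
    param(
        [string[]] $ComputerName,
        [string] $Domain = '',
        [string] $Path = '.\cert-inventory.csv'
    )
    # ${function:Name} is the function's script block, param block included,
    # so it can be shipped to the remote session as-is; -ArgumentList binds
    # positionally, so $Domain lands in the first parameter.
    Invoke-Command -ComputerName $ComputerName `
                   -ScriptBlock ${function:Get-CertificateInventory} `
                   -ArgumentList $Domain |
        Sort-Object NotAfter |
        Export-Csv -Path $Path -NoTypeInformation
}

# Local run: this is the whole body of a scanner script, since the emitted
# objects (assumption) become the fields used for collections and reports.
Get-CertificateInventory -Domain 'mydomain.com' -ExpiresWithinDays 60 |
    Sort-Object NotAfter |
    Format-Table CommonName, IsWildcard, Thumbprint, NotAfter, DaysUntilExpiry, ExpiringSoon -AutoSize

# Remote collection across constructed host names:
# Export-CertificateInventory -ComputerName 'web01','web02' -Domain 'mydomain.com'
```

Filtering on Thumbprint rather than Subject is the safer key for "find every server that has cert x": two certificates can share a Subject (the old one and its renewal), but the thumbprint is the hash of the exact certificate. The DaysUntilExpiry and ExpiringSoon fields are what a quarterly report would sort or filter on, and HasPrivateKey separates the certificates a server actually serves from CA or client certificates that merely sit in the same store.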
  • Thank you Avi-Solomon and Mike Kercher. This is just what I needed.

    0
  • This is working well

    # -Match takes a regex, so escape the dot
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -Match '\.mydomain\.com' } | Select-Object Subject, Thumbprint, Issuer, NotBefore, NotAfter

    How can I get a report now? I can't find a way to build a report from the output log.

    0
  • You can build collections based on the PS Scanner results and then generate reports on those collections.

    0
  • Thanks, found it!

    0