Monthly Archives: July 2013

Finding Expiring Certificates – Easily

We’ve all seen the CertificateServicesClient #64 message that the “Certificate for local system with Thumbprint […] is about to expire or already expired.“:

CertificateExpiringEvtLog

Sometimes, it’s a pain in the arse to click through the MMC, load the Certificates snap-in, open each certificate … Powershell makes this easy. Just open a Powershell session and enter the following code:

Get-ChildItem cert:\ -recurse | Where-Object { $_.Thumbprint -like "*c11bc4e6" } | Select *

That’ll pull every certificate that looks like your thumbprint and display it:

CertificatePSOutput

Once you know you’ve got the correct one, you can delete it just as easily:

certutil -delstore my ( Get-ChildItem cert: -recurse | Where-Object { $_Thumbprint -like "*c11bc4e6" } ).Thumbprint

CertificateDeletedOk

Why am I using a non-PowerShell command? Because Powershell 2.0 doesn’t support certificate deletion using Remove-Item, or I would have piped the output to it and made it even simpler. The downside to this is you’ll have to enter the store in the command manually (the ‘my‘ above).

You can also use the Where-Object cmdlet to search for already expired, invalid, or otherwise bad certificates, and a foreach to delete them using the legacy certutil command.

 

Internet Explorer 10 Removes ‘Internet Explorer Maintenance’ GPO Templates

Just a quick note that took me some time to figure out …

If you are trying to edit the “Internet Explorer Maintenance” section of a Group Policy object and it appears missing, know that the ADM templates for IE9 and earlier are removed – by the install of IE10. I can’t explain the logic, but it’s true nevertheless.

If you see this in your GPO Results/RSOP Report:
RSPOReport

Yet you don’t see the Internet Explorer Maintenance item in the GPO Editor:
Tree-No-IEM

Know that you’re not going crazy. Just uninstall IE10 and then you are able to edit that GPO section again:
Tree-With-IEM