Finding Expiring Certificates – Easily

We’ve all seen theĀ CertificateServicesClient #64 message that the “Certificate for local system with Thumbprint […] is about to expire or already expired.“:

CertificateExpiringEvtLog

Sometimes, it’s a pain in the arse to click through the MMC, load the Certificates snap-in, open each certificate … Powershell makes this easy. Just open a Powershell session and enter the following code:

Get-ChildItem cert:\ -recurse | Where-Object { $_.Thumbprint -like "*c11bc4e6" } | Select *

That’ll pull every certificate that looks like your thumbprint and display it:

CertificatePSOutput

Once you know you’ve got the correct one, you can delete it just as easily:

certutil -delstore my ( Get-ChildItem cert: -recurse | Where-Object { $_Thumbprint -like "*c11bc4e6" } ).Thumbprint

CertificateDeletedOk

Why am I using a non-PowerShell command? Because Powershell 2.0 doesn’t support certificate deletion using Remove-Item, or I would have piped the output to it and made it even simpler. The downside to this is you’ll have to enter the store in the command manually (the ‘my‘ above).

You can also use the Where-Object cmdlet to search for already expired, invalid, or otherwise bad certificates, and a foreach to delete them using the legacy certutil command.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>