Use this PowerShell script to verify whether certificates in your store have a trusted root and a valid chain of trust. The script outputs certificate details to a CSV file, making it easy to identify which certificates are trusted.
Example output
<#
.SYNOPSIS
Validates the certificate chain for all certificates in specified stores.
.NOTES
Author: Julian Dalley
Version: 1.0
Date: 2025-09-25
Description: Uses .NET X509Chain to validate the certificate chain for each certificate.
#>
# Ensure script runs with elevated privileges
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit
}
# Function to validate certificate chain
function Test-CertificateChain {
param (
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$isValid = $chain.Build($Certificate)
return [PSCustomObject]@{
Subject = $Certificate.Subject
Issuer = $Certificate.Issuer
Thumbprint = $Certificate.Thumbprint
NotBefore = $Certificate.NotBefore
NotAfter = $Certificate.NotAfter
StoreLocation = $Certificate.PSParentPath
ChainIsValid = $isValid
ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
ChainStatusInfo = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
}
}
# Certificate store paths
$storePaths = @(
"cert:\CurrentUser\My",
"cert:\LocalMachine\My",
"cert:\CurrentUser\CA",
"cert:\LocalMachine\CA"
)
# Collect and validate certificates
$results = foreach ($storePath in $storePaths) {
try {
Get-ChildItem -Path $storePath -ErrorAction Stop | ForEach-Object {
Test-CertificateChain -Certificate $_
}
} catch {
Write-Warning "Failed to access store: $storePath. Error: $_"
}
}
# Export results to CSV
$timestamp = Get-Date -f yyyy-MM-dd-HH.mm.ss
$csvPath = "C:\Temp\CertificateChainValidation_$timestamp.csv"
$results | Export-Csv -Path $csvPath -NoTypeInformation
Write-Host "Certificate chain validation results exported to '$csvPath'."Was this helpful?
0/255
Upload Attachment
File Upload
Maximum file
size allowed is 3 MB.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files
(.csv) Speadsheets (.xlsx, .xls)
Are you sure you want to cancel the case creation?
Case closed successfully
File Upload
Maximum file size allowed is 3 MB.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files
(.csv) Speadsheets (.xlsx, .xls)
Are you sure you want to close this case
| Products | Region | Phone Numbers |
|---|---|---|
| FlexNet Operations FlexNet Embedded FlexNet Publisher FlexNet Connect FlexNet Code Insight InstallAnywhere InstallShield |
North America * |
+1 630-332-2513 (toll) +1 877-279-2853 (toll-free in North America) |
| Europe * |
+44 1925 944367 (toll) +44 800 047 8642 (toll-free in Europe) |
|
| Japan * | +81 3-4540-5335 (select option 2) | |
| Australia * |
+61 3 9895 2177 +61 1800 560 603 (toll-free in Australia) |
|
|
Usage Intelligence (formerly
Revulytics) Compliance Intelligence |
Please use the Case Portal to submit your support ticket or reach out to your Revenera contact. | |
File Upload
Maximum file
size allowed is 3 MB.
Supported file types:
Documents (.txt, .doc, .docx, .pdf), Images (.jpg, .png), Comma Separated Files
(.csv) Speadsheets (.xlsx, .xls)
Case id: 00001065
Activity: Status change: 2 hours ago