Authenticating verification of certificates in PowerShell

Orichi Panthe 0 Reputation points
2024-05-14T18:11:02.2166667+00:00

Hello,

In collaboration with AI, I came up with a script for verifying the authenticity of the certificates I have on my PC. What I need to know is how serious it is if the certificate is not verified, how I should solve this situation, and what consequences it could have had so far. Is there a certificate expert who can reveal more? Thank you - below I am attaching the input command and the output for my PC.

It is possible that the function used in the command is reserved only for certain certificates, please check this option if you are an expert.

The 1st mentioned command basically only generates those certificates that have some ailment with authenticity verification, etc.

# Root and third-party root stores for both the current user and the machine
$stores = @( "Cert:\CurrentUser\Root", "Cert:\LocalMachine\Root", "Cert:\LocalMachine\AuthRoot", "Cert:\CurrentUser\AuthRoot" )

foreach ($store in $stores) {
    $certificates = Get-ChildItem -Path $store

    foreach ($certificate in $certificates) {
        # X509Certificate2.Verify() builds a chain with default policy (includes validity period and revocation)
        $verificationResult = $certificate.Verify()

        if (-not $verificationResult) {
            Write-Output "Certificate '$($certificate.Subject)' was not verified. There are authenticity issues."
        }
    }
}

The 2nd command will generate all certificates, including verified ones:

$stores = @( "Cert:\CurrentUser\Root", "Cert:\LocalMachine\Root", "Cert:\LocalMachine\AuthRoot", "Cert:\CurrentUser\AuthRoot" )
foreach ($store in $stores) {
    $certificates = Get-ChildItem -Path $store
    foreach ($certificate in $certificates) {
        $verificationResult = $certificate.Verify()
        if ($verificationResult) {
            Write-Output "Certificate '$($certificate.Subject)' was successfully verified."
        } else {
            Write-Output "Certificate '$($certificate.Subject)' was not verified. There are authenticity issues."
        }
    }
}

For the sake of clarity, I mainly needed the 1st command in PowerShell and here is my output:

Certificate 'CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com' was not verified. There are authenticity issues.
Certificate 'CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA' was not verified. There are authenticity issues.
Certificate 'CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.' was not verified. There are authenticity issues.
Certificate 'CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US' was not verified. There are authenticity issues.
Certificate 'OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network' was not verified. There are authenticity issues.
Certificate 'OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network' was not verified. There are authenticity issues.
Certificate 'CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM' was not verified. There are authenticity issues.
Certificate 'CN=DST Root CA X3, O=Digital Signature Trust Co.' was not verified. There are authenticity issues.
Certificate 'OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US' was not verified. There are authenticity issues.
Certificate 'CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE' was not verified. There are authenticity issues.
Certificate 'CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com' was not verified. There are authenticity issues.
Certificate 'CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA' was not verified. There are authenticity issues.
Certificate 'CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.' was not verified. There are authenticity issues.
Certificate 'CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US' was not verified. There are authenticity issues.
Certificate 'OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network' was not verified. There are authenticity issues.
Certificate 'OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network' was not verified. There are authenticity issues.
Certificate 'CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM' was not verified. There are authenticity issues.
Certificate 'CN=DST Root CA X3, O=Digital Signature Trust Co.' was not verified. There are authenticity issues.
Certificate 'OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US' was not verified. There are authenticity issues.
Certificate 'CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE' was not verified. There are authenticity issues.
Certificate 'CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM' was not verified. There are authenticity issues.
Certificate 'CN=DST Root CA X3, O=Digital Signature Trust Co.' was not verified. There are authenticity issues.
Certificate 'OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US' was not verified. There are authenticity issues.
Certificate 'CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE' was not verified. There are authenticity issues.
Certificate 'CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM' was not verified. There are authenticity issues.
Certificate 'CN=DST Root CA X3, O=Digital Signature Trust Co.' was not verified. There are authenticity issues.
Certificate 'OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US' was not verified. There are authenticity issues.
Certificate 'CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE' was not verified. There are authenticity issues.

BTW: The certificate 'CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com' belongs to the certificate issuer Microsoft Root Certificate Authority, which is one of Microsoft's trusted Certificate Authorities (CA). This certificate is typically used to verify the trustworthiness and authenticity of certificates that have been issued or signed by Microsoft.


1 answer

Rich Matheisen 45,186 Reputation points
    2024-05-14T19:58:31.1+00:00

    Unless you've been diligent in removing expired/archived certs from your machine(s) a lot of those "problems" aren't really problems as you probably shouldn't be checking those for validity.

    Here's one way of reducing the number of certificate failures:

    $stores = @( "Cert:\CurrentUser\Root", "Cert:\LocalMachine\Root", "Cert:\LocalMachine\AuthRoot", "Cert:\CurrentUser\AuthRoot" )
    $runtime = (Get-Date).Date
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            ForEach-Object {
                if ($_.NotBefore -lt $runtime -and $_.NotAfter -gt $runtime) {  # only check active and unexpired certs
                    # maybe include $_.Archived in that check, too
                    if (-not $_.Verify()) {
                        "In store '{0}', Certificate '{1}' was not verified. There are authenticity issues." -f $store, $_.Subject
                    }
                }
            }
    }
    

    Simply having invalid certs on a machine isn't a problem -- unless you've added an untrusted cert to the machine -- THEN it's a problem! Usually the bigger problem is someone being told a certificate can't be verified and accepting it as if it was!
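As an added example (not part of the answer above), one way to tell the harmless expired-root failures apart from the untrusted-root case the answer warns about: instead of the single true/false from `Verify()`, build an `X509Chain` for each root and read the `ChainStatus` flags that explain the failure. The severity labels are an assumption of this example, not an API convention.

```powershell
# Same four stores as in the question
$stores = @( "Cert:\CurrentUser\Root", "Cert:\LocalMachine\Root",
             "Cert:\LocalMachine\AuthRoot", "Cert:\CurrentUser\AuthRoot" )

function Get-ChainFailureReasons {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Root stores are offline trust lists; skip revocation lookups so the
    # result reflects validity period, signature and trust only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    try {
        if ($chain.Build($Certificate)) { return @() }
        # Each ChainStatus entry names one reason, e.g. NotTimeValid, UntrustedRoot, NotSignatureValid
        return @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    } finally {
        $chain.Dispose()
    }
}

$results = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @(Get-ChainFailureReasons -Certificate $cert)
        if ($reasons.Count -eq 0) { continue }
        $reasonText = $reasons -join ', '

        # Assumed classification: an expired root that otherwise chains fine is the
        # benign case; an untrusted root or a bad signature is the one worth a look.
        $severity = if ($reasonText -match 'UntrustedRoot|NotSignatureValid') { 'INVESTIGATE' }
                    elseif ($reasonText -eq 'NotTimeValid') { 'expired' }
                    else { 'other' }

        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reasons    = $reasonText
            Severity   = $severity
        }
    }
}

$results | Sort-Object Severity, NotAfter | Format-Table -AutoSize
```

Entries marked `expired` correspond to the old timestamping and legacy roots in the question's output; anything marked `INVESTIGATE` is a root the OS does not trust by itself and should be traced back to whoever installed it.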