Display Subject Alternative Names of a Certificate with PowerShell

Subject Alternative Names (SANs) are stored as System.Security.Cryptography.X509Certificates.X509Extension objects in the PowerShell Certificate Provider.

First, get the certificate you want to view.

  $cert = get-childitem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741

You can check the OID friendlyname of each extension to see where the subject alternative names reside, but simply viewing the extensions is not very useful since the RawData is encoded. So if the certificate that you assigned to $cert in the step above does include a subject alternative name, the command below will output a byte array, but not the human-readable text we are looking for.

  ($sanExt=$cert.Extensions | Where-Object {$_.Oid.FriendlyName -match "subject alternative name"}).RawData

However, you can convert the ASN.1-encoded RawData to a Base64 string and then decode it with the InitializeDecode method of the X509Enrollment.CX509ExtensionAlternativeNames COM object to get human-readable text.

The whole script looks like this:

  $cert = Get-ChildItem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741
  $sanExt = $cert.Extensions | Where-Object {$_.Oid.FriendlyName -match "subject alternative name"}
  $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
  # Base64-encode the ASN.1 bytes; the COM decoder takes an encoded string, not a byte array
  $altNamesStr = [System.Convert]::ToBase64String($sanExt.RawData)
  # 1 = XCN_CRYPT_STRING_BASE64 (the encoding of the string being passed in)
  $sanObjs.InitializeDecode(1, $altNamesStr)
  foreach ($SAN in $sanObjs.AlternativeNames) {$SAN.strValue}

Another option for displaying the extension value in a user-friendly format is the standard .NET X509Extension.Format() method (inherited from AsnEncodedData):

  $cert = Get-ChildItem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741
  $sanExt = $cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "subject alternative name"}
  # The argument is the multiLine flag; 1 is converted to $true (one name per line)
  $sanExt.Format(1)

Or here's a simpler version:

  $cert = Get-ChildItem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741
  ($cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "subject alternative name"}).Format(1)
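
The Format() approach above, wrapped for auditing several certificates at once. This is an added example, not code from the original article: Get-CertSan and New-SampleCert are hypothetical helper names, the sample certificates are constructed in memory, and PowerShell 5 or later is assumed. It matches the extension by OID value (2.5.29.17) rather than by the localized friendly name, and returns an empty SAN for certificates that lack the extension.

```powershell
# Added example; Get-CertSan and New-SampleCert are hypothetical helper names.
function Get-CertSan {
    [CmdletBinding()]
    param(
        # Works for cert: provider items and for X509Certificate2 objects loaded from files
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Match the OID value (2.5.29.17 = subjectAltName); FriendlyName text is localized
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            # No SAN extension: return $null instead of failing with InvokeMethodOnNull
            SAN        = if ($sanExt) { $sanExt.Format($true).Trim() } else { $null }
        }
    }
}

# Constructed sample input: throwaway self-signed certificates built in memory
# (CertificateRequest needs .NET Framework 4.7.2+ or PowerShell 6+).
function New-SampleCert([string]$Subject, [string[]]$DnsNames) {
    $rsa    = [System.Security.Cryptography.RSA]::Create(2048)
    $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $req    = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new($Subject, $rsa, $sha256, $pkcs1)
    if ($DnsNames) {
        $builder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
        foreach ($name in $DnsNames) { $builder.AddDnsName($name) }
        $req.CertificateExtensions.Add($builder.Build())
    }
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now, $now.AddDays(1))
}

# One certificate with a SAN extension and one without
$withSan = New-SampleCert 'CN=san.example.test' @('san.example.test', 'www.example.test')
$noSan   = New-SampleCert 'CN=nosan.example.test'
$withSan, $noSan | Get-CertSan | Format-List
```

To audit a store instead of the sample certificates, pipe the output of Get-ChildItem cert:\localmachine\my into Get-CertSan.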

 

Wiki - Revision Comment List(Revision Comment)
  • Richard Mueller edited Revision 11. Comment: Removed (en-US) from title

  • Ed Price - MSFT edited Revision 10. Comment: Was missing a space. And clarified a sentence. Great article!

  • Craig Lussier edited Revision 9. Comment: added en-US to tags and title

  • Vadims Podans edited Revision 8. Comment: added advanced PowerShell example using native .NET methods

  • Craig Landis MSFT edited Revision 5. Comment: Reverting formatting.

  • Craig Landis MSFT edited Revision 4. Comment: Reverting formatting.

Comments
  • Is this possible using the following:

    $cert = Get-ChildItem c:\ttemp\test13.cer

    I want to look at the SANs of a list of CERTs I have. By putting this into the above code I receive the following:

    PS C:\Windows\system32> $cert = gc c:\ttemp\test13.cer
    PS C:\Windows\system32> $sanExt=$cert.Extensions | Where-Object{$_.Oid.FriendlyName -eq "subject alternative name"}
    PS C:\Windows\system32> $sanExt.Format(1)
    You cannot call a method on a null-valued expression.
    At line:1 char:15
    + $sanExt.Format <<<< (1)
       + CategoryInfo          : InvalidOperation: (Format:String) [], RuntimeException
       + FullyQualifiedErrorId : InvokeMethodOnNull

  • You need to instantiate an X509Certificate2 object first. The first line should be:

    $cert = new-object security.cryptography.x509certificates.x509certificate2 c:\ttemp\test13.cer
