Display Subject Alternative Names of a Certificate with PowerShell

Display Subject Alternative Names of a Certificate with PowerShell

Subject Alternative Names (SANs) are stored as System.Security.Cryptography.X509Certificates.X509Extension objects in the PowerShell Certificate Provider.

First you can get the cert you want to view.

  $cert = get-childitem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741

You can check the OID friendlyname of each extension to see where the subject alternative names reside, but simply viewing the extensions is not very useful since the RawData is encoded. So if the certificate that you assigned to $cert in the step above does include a subject alternative name, the command below will output a byte array, but not the human-readable text we are looking for.

  ($sanExt=$cert.Extensions | Where-Object {$_.Oid.FriendlyName -match "subject alternative name"}).RawData

However you can convert the ASN to a hex array and then decode it with the InitializeDecode method of the X509Enrollment.CX509ExtensionAlternativeNames COM object to get to human-readable text.

The whole script looks like this:

$cert=Get-ChildItem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741            
$sanExt=$cert.Extensions | Where-Object {$_.Oid.FriendlyName -match "subject alternative name"}            
$sanObjs = new-object -ComObject X509Enrollment.CX509ExtensionAlternativeNames            
$altNamesStr=[System.Convert]::ToBase64String($sanExt.RawData)            
$sanObjs.InitializeDecode(1, $altNamesStr)            
Foreach ($SAN in $sanObjs.AlternativeNames) {$SAN.strValue}

Another option to display extension value in user-friendly format is to use standard .NET X509Extension::Format() (Inherited from AsnEncodedData.) method as follows:

$cert = Get-ChildItem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741
$sanExt=$cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "subject alternative name"}
$sanExt.Format(1)

Or here's a simpler version:
$cert = Get-ChildItem cert:\localmachine\my\73844B2206C170903185E777F65E969247462741
($cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "subject alternative name"}).Format(1)

 

Leave a Comment
  • Please add 2 and 4 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Richard Mueller edited Revision 11. Comment: Removed (en-US) from title

  • Ed Price - MSFT edited Revision 10. Comment: Was missing a space. And clarified a sentence. Great article!

  • Craig Lussier edited Revision 9. Comment: added en-US to tags and title

  • Vadims Podans edited Revision 8. Comment: added advanced PowerShell example using native .NET methods

  • Craig Landis MSFT edited Revision 5. Comment: Reverting formatting.

  • Craig Landis MSFT edited Revision 4. Comment: Reverting formatting.

Page 1 of 1 (6 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Craig Landis MSFT edited Revision 4. Comment: Reverting formatting.

  • Craig Landis MSFT edited Revision 5. Comment: Reverting formatting.

  • Vadims Podans edited Revision 8. Comment: added advanced PowerShell example using native .NET methods

  • is this possible using the following :

    $cert = Get-ChildItem c:\ttemp\test13.cer

    I want to look at the SANs of a list of CERTs I have, by putting this into the above code I receive the following:

    PS C:\Windows\system32> $cert = gc c:\ttemp\test13.cer

    PS C:\Windows\system32> $sanExt=$cert.Extensions | Where-Object{$_.Oid.FriendlyName -eq "subject alternative name"}

    PS C:\Windows\system32> $sanExt.Format(1)

    You cannot call a method on a null-valued expression.

    At line:1 char:15

    + $sanExt.Format <<<< (1)

       + CategoryInfo          : InvalidOperation: (Format:String) [], RuntimeException

       + FullyQualifiedErrorId : InvokeMethodOnNull

  • Craig Lussier edited Revision 9. Comment: added en-US to tags and title

  • Ed Price - MSFT edited Revision 10. Comment: Was missing a space. And clarified a sentence. Great article!

  • Richard Mueller edited Revision 11. Comment: Removed (en-US) from title

  • you need to instantiate a X509Certificate2 object first. The first line should be:

    $cert = new-object security.cryptography.x509certificates.x509certificate2 c:\ttemp\test13.cer

Page 1 of 1 (8 items)