Verify a local machine certificate

0

I have tested the following PowerShell command Get-ChildItem -Path Cert:\localMachine\My | Test-Certificate -Policy SSL -DNSName "dns=mydns.com"

but it shows me the following three results and I did not really get their meaning:

WARNING: Chain status:
CERT_TRUST_IS_UNTRUSTED_ROOT
Test-Certificate : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
At line:1 char:45
+ ... achine\My | Test-Certificate -Policy SSL -DNSName "mydns.com ...
    + CategoryInfo          : NotSpecified: (:Certificate) [Test-Certificate], Exception
    + FullyQualifiedErrorId : CryptographicError,Microsoft.CertificateServices.Commands.TestCertificate
False

WARNING: Chain status:
CERT_TRUST_IS_NOT_TIME_VALID
CERT_TRUST_IS_UNTRUSTED_ROOT
Test-Certificate : A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
At line:1 char:45
+ ... achine\My | Test-Certificate -Policy SSL -DNSName "mydns.com ...
    + CategoryInfo          : NotSpecified: (:Certificate) [Test-Certificate], Exception
    + FullyQualifiedErrorId : CryptographicError,Microsoft.CertificateServices.Commands.TestCertificate
False

WARNING: Chain status:
CERT_TRUST_IS_NOT_TIME_VALID
Test-Certificate : A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED)
At line:1 char:45
+ ... achine\My | Test-Certificate -Policy SSL -DNSName "mydns.com ...
    + CategoryInfo          : NotSpecified: (:Certificate) [Test-Certificate], Exception
    + FullyQualifiedErrorId : CryptographicError,Microsoft.CertificateServices.Commands.TestCertificate
False

powershell
ssl
ssl-certificate
asked on Stack Overflow Apr 30, 2019 by mamadou • edited Apr 30, 2019 by mamadou

1 Answer

0

Certificates are all about validity and the chain.

First you have a trusted root Certificate installed on your machine (e.g. VeriSign).

Certificates then can be trusted from that root certificate (e.g. 3rd party Certificate providers). And then new certificates can be trusted based on that next certificate and so on from there. e.g.

Root Certificate -> 3rd Party Certificate -> mydns.com

The first error message:

CERT_TRUST_IS_UNTRUSTED_ROOT

Means that your computer does not have the Root Certificate installed to the Trusted Publisher's location. That means your computer doesn't implicitly trust the certificate.

The second error message:

CERT_TRUST_IS_NOT_TIME_VALID

Usually means that the certificate has expired. i.e. most certificates are only valid for a year.

answered on Stack Overflow Apr 30, 2019 by HAL9256
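To see which element of the chain triggers each flag, the following script, added here as an example and not part of the answer above, builds the chain for every certificate in the local machine store with X509Chain and reports the same status flags that Test-Certificate shows. The store path and the name mydns.com come from the question; the EKU OID used to approximate -Policy SSL and the output format are assumptions.

```powershell
# Added example: explain each X509Chain status flag for certificates in
# Cert:\LocalMachine\My. The DNS name is an assumption taken from the question.
$dnsName = 'mydns.com'

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation needs network access; this example only checks trust and time,
    # which are the two flags in the question.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1), an approximation of -Policy SSL
    $serverAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($serverAuth)
    $ok = $chain.Build($cert)

    Write-Host "`n$($cert.Subject)  thumbprint=$($cert.Thumbprint)  chainValid=$ok"

    foreach ($status in $chain.ChainStatus) {
        switch ($status.Status) {
            'UntrustedRoot' {
                # last element is the self-signed root the chain terminated in
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                $inRootStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
                Write-Host "  UntrustedRoot: chain ends at '$($root.Subject)'; in LocalMachine\Root: $inRootStore"
            }
            'NotTimeValid' {
                # report every element that is outside its validity window right now
                $now = Get-Date
                foreach ($el in $chain.ChainElements) {
                    $c = $el.Certificate
                    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
                        Write-Host "  NotTimeValid: '$($c.Subject)' valid $($c.NotBefore) to $($c.NotAfter)"
                    }
                }
            }
            default { Write-Host "  $($status.Status): $($status.StatusInformation.Trim())" }
        }
    }

    # Name matching is separate from chain building; Test-Certificate -DNSName does both.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    Write-Host "  name '$dnsName' listed in certificate [$($names -join ', ')]: $($names -contains $dnsName)"
    $chain.Reset()
}
```

A certificate whose root is missing from Cert:\LocalMachine\Root will show UntrustedRoot even if it is otherwise valid, and an expired intermediate will show NotTimeValid on that element rather than on the leaf.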

User contributions licensed under CC BY-SA 3.0