Test-Certificate

Syntax

Test-Certificate
    [-Policy <TestCertificatePolicy>]
    [-User]
    [-EKU <String[]>]
    [-DNSName <String>]
    [-AllowUntrustedRoot]
    [-Cert] <Certificate>
    [<CommonParameters>]

Description

The Test-Certificate cmdlet verifies a certificate according to input parameters. The revocation status of the certificate is verified by default. If the AllowUntrustedRoot parameter is specified, then a certificate chain is built but an untrusted root is allowed. Other errors are still verified against in this case, such as expired. If the DNSName parameter is used, then the DNS subject alternative name is used to verify SSL policy. If the EKU parameter is used, then the specified application policy object identifiers are used to verify the chain. If the User parameter is used, then the specified user context is used is to build and verify the chain.

Delegation may be required when using this cmdlet with Windows PowerShell remoting and changing user configuration.

Examples

EXAMPLE 1

Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-Certificate -Policy SSL -DNSName 'dns=contoso.com'

This example verifies each certificate in the MY store of the local machine and verifies that it is valid for SSL with the DNS name specified.

EXAMPLE 2

$params = @{
    Cert = 'Cert:\CurrentUser\My\191C46F680F08A9E6EF3F6783140F60A979C7D3B'
    AllowUntrustedRoot = $true
    EKU = '1.3.6.1.5.5.7.3.1'
    User = $true
}
Test-Certificate @params

This example verifies that the provided EKU is valid for the specified certificate and its chain. Revocation checking is not performed.

Parameters

-AllowUntrustedRoot

-Cert

-DNSName

-EKU

-Policy

-User

Inputs

Microsoft.CertificateServices.Commands.Certificate

The Certificate object can either be provided as a Path object to a certificate or an X509Certificate2 object.

Outputs

Boolean

If the verification succeeds, then the return value is True; otherwise the return value is False.

Related Links

• Get-ChildItem