A pre-req for a particular application deployment is that we need a particular PKI certificate installed in the Windows Trusted Publishers cert store of the PCs before installing.
Is there any way to detect if a particular cert has already been installed? Ideally using a one-liner command or a short script (that could be used for pre-req detection, or as a dependency check in SCCM 2012)?
There seem to be lots of commands and scripts out there for listing all installed certs, or all installed certs expiring soon, but nothing that I can see for identifying if one particular cert is installed.
This is possible with a PowerShell one-liner; you just need an easy way to identify that cert (I'm using the cert's Thumbprint).
If you already have a known machine that you know definitely has the cert installed (easiest way to check interactively is by just using certmgr.msc) then you can use that machine to find the cert's thumbprint.
The following PowerShell command will list all certs installed in the Trusted Publisher store in the local machine context:
Obviously the path above can be modified, to list other cert stores, or you can view (a long list of) all locally installed certs using:
The first command should give you an output something like this:
Once you've found the Thumbprint of the cert that you're looking for, you can use that to filter the results like this:
That should return the details of the cert if it's installed, and nothing if it's not. Amongst other uses, this PowerShell one-liner can be used as a Custom Script Detection method in an SCCM 2012 Application.
(Resources used: Use PowerShell to Find Certificates that are About to Expire | PowerTip: Use PowerShell to Discover Certificate Thumbprints | Using the Where-Object Cmdlet)
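The thumbprint check described in the answer above, written out as a detection script. This is an added example, not the answer author's code: the thumbprint value is a constructed placeholder and Test-CertInstalled is a hypothetical helper name.

```powershell
# Added example. Replace the constructed placeholder below with the
# thumbprint of the certificate your deployment requires.
$RequiredThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # constructed value
$StorePath          = 'Cert:\LocalMachine\TrustedPublisher'

function Test-CertInstalled {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$Path
    )

    # Thumbprints copied from the certificate GUI often carry spaces or an
    # invisible leading character, which makes an exact match fail silently.
    # Keep only the hex digits and upper-case them before comparing.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }

    # Returns the certificate object when present, nothing when absent.
    Get-ChildItem -Path $Path -ErrorAction Stop |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
}

$cert = Test-CertInstalled -Thumbprint $RequiredThumbprint -Path $StorePath

# SCCM script detection treats "exit code 0 with output on STDOUT" as
# installed and "exit code 0 with no output" as not installed, so write
# output only when the certificate was found.
if ($cert) {
    Write-Output "Found: $($cert.Subject) (NotAfter: $($cert.NotAfter))"
}
exit 0
```

Matching on the thumbprint pins the check to one exact certificate; a reissued or renewed certificate has a different thumbprint and will not be detected until the value in the script is updated.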