Working with SSL certificate chains in PowerShell

Posted: (EET/GMT+2)


When troubleshooting HTTPS connections and TLS errors, it is often useful to inspect the full certificate chain a remote server presents. PowerShell can do this directly with .NET classes: HttpWebRequest and its ServicePoint perform the handshake and expose the server certificate, and X509Chain builds and validates the chain.

Let's take an example. To retrieve and print the chain for a remote host, you can say:

$url = "https://www.microsoft.com"
$req = [Net.HttpWebRequest]::Create($url)
$resp = $req.GetResponse()        # performs the TLS handshake; throws if the server certificate fails validation
$resp.Close()
# ServicePoint.Certificate is an X509Certificate; X509Chain.Build() expects an X509Certificate2
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$ok = $chain.Build($cert)         # $false if the chain does not validate; ChainElements is still populated
$chain.ChainElements | ForEach-Object {
    $_.Certificate | Select-Object Subject, Issuer, NotAfter
}
if (-not $ok) {
    # explain why the chain failed (untrusted root, expired, revoked, ...)
    $chain.ChainStatus | Select-Object Status, StatusInformation
}

This lists each certificate from the leaf (element 0) up to the root, with its expiry date. Two caveats apply. First, GetResponse() validates the server certificate and throws when it is untrusted, expired or has a name mismatch, so this approach only reaches the chain of servers that already validate, which is rarely the case you are troubleshooting. Second, X509Chain.Build() assembles the chain from the local trust store and, by default, checks revocation online, so the result reflects what this machine trusts rather than necessarily the exact intermediates the server sent; when Build() returns $false, ChainStatus says why. ServicePoint is also a .NET Framework mechanism, so on PowerShell 7 ServicePoint.Certificate may not be populated. With those limits in mind, you can use this in scripts that check certificate health across multiple servers.
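The following is an added example, not code from the original post: it performs the handshake with SslStream and records the certificate chain and policy errors inside the validation callback, so it works on both Windows PowerShell 5.1 and PowerShell 7 and still returns the chain when validation fails. The function name Get-TlsChainReport and its parameters are assumptions for illustration.

```powershell
# Added example (not from the original post). Connects to $HostName:$Port, completes
# a TLS handshake and captures what .NET saw during certificate validation.
function Get-TlsChainReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    # Hashtable so the callback can fill it in by reference.
    $result = [ordered]@{
        Host         = $HostName
        Port         = $Port
        Protocol     = $null
        PolicyErrors = $null   # SslPolicyErrors flags: None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        ChainStatus  = @()     # per-chain problems (untrusted root, expired, revoked, ...)
        Chain        = @()     # leaf first, then issuers, as .NET built it from what the server sent
    }

    # The callback receives the leaf certificate, the chain .NET built during the handshake,
    # and the aggregated policy errors. It returns $true ONLY so the handshake completes for
    # inspection; no application data is ever sent over this stream, and this callback must
    # never be reused for real traffic. The chain object is disposed after the handshake, so
    # everything is copied out here rather than read later.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $result.PolicyErrors = $sslPolicyErrors
        $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
        $result.Chain = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                NotBefore  = $_.Certificate.NotBefore
                NotAfter   = $_.Certificate.NotAfter
                Thumbprint = $_.Certificate.Thumbprint
            }
        })
        return $true
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            # $HostName is sent as SNI, so name-based virtual hosts return the right certificate.
            $ssl.AuthenticateAsClient($HostName)
            $result.Protocol = $ssl.SslProtocol
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }

    [pscustomobject]$result
}

# Usage: one report per host; PolicyErrors is 'None' for a valid chain.
$report = Get-TlsChainReport -HostName 'www.microsoft.com'
$report | Select-Object Host, Protocol, PolicyErrors
$report.Chain | Format-Table Subject, Issuer, NotAfter -AutoSize
$report.ChainStatus
```

To check many servers, pipe a list of host names into ForEach-Object and call the function for each; hosts whose PolicyErrors is anything other than None, or whose leaf NotAfter is within your renewal window, are the ones to look at. The callback deliberately accepts every certificate, which is why the function opens its own throwaway connection rather than changing ServicePointManager.ServerCertificateValidationCallback globally.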

For local certificate store inspection, you can query certificates with:

Get-ChildItem Cert:\LocalMachine\My | Select Subject, NotAfter
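As an added example (not from the original post), the same store query extended into a small health check: it lists certificates in the local machine's personal store that are expired or expire within a given number of days, with the fields you usually need when deciding what to renew. Get-ExpiringCertificate, -WithinDays and -StorePath are assumed names.

```powershell
# Added example (not from the original post). Reports expired and soon-to-expire
# certificates in a local certificate store.
function Get-ExpiringCertificate {
    param(
        [int]    $WithinDays = 30,
        [string] $StorePath  = 'Cert:\LocalMachine\My'   # the local computer's personal store
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    # The Cert: provider returns X509Certificate2 objects, so all properties are available.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Subject            = $_.Subject
                Issuer             = $_.Issuer
                Thumbprint         = $_.Thumbprint
                NotAfter           = $_.NotAfter
                DaysLeft           = [math]::Floor(($_.NotAfter - $now).TotalDays)   # negative once expired
                HasPrivateKey      = $_.HasPrivateKey        # only these can serve as this host's TLS identity
                SelfSigned         = ($_.Subject -eq $_.Issuer)
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
            }
        } |
        Sort-Object NotAfter
}

# Usage: everything expiring in the next 30 days, soonest first.
Get-ExpiringCertificate -WithinDays 30 | Format-Table -AutoSize
```

Point -StorePath at Cert:\LocalMachine\Root or Cert:\CurrentUser\My to check other stores; an expiring entry without a private key is usually an issuer certificate rather than something this host serves.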

PowerShell's direct access to the .NET cryptography classes makes it a handy tool for verifying SSL/TLS details without external utilities.