PowerShell Logo Small


This is the built-in help made by Microsoft for the command 'Test-Certificate', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.


Verifies a certificate according to the input parameters.


Test-Certificate [-Cert] <Certificate> [-AllowUntrustedRoot] [-DNSName <String>] [-EKU <String>] [-Policy <TestCertificatePolicy>] [-User] [<CommonParameters>]

Search powershellhelp.space


The Test-Certificate cmdlet verifies a certificate according to input parameters. The revocation status of the certificate is verified by default. If the AllowUntrustedRoot
parameter is specified, then a certificate chain is built but an untrusted root is allowed. Other errors are still verified against in this case, such as expired. If the
DNSName parameter is used, then the DNS subject alternative name is used to verify SSL policy. If the EKU parameter is used, then the specified application policy object
identifiers are used to verify the chain. If the User parameter is used, then the specified user context is used is to build and verify the chain.

Delegation may be required when using this cmdlet with Windows PowerShell® remoting and changing user configuration.



Online Version: http://go.microsoft.com/fwlink/p/?linkid=287541





PS C:\>Get-ChildItem -Path Cert:\localMachine\My | Test-Certificate -Policy SSL -DNSName "dns=contoso.com"

This example verifies each certificate in the MY store of the local machine and verifies that it is valid for SSL with the DNS name specified.


PS C:\>Test-Certificate –Cert cert:\currentuser\my\191c46f680f08a9e6ef3f6783140f60a979c7d3b -AllowUntrustedRoot -EKU "" –User

This example verifies that the provided EKU is valid for the specified certificate and its chain. Revocation checking is not performed.