public/Test-SSLCertificate.ps1

function Test-SSLCertificate {
    <#
.SYNOPSIS
    Test the validitiy of a given certificate.
.DESCRIPTION
    Verifies the entire certificates chain from a certificate object or hostname.
.PARAMETER Certificate
    An X509Certificate2 certificate object.
.PARAMETER RevocationMode
    The Revocation Mode to use in validation.
    NoCheck: No revocation check is performed on the certificate.
    Offline: A revocation check is made using a cached certificate revocation list (CRL).
    Online: A revocation check is made using an online certificate revocation list (CRL).
.PARAMETER ComputerName
    A hostname or Url of the server to retreive the certificate to test.
.PARAMETER Port
    The port to connect to the remote server.
.NOTES
    Test-SSLCertificate takes into consideration the status of each element in the chain.
.LINK
    Get-SSLCertificate
.LINK
    https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chain?view=net-8.0#remarks
.INPUTS
    String, X509Certificates
.OUTPUTS
    Bool
.EXAMPLE
    Get-SSLCertificate google.com | Test-SSLCertificates
    True

    Test the validity of the google SSL Certificate.
.EXAMPLE
    Test-SSLCertificate expired.badssl.com -ErrorVariable validation
    Test-SSLCertificate: Certificate failed chain validation:
    A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    False
    $validation.TargetObject.ChainElements.Certificate
    Thumbprint Subject EnhancedKeyUsageList
    ---------- ------- --------------------
    404BBD2F1F4CC2FDEEF13AABDD523EF61F1C71F3 CN=*.badssl.com, OU… {Server Authentication, Client Authentication}
    339CDD57CFD5B141169B615FF31428782D1DA639 CN=COMODO RSA Domai… {Server Authentication, Client Authentication}
    AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 CN=COMODO RSA Certi…

    Tests an invalid certificates and inspect the error in variable `$validation` for the certificate details.
.EXAMPLE
    @('expired.badssl.com', 'google.com', 'https://self-signed.badssl.com' | Get-SSLCertificate | Test-SSLCertificate -ErrorVariable +testFailures

    Run multiple tests and accumulate any failures in the variable `$testFailures`.
#>

    [CmdletBinding(DefaultParameterSetName = 'Certificate')]
    param (
        [Parameter(Mandatory, Position = 0, ValueFromPipeline, ParameterSetName = 'Certificate')]
        [Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,

        [Parameter(Position = 1, ParameterSetName = 'Certificate')]
        [Parameter(Position = 2, ParameterSetName = 'Host')]
        [Security.Cryptography.X509Certificates.X509RevocationMode]
        $RevocationMode = "Online",

        [Parameter(Mandatory, Position = 0, ParameterSetName = 'Host')]
        [Alias('Address', 'Url')]
        [string]$ComputerName,

        [Parameter(Position = 1, ParameterSetName = 'Host')]
        [ValidateRange(1, 65535)]
        [int]$Port = 443
    )

    begin {
        $Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $Chain.ChainPolicy.RevocationMode = $RevocationMode
    }

    process {

        if ($PSBoundParameters.ContainsKey('ComputerName')) {
            $Certificate = Get-SSLCertificate -ComputerName $ComputerName -Port $Port
        }

        $buildResult = $Chain.Build($Certificate)

        if (! $buildResult) {
            $exception = [Exception]::new(("Certificate failed chain validation for '{0}'.{1}{2}" -f $Certificate.Host, [System.Environment]::NewLine, ($Chain.ChainStatus.StatusInformation -join [System.Environment]::NewLine)))
            Write-Error -Exception $exception -Category SecurityError -ErrorId 100 -TargetObject $Chain
        }

        $buildResult | Write-Output
    }

    end {

    }
}