In the Active Directory world, not all Trusted Root Certificates are equal.

For a CA to issue smart card logon certificates or domain controller certificates, that CA's certificate needs to exist in the NTAuth store. Microsoft has a nice article on how to add CA certificates to this store.

But when we want to clean out the store, or just verify which CAs are in it, I couldn't find a simple command. So I built one.

A list of the certificate authorities in NTAuth in my test domain:
# NTAuthCertificates lives in the forest Configuration partition, so resolve that naming
# context from the RootDSE instead of building it from the current domain's DN (which
# only works in the forest root domain).
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$Certificates = Get-ADObject "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$ConfigNC" -Properties cACertificate
Write-Host "Found $(([array]$Certificates.cACertificate).Count) certificates in NTAuth store"
# cACertificate is multi-valued; each value is the DER-encoded certificate of one CA.
ForEach ($Certificate in ($Certificates.cACertificate | ForEach-Object { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_) }))
{
  Write-Host "`t $($Certificate.Subject) [$($Certificate.Issuer)] $(Get-Date $Certificate.NotBefore -Format 'yyyy-MM-dd') - $(Get-Date $Certificate.NotAfter -Format 'yyyy-MM-dd')"
}
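Listing the store is the first half of the job; the second half is deciding whether every entry belongs there, since any CA in NTAuth can issue certificates the KDC will accept for logon. The following is an added example, not code from the original post: it reads the same NTAuthCertificates object, then cross-references each entry against the enterprise CAs published under CN=Enrollment Services in the same Configuration partition, and flags entries that are expired, not yet valid, or not backed by a published enterprise CA. It assumes the ActiveDirectory module is available and that the account running it can read the Configuration partition (the default for domain users); the helper name ConvertTo-X509 and the status labels are my own.

```powershell
# Added example (not from the original post): audit the NTAuth store against the
# enterprise CAs published under CN=Enrollment Services and flag entries for review.
Import-Module ActiveDirectory

# Both containers live in the forest Configuration partition; resolve it from RootDSE.
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"

# Hypothetical helper: turn a DER byte[] from AD into an X509Certificate2 object.
function ConvertTo-X509 {
    param([byte[]]$Raw)
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Raw)
}

# Certificates NTAuth trusts for smart card logon / DC certificate issuance.
$NtAuth      = Get-ADObject "CN=NTAuthCertificates,$PkiBase" -Properties cACertificate
$NtAuthCerts = @($NtAuth.cACertificate | ForEach-Object { ConvertTo-X509 $_ })

# CAs that are actually published as enterprise CAs (one pKIEnrollmentService object per CA).
$EnrollmentCAs = Get-ADObject -SearchBase "CN=Enrollment Services,$PkiBase" `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties cACertificate, dNSHostName
$PublishedThumbprints = @{}
foreach ($CA in $EnrollmentCAs) {
    foreach ($Raw in $CA.cACertificate) {
        $Cert = ConvertTo-X509 $Raw
        $PublishedThumbprints[$Cert.Thumbprint] = "$($CA.Name) ($($CA.dNSHostName))"
    }
}

# Build one review row per NTAuth entry. An entry with no matching published CA is not
# necessarily rogue (a deliberately trusted third-party CA looks the same), but it is the
# entry you want a human to confirm before leaving it in the store.
$Now = Get-Date
$Report = foreach ($Cert in $NtAuthCerts) {
    $Status = @()
    if ($Cert.NotAfter  -lt $Now) { $Status += 'EXPIRED' }
    if ($Cert.NotBefore -gt $Now) { $Status += 'NOT-YET-VALID' }
    if (-not $PublishedThumbprints.ContainsKey($Cert.Thumbprint)) { $Status += 'NOT-A-PUBLISHED-ENTERPRISE-CA' }
    [pscustomobject]@{
        Subject     = $Cert.Subject
        Issuer      = $Cert.Issuer
        NotBefore   = $Cert.NotBefore.ToString('yyyy-MM-dd')
        NotAfter    = $Cert.NotAfter.ToString('yyyy-MM-dd')
        Thumbprint  = $Cert.Thumbprint
        PublishedAs = $PublishedThumbprints[$Cert.Thumbprint]
        Status      = if ($Status) { $Status -join ',' } else { 'OK' }
    }
}

Write-Host "Found $($NtAuthCerts.Count) certificates in NTAuth store"
$Report | Format-Table -AutoSize
```

Run it from any domain-joined machine with RSAT; the Thumbprint column is what you would use to match an entry against your PKI inventory before removing it, and keeping the output from a known-good run lets you diff the store later and spot a certificate that appeared without a corresponding CA deployment.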