Capturing SSL errors

The ServerCertificateValidationCallback provides an opportunity to analyze errors raised during certificate validation.

The callback is invoked asynchronously (in response to an event), so variables created within the class or script block are not available to the PowerShell session itself. Information may instead be exported to a file using a command such as Export-Clixml.

Invoke-WebRequest might throw an error if the validation callback is used. However, if validating the certificate and the response to the web request is of lesser importance, System.Net.WebClient may be used instead.

A number of arguments are passed to the ServerCertificateValidationCallback. The following example provides parameters for each of the arguments:

using namespace System.Security.Cryptography.X509Certificates

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [Object]$sender,
        [X509Certificate2]$certificate,
        [X509Chain]$chain,
        [System.Net.Security.SslPolicyErrors]$sslPolicyErrors
    )

    # Variables set here are not visible to the session, so the arguments
    # are serialized to a file for later inspection.
    [PSCustomObject]@{
        Sender          = $sender
        Certificate     = $certificate
        Chain           = $chain
        SslPolicyErrors = $sslPolicyErrors
    } | Export-Clixml $env:TEMP\CertValidation.xml

    # Returning $true accepts the certificate regardless of any errors found.
    return $true
}

$webClient = New-Object System.Net.WebClient
$webClient.DownloadString('https://expired.badssl.com/') | Out-Null

$certValidation = Import-Clixml $env:TEMP\CertValidation.xml

Once the content of the XML file has been loaded, the content may be investigated. For example, the certificate that was exchanged can be viewed:

$certValidation.Certificate 

Or the captured chain can be used to inspect every certificate in the chain:

$certValidation.Chain.ChainElements | Select-Object -ExpandProperty Certificate 

The ChainStatus property exposes details of any errors during chain validation:

$certValidation.Chain.ChainStatus 

The ChainStatus is summarized by the SslPolicyErrors property.

PowerShell should be restarted to reset the certificate policies to system defaults.
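A variation on the callback above, added here as an example and not part of the original text: it records the certificate and ChainStatus details to a log file but returns $true only when SslPolicyErrors is None, so the capture does not weaken validation. The log path under $env:TEMP is an assumed location, and the request to expired.badssl.com is expected to fail.

```powershell
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [Object]$sender,
        [X509Certificate2]$certificate,
        [X509Chain]$chain,
        [SslPolicyErrors]$sslPolicyErrors
    )

    # Assumed log location; the path is built inside the block because the
    # callback runs outside the script's normal scope.
    $logPath = Join-Path $env:TEMP 'CertValidationLog.xml'

    # Keep only plain, serializable detail rather than the whole Sender object.
    [PSCustomObject]@{
        Timestamp       = Get-Date
        Subject         = $certificate.Subject
        Thumbprint      = $certificate.Thumbprint
        NotAfter        = $certificate.NotAfter
        SslPolicyErrors = $sslPolicyErrors.ToString()
        ChainStatus     = @($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        })
        ChainSubjects   = @($chain.ChainElements | ForEach-Object {
            $_.Certificate.Subject
        })
    } | Export-Clixml -Path $logPath

    # Accept the certificate only when validation raised no policy errors.
    return ($sslPolicyErrors -eq [SslPolicyErrors]::None)
}

$webClient = New-Object System.Net.WebClient
try {
    $webClient.DownloadString('https://expired.badssl.com/') | Out-Null
} catch {
    # The expired certificate is rejected, but the callback has already logged it.
    Write-Warning "Request failed: $($_.Exception.GetBaseException().Message)"
}

Import-Clixml -Path (Join-Path $env:TEMP 'CertValidationLog.xml') | Format-List

# Clear the callback so later requests in this session use the default policy.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
```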