The ServerCertificateValidationCallback delegate provides an opportunity to analyze errors during certificate validation.
The callback runs asynchronously (in response to an event), so variables created within the script block are not available to the calling PowerShell session. Information may instead be exported to a file using a command such as Export-Clixml.
Invoke-WebRequest might throw an error when the validation callback is used. If the goal is to inspect the certificate and the content of the web response is less important, System.Net.WebClient may be used instead.
A number of arguments are passed to the ServerCertificateValidationCallback. The following example declares a parameter for each of those arguments:
using namespace System.Security.Cryptography.X509Certificates

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [Object]$sender,
        [X509Certificate2]$certificate,
        [X509Chain]$chain,
        [System.Net.Security.SslPolicyErrors]$sslPolicyErrors
    )

    # The callback cannot set session variables, so the arguments are
    # written to a file for inspection after the request completes.
    [PSCustomObject]@{
        Sender          = $sender
        Certificate     = $certificate
        Chain           = $chain
        SslPolicyErrors = $sslPolicyErrors
    } | Export-Clixml "$env:TEMP\CertValidation.xml"

    # Accept the certificate unconditionally so the request completes
    # and the recorded chain can be examined.
    return $true
}

$webClient = New-Object System.Net.WebClient
$webClient.DownloadString('https://expired.badssl.com/') | Out-Null

$certValidation = Import-Clixml "$env:TEMP\CertValidation.xml"
Once the content of the XML file has been loaded, the content may be investigated. For example, the certificate that was exchanged can be viewed:
$certValidation.Certificate
Or the Chain property can be used to inspect all of the certificates in the certificate chain:
$certValidation.Chain.ChainElements | Select-Object -ExpandProperty Certificate
The ChainStatus property exposes details of any errors during chain validation:
$certValidation.Chain.ChainStatus
The ChainStatus is summarized by the SslPolicyErrors property.
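As an added example (not part of the original text), the same callback reworked so that it records the validation details of each request to a file but only accepts certificates that .NET itself found free of policy errors, and then restores the default behaviour. It assumes Windows PowerShell 5.1 on .NET Framework, where WebClient honours ServicePointManager, and that the two badssl.com hosts are reachable; the log path and host names are constructed for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

# Constructed log path; one JSON record per validation is appended here.
$logPath = Join-Path $env:TEMP 'CertValidation.jsonl'
Remove-Item $logPath -ErrorAction SilentlyContinue

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [Object]$sender,
        [X509Certificate2]$certificate,
        [X509Chain]$chain,
        [SslPolicyErrors]$sslPolicyErrors
    )
    # Only plain values are recorded. The path is rebuilt here because the
    # callback cannot see variables from the calling session.
    $record = [PSCustomObject]@{
        Host            = if ($sender -is [System.Net.HttpWebRequest]) { $sender.RequestUri.Host } else { $null }
        Subject         = $certificate.Subject
        Thumbprint      = $certificate.Thumbprint
        NotAfter        = $certificate.NotAfter
        SslPolicyErrors = $sslPolicyErrors.ToString()
        ChainStatus     = @($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        })
    }
    Add-Content -Path (Join-Path $env:TEMP 'CertValidation.jsonl') -Value ($record | ConvertTo-Json -Compress)

    # Accept only when the built-in validation reported no policy errors.
    return $sslPolicyErrors -eq [SslPolicyErrors]::None
}

$webClient = New-Object System.Net.WebClient
foreach ($url in 'https://expired.badssl.com/', 'https://badssl.com/') {
    try {
        $webClient.DownloadString($url) | Out-Null
        "$url : accepted"
    } catch {
        "$url : rejected ($($_.Exception.GetBaseException().Message))"
    }
}

# Restore default validation so later requests in the session are unaffected.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null

# Read the records back; ChainStatus explains the SslPolicyErrors summary.
Get-Content $logPath | ConvertFrom-Json | Format-List Host, SslPolicyErrors, ChainStatus
```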