Returns every certificate in the local machine cert store (as the agent is run as Local System).


Store (string; optional): On Windows, the name of the store certificates are to be retrieved from. On macOS, the absolute path of the keychain entry file.

On Windows, the short name of the store is preferable. If you use a long (friendly) name, the agent will attempt to map it to a store name. For example, 'Personal' would be mapped to 'My'. The agent can translate a number of default store names. If the agent cannot translate the name supplied, it will attempt to use the supplied string as the actual name of the store and open it anyway. From v8.4, if a friendly name is used then its case is not significant.

If this is not supplied, the agent will iterate through certain predefined system stores (Personal, Intermediate Certification Authorities, Trusted Root Certification Authorities, Third-Party Certification Authorities, Enterprise Trust, Other People, Trusted People, Trusted Publisher and Untrusted Certificates) for Windows and all the system keychain entry files for MacOS, and thus you may actually get multiple hits for a particular certificate if it exists in multiple stores.

Return values

FriendlyName (string): The "friendly name" field associated with the certificate. 

This is not actually part of the certificate, and a certificate could have a different friendly name associated with it on different devices, as it can be changed after issuing.

Only available on Windows.

Subject (string): The Subject field of the certificate. This contains the Common Name of the certificate, but may also contain other entries.

Issuer (string): The Issuer field of the certificate. This contains the Issuer of the certificate.

IssuerThumbprint (string): The thumbprint (SHA1 hash) of the issuing certificate. Empty if this is a root certificate or the issuer is unavailable. New in v8.1.

Only available on Windows.

Thumbprint (string): The SHA1 hash of the certificate, it identifies the certificate and is globally unique.

EffectiveDate (string): The date at which the certificate becomes valid. ('NotBefore')

ExpirationDate (string): The date at which the certificate is no longer valid. ('NotAfter')

SerialNumber (string): The serial number of the certificate. Do NOT use this to uniquely identify a certificate.

SerialNumber is only unique to the CA that issued the certificate; it is not globally unique.

StoreName (string): The long name of the store the certificate was retrieved from.


Get information about all certificates in the local machine's certificate store:


On WIndows, get just "My" certificates:

Security.GetCertificates(Store: "My");

On Mac, get just system keychain certificates:

Security.GetCertificates(Store: "/Library/Keychains/System.keychain");
  • Windows
  • MacOS New in v8.4

Use the Windows command certutil -enumstore to see mappings of the short name to long (friendly) name of all the certificate stores on your PC.
For example:

  My                 "Personal" "
  Root               "Trusted Root Certification Authorities"
  Trust              "Enterprise Trust"
  CA                 "Intermediate Certification Authorities"
  TrustedPublisher   "Trusted Publishers"
  Disallowed         "Untrusted Certificates"
  AuthRoot           "Third-Party Root Certification Authorities"
  TrustedPeople      "Trusted People"
  ClientAuthIssuer   "Client Authentication Issuers"
  ADDRESSBOOK        "Other People"
  Remote Desktop     "Remote Desktop"
  REQUEST            "Certificate Enrolment Requests"
  SmartCardRoot      "Smart Card Trusted Roots"
  TrustedAppRoot     "Trusted Packaged App Installation Authorities"
  TrustedDevices     "Trusted Devices"

Use the macOS command security list-keychains to enumerate all the keychain entries.
For example:


FriendlyName and IssuerThumbprint are only available on Windows.