Dear all
In order to enable Secure LDAP on a lot of domain controllers I have placed certificates in the ADDS service cert store on all the domain controllers.
I can see the certificates here using the cert MMC
Or like this:

C:\>reg query HKLM\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\5A0856802EAB54E70D6B062B3C564A8F9B153A80
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\FA63CA2CACA5130168929DA6C08C0544847A0B80

(numbers changed from the original ones)

How can I from a command line or PowerShell read the expiry date of these certificates?

In PowerShell I cannot figure out how to get to the ADDS/NTDS service store with “Get-ChildItem cert:\”. It seems I can only browse the current user’s certificates and the Local Machine store:

PS C:\> Get-ChildItem cert:\

Location   : CurrentUser
StoreNames : {SmartCardRoot, UserDS, AuthRoot, CA...}

Location   : LocalMachine
StoreNames : {SmartCardRoot, Remote Desktop, AuthRoot, CA...}

With CertUtil I cannot figure out the syntax for “–store –service” to show me the certificates.

C:\>certutil -store –service NTDS\My
NTDS\My
CertUtil: -store command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.


Hope that someone knows the answer.
If I cannot get the data I am looking for via certutil or PowerShell, perhaps I can somehow manipulate the data in the registry to get it transformed into the data I am looking for?
Best regards
Jakob
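
The registry route the question ends on, as an added example that is not part of the original post: it reads the Blob value under each thumbprint key in the NTDS service store path shown above and reports the expiry date. It assumes the Blob is a serialized certificate element made of records (property id, flag, length, data), with property id 32 carrying the DER-encoded certificate; the function name Get-CertFromRegistryBlob is hypothetical.

```powershell
# Added example: list expiry dates of certificates in the NTDS service store
# by decoding the registry "Blob" value of each thumbprint key.
# Assumption: Blob = sequence of records <propId:uint32><flag:uint32><length:uint32><data>,
# where propId 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
$storePath = 'HKLM:\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
$CERT_CERT_PROP_ID = 32

function Get-CertFromRegistryBlob {
    param([Parameter(Mandatory = $true)][byte[]]$Blob)

    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $start  = $offset + 12

        # Refuse to read past the end of a damaged or unexpected Blob.
        if ($start + $length -gt $Blob.Length) { throw 'Truncated record in Blob' }

        if ($propId -eq $CERT_CERT_PROP_ID) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $start, $der, 0, $length)
            # The (,$der) form passes the byte array as one constructor argument.
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset = $start + $length   # skip properties we do not need
    }
    throw 'No encoded certificate record found in Blob'
}

Get-ChildItem -Path $storePath | ForEach-Object {
    $blob = (Get-ItemProperty -Path $_.PSPath -Name Blob).Blob
    $cert = Get-CertFromRegistryBlob -Blob $blob
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
} | Sort-Object NotAfter | Format-Table Thumbprint, NotAfter, DaysLeft, Subject -AutoSize
```

Run it in an elevated session on the domain controller; certificates at the top of the table expire first.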