Certificates are stored in the registry under the following two locations; the name of the final key is the same as the certificate thumbprint. So, provided you have the thumbprint value, you can query the correct registry key.
[HKLM\SOFTWARE\Microsoft\SystemCertificates\] [HKCU\Software\Microsoft\SystemCertificates\]
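Using the PowerShell function linked here, Get-RegistryKeyLastWriteTime (the copy reproduced below is named Get-RegistryKeyTimestamp), you can query the registry key for its Last Write Time. Note that the Last Write Time is updated whenever the key or its values are modified, so it tells you when the certificate entry was last written, which is not necessarily when it was first installed.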
The full code for the PowerShell function is reproduced below in case the link dies (this is not my work).
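Function Get-RegistryKeyTimestamp {
    <#
    .SYNOPSIS
        Returns the last write time of a registry key.

    .DESCRIPTION
        Calls the Win32 RegQueryInfoKey function (advapi32.dll) through a
        dynamically emitted P/Invoke type and converts the returned FILETIME
        into a DateTime with [datetime]::FromFileTime, which yields local time.

        The value is the key's LAST WRITE time. Any later change to the key or
        its values moves it forward, so treat it as "last modified", not as a
        creation or installation time, when using it as evidence.

    .PARAMETER RegistryKey
        An already opened Microsoft.Win32.RegistryKey (for example the output
        of Get-Item on a registry path). Accepts pipeline input.

    .PARAMETER SubKey
        Path of the sub key below RegistryHive (ByPath parameter set).

    .PARAMETER RegistryHive
        The hive to open on the target computer (ByPath parameter set).

    .PARAMETER Computername
        Computer whose registry is opened with OpenRemoteBaseKey
        (ByPath parameter set).

    .OUTPUTS
        A custom object tagged 'Microsoft.Registry.Timestamp' with the
        properties FullName, Name and LastWriteTime.

    .NOTES
        NOTE(review): [AppDomain]::CurrentDomain.DefineDynamicAssembly is a
        .NET Framework API; confirm the host before using this outside
        Windows PowerShell.
    #>
    [OutputType('Microsoft.Registry.Timestamp')]
    [cmdletbinding(
        DefaultParameterSetName = 'ByValue'
    )]
    Param (
        [parameter(ValueFromPipeline=$True, ParameterSetName='ByValue')]
        [Microsoft.Win32.RegistryKey]$RegistryKey,
        [parameter(ParameterSetName='ByPath')]
        [string]$SubKey,
        [parameter(ParameterSetName='ByPath')]
        [Microsoft.Win32.RegistryHive]$RegistryHive,
        [parameter(ParameterSetName='ByPath')]
        [string]$Computername
    )
    Begin {
        #region Create Win32 API Object
        Try {
            # Referencing the type throws if it has not been emitted yet in this session.
            [void][advapi32]
        }
        Catch {
            #region Module Builder
            $Domain = [AppDomain]::CurrentDomain
            $DynAssembly = New-Object System.Reflection.AssemblyName('RegAssembly')
            $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) # Only run in memory
            $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('RegistryTimeStampModule', $False)
            #endregion Module Builder

            #region DllImport
            $TypeBuilder = $ModuleBuilder.DefineType('advapi32', 'Public, Class')

            #region RegQueryInfoKey Method
            $PInvokeMethod = $TypeBuilder.DefineMethod(
                'RegQueryInfoKey', #Method Name
                [Reflection.MethodAttributes] 'PrivateScope, Public, Static, HideBySig, PinvokeImpl', #Method Attributes
                [IntPtr], #Method Return Type
                [Type[]] @(
                    [Microsoft.Win32.SafeHandles.SafeRegistryHandle], #Registry Handle
                    [System.Text.StringBuilder], #Class Name
                    [UInt32].MakeByRefType(), #Class Length
                    [UInt32], #Reserved
                    [UInt32].MakeByRefType(), #Subkey Count
                    [UInt32].MakeByRefType(), #Max Subkey Name Length
                    [UInt32].MakeByRefType(), #Max Class Length
                    [UInt32].MakeByRefType(), #Value Count
                    [UInt32].MakeByRefType(), #Max Value Name Length
                    [UInt32].MakeByRefType(), #Max Value Length
                    [UInt32].MakeByRefType(), #Security Descriptor Size
                    [long].MakeByRefType() #LastWriteTime
                ) #Method Parameters
            )

            $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
            $FieldArray = [Reflection.FieldInfo[]] @(
                [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
            )

            $FieldValueArray = [Object[]] @(
                'RegQueryInfoKey', #CASE SENSITIVE!!
                $True
            )

            $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder(
                $DllImportConstructor,
                @('advapi32.dll'),
                $FieldArray,
                $FieldValueArray
            )

            $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
            #endregion RegQueryInfoKey Method

            [void]$TypeBuilder.CreateType()
            #endregion DllImport
        }
        #endregion Create Win32 API object
    }
    Process {
        #region Constant Variables
        $ClassLength = 255
        [long]$TimeStamp = $null
        #endregion Constant Variables

        # Keys opened by this function (ByPath) are closed in Finally; a key
        # supplied by the caller stays open because the caller owns it.
        $BaseKey = $null
        $OpenedHere = $False

        Try {
            #region Registry Key Data
            If ($PSCmdlet.ParameterSetName -eq 'ByPath') {
                #Get registry key data
                $BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($RegistryHive, $Computername)
                $RegistryKey = $BaseKey.OpenSubKey($SubKey)
                If ($RegistryKey -isnot [Microsoft.Win32.RegistryKey]) {
                    Throw "Cannot open or locate $SubKey on $Computername"
                }
                $OpenedHere = $True
            }
            ElseIf ($null -eq $RegistryKey) {
                Throw "No registry key was supplied"
            }

            # The class-name buffer must be at least as large as the length
            # reported to RegQueryInfoKey, so give it that capacity explicitly
            # instead of whatever capacity the key name happens to produce.
            $ClassName = New-Object System.Text.StringBuilder -ArgumentList $ClassLength
            $RegistryHandle = $RegistryKey.Handle
            #endregion Registry Key Data

            #region Retrieve timestamp
            # Only the class buffer and the last write time are requested;
            # every other out parameter is passed as null.
            $Return = [advapi32]::RegQueryInfoKey(
                $RegistryHandle,
                $ClassName,
                [ref]$ClassLength,
                $Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$Null,
                [ref]$TimeStamp
            )

            Switch ($Return) {
                0 {
                    #Convert High/Low date to DateTime Object
                    $LastWriteTime = [datetime]::FromFileTime($TimeStamp)

                    #Return object
                    $Object = [pscustomobject]@{
                        FullName = $RegistryKey.Name
                        Name = $RegistryKey.Name -replace '.*\\(.*)','$1'
                        LastWriteTime = $LastWriteTime
                    }
                    $Object.pstypenames.insert(0,'Microsoft.Registry.Timestamp')
                    $Object
                }
                122 {
                    Throw "ERROR_INSUFFICIENT_BUFFER (0x7a)"
                }
                Default {
                    Throw "Error ($return) occurred"
                }
            }
            #endregion Retrieve timestamp
        }
        Finally {
            If ($OpenedHere) {
                $RegistryKey.Close()
            }
            If ($null -ne $BaseKey) {
                $BaseKey.Close()
            }
        }
    }
}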
# Example: read a key's last write time and list every property of the result.
# "HKLM:" is the path exactly as given on this page; to date a certificate,
# point Get-Item at that certificate's own key (the one named after its
# thumbprint) under one of the SystemCertificates locations.
$RegistryKey = Get-Item -Path "HKLM:"
$RegistryKey |
    Get-RegistryKeyTimestamp |
    Format-List