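<#
.SYNOPSIS
    Reconciles the LocalMachine Root certificate store against RefCerts.csv.

.DESCRIPTION
    RefCerts.csv is already generated, see blog post for more info. Only its
    Thumbprint column drives the comparison (Issuer/Subject are used for logging).

    - A thumbprint listed in the CSV but absent from the store is logged as "Missing cert".
    - A certificate in the store whose thumbprint is NOT in the CSV is logged as
      "Removing Cert" and deleted from the store.

    The CSV is therefore the trust policy for this machine: whatever is absent from it is
    removed from the Root store. Protect the file (ACLs, signing, review before running),
    and use $dryRun to inspect the log before letting the script delete anything.

.NOTES
    Thumbprints are normalised (non-hex characters stripped, upper-cased) before comparison.
    A stray space or lower-case thumbprint in the CSV would otherwise mark a trusted root as
    both "missing" and "extra", and the "extra" copy would be removed.
    Log entries are appended with Out-File -Append (the same encoding as the `>>` operator).
#>

$refCsvPath = 'RefCerts.csv'
$logPath    = 'log.txt'   # one name only; "Log.txt" vs "log.txt" would be two files on a case-sensitive filesystem
$dryRun     = $false      # $true: log what would be removed without touching the store

#######################################
# Normalise a thumbprint string for comparison.
# Arguments: $Thumbprint - raw value from the CSV or the certificate object
# Returns:   upper-case hex string, or $null when the input is blank
#######################################
function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    if ([string]::IsNullOrWhiteSpace($Thumbprint)) { return $null }
    return (($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant())
}

# --- Reference list ---------------------------------------------------------
$ref = @(Import-Csv -Path $refCsvPath)
$refThumbprints = @($ref | ForEach-Object { ConvertTo-NormalizedThumbprint $_.Thumbprint } | Where-Object { $_ })

# Refuse to act on an empty or malformed reference list: with nothing to compare
# against, every local root would be classified as "extra" and deleted.
if ($refThumbprints.Count -eq 0) {
    throw "No usable Thumbprint values found in '$refCsvPath'; refusing to modify the Root store."
}

# --- Local store snapshot (read-only) ---------------------------------------
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
try {
    $store.Open('ReadOnly')
    $localThumbprints = @($store.Certificates | ForEach-Object { ConvertTo-NormalizedThumbprint $_.Thumbprint } | Where-Object { $_ })
} finally {
    $store.Close()   # always release the store handle, even if enumeration fails
}

# --- Compare ----------------------------------------------------------------
# Exact set membership, not -match: a regex/substring match could pair a CSV row
# with the wrong certificate.
$missing = @($refThumbprints   | Where-Object { $localThumbprints -notcontains $_ })
$extra   = @($localThumbprints | Where-Object { $refThumbprints   -notcontains $_ })

# --- Report certificates missing from this machine --------------------------
foreach ($tp in $missing) {
    $row = $ref | Where-Object { (ConvertTo-NormalizedThumbprint $_.Thumbprint) -eq $tp } | Select-Object -First 1
    ('Missing cert:' + $row.Subject + ',Thumbprint:' + $row.Thumbprint) | Out-File -FilePath $logPath -Append
}

# --- Remove certificates not present in the reference list ------------------
if ($extra.Count -gt 0) {
    # Open the store once in ReadWrite mode instead of once per extra certificate.
    $rwStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    try {
        $rwStore.Open('ReadWrite')
        # @(...) takes an array snapshot so removal never mutates the collection being iterated.
        foreach ($cert in @($rwStore.Certificates)) {
            if ($extra -contains (ConvertTo-NormalizedThumbprint $cert.Thumbprint)) {
                if ($dryRun) {
                    ('Would remove Cert:' + $cert.Subject + ',Thumbprint:' + $cert.Thumbprint) | Out-File -FilePath $logPath -Append
                } else {
                    ('Removing Cert:' + $cert.Subject + ',Thumbprint:' + $cert.Thumbprint) | Out-File -FilePath $logPath -Append
                    $rwStore.Remove($cert)
                }
            }
        }
    } finally {
        $rwStore.Close()
    }
}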