Certs don't always use the fqdn as the CN. We need to rely on the actual cert name instead.
This is especially true when Windows hostnames are in upper case and the cert name is lowercase.
var_cmd = "powershell @(get-childitem certificate::localmachine/my ^| where-object { $_.issuer -eq '#{issuer_subject}' -and $_.subject -eq 'CN=#{Facter['fqdn'].value}' -and $_.hasprivatekey} ^| sort-object -property notafter -descending)[0].thumbprint"
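
The selection that command performs, modelled in Ruby over a constructed certificate listing, to show why a lookup keyed on the FQDN misses a certificate issued under a different cert name. This is an added example, not code from the module; `Cert`, `STORE`, `newest_thumbprint` and every sample value are assumptions.

```ruby
# Constructed stand-in for a LocalMachine\My listing. All values are made up;
# the thumbprints are labelled placeholders, not real hashes.
Cert = Struct.new(:subject, :issuer, :not_after, :has_private_key, :thumbprint)

STORE = [
  Cert.new('CN=web01.example.test', 'CN=Example Puppet CA',
           Time.utc(2024, 1, 1), true, 'THUMBPRINT-OLD'),
  Cert.new('CN=web01.example.test', 'CN=Example Puppet CA',
           Time.utc(2029, 1, 1), true, 'THUMBPRINT-NEW'),
  Cert.new('CN=web01.example.test', 'CN=Other CA',
           Time.utc(2031, 1, 1), true, 'THUMBPRINT-OTHER-CA'),
  Cert.new('CN=web01.example.test', 'CN=Example Puppet CA',
           Time.utc(2032, 1, 1), false, 'THUMBPRINT-NO-KEY')
].freeze

# Same steps as the pipeline: keep certs with the expected issuer, the
# expected subject and a private key, then take the one that expires last.
# Both sides are downcased so a case difference alone cannot cause a miss.
# Returns nil when nothing in the store matches.
def newest_thumbprint(store, issuer_subject, name)
  wanted_subject = "cn=#{name}".downcase
  wanted_issuer  = issuer_subject.downcase
  match = store
          .select { |c| c.issuer.downcase == wanted_issuer }
          .select { |c| c.subject.downcase == wanted_subject }
          .select(&:has_private_key)
          .max_by(&:not_after)
  match&.thumbprint
end

if __FILE__ == $PROGRAM_NAME
  issuer = 'CN=Example Puppet CA'
  # Hypothetical host whose FQDN is not the name the cert was issued under.
  fqdn      = 'WEB01.CORP.EXAMPLE.TEST'
  cert_name = 'web01.example.test'
  puts "by fqdn:      #{newest_thumbprint(STORE, issuer, fqdn).inspect}"
  puts "by cert name: #{newest_thumbprint(STORE, issuer, cert_name).inspect}"
end
```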