Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

«
»

(2012-02-10) Managing Certificates On A Windows Computer With PowerShell

Posted by Jorge on 2012-02-10


To manage certificates on a computer, you can use the “Certificates” MMC. With that MMC you scope either the (local) computer or the current user or even both. For either scope you will find different certificate stores that contain the different certificates, with or without the private key.

image

Figure 1: Scoping The Certificates MMC And The Different Certificate Stores For Either Scope

Common management tasks are shown in the pictures below.

image

Figure 2a: Common Management Tasks For Certificates (For Existing Certificates In Stores)

image

Figure 2b: Common Management Tasks For Certificates (For New Certificates)

Now this is the way of doing it through the GUI. Can you do this through PowerShell to achieve automation? Yes, you can. I will provide you with examples for a few functions.

By default, when starting PowerShell a few default PowerShell Drivers are loaded and available. To view the current available PSDrives, use the CMDlet “Get-PSDrive”.

image

Figure 3: PS Drives Loaded And Available Right After Starting PowerShell

As you can see there is a PS Drive called “cert”. That’s the one you can use to manage existing certificates through PowerShell. When you issue the PoSH command “dir cert:\” you will see the two available scopes (or locations), including the available stores.

image

Figure 4: Scopes (Locations) And The Certificate Stores

When you issue the PoSH command “dir cert:\LocalMachine” or “dir cert:\CurrentUser”, you will see all the available stores for each scope more clear.

imageimage

Figure 5: All The Certificate Stores For Each Scope (Location) (! May Be Different For Another Computer !)

When you issue the PoSH command “dir cert:\LocalMachine\<Cert Store>” or “dir cert:\CurrentUser\<Cert Store>”, you will see all the available certificates in that store.

image

Figure 6: All The Available Certificates In The Personal Store Of The Local Computer

Now with this knowledge it is possible to manage those certificates.

Exporting Certificates WITHOUT The Private Key

By using the following PoSH commands you can export the certificate to a CER file without the private key, if any.

# Find And Target The Cert Required Based Upon Some Condition
$CertToExport = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651"}

# Export The Targeted Cert In Bytes For The CER format
$CertToExportInBytesForCERFile = $CertToExport.export("Cert")

# Write The Files Based Upon The Exported Bytes
[system.IO.file]::WriteAllBytes("D:\Temp\CertToExportCERFile.CER", $CertToExportInBytesForCERFile)

Exporting Certificates WITH The Private Key

By using the following PoSH commands you can export the certificate to a PFX file with the private key and protect it with a password.

# Find And Target The Cert Required Based Upon Some Condition
$CertToExport = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651"}

# Define Cert Type When Exporting To PFX
$CertType = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx

# Define The Password To Protect The Private Key
# (ALSO see: https://jorgequestforknowledge.wordpress.com/2011/12/15/passwords-containing-special-characters-in-powershell/)
$PrivateKeyPassword = 'Pa$$w0rd'

# Export The Targeted Cert In Bytes For The PFX format While Specifying A Password
# REMARK: It Must Be Allowed To Export The Private Key, Otherwise You Will See The Error "Key not valid for use in specified state"
$CertToExportInBytesForPFXFile = $CertToExport.export($CertType, $PrivateKeyPassword)

# Write The Files Based Upon The Exported Bytes
[system.IO.file]::WriteAllBytes("D:\Temp\CertToExportPFXFile.PFX", $CertToExportInBytesForPFXFile)

Managing The Permissions On The Private Keys

By using the following PoSH commands you can manage the permissions on the private key of a certificate.

# Find And Target The Cert Required Based Upon Some Condition
$CertToAdjustPermissions = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651"}

# Possible Values For File System Based Access Rights Are
# * ListDirectory, ReadData, WriteData 
# * CreateFiles, CreateDirectories, AppendData 
# * ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# * ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes 
# * WriteAttributes, Write, Delete 
# * ReadPermissions, Read, ReadAndExecute 
# * Modify, ChangePermissions, TakeOwnership
# * Synchronize, FullControl

# Specify The User, The Permissions And The Permission Type
$ACE = "ADCORP\ADM.ROOT","Read,Synchronize","Allow"

# Define A New File System Based Access Rule Based Upon The Previus ACE
$AccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $ACE

# The Location Of The Machine Related Keys Can Be Found In The Following Location
$MachineKeysLocation = $env:ALLUSERSPROFILE + "\Microsoft\Crypto\RSA\MachineKeys\"

# Configuring ACE On Private Key Of Targeted Cert To Allow User Account To READ It (EXAMPLE!)
$KeyFileCertToAdjustPermissions = $CertToAdjustPermissions.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$KeyFileLocationCertToAdjustPermissions = $MachineKeysLocation + $KeyFileCertToAdjustPermissions

# Get The Current ACL Of The Private Key
$KeyFileCertToAdjustPermissionsACL = Get-Acl $KeyFileLocationCertToAdjustPermissions

# Add The New ACE To The ACL Of The Private Key
$KeyFileCertToAdjustPermissionsACL.SetAccessRule($AccessRule)

# Write Back The New ACL
$KeyFileCertToAdjustPermissionsACL | Set-Acl $KeyFileLocationCertToAdjustPermissions

Importing Certificates WITHOUT The Private Key

By using the following PoSH commands you can import the targeted certificate without the private key into the specified store.

# Define The Cert File To Import
$CertFileToImport = "D:\Temp\CertToImportCERFile.CER"

# Target The Cert That Needs To Be Imported
$CertToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFileToImport

# Define The Scope And Certificate Store Within That Scope To Import The Certificate Into
# Available Cert Store Scopes are "LocalMachine" or "CurrentUser"
$CertStoreScope = "LocalMachine"
# For Available Cert Store Names See Figure 5 (Depends On Cert Store Scope)
$CertStoreName = "My"
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $CertStoreName, $CertStoreScope

# Import The Targeted Certificate Into The Specified Cert Store Name Of The Specified Cert Store Scope
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$CertStore.Add($CertToImport)
$CertStore.Close()

You can also find multiple scripts about this here.

Importing Certificates WITH The Private Key

By using the following PoSH commands you can import the targeted certificate with the private key into the specified store. For this the password protecting the private key is needed.

# Define The Cert File To Import
$CertFileToImport = "D:\Temp\CertToImportPFXFile.PFX"

# Define The Password That Protects The Private Key
# (ALSO see: https://jorgequestforknowledge.wordpress.com/2011/12/15/passwords-containing-special-characters-in-powershell/)
$PrivateKeyPassword = 'Pa$$w0rd'

# Target The Cert That Needs To Be Imported
$CertToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFileToImport,$PrivateKeyPassword

# Define The Scope And Certificate Store Within That Scope To Import The Certificate Into
# Available Cert Store Scopes are "LocalMachine" or "CurrentUser"
$CertStoreScope = "LocalMachine"
# For Available Cert Store Names See Figure 5 (Depends On Cert Store Scope)
$CertStoreName = "My"
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $CertStoreName, $CertStoreScope

# Import The Targeted Certificate Into The Specified Cert Store Name Of The Specified Cert Store Scope
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$CertStore.Add($CertToImport)
$CertStore.Close()

You can also find multiple scripts about this here.

So, what else can you use? Is there more than this? Yes, there is!

After you install the Quest Active Roles Management Shell For Active Directory (download here), you get lots of additional PowerShell CMDlets to use. To find those, just issue the command “Get-Command *QAD*” or have a look at the reference information. Just download and install the snap-in. To see the available snap-ins issue the command “Get-PSSnapIn -registered”. To import the snap-in issue the command “Add-PSSnapIn Quest.ActiveRoles.ADManagement”. The following CMDlets are available:

In addition, after you install the Public Key Infrastructure PowerShell Module available on Codeplex (download here), you get lots of additional PowerShell CMDlets to manage Microsoft Certificate Authorities. Just download and install the module. To see the available modules issue the command “Get-Module -ListAvailable”. To import the module issue the command “Import-Module PKI”. The following PowerShell CMDlets are available:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

This entry was posted on 2012-02-10 at 00:06 and is filed under Active Directory Certificate Services (ADCS), PowerShell, Windows Client, Windows Server. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses to “(2012-02-10) Managing Certificates On A Windows Computer With PowerShell”

  1. SW said

    2013-05-16 at 13:42

    Great article

    Like

    Reply

    • karthik said

      2013-06-13 at 12:11

      When i import the certificate with private key the private key is storing in C:\Documents and Settings\username\Application Data\Microsoft\Crypto\RSA instead of C:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Could you please help on this.

      Like

      Reply

  2. fredric said

    2013-09-10 at 19:15

    nice

    Like

    Reply

  3. Dhiraj Upadhyay said

    2018-02-22 at 21:28

    I am struggling with taking ownership of the certificate,without which I am not able to assign permission .

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»
 
%d bloggers like this: