Manage your certificate store with PowerShell

You can use PowerShell to manage your local certificate store.

The default PowerShell Get-ChildItem cmdlet can access the local certificate store. You must start your PowerShell session as an administrator, as access might be restricted by GPO settings.

List all certificate folders on the local machine

Get-ChildItem -Path Cert:\LocalMachine\

Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Remote Desktop
Name : Root
Name : TrustedDevices
Name : SPC
Name : CA
Name : REQUEST
Name : AuthRoot
Name : WebHosting
Name : TrustedPeople
Name : My
Name : SmartCardRoot
Name : Trust
Name : Disallowed

List all available certificates for the computer

Get-ChildItem -Path Cert:\LocalMachine\My    
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
EC225A0183DC64D864C8BEA1477822858FCEC767  CN=WMSvc-EXSRV02
E2BC29B1445FD267E5A2823591A5221D67D0D94F  CN=Microsoft Exchange Server Auth Certificate
D8EE794A39A8E04BE32A1E8BED93A3C46D15E0EF  CN=EXSRV02
60246A87C12BEB365E7B4044C926587590A3D7B6  CN=mobile.mcmemail.de, O=mcmemail, C=DE
5F103D6C61BF57D86DB4AAA05597B0D1E8155884  CN=EXSRV02.mcmemail.de, CN=EXSRV02, CN=127.0.0.1, CN=localhost, O=Trend Micro.

Retrieve certificate details

The example shows a self-signed certificate of a Trend Micro ScanMail for Exchange setup.

$cert = Get-ChildItem -Path Cert:\LocalMachine\My\5F103D6C61BF57D86DB4AAA05597B0D1E8155884
$cert | fl

Subject      : CN=EXSRV02.mcmemail.de, CN=EXSRV02, CN=127.0.0.1, CN=localhost, O=Trend Micro ScanMail for Microsoft Exchange
Issuer       : CN=EXSRV02.mcmemail.de, CN=EXSRV02, CN=127.0.0.1, CN=localhost, O=Trend Micro ScanMail for Microsoft Exchange
Thumbprint   : 5F103D6C61BF57D86DB4AAA05597B0D1E8155884
FriendlyName :
NotBefore    : 17.11.2014 00:00:00
NotAfter     : 16.11.2017 00:00:00
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

A certificate issued by an Enterprise CA looks like this

$cert = Get-ChildItem -Path Cert:\LocalMachine\My\60246A87C12BEB365E7B4044C926587590A3D7B6
$cert | fl

Subject      : CN=mobile.mcmemail.de, O=mcmemail, C=DE
Issuer       : CN=mcmemail-DC01-CA, DC=mcmemail, DC=de
Thumbprint   : 60246A87C12BEB365E7B4044C926587590A3D7B6
FriendlyName : mcmemail Exchange Server 2013 Certificate
NotBefore    : 28.08.2014 15:14:04
NotAfter     : 28.08.2015 15:24:04
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
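The two listings above differ in a way that is easy to check across a whole store: the Trend Micro certificate has identical Subject and Issuer, while the Enterprise CA certificate does not, and both carry a NotAfter date. The following added example, which is not part of the original post, reports every certificate in a store with those two properties evaluated. The function name Get-CertStoreReport and its parameters are assumptions made for this example.

```powershell
# Added example: inventory a certificate store, flag self-issued and expiring certificates.
# Get-CertStoreReport, -StorePath and -WarnDays are hypothetical names chosen for this example.
function Get-CertStoreReport {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            # Subject equal to Issuer is the pattern of the self-signed certificate shown above.
            # This is a name comparison only; it does not verify the signature.
            $selfIssued = ($_.Subject -eq $_.Issuer)
            $daysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = if ($_.NotAfter -lt $now) {
                'Expired'
            } elseif ($_.NotBefore -gt $now) {
                'NotYetValid'
            } elseif ($daysLeft -le $WarnDays) {
                'ExpiringSoon'
            } else {
                'OK'
            }
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                SelfIssued    = $selfIssued
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                Status        = $status
            }
        } |
        Sort-Object NotAfter
}

# Show everything in the computer's personal store that needs attention.
Get-CertStoreReport -WarnDays 60 |
    Where-Object { $_.SelfIssued -or $_.Status -ne 'OK' } |
    Format-Table Thumbprint, Subject, SelfIssued, Status, DaysLeft -AutoSize
```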

Export a single certificate

$cert | Export-Certificate -FilePath C:\tmp\cert1.p7b -Type p7b

Directory: C:\tmp
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        23.12.2014     11:56       1380 cert1.p7b

Export multiple certificates as serialized certificates

$certarray = @()
$certarray += $cert
$cert = Get-ChildItem -Path Cert:\LocalMachine\My\D8EE794A39A8E04BE32A1E8BED93A3C46D15E0EF
$certarray += $cert
$certarray

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                                Subject
----------                                -------
60246A87C12BEB365E7B4044C926587590A3D7B6  CN=mobile.mcmemail.de, O=mcmemail, C=DE
D8EE794A39A8E04BE32A1E8BED93A3C46D15E0EF  CN=EXSRV02

$certarray | Export-Certificate -FilePath c:\tmp\certs.sst -Type SST

Directory: C:\tmp
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        23.12.2014     11:58       3056 certs.sst 

Enjoy working with certificates.

