Getting Started with PowerShell: The Certificate Provider

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using the Windows PowerShell Certificate provider.

Microsoft Scripting Guy, Ed Wilson, is here. Today I have an excerpt from my new Microsoft Press book, Windows PowerShell 3.0 First Steps.

To find information about the Windows PowerShell Certificate provider, use the Get-Help cmdlet. If you are unsure which Help topics relate to certificates, search Help with the asterisk (*) wildcard character. This command is shown here:

Get-Help *cer*

The Certificate provider exposes the Windows certificate stores as the Cert: drive, so you can search for, copy, move, and delete certificates with the same item cmdlets you use on the file system. The Microsoft.PowerShell.Security module that contains the provider also supplies the cmdlets that sign scripts and check signatures, which is what allows Windows PowerShell to work with signed and unsigned scripts. With the Certificate provider, you can open the Certificates Microsoft Management Console (MMC) by using the Invoke-Item cmdlet. The following command illustrates this technique:

Invoke-Item cert:

Note  The Certificate provider does not load by default. The module that contains the Certificate provider, Microsoft.PowerShell.Security, does not automatically import into every session. To use the Cert: drive, use the Import-Module cmdlet to import the module, or run a command that uses the Cert: drive, such as a "Set-Location Cert:" command.
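Because the post mentions signing as the first thing the provider enables, here is an added example (not code from the book or the post) that ties the two halves together: it picks a code-signing certificate through the Cert: drive, signs a script with it, and verifies the result. It assumes that a code-signing certificate with a private key already exists in Cert:\CurrentUser\My; the script path and the optional timestamp server are made-up values.

```powershell
# Added example, not from the book or the post: pick a code-signing certificate
# through the Cert: drive, sign a script with it, and verify the result.
# Assumptions: a code-signing certificate with a private key already exists in
# Cert:\CurrentUser\My; the script path and the optional timestamp server are made up.
Import-Module Microsoft.PowerShell.Security

$scriptPath      = Join-Path $env:TEMP 'HelloSigned.ps1'
$timestampServer = $null   # e.g. 'http://timestamp.digicert.com'; needs network access
Set-Content -Path $scriptPath -Value 'Write-Output "Hello from a signed script"'

# -CodeSigningCert is a dynamic parameter that Get-ChildItem gains on the Cert: drive:
# it returns only certificates whose Enhanced Key Usage permits code signing.
$signingCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $signingCert) {
    Write-Warning 'No unexpired code-signing certificate with a private key in Cert:\CurrentUser\My.'
    return
}

$signParams = @{ FilePath = $scriptPath; Certificate = $signingCert }
if ($timestampServer) {
    # A timestamp lets the signature verify after the certificate itself expires,
    # which is the same reason Windows keeps expired certificates in its stores.
    $signParams['TimestampServer'] = $timestampServer
}
$signed = Set-AuthenticodeSignature @signParams
$signed | Format-List Status, StatusMessage

# Verify. Status is Valid only when the signer chains to a trusted root; a self-signed
# test certificate that is not in Trusted Root yields UnknownError even though the file
# now carries a signature. Check the signer thumbprint, not just the status.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.SignerCertificate.Thumbprint -eq $signingCert.Thumbprint) {
    'Signed by {0} (status: {1})' -f $sig.SignerCertificate.Subject, $sig.Status
} else {
    Write-Warning ('Unexpected signer or no signature: status {0}' -f $sig.Status)
}

# Any change to the file after signing breaks the hash, so the status is no longer Valid.
Add-Content -Path $scriptPath -Value '# tampered after signing'
Get-AuthenticodeSignature -FilePath $scriptPath | Format-List Status, StatusMessage
```

The thumbprint comparison is the part to keep: a script can carry a perfectly good signature from a certificate you never intended to trust, and Status alone does not tell you who signed it.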

Searching for specific certificates

To search for specific certificates, you may want to examine the Subject property. For example, the following command examines the Subject property of every certificate in the CurrentUser store, beginning at the root level. It does a recursive search and returns only the certificates whose Subject property matches test. Keep in mind that -match is a case-insensitive regular-expression match, so it finds test anywhere in the subject, including inside a longer word. This command and its associated output are shown here:

PS C:\Users\administrator.IAMMRED> dir Cert:\CurrentUser -Recurse | ? subject -match 'test'

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root


Thumbprint                                Subject
----------                                -------
8A334AA8052DD244A647306A76B8178FA215F344  CN=Microsoft Testing Root Certificate A...
2BD63D28D7BCD0E251195AEB519243C13142EBC3  CN=Microsoft Test Root Authority, OU=Mi...

Deleting these test certificates simply requires piping the results of the previous command to the Remove-Item cmdlet.

Note  When you perform any operation that may alter system state, it is a good idea to use the WhatIf parameter to prototype the command prior to actually executing it. Both certificates above live in the Root store, so check each thumbprint before you remove anything: deleting a trusted root that something still depends on is hard to notice until signatures or TLS connections start failing.

The following command uses the WhatIf parameter of Remove-Item to prototype the command to remove all of the certificates from the CurrentUser store that contain the word test in the Subject property. After completion, retrieve the command via the Up arrow and remove the WhatIf switch parameter from the command prior to actual execution. This technique is shown here:

PS C:\Users\administrator.IAMMRED> dir Cert:\CurrentUser -Recurse | ? subject -match 'test' | Remove-Item -WhatIf

What if: Performing operation "Remove certificate" on Target "Item: CurrentUser\Root\
8A334AA8052DD244A647306A76B8178FA215F344 ".

What if: Performing operation "Remove certificate" on Target "Item: CurrentUser\Root\
2BD63D28D7BCD0E251195AEB519243C13142EBC3 ".

PS C:\Users\administrator.IAMMRED> dir Cert:\CurrentUser -Recurse | ? subject -match 'test' | Remove-Item

Finding expiring certificates

A common task in companies that use certificates is to identify certificates that have expired or are about to expire. By using the Certificate provider, it is simple to identify expired certificates. To do this, use the NotAfter property of the certificate objects that are returned from the Cert: drive. One approach is to look for certificates that expire prior to a specific date, as shown here:

PS Cert:\> dir .\CurrentUser -Recurse | where notafter -lt "5/1/2012"

A more flexible approach is to use the current date. Each time the command runs, it then retrieves the certificates that have expired as of that moment, and it avoids the culture-dependent parsing of a date string such as "5/1/2012". This technique is shown here:

PS Cert:\> dir .\CurrentUser -Recurse | where notafter -lt (Get-Date)

One problem with simply using the Get-ChildItem cmdlet on the CurrentUser store is that it returns certificate stores in addition to certificates. To obtain only certificates, you must filter on the PSIsContainer property, which is true for the stores and false for the certificates.

Because you will also need to filter based on date, you can no longer use the simplified Where-Object syntax, which takes a single property and comparison. The following command retrieves the expiration dates, the thumbprints, and the subjects of all expired certificates. It also creates a table that displays the information. (The command is a single logical command, but it is broken at the pipeline character to permit better display in the book.)

PS Cert:\> dir .\CurrentUser -Recurse |
where { !$_.psiscontainer -AND $_.notafter -lt (Get-Date)}  |
ft notafter, thumbprint, subject -AutoSize -Wrap

Note  All versions of Microsoft Windows ship with expired certificates to permit verification of old executables that were signed, and timestamped, while those certificates were still valid. Do not arbitrarily delete an expired certificate or you could cause serious damage to your system.

If you want to identify certificates that will expire in the next thirty days, use the -ExpiringInDays dynamic parameter of the Get-ChildItem cmdlet. This dynamic parameter is added to Get-ChildItem only when the cmdlet is used on the Cert: drive. The command is shown here:

PS Cert:\> Get-ChildItem -Recurse -ExpiringInDays 30

To produce a useful display, select the Subject and NotAfter properties and sort by the NotAfter property. Then pipe the output to a table that is autosized and wrapped. The command and its output are shown here:

PS Cert:\> gci -ExpiringInDays 30 -r | select subject, notafter | sort notafter | ft notafter, subject -a -wr

NotAfter             Subject
--------             -------
2/12/2013 6:34:47 PM
2/16/2013 2:56:37 PM CN=KenMyer@microsoft.com
3/4/2013 4:42:09 PM  CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation,
                     L=Redmond, S=Washington, C=US
3/4/2013 4:42:09 PM  CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation,
                     L=Redmond, S=Washington, C=US
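The commands above answer the question for one hive and print a table. The following added example (mine, not code from the book or the post) generalizes them into a report that covers both the CurrentUser and LocalMachine hives, keeps only certificate objects, computes the days remaining, and separates the certificates you hold a private key for (the ones that will actually break something when they expire) from the expired third-party roots and intermediates that the note above says to leave alone. The function name, its defaults, and the WithinDays value are my own choices.

```powershell
# Added example, not from the book or the post: an expiry report across both the
# CurrentUser and LocalMachine hives. Function name and defaults are assumptions.
Import-Module Microsoft.PowerShell.Security

function Get-CertificateExpiryReport {
    param(
        [int]$WithinDays = 30,
        [string[]]$Hive = @('Cert:\CurrentUser', 'Cert:\LocalMachine')
    )
    $now = Get-Date
    foreach ($path in $Hive) {
        # -ExpiringInDays is the dynamic parameter Get-ChildItem gains on the Cert: drive.
        # Errors are silenced because some LocalMachine stores are unreadable without
        # elevation; the State column below tells expired and soon-to-expire apart
        # regardless of which ones the parameter returns.
        Get-ChildItem -Path $path -Recurse -ExpiringInDays $WithinDays -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $days  = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                $state = 'Expiring'
                if ($days -lt 0) { $state = 'Expired' }
                [pscustomobject]@{
                    Store         = $_.PSParentPath -replace '^.*::'
                    State         = $state
                    DaysRemaining = $days
                    NotAfter      = $_.NotAfter
                    Subject       = $_.Subject
                    HasPrivateKey = $_.HasPrivateKey
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    Thumbprint    = $_.Thumbprint
                }
            }
    }
}

$report = Get-CertificateExpiryReport -WithinDays 30

# Actionable first: certificates this machine or user holds the private key for
# (TLS server certificates, client-auth and signing certificates).
$report | Where-Object HasPrivateKey | Sort-Object NotAfter |
    Format-Table Store, State, DaysRemaining, NotAfter, Subject -AutoSize -Wrap

# Everything else is mostly expired third-party roots and intermediates that Windows
# keeps on purpose; report them, do not delete them blindly.
$report | Where-Object { -not $_.HasPrivateKey } | Sort-Object NotAfter |
    Format-Table Store, State, DaysRemaining, Subject, SelfSigned -AutoSize -Wrap
```

Emitting objects from the function and formatting only at the end is what makes the report reusable: the same $report can be exported with Export-Csv, filtered to a single store, or fed to whatever raises the ticket, without re-running the search.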

That is all there is to working with the Certificate provider. Join me tomorrow when I will have another excerpt from my Microsoft Press book, Windows PowerShell 3.0 First Steps.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Could the search & deletion of expired certificates be done for user certificates stored in Active Directory?

  • @BrianWhy

    Yes, but the code to do so wouldn't use PowerShell's Certificate Provider.  The code to identify an expiring certificate might look something like this:

    # Requires the Active Directory module from RSAT.
    Import-Module ActiveDirectory

    $expiryDate = Get-Date

    # userCertificate is not returned by default; request it explicitly.
    $user = Get-ADUser -Identity SomeGuy -Properties userCertificate

    # The attribute holds one DER-encoded certificate per entry, each as a byte array.
    foreach ($byteArray in $user.userCertificate)
    {
       # The leading comma wraps the byte array in a one-element array so that it is
       # passed as a single constructor argument instead of being unrolled into many.
       $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$byteArray)
       if ($cert.NotAfter -lt $expiryDate)
       {
           Write-Host "User $($user.SamAccountName)'s certificate with thumbprint $($cert.Thumbprint) expired on $($cert.NotAfter)."
       }
    }