Certificates in Powershell

Certificates in PowerShell are generally used for authentication or encryption, and can be generated, read, and exported from the local certificate store quite easily if you know what you're doing. I don't know what I'm doing, and I had a bit of trouble writing a script that connects to Microsoft Graph with an X.509 certificate. This is for Windows – I don't really know what needs to change for Linux/Mac/etc. systems, but also, who uses PowerShell on a Mac?

Making a self-signed certificate

To make the actual certificate:

PowerShell
$Cert = New-SelfSignedCertificate -DnsName "example.com" -CertStoreLocation "Cert:\CurrentUser\My" -FriendlyName "FriendlyCertName" -Subject "Description of certificate"

That stores it in your user's personal (My) store, together with its private key. Note that -Subject is the certificate's distinguished name (the value ends up as CN=...), not a free-text description; -FriendlyName is the human-readable label. To put the certificate in the machine store instead, change -CertStoreLocation to "Cert:\LocalMachine\My"; writing there needs an elevated (Run as administrator) PowerShell session, and the key is then available to every local administrator and to services running as SYSTEM or the account you grant access.

Then you likely want to export the certificate you generated as a .cer file. Export-Certificate writes only the public certificate (DER-encoded by default); the private key stays in the store, which is exactly what you want for a file you upload to an app registration or hand to someone else. If you genuinely need the private key on another machine, that is Export-PfxCertificate with a password, and it only works if the certificate was created with an exportable key (the default -KeyExportPolicy):

PowerShell
Get-ChildItem "Cert:\CurrentUser\My\$($Cert.thumbprint)" | Export-Certificate -FilePath C:\temp\Filename.cer

If you’re looking to get super fancy with your certificate generation, keep scrolling a bit.

Reading the certificate from the .cer file

To read the cert details out of the .cer file and back into PowerShell, you can use the constructor of the X509Certificate2 .NET class, which just takes the file path:

PowerShell
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Shhh\SuperSecretCertificate.cer'

Then to get details out of that you can do things like piping to fl (Format-List) for human-readable viewing. The Thumbprint is the SHA-1 hash of the DER-encoded certificate, shown as 40 hex characters; it identifies the certificate but says nothing about whether you hold its private key (a certificate loaded from a .cer never does, so HasPrivateKey will be False).

PowerShell
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Shhh\SuperSecretCertificate.cer'

$Cert | fl

Subject      : CN=example.com
Issuer       : CN=example.com
Thumbprint   : 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
FriendlyName : 
NotBefore    : 8/10/2022 11:50:56 AM
NotAfter     : 8/10/2023 12:10:56 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
               System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

In my case, I just needed the thumbprint to put into the Connect-Graph cmdlet:

PowerShell
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Shhh\SuperSecretCertificate.cer'
$Thumbprint = $Cert.thumbprint

Connect-Graph -CertificateThumbprint $Thumbprint

Or, to be a little bit neater and save a line of code, I could have done:

PowerShell
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Shhh\SuperSecretCertificate.cer'
Connect-Graph -CertificateThumbprint $Cert.Thumbprint

Two things to know before either version works. Connect-Graph is an alias for Connect-MgGraph, and certificate (app-only) sign-in also needs -ClientId and -TenantId for the app registration the .cer was uploaded to. And -CertificateThumbprint does not use the .cer file at all: the cmdlet looks the thumbprint up in the current user's (then the machine's) personal store and signs with the private key it finds there. Reading the thumbprint from the file only works because the certificate generated earlier is still sitting in Cert:\CurrentUser\My with its private key; on any other machine the .cer alone gets you nothing.
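The whole procedure above (generate, export, read the .cer back, connect) as one script, with the checks that catch the usual failures before Connect-MgGraph does. This is an added example, not code from the original post; $ClientId, $TenantId, the subject name and the output path are placeholders you replace, and the key parameters (RSA 2048, SHA-256, non-exportable, 12 months) are choices made here rather than the cmdlet's defaults.

```powershell
# Added example (not from the original post): certificate for Microsoft Graph app-only auth.
# $ClientId, $TenantId and $CerPath are placeholders; replace them with your own values.

$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the app registration
$TenantId = 'contoso.onmicrosoft.com'                # placeholder: tenant ID or a verified domain
$CerPath  = Join-Path $env:TEMP 'GraphAppCert.cer'   # placeholder output path

# 1. Generate the key pair in the user store. NonExportable means the private key cannot
#    leave this machine as a PFX; a 12-month lifetime bounds the damage if it does leak.
$NewCert = New-SelfSignedCertificate `
    -Subject 'CN=GraphAppCert' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddMonths(12)

# 2. Export only the public certificate. This is the file you upload to the app registration;
#    it carries no private key, so it is safe to copy around.
Export-Certificate -Cert $NewCert -FilePath $CerPath | Out-Null

# 3. Read the .cer back as an X509Certificate2, exactly as the post does.
$FromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($FromFile.HasPrivateKey) { throw 'A .cer must never carry a private key; check what you exported' }

# 4. The thumbprint only helps if the store still holds the private key behind it.
$InStore = Get-Item "Cert:\CurrentUser\My\$($FromFile.Thumbprint)"
if (-not $InStore.HasPrivateKey) {
    throw "Certificate $($FromFile.Thumbprint) is in the store without a private key; Connect-MgGraph cannot sign with it"
}
if ($FromFile.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($FromFile.NotAfter); rotate it and upload the new .cer"
}

# 5. App-only sign-in. Connect-Graph is an alias of Connect-MgGraph; certificate auth needs
#    the client and tenant IDs alongside the thumbprint.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $FromFile.Thumbprint
```

If the script has to run on a server rather than the machine where you generated the key, either generate the certificate there (and upload that machine's .cer) or drop NonExportable and move it as a password-protected PFX; never ship the private key around in plain files.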

Reading Certificate Details From Local Certificate Store

Similar to above, we can read certificates from the local store.

PowerShell
# See all certificates in your personal (My) store
Get-ChildItem -Path Cert:\CurrentUser\My

# or to see them in a pretty table, including whether the private key is present
Get-ChildItem -Path Cert:\CurrentUser\My | Format-Table Subject, FriendlyName, Thumbprint, HasPrivateKey, NotAfter -AutoSize

# Find a cert based on its thumbprint: the thumbprint is the item name in the provider path,
# so it goes on the end of the path rather than as a separate argument
$Thumbprint = "<40-character thumbprint>"
Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint"

# Find a cert based on its subject (the machine store is readable without elevation)
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*localsite.com" }
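The store lookups above, pulled together into the inventory a practitioner actually wants: both personal stores, which certificates carry a private key, which are self-signed, what they are allowed to do, which expire soon, and an exact thumbprint lookup that copes with the whitespace certmgr pastes. This is an added example rather than code from the original post; $LookupThumbprint is a placeholder and the 30-day warning window is an arbitrary choice.

```powershell
# Added example (not from the original post): inventory and hygiene checks over the personal stores.
# $LookupThumbprint is a placeholder; $WarnWindow (30 days) is an arbitrary threshold.

$LookupThumbprint = 'PASTE-THUMBPRINT-HERE'
$WarnWindow = (Get-Date).AddDays(30)

# Both stores are readable without elevation; only writing to LocalMachine needs admin.
$Stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$Inventory = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        [PSCustomObject]@{
            Store         = $Store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            NotAfter      = $_.NotAfter
            DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            # Extended key usages say what the cert may be used for (Code Signing, Server Authentication, ...)
            EKU           = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        }
    }
}

$Inventory | Sort-Object NotAfter |
    Format-Table Store, Subject, Thumbprint, HasPrivateKey, SelfSigned, DaysLeft, EKU -AutoSize

# Anything expiring inside the warning window
$Inventory | Where-Object { $_.NotAfter -lt $WarnWindow } |
    ForEach-Object { Write-Warning "$($_.Subject) ($($_.Thumbprint)) expires in $($_.DaysLeft) days" }

# Thumbprint lookup. Normalise first: values copied from certmgr/mmc often contain spaces
# or an invisible leading character, and the provider stores uppercase hex.
$Normalised = ($LookupThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$Found = @($Inventory | Where-Object { $_.Thumbprint -eq $Normalised })
switch ($Found.Count) {
    0       { Write-Warning "No certificate with thumbprint $Normalised in $($Stores -join ', ')" }
    1       { $Found[0] }
    default { Write-Warning "Thumbprint $Normalised is in more than one store; prefer the entry with HasPrivateKey = True"; $Found }
}
```

The same certificate can legitimately exist in both stores (the machine copy usually from an import), which is why the lookup reports duplicates instead of silently taking the first hit.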

Getting Fancy with Generating Certificates

Sometimes the default settings aren't good enough. The examples below aren't meant to be used on their own; combine the parameters to get the certificate you need.

PowerShell
# Minimal form. With no -CertStoreLocation the cmdlet uses its default store (Cert:\CurrentUser\My
# on current Windows versions); pass -CertStoreLocation Cert:\LocalMachine\My explicitly, from an
# elevated prompt, if you want the machine store
New-SelfSignedCertificate -Subject example.com

# Adding more SANs to your certificate: the first name becomes the subject CN,
# all of them go into the Subject Alternative Name extension
New-SelfSignedCertificate -DnsName example.com,www.example.com,example.net

# Custom expiry (6 months here; the default is 1 year)
$cert = New-SelfSignedCertificate -DnsName localsite.com -NotAfter (Get-Date).AddMonths(6)
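Combining the options above into one certificate, then reading the extensions back to confirm it actually contains what was asked for (the part that usually goes wrong is the SAN list, because TLS clients match on SAN and ignore the CN). This is an added example, not code from the original post; the host names, friendly name and lifetime are placeholders, and the key usage and key size are choices made here.

```powershell
# Added example (not from the original post): a dev TLS cert with several SANs, explicit key
# parameters and a short lifetime, followed by a check of the resulting extensions.
# Host names, friendly name and lifetime are placeholders.

$Cert = New-SelfSignedCertificate `
    -DnsName 'localsite.com', 'www.localsite.com', 'api.localsite.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -FriendlyName 'localsite dev TLS' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Type SSLServerAuthentication `
    -NotAfter (Get-Date).AddMonths(6)

# Pull the extensions out by OID so the check does not depend on localised friendly names.
$San = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$Eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$Ku  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage

[PSCustomObject]@{
    Subject            = $Cert.Subject                       # CN=localsite.com (first -DnsName)
    SubjectAltNames    = $San.Format($false)                 # DNS Name=localsite.com, DNS Name=www.localsite.com, ...
    EnhancedKeyUsage   = $Eku.Format($false)                 # Server Authentication
    KeyUsage           = $Ku.Format($false)
    SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName   # sha256RSA
    NotAfter           = $Cert.NotAfter
    DaysValid          = [int]($Cert.NotAfter - $Cert.NotBefore).TotalDays
}

# Fail loudly if the name you will actually connect to is missing from the SAN list.
foreach ($Name in 'localsite.com', 'www.localsite.com', 'api.localsite.com') {
    if ($San.Format($false) -notmatch [regex]::Escape("DNS Name=$Name")) {
        throw "SAN extension is missing $Name"
    }
}
```

Because the certificate is self-signed, nothing will trust it until its public half is imported into a Trusted Root store on the client; for local development that is a deliberate, per-machine decision rather than something to script into a build.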

Making a Code Signing Certificate using Powershell

To make a certificate to sign your PowerShell scripts or other code with, use -Type CodeSigningCert, which sets the Code Signing extended key usage on the certificate. Being self-signed, it is not trusted by anything until you import it into a Trusted Root (and Trusted Publishers) store, so signatures made with it verify as UnknownError on a machine that has not done so.

PowerShell
# A subject keeps the certificate identifiable in the store
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=PowerShell Code Signing" -CertStoreLocation Cert:\CurrentUser\My
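Generating the code-signing certificate is only half of it; the useful part is signing a script, verifying it, and seeing what the verification result means. The following is an added example, not code from the original post; the script path and subject name are placeholders.

```powershell
# Added example (not from the original post): sign a script with a self-signed code-signing
# cert, verify it, and show what tampering does. Script path and subject are placeholders.

$ScriptPath = Join-Path $env:TEMP 'Hello.ps1'
Set-Content -Path $ScriptPath -Value 'Write-Output "signed hello"'

# -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3). NonExportable stops the
# signing key from being copied off this machine as a PFX.
$SignCert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=My PowerShell Code Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable

# Sign the script. The returned Status reflects trust, not whether signing worked: with an
# untrusted self-signed cert it reads UnknownError even though the signature block was
# appended (look at the end of the file).
$Sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $SignCert -HashAlgorithm SHA256
"Signing status: $($Sig.Status) ($($Sig.StatusMessage))"

# Verify. Compare the signer against the cert you expected rather than trusting Status alone;
# a Valid status only tells you some trusted cert signed it, not which one.
$Check = Get-AuthenticodeSignature -FilePath $ScriptPath
[PSCustomObject]@{
    Status       = $Check.Status
    Signer       = $Check.SignerCertificate.Subject
    Thumbprint   = $Check.SignerCertificate.Thumbprint
    ExpectedCert = ($Check.SignerCertificate.Thumbprint -eq $SignCert.Thumbprint)
}

# Tamper test: change the body after signing and the stored hash no longer matches.
(Get-Content -Path $ScriptPath) -replace 'signed hello', 'tampered' | Set-Content -Path $ScriptPath
"After edit: $((Get-AuthenticodeSignature -FilePath $ScriptPath).Status)"   # HashMismatch
```

To get Status = Valid on your own machine, export the certificate with Export-Certificate and import the .cer into Cert:\CurrentUser\Root (Windows prompts before adding a root) and Cert:\CurrentUser\TrustedPublisher with Import-Certificate; with an AllSigned execution policy, everything signed by that key then runs, so treat the private key accordingly. For signatures that must stay valid after the certificate expires, pass -TimestampServer to Set-AuthenticodeSignature, which needs network access.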
