Installing Certificates on Windows
Using PowerShell to install into the Local Computer store
Writing to the LocalMachine store can only be done from an elevated (Administrator) PowerShell session.
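# Installing into Cert:\LocalMachine\Root makes this certificate a trust anchor
# for every user, service and application on the machine, so inspect the file
# before importing it rather than trusting whatever 'cert.crt' currently holds.
$certPath = 'cert.crt'
$cert = Get-PfxCertificate -FilePath $certPath

# A Root store entry should be a self-signed CA certificate. Subject == Issuer
# is a heuristic for "self-signed"; an intermediate belongs in
# Cert:\LocalMachine\CA and an end-entity cert in Cert:\LocalMachine\My.
if ($cert.Subject -ne $cert.Issuer) {
    throw "$certPath is not self-signed (Subject '$($cert.Subject)', Issuer '$($cert.Issuer)'); it does not belong in the Root store."
}

# Print what is about to become trusted so the thumbprint can be compared
# with the value published by the CA operator.
$cert | Format-List Subject, Thumbprint, NotBefore, NotAfter

Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath $certPath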
Viewing certificate store contents
# Dump the contents of the stores that decide what this machine (and the
# current user) trusts: own certs (My), trust anchors (Root) and code-signing
# publishers (TrustedPublisher). Sorted by Subject so unexpected entries in
# Root / TrustedPublisher are easy to spot.
$storePaths = @(
    'Cert:\LocalMachine\My'
    'Cert:\LocalMachine\Root'
    'Cert:\LocalMachine\TrustedPublisher'
    'Cert:\CurrentUser\My'
    'Cert:\CurrentUser\Root'
    'Cert:\CurrentUser\TrustedPublisher'
)
foreach ($storePath in $storePaths) {
    Get-ChildItem $storePath | Sort-Object -Property Subject
}
Viewing cert information from extensions
# Show all relevant local computer certificate information, limited to
# certificates that carry a Subject Alternative Name extension.
$sanOid = '2.5.29.17'   # id-ce-subjectAltName
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $hasSan = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid })
    if (-not $hasSan) { continue }

    # DnsNameList is the Cert: provider's decoded view of the SAN DNS entries.
    [PSCustomObject]@{
        Subject    = $cert.Subject
        IssuingCA  = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DnsNames   = ($cert.DnsNameList -join ', ')
    }
}
Viewing certs and validating the trust chain
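# Build and validate the trust chain of every local-computer certificate and
# report the result. RevocationMode 'Online' fetches CRL/OCSP data over the
# network, so on a host without that access expect RevocationStatusUnknown /
# OfflineRevocation in ChainStatus rather than 'Success'.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        # 'NoFlag' grants no exemptions: untrusted root, time validity and
        # revocation problems all make Build() return $false.
        $chain.ChainPolicy.VerificationFlags = 'NoFlag'
        $chain.ChainPolicy.VerificationTime = Get-Date
        $isTrusted = $chain.Build($cert)

        # ChainStatus keeps the original flag list; StatusDetail adds the
        # human-readable text from each X509ChainStatus entry.
        if ($isTrusted) {
            $statusFlags = 'Success'
            $statusDetail = ''
        } else {
            $statusFlags = ($chain.ChainStatus | Select-Object -ExpandProperty Status) -join ', '
            $statusDetail = ($chain.ChainStatus |
                ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }

        # Extract SAN (DNS names)
        $san = $cert.DnsNameList -join ', '

        [PSCustomObject]@{
            Subject       = $cert.Subject
            IssuingCA     = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DnsNames      = $san
            Trusted       = $isTrusted
            ChainStatus   = $statusFlags
            StatusDetail  = $statusDetail
            ChainElements = ($chain.ChainElements |
                ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        }
    } finally {
        # X509Chain wraps native handles; release them per iteration instead
        # of leaving one chain per certificate for the GC.
        $chain.Dispose()
    }
}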
end