{"id":2483,"date":"2013-12-04T00:01:00","date_gmt":"2013-12-04T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/12\/04\/getting-started-with-powershell-the-certificate-provider\/"},"modified":"2013-12-04T00:01:00","modified_gmt":"2013-12-04T00:01:00","slug":"getting-started-with-powershell-the-certificate-provider","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/getting-started-with-powershell-the-certificate-provider\/","title":{"rendered":"Getting Started with PowerShell: The Certificate Provider"},"content":{"rendered":"

Summary<\/strong>: Microsoft Scripting Guy, Ed Wilson, talks about using the Windows PowerShell Certificate provider.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Today I have an excerpt from my new Microsoft Press book, Windows PowerShell 3.0 First Steps<\/a>.<\/p>\n

\"Image<\/a><\/p>\n

To find information about the Windows PowerShell Certificate provider, use the Get-Help<\/strong> cmdlet. If you are unsure what topics in Help may be related to certificates, you can use the wildcard character asterisk (*) parameter. This command is shown here:<\/p>\n

Get-Help *cer*<\/p>\n

The Certificate provider gives you the ability to sign scripts, and it allows Windows PowerShell to work with signed and unsigned scripts. It also gives you the ability to search for, copy, move, and delete certificates. With the Certificate provider, you can open the Certificates Microsoft Management Console (MMC) by using the Invoke-Item<\/strong> cmdlet. The following command illustrates this technique:<\/p>\n

Invoke-Item cert:<\/p>\n

Note <\/strong> The Certificate provider does not load by default. The module that contains the Certificate provider, Microsoft.PowerShell.Security, does not automatically import into every session. To use the Cert: drive, use the Import-Module<\/strong> cmdlet to import the module, or run a command that uses the Cert:<\/strong> drive, such as a “Set-Location Cert:<\/strong>” command.<\/p>\n

Searching for specific certificates<\/h3>\n

To search for specific certificates, you may want to examine the Subject<\/strong> property. For example, the following command examines the Subject<\/strong> property of every certificate in the CurrentUser<\/strong> <\/em>store, beginning at the root <\/em>level. It does a recursive search, and returns only the certificates that contain the word test <\/em>in some form in the Subject<\/strong> property. This command and its associated output are shown here:<\/p>\n

PS C:\\Users\\administrator.IAMMRED> dir Cert:\\CurrentUser -Recurse | ? subject -match
‘test’<\/p>\n

    Directory: Microsoft.PowerShell.Security\\Certificate::CurrentUser\\Root<\/p>\n

Thumbprint                                Subject
———-                                ——-
8A334AA8052DD244A647306A76B8178FA215F344  CN=Microsoft Testing Root Certificate A…
2BD63D28D7BCD0E251195AEB519243C13142EBC3  CN=Microsoft Test Root Authority, OU=Mi…<\/p>\n

Deleting these test <\/em>certificates simply requires piping the results of the previous command to the Remove-Item<\/strong> cmdlet.<\/p>\n

Note <\/strong> When you perform any operation that may alter system state, it is a good idea to use the Whatif<\/strong> parameter to prototype the command prior to actually executing it.<\/p>\n

The following command uses the Whatif<\/strong> parameter from Remove-Item<\/strong> to prototype the command to remove all of the certificates from the CurrentUser<\/strong> store that contain the word test <\/em>in the Subject<\/strong> <\/em>property. After completion, retrieve the command via the Up arrow and remove the Whatif<\/strong> switched parameter from the command prior to actual execution. This technique is shown here:<\/p>\n

PS C:\\Users\\administrator.IAMMRED> dir Cert:\\CurrentUser -Recurse | ? subject -match
‘test’ | Remove-Item -WhatIf<\/p>\n

What if: Performing operation “Remove certificate” on Target “Item: CurrentUser\\Root\\
8A334AA8052DD244A647306A76B8178FA215F344 “.<\/p>\n

What if: Performing operation “Remove certificate” on Target “Item: CurrentUser\\Root\\
2BD63D28D7BCD0E251195AEB519243C13142EBC3 “.<\/p>\n

PS C:\\Users\\administrator.IAMMRED> dir Cert:\\CurrentUser -Recurse | ? subject -match
‘test’ | Remove-Item<\/p>\n

Finding expiring certificates<\/h3>\n

A common task in companies that use certificates is to identify certificates that have expired or are about to expire. By using the Certificate provider, it is simple to identify expired certificates. To do this, use the NotAfter<\/strong> <\/em>property from the certificate objects that are returned from the certificate drives. One approach is to look for certificates that expire prior to a specific date, as shown here:<\/p>\n

PS Cert:\\> dir .\\\\CurrentUser -Recurse | where notafter -lt “5\/1\/2012”<\/p>\n

A more flexible approach is to use the current date. Therefore, each time the command runs, it retrieves expired certificates. This technique is shown here:<\/p>\n

PS Cert:\\> dir .\\\\CurrentUser -Recurse | where notafter -lt (Get-Date)<\/p>\n

One problem with simply using the Get-ChildItem<\/strong> cmdlet on the CurrentUser<\/strong> <\/em>store is that it returns certificate stores in addition to certificates. To obtain only certificates, you must filter out the psiscontainer<\/strong> <\/em>property.<\/p>\n

Because you will also need to filter based on date, you can no longer use the simple Where-Object<\/strong> syntax. The following command retrieves the expiration dates, the thumbprints, and the subjects of all expired certificates. It also creates a table that displays the information. (The command is a single logical command, but it is broken at the pipeline character to permit better display in the book.)<\/p>\n

PS Cert:\\> dir .\\\\CurrentUser -Recurse |
where { !$_.psiscontainer -AND $_.notafter -lt (Get-Date)}  |
ft notafter, thumbprint, subject -AutoSize –Wrap<\/p>\n

Note <\/strong> All versions of Microsoft Windows ship with expired certificates to permit verification of old executables that were signed with those certificates. Do not arbitrarily delete an expired certificate or you could cause serious damage to your system.<\/p>\n

If you want to identify certificates that will expire in the next thirty days, you use the dynamic parameter –ExpiringInDays<\/strong> from the Get-ChildItem<\/strong> cmdlet. This dynamic parameter adds to the Get-ChildItem<\/strong> cmdlet when it is used on the Cert:<\/strong> drive. The command is shown here:<\/p>\n

PS Cert:\\> Get-ChildItem -Recurse -ExpiringInDays 30<\/p>\n

To produce a useful display, select the Subject<\/strong> and the NotAfter<\/strong> parameters and sort by the NotAfter<\/strong> parameter. Then pipe the output to a table that is autosized and wrapped. The command and its output are shown here:<\/p>\n

PS Cert:\\> gci -ExpiringInDays 30 -r | select subject, notafter | sort notafter | ft
notafter, subject -a -wr<\/p>\n

NotAfter             Subject
——–             ——-
2\/12\/2013 6:34:47 PM
2\/16\/2013 2:56:37 PM CN=KenMyer@microsoft.com
3\/4\/2013 4:42:09 PM  CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation,
                     L=Redmond, S=Washington, C=US
3\/4\/2013 4:42:09 PM  CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation,
                     L=Redmond, S=Washington, C=US<\/p>\n

That is all there is to working with the Certificate provider. Join me tomorrow when I will have another excerpt from my Microsoft Press book, Windows PowerShell 3.0 First Steps.<\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/strong> <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using the Windows PowerShell Certificate provider. Microsoft Scripting Guy, Ed Wilson, is here. Today I have an excerpt from my new Microsoft Press book, Windows PowerShell 3.0 First Steps. To find information about the Windows PowerShell Certificate provider, use the Get-Help cmdlet. If you are unsure what […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[51,3,4,45],"class_list":["post-2483","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-getting-started","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using the Windows PowerShell Certificate provider. Microsoft Scripting Guy, Ed Wilson, is here. Today I have an excerpt from my new Microsoft Press book, Windows PowerShell 3.0 First Steps. To find information about the Windows PowerShell Certificate provider, use the Get-Help cmdlet. If you are unsure what […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2483"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2483\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}