PowerTip: Use PowerShell to Import Certificate


Summary: Use Windows PowerShell to import a certificate.

Hey, Scripting Guy! Question: How can I use Windows PowerShell to automate the installation of a certificate?

Hey, Scripting Guy! Answer: Use the Import-Certificate cmdlet, and specify the certificate store location and the path to the certificate file, for example:

Import-Certificate -FilePath c:\fso\mycert.cert -CertStoreLocation cert:\currentuser\my
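An automated install can inspect the file before it is added to a store. The following is an added example, not code from the original post: the function name Import-PinnedCertificate and the thumbprint value are hypothetical, and it assumes the caller knows the expected thumbprint in advance. It falls back to the .NET X509Store class when Import-Certificate is not available.

```powershell
# Added example, not from the original post. The function name and the
# thumbprint below are hypothetical; the file path is the one used in the post.
function Import-PinnedCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $FilePath,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint,
        [string] $CertStoreLocation = 'Cert:\CurrentUser\My'
    )

    # Parse the file without installing it, so it can be inspected first.
    $path = (Resolve-Path -LiteralPath $FilePath -ErrorAction Stop).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # Refuse anything other than the expected certificate. The -replace strips
    # spaces and hidden characters that come along when a thumbprint is pasted.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    # Refuse certificates outside their validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
        Import-Certificate -FilePath $path -CertStoreLocation $CertStoreLocation | Out-Null
    }
    else {
        # Fallback when the cmdlet is not available: same import through .NET.
        # Expects a path of the form Cert:\<Location>\<StoreName>.
        $null, $location, $name = $CertStoreLocation -split '\\'
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $name, $location
        $store.Open('ReadWrite')
        try { $store.Add($cert) } finally { $store.Close() }
    }

    # Confirm the certificate is now in the store and return it.
    Get-Item -LiteralPath (Join-Path $CertStoreLocation $cert.Thumbprint)
}

# Constructed thumbprint for illustration only.
Import-PinnedCertificate -FilePath 'C:\fso\mycert.cert' -ExpectedThumbprint '00112233445566778899AABBCCDDEEFF00112233'
```

Writing to a Cert:\LocalMachine store requires an elevated session.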

Comments (5)

  1. $user = "domain\userName"
    $pass = "pass" | ConvertTo-SecureString -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
    $computer = "10.10.10.10"
    $job = Start-Job -ScriptBlock {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\My","LocalMachine")
        $store.Open("ReadOnly")
        $store.Certificates |
        % {
            # Get all extensions for one cert
            $cert = $_
            $cert.Extensions |
            % {
                # Find "Enhanced Key Usage" extension
                $extension = $_
                If ($extension.Oid.FriendlyName -eq "Enhanced Key Usage")
                {
                    # Get all enhanced key usages for the cert
                    $enhancedKeyUsageExtension = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$extension
                    $enhancedKeyUsageExtension.EnhancedKeyUsages |
                    % {
                        # Find "Server Authentication" enhanced key usage
                        $enhancedKeyUsage = $_
                        If ($enhancedKeyUsage.FriendlyName -eq "Server Authentication")
                        {
                            # We found a cert that will get listed in Server Certificates list in IIS Manager. Show its info
                            $cert | Select Subject,Issuer,NotBefore,NotAfter,Thumbprint,SerialNumber
                        }
                    }
                }
            }
        }
        $store.Close()
    } -Credential $cred

    Wait-Job $job
    Receive-Job $job

    If I key in a user/pass that is different from the current logged in user I get the following error message. What am I missing here?

    Receive-Job : [localhost] There is an error launching the background process. Error reported: The directory name is invalid.
    At line:37 char:12
    + Receive-Job <<<< $job
    + CategoryInfo : OpenError: (:) [Receive-Job], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken

  2. Carl Kuck says:

    This doesn’t seem to work in PowerShell v4 running on Windows 7 (yeah, I know; but that’s what our customer is running…) Any ideas? Is there a snap-in or module with this? I can delete certificates just fine but that’s only the first half of the replacement process and doesn’t do much good if we can’t install the replacements…

  3. yacoob says:

    For some time now we have had the possibility to protect a certificate exported with its private key (.pfx) not only with a password, but also by limiting usage to specific AD users or groups.
    Does anybody know if it is possible to import such a certificate using PowerShell? I’m trying to do that using the permitted account but keep failing with the ‘wrong password’ information.
    Thanks in advance

    yacoob
