Today I was working on a case for a customer where every web page he visited gave a security error in all browsers.
The main message was “Could not Establish a Trust”.
It was a Windows 2008 R2 Server. After validating that the name on the certificate matched the site they were trying to connect to, I looked at the certificate chain and verified it against the Trusted Root Certificate Store on the LocalMachine.
Anyway, we found that there were only 8 certificates in the Trusted Root Store, which is definitely not correct!
So we needed to take them from another box and import them, and here is a little PowerShell script to help you do it!
First we define the type variable, which tells the export later on that we want the certificate itself (no private key):
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
Next we gather all the certificates from the Trusted Root Store on a working machine:
$certs = get-childitem -path cert:\LocalMachine\AuthRoot
Finally we loop through all the certificates and, in my example, export each one to a .DER file in the c:\temp directory (the directory must already exist):
foreach($cert in $certs)
{
    # Use the certificate hash (thumbprint) as a unique file name
    $hash = $cert.GetCertHashString()
    $path = "c:\temp\" + $hash + ".der"
    [System.IO.File]::WriteAllBytes($path, $cert.Export($type))
}
Each file is named after the certificate hash.
And voila, all the root certificates have been exported and you can copy and import them on to the “broken” machine!
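To round off the procedure above, here is an added example (not from the original post) that wraps the export in a function and adds the matching import side for the broken machine, using the .NET X509Store class so it works on Windows 2008 R2 without the newer PKI module. The output folder and the store name are assumptions; note that in the cert: drive `Root` is the Trusted Root Certification Authorities store while `AuthRoot` is the Third-Party Root store, so pick the one you actually need. Before adding a certificate, the import checks that the file name really matches the certificate's thumbprint and skips anything already present.

```powershell
# Added example: export every certificate from a root store on a healthy machine
# to DER files, then import them into the same store on the broken machine.
# $exportDir and $storeName are assumptions; adjust for your environment.

$exportDir = 'C:\temp\roots'   # assumed output folder
$storeName = 'Root'            # 'Root' = Trusted Root CAs, 'AuthRoot' = Third-Party Root CAs

function Export-RootCertificates {
    param([string]$Store, [string]$OutDir)
    if (-not (Test-Path $OutDir)) {
        New-Item -ItemType Directory -Path $OutDir | Out-Null
    }
    # Cert = the public certificate only, DER encoded, no private key
    $type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
    $count = 0
    foreach ($cert in Get-ChildItem -Path "cert:\LocalMachine\$Store") {
        # File name is the SHA-1 thumbprint, so every file is unique and verifiable
        $file = Join-Path $OutDir ($cert.Thumbprint + '.der')
        [System.IO.File]::WriteAllBytes($file, $cert.Export($type))
        $count++
    }
    Write-Host "Exported $count certificates from LocalMachine\$Store to $OutDir"
}

function Import-RootCertificates {
    param([string]$Store, [string]$InDir)
    # Needs an elevated prompt: LocalMachine stores are writable by administrators only
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Store, 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($file in Get-ChildItem -Path $InDir -Filter '*.der') {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
            # Refuse files whose name does not match the certificate they contain
            if ($file.BaseName -ne $cert.Thumbprint) {
                Write-Warning "Skipping $($file.Name): thumbprint mismatch ($($cert.Thumbprint))"
                continue
            }
            # Skip certificates that are already in the store
            if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0) {
                Write-Host "Already present: $($cert.Subject)"
                continue
            }
            $store.Add($cert)
            Write-Host "Imported: $($cert.Subject)"
        }
    }
    finally {
        $store.Close()
    }
}

# On the healthy machine:
Export-RootCertificates -Store $storeName -OutDir $exportDir

# Copy the folder to the broken machine, then run there:
# Import-RootCertificates -Store $storeName -InDir $exportDir
```

Run the export on the working box, copy the folder across, and run the import from an elevated PowerShell prompt on the broken box; a quick `(Get-ChildItem cert:\LocalMachine\Root).Count` before and after shows how many roots were added.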