Export all your Trusted Root Certificate from Local Machine store


Today I was working on a case for a customer where every web page he visited he got a security error in all browsers.

The main message was “Could not Establish a Trust”

It was a Windows 2008 R2 Server and after validating the name was correct on the certificate they were trying to connect to I looked at the certificate chain and verified it against the Trusted Root Certificate Store on the LocalMachine

Anyway we found that there was only 8 certificates in the Trusted Root Store which is definitely not correct!

So we need to take them from another box and import and here is a little PowerShell Script to help you do it!

First we define the Type variable which will be specifying for later that we will export a certificate

$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

Next we gather all the certificates from the Trusted Root Store in a working Machine

$certs = get-childitem -path cert:\LocalMachine\AuthRoot

Finally we loop true all certificates and in my examples case we export to a .DER file in the c:\temp directory

foreach($cert in $certs)
    $hash = $cert.GetCertHashString()
    $path = "c:\temp\" + $hash + ".der"
     [System.IO.File]::WriteAllBytes($path, $cert.export($type) )

It gives the name of the file as the Certificate Hash

And voila all the root certificates have been exported and you can copy and import on to the “broken” machine!

Comments (2)
  1. turbomcp says:


  2. Sean G says:

    How do you then import using PS ? and can you specify PK7 for all ?
    I have been tasked with exporting all In the [local computer] Trusted Root Certificate Authorities to a new machine…. both are 2k8r2.

Comments are closed.

Skip to main content