Verifying the private key property for a certificate in the store

I was recently asked how to figure out whether the private key associated with a certificate is exportable or not. Typically the following code should work:

    $cert = (dir cert:\localmachine\my)[0]
    $cert.PrivateKey.CspKeyContainerInfo.Exportable

However, at times you will notice that $cert.PrivateKey is actually null. Yet if you run "certutil -v -verify My 0", you can observe…


Instantiate Microsoft Certificate Authority management interface using powershell

Microsoft's Certificate Authority management interface as mentioned in is implemented in certadm.dll. certadm.dll does not ship by default on client systems; it is part of the admin pack (also called Remote Server Administration Tools) that can be installed on a client system. Once installed, you can quickly test the interface using powershell with this sample…

exporting certificate from user store to PFX using powershell

Alright, so today someone contacted me with an interesting email about exporting a certificate from the user store to PFX using powershell. Below is the code that was contained in the email:

    $cert = (dir cert:\currentuser\my)[0]
    $type = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $pass = read-host "pass" -assecurestring
    $bytes = $cert.export($type, $pass)

So far so good. Last line of…


Importing a PFX into user store using powershell

This is a short post, as someone asked me for a sample that imports a PFX into the user store using powershell:

    # Load the PFX (certificate plus private key) into an X509Certificate2 object;
    # UserKeySet stores the key in the current user's key container
    $pfxcert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
    $pfxcert.Import("pfxtest.pfx", "mypwd", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"UserKeySet")
    # Open the current user's personal ("MY") store for writing and add the certificate
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
    $store.Add($pfxcert)

Generating a certificate (self-signed) using powershell and CertEnroll interfaces

In this article I will explore using the certenroll interfaces to create certificates for testing/local usage. To scope the discussion, we will look at the various options exposed by the makecert.exe tool ( . We will start by looking at a sample powershell script that creates a self-signed machine certificate that has the "server auth" EKU:

    $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=TestServer", 0)
    $key…


Adding certificates from a serialized store (sst) file to an actual physical store

In my previous post I used the CMS type to open a PKCS7. Apparently the X509Certificate2Collection Import method can also be used to open a PKCS7, which is far simpler than using CMS. Additionally, you might be asked to add the certificates you obtained from a PKCS7 file or a serialized store (sst) file to an…


PKCS7 (p7b) bag of certificates and powershell

Recently I was asked how to extract the certificates within a PKCS7 (p7b) file using powershell. After a little research the following seems to work fine:

    # SignedCms lives in System.Security.dll, which is not loaded by default
    [reflection.assembly]::LoadWithPartialName("System.Security")
    $data = [System.IO.File]::ReadAllBytes("certificates.p7b")
    # Decode the PKCS7 blob and list the certificates it carries
    $cms = new-object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($data)
    $cms.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | echo