Saturday, February 06, 2010

Better Certificate Management in Powershell via CertificateHelper

If you’ve read my previous post here, you know powershell can do some basic certificate management via the certificate provider. However, the certificate provider has some limitations: it can’t create, delete, copy, or import/export certificates.

This annoyed me, so I’m creating a powershell module called CertificateHelper that will provide these missing features.

So far the module implements:

  • New-Certificate
  • Remove-Certificate 

CertHelper can be found on codeplex.

You install it like this:

(You must have hg installed)
PS C:\>cd $home\Documents\WindowsPowerShell\Modules 
PS C:\Users\igord\Documents\WindowsPowerShell\Modules> hg clone 
destination directory: certificatehelper 
requesting all changes 
adding changesets 
adding manifests 
adding file changes 
added 5 changesets with 8 changes to 4 files 
updating to branch default 
4 files updated, 0 files merged, 0 files removed, 0 files unresolved 

Once installed, you can make it available in your powershell session like this:

PS C:\> Import-Module CertificateHelper

You can see the implemented commands like this:

PS C:\> dir function:\*-Certificate

CommandType     Name                                                     Definition
-----------     ----                                                     ----------
Function        New-Certificate                                          param([parameter(Mandatory=$true)]...
Function        Remove-Certificate                                       param($certificatePath)...

A walkthrough of using the module:

PS C:\> dir cert:\LocalMachine\My | ? {$_.Subject -like "*Dog*"}
PS C:\> New-Certificate cert:\LocalMachine\My DogFood
PS C:\> dir cert:\LocalMachine\My | ? {$_.Subject -like "*Dog*"}

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
A229E9FF2AA9DC55D06A35D0BBB0D0A98FEAC1A3  CN=DogFood

PS C:\> Remove-Certificate cert:\LocalMachine\My\A229E9FF2AA9DC55D06A35D0BBB0D0A98FEAC1A3
PS C:\> dir cert:\LocalMachine\My | ? {$_.Subject -like "*Dog*"}
PS C:\>
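The walkthrough above, rebuilt with stock tooling as an added example. This is not the CertificateHelper module's own code, and the function names (Split-CertStorePath, New-ExampleCertificate, Remove-ExampleCertificate) are this example's. It assumes PowerShell 5.1 or later for `using namespace`, and New-SelfSignedCertificate from the PKI module (Windows 10 / Server 2016 or later for its -Subject parameter) for the creation step the certificate provider cannot do; removal goes through the .NET X509Store class.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Split-CertStorePath {
    # Splits "cert:\<Location>\<Store>[\<Thumbprint>]" into its parts.
    param([Parameter(Mandatory = $true)][string] $Path)
    $parts = @(($Path -replace '^cert:\\', '') -split '\\' | Where-Object { $_ })
    if ($parts.Count -lt 2 -or $parts.Count -gt 3) {
        throw "Expected cert:\<Location>\<Store>[\<Thumbprint>], got '$Path'"
    }
    [pscustomobject]@{
        Location   = $parts[0]
        Store      = $parts[1]
        Thumbprint = if ($parts.Count -eq 3) { $parts[2] } else { $null }
    }
}

function New-ExampleCertificate {
    # Equivalent of "New-Certificate cert:\LocalMachine\My DogFood": a self-signed
    # certificate with the given CN, written directly into the target store.
    param(
        [Parameter(Mandatory = $true)][string] $StorePath,
        [Parameter(Mandatory = $true)][string] $CommonName
    )
    $p = Split-CertStorePath $StorePath
    # Non-exportable key and a short lifetime: a test certificate should neither
    # leak its private key nor outlive the experiment if cleanup is forgotten.
    New-SelfSignedCertificate -Subject "CN=$CommonName" `
        -CertStoreLocation "Cert:\$($p.Location)\$($p.Store)" `
        -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddDays(30)
}

function Remove-ExampleCertificate {
    # Equivalent of "Remove-Certificate cert:\LocalMachine\My\<thumbprint>".
    # Supports -WhatIf / -Confirm so a mistyped thumbprint can be caught first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string] $CertificatePath)
    $p = Split-CertStorePath $CertificatePath
    if (-not $p.Thumbprint) { throw "Path must end in a thumbprint: $CertificatePath" }

    $store = [X509Store]::new($p.Store, [StoreLocation]$p.Location)
    $store.Open([OpenFlags]::ReadWrite)
    try {
        # Exact thumbprint match only; the third argument (validOnly=$false) keeps
        # expired or untrusted certificates in the result so they can still be removed.
        $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $p.Thumbprint, $false)
        if ($found.Count -eq 0) { throw "No certificate with thumbprint $($p.Thumbprint) in $CertificatePath" }
        foreach ($cert in $found) {
            if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove certificate $($cert.Thumbprint)")) {
                $store.Remove($cert)
            }
        }
    } finally {
        $store.Close()
    }
}

# Usage, mirroring the walkthrough (run elevated for the LocalMachine store):
#   $cert = New-ExampleCertificate cert:\LocalMachine\My DogFood
#   Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.Subject -like '*Dog*' }
#   Remove-ExampleCertificate "cert:\LocalMachine\My\$($cert.Thumbprint)" -WhatIf   # preview
#   Remove-ExampleCertificate "cert:\LocalMachine\My\$($cert.Thumbprint)"
```

Writing to cert:\LocalMachine\My needs an elevated session; the same functions work unprivileged against cert:\CurrentUser\My. The removal function is deliberately thumbprint-only, because subject names are not unique within a store and a wildcard delete would take every certificate that happens to match.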

This is a work in progress, so holler if you hit any issues, or want to prioritize the order in which I provide the features.


Ketil said...

I'm trying to give a domain user read permissions to a certificate. Is that possible with your helper?

ig66 said...

No, my tool doesn't help you with that.

John6 said...

Any idea as to how to use this to build something that would delete all certificates issued from a given CA? So if someone had a CA we will call CA1, and wanted to delete everything in the end user's Other People keystore (technically the Address Book store), how could you build something to accomplish that?
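One way to do what the question above asks, as an added example that is neither the CertificateHelper module's code nor the post author's reply. It removes every certificate in a store that was issued by a given CA, defaulting to the CurrentUser AddressBook store (the "Other People" container). The CA is passed as its certificate rather than its display name, and each candidate is checked by building a chain to it, so a certificate that merely names "CN=CA1" as its issuer is not touched. "CA1" is the constructed name from the question; the function and parameter names (Test-IssuedBy, Remove-CertificateFromIssuer, -IssuerCertificate) are this example's own, and it assumes PowerShell 5.1 or later.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-IssuedBy {
    # True only if $Certificate chains directly to $Issuer with a valid signature.
    # Matching on the issuer DN string alone is not enough: anyone can put
    # "CN=CA1" in the issuer field of a certificate they sign themselves.
    param(
        [Parameter(Mandatory = $true)][X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)][X509Certificate2] $Issuer
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # Let the chain complete even when the CA is not a trusted root on this machine.
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void] $chain.ChainPolicy.ExtraStore.Add($Issuer)
    [void] $chain.Build($Certificate)   # overall verdict not needed; we inspect the chain that was built
    if ($chain.ChainElements.Count -lt 2) { return $false }

    # Reject a chain whose leaf signature did not verify against the selected issuer.
    $badSig = @($chain.ChainElements[0].ChainElementStatus |
        Where-Object { $_.Status -band [X509ChainStatusFlags]::NotSignatureValid })
    if ($badSig.Count -gt 0) { return $false }

    return $chain.ChainElements[1].Certificate.Thumbprint -eq $Issuer.Thumbprint
}

function Remove-CertificateFromIssuer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # The CA's own certificate, e.g. one object from Get-ChildItem Cert:\LocalMachine\CA.
        [Parameter(Mandatory = $true)][X509Certificate2] $IssuerCertificate,
        [string] $StoreLocation = 'CurrentUser',
        [string] $StoreName = 'AddressBook'
    )
    $store = [X509Store]::new($StoreName, [StoreLocation]$StoreLocation)
    $store.Open([OpenFlags]::ReadWrite)
    try {
        # Cheap DN pre-filter, then the real check. Snapshot into an array first:
        # removing from a collection while enumerating it is unsafe.
        $candidates = @($store.Certificates | Where-Object { $_.Issuer -eq $IssuerCertificate.Subject })
        foreach ($cert in $candidates) {
            if (-not (Test-IssuedBy -Certificate $cert -Issuer $IssuerCertificate)) {
                Write-Warning "Skipping $($cert.Thumbprint): issuer name matches but it does not chain to the given CA"
                continue
            }
            if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$($cert.Thumbprint)]", "Remove from $StoreLocation\$StoreName")) {
                $store.Remove($cert)
            }
        }
    } finally {
        $store.Close()
    }
}

# Usage (CA1 is the constructed name from the question):
#   $ca = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq 'CN=CA1' }
#   Remove-CertificateFromIssuer -IssuerCertificate $ca -WhatIf   # dry run, lists what would go
#   Remove-CertificateFromIssuer -IssuerCertificate $ca           # prompts before each removal
```

ConfirmImpact is set to High so each removal prompts unless the caller passes -Confirm:$false; run with -WhatIf first to see the list. Revocation checking is disabled in Test-IssuedBy on purpose: the question is "was this issued by CA1", and a revoked certificate from CA1 is exactly one you would want the cleanup to catch, not skip.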