
–A–

authorized root certificates, list

AuthRoot is the "Third-Party Root Certification Authorities" store, i.e. the roots Windows pulls down from Microsoft's root program. Roots the machine or domain trusts explicitly live in the Root store instead; swap the store name to see those.

for current user:

dir Cert:\CurrentUser\AuthRoot

for Local Machine:

dir Cert:\LocalMachine\AuthRoot

–B–

–C–

CA property type information – not all that useful unless you’re curious about what properties are available

certutil -capropinfo

only works when you run it on the server housing the CA. Elsewhere it fails with the message below, and you have to add -config "Server\CAName" (see certificate authority, find):

CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.

certificate authority, backup

exports the CA database and private key information to the specified path. Add -Password (a SecureString) to protect the exported key, and lock down the backup folder: it holds the CA's signing key.

Backup-CARoleService -Path "C:\CABackup"

exports the CA database to the specified path, does not back up the CA private key information.

Backup-CARoleService -Path "C:\CABackup" -DatabaseOnly

exports the CA private key information to the specified path, does not back up the CA database.

Backup-CARoleService -Path "C:\CABackup" -KeyOnly

certificate authority, find

This pops up a "Select Certification Authority" form with an interactive list. Pick one of the entries with the mouse and certutil pings it and prints the CA's configuration string (server\CA name) on the command line, which is exactly what other certutil commands ask for via -config when you aren't running them on the CA itself.

certutil -config - -ping

Until you pick one or cancel, it just sits there waiting. Running certutil with no arguments at all prints the same CA entries as plain text, along with a lot of other information that is usually irrelevant. The script below pulls out just the entry number, CA name and server; it is a bit clunky because Server 2016 and Server 2012 R2 quote the values with different delimiters, but it has worked so far. Join the server and name columns as server\name to get the -config value.

$result = @()
foreach ($line in (certutil)) {
    if ($line -like "Entry*") {
        # "Entry 0: (Local)" -> "0"
        $entry = (($line -split " ")[1] -split ":")[0]
    }
    elseif ($line -like "  Name:*") {
        # Server 2016 wraps the value in double quotes:  Name: "CAName"
        $name = ($line -split '"')[1]
        if ($null -eq $name) {
            # Server 2012 R2 wraps it in a backtick and a single quote:  Name: `CAName'
            $name = ($line -split '`')[1]
            $name = ($name -split "'")[0]
        }
    }
    elseif ($line -like "  Server:*") {
        $server = ($line -split '"')[1]
        if ($null -eq $server) {
            $server = ($line -split '`')[1]
            $server = ($server -split "'")[0]
        }
        # Server: is the last line of each entry, so emit the record here
        $result += [PSCustomObject]@{
            entry  = $entry
            name   = $name
            server = $server
        }
    }
}
$result | Format-Table entry, name, server -AutoSize
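The query below is an added example, not something from this page: enterprise CAs advertise themselves as pKIEnrollmentService objects in the Enrollment Services container of AD's configuration partition, which is the list certutil is reading, so asking AD directly gives the same name and server without the dialog and without parsing delimiters, and it also returns the CA certificate so you can see when the CA itself expires. It assumes a domain-joined host with LDAP access to a domain controller; Get-EnterpriseCA is a function name chosen here, and the Config column is built as server\name, the form certutil's -config option expects.

```powershell
# Added example (not from the page): enumerate enterprise CAs straight from Active Directory.
# Assumes a domain-joined host that can reach a DC over LDAP. No RSAT / ActiveDirectory module needed.
function Get-EnterpriseCA {
    $cfgNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $base  = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, "(objectClass=pKIEnrollmentService)")
    [void]$searcher.PropertiesToLoad.AddRange([string[]]("cn", "dNSHostName", "cACertificate"))

    foreach ($r in $searcher.FindAll()) {
        # SearchResult property names are lower-cased
        $name   = [string]$r.Properties["cn"][0]
        $server = [string]$r.Properties["dnshostname"][0]

        # cACertificate is multi-valued (one value per CA key generation); look at the first one
        $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$r.Properties["cacertificate"][0])

        [PSCustomObject]@{
            Name             = $name
            Server           = $server
            Config           = "$server\$name"        # what certutil -config wants
            CACertSubject    = $caCert.Subject
            CACertThumbprint = $caCert.Thumbprint
            CACertExpires    = $caCert.NotAfter
        }
    }
}

# Usage
$cas = Get-EnterpriseCA
$cas | Format-Table Name, Server, Config, CACertExpires -AutoSize

# Feed the config string to certutil: no dialog this time
foreach ($ca in $cas) { certutil -config $ca.Config -ping }
```

CACertExpires is worth watching: a CA certificate that is close to expiry cannot issue certificates that outlive it, which shows up as mysteriously short lifetimes on newly issued certs.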

certificate, inspect – see also openSSL, inspect

code signing

find all certs on local machine suitable to sign code (the EKU friendly names are on the PowerShell-added EnhancedKeyUsageList property; the Cert: provider's -CodeSigningCert switch does the same filter)

Get-ChildItem Cert:\LocalMachine\My -Recurse | ? {$_.EnhancedKeyUsageList.FriendlyName -contains "Code Signing"}

find cert for a script

Get-AuthenticodeSignature -FilePath "C:\Jobs\myscript.ps1"

if it isn't signed, it will return one row with Status NotSigned; Valid means the hash matches and the signer chains to a trusted root, HashMismatch means the file was changed after signing, and NotTrusted means the signature is intact but the signing cert isn't trusted on this machine
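The walk-through below is an added example, not code from this page: it picks a usable code-signing certificate, signs the script with SHA-256 and a timestamp, verifies it, and then shows that a one-line edit of a copy turns the status into HashMismatch. It assumes a code-signing certificate with its private key in Cert:\CurrentUser\My and reuses the C:\Jobs\myscript.ps1 path from the page; the timestamp server URL is an assumption, so substitute whichever RFC 3161 service your organisation trusts, or drop -TimestampServer when offline (the signature then stops verifying once the certificate expires).

```powershell
# Added example (not from the page): sign a script, verify it, then prove an edit breaks the signature.
# Assumes a code-signing cert with private key in Cert:\CurrentUser\My; the timestamp URL is an assumption.
$scriptPath = "C:\Jobs\myscript.ps1"

# -CodeSigningCert is the Cert: provider's own EKU filter; keep only certs we can actually sign with
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable code-signing certificate in Cert:\CurrentUser\My" }

# SHA-256 digest plus a timestamp, so the signature stays verifiable after the cert expires
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer "http://timestamp.digicert.com"
"Signing:  $($signed.Status) ($($signed.StatusMessage))"

# Valid = hash matches AND signer chains to a trusted root on this machine.
# NotTrusted = signature intact but cert not trusted here. HashMismatch = file changed after signing.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"Verify:   $($check.Status); signer $($check.SignerCertificate.Subject); timestamped: $($null -ne $check.TimeStamperCertificate)"

# Tamper test on a copy: prepend one comment line and re-verify
$copy = Join-Path $env:TEMP "myscript-tampered.ps1"
@("# tampered") + (Get-Content -Path $scriptPath) | Set-Content -Path $copy
"Tampered: $((Get-AuthenticodeSignature -FilePath $copy).Status)"
Remove-Item -Path $copy
```

The tamper step is the reason to sign at all: with an execution policy of AllSigned or RemoteSigned, a script whose status is HashMismatch will not run, so any change has to go through someone holding the signing key.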

current user, list all certs for

$certs = Get-ChildItem -Path Cert:\CurrentUser\My
$certs | select Subject, NotAfter, FriendlyName, Issuer | ft -a

–D–

digitally sign a script – see code signing

–E–

expires – when do the certificates on this machine expire?

$certs = Get-ChildItem -Path Cert:\LocalMachine\My
$certs | select Subject, NotAfter, FriendlyName, Issuer | ft -a
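The report below is an added example rather than code from the page. It extends the two listings above (current user and local machine) into one expiry report: every certificate in both Personal stores, days remaining, whether a private key is attached (an expiring cert with a private key is usually one a service depends on), and an EXPIRED / EXPIRING / OK state a scheduled task can act on. Get-CertExpiryReport and the 30-day threshold are choices made here, not from the page.

```powershell
# Added example (not from the page): expiry report over the machine and user Personal stores.
# Function name and the 30-day threshold are choices made here.
function Get-CertExpiryReport {
    param(
        [int]$WarnDays = 30,
        [string[]]$Store = @("Cert:\LocalMachine\My", "Cert:\CurrentUser\My")
    )
    $now = Get-Date
    foreach ($s in $Store) {
        foreach ($c in (Get-ChildItem -Path $s)) {
            $days = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
            if ($days -lt 0)              { $state = "EXPIRED" }
            elseif ($days -le $WarnDays)  { $state = "EXPIRING" }
            else                          { $state = "OK" }
            [PSCustomObject]@{
                Store      = $s
                State      = $state
                DaysLeft   = $days
                NotAfter   = $c.NotAfter
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                HasKey     = $c.HasPrivateKey   # cert with a private key = something here uses it
                Thumbprint = $c.Thumbprint
            }
        }
    }
}

$report = Get-CertExpiryReport -WarnDays 30
$report | Sort-Object DaysLeft | Format-Table Store, State, DaysLeft, NotAfter, Subject, HasKey -AutoSize

# For a scheduled check, fail loudly when anything is expired or about to be
$bad = @($report | Where-Object { $_.State -ne "OK" })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) certificate(s) expired or expiring within 30 days" }

# Shortcut: the Cert: provider can do the date filter itself (Windows PowerShell 3.0 and later)
Get-ChildItem -Path Cert:\LocalMachine\My -ExpiringInDays 30 | Select-Object Subject, NotAfter, Thumbprint
```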

–F–

–G–

–H–

–I–

Intermediate CA certificate store, view

pops up a form with a list

certutil -enterprise -viewstore CA

same window whether or not you include the ending "CA"; for a non-interactive listing, the Cert: drive's logical store (which folds in the AD-published intermediates) is dir Cert:\LocalMachine\CA

–J–

–K–

–L–

list all certs for or available to local PC

$certs = Get-ChildItem -Path Cert:\ -Recurse
$certs.Count
$certs | Get-Member | ? {$_.MemberType -like "*property*"}
$certs | select PSPath, Issuer | ogv

Cert:\ -Recurse walks every logical store under both CurrentUser and LocalMachine (Root, CA, AuthRoot, My and the rest), so this lists everything the PC trusts or can use. That isn't the same as the certificates issued to the PC itself, which are likely far fewer.

list all certs residing on local PC

Get-ChildItem -Path "Cert:\LocalMachine\My" | Select Thumbprint, Subject, NotAfter, FriendlyName | ogv

LocalMachine\My is the machine's Personal store: certificates issued to this computer, usually with their private keys. It is a small subset of what the recursive listing above shows.

–M–

–N–

–O–

OpenSSL, download – see also OpenSSL module, install

OpenSSL's own download page only offers tar.gz source archives. Shining Light Productions provides Windows EXE and MSI installers. After download and install, inspect PATH to see whether the bin directory has been added (probably not):

$Env:Path -split ";" | Sort-Object

and add it if necessary; this only changes the current session, so put it in the system PATH (or your profile) to make it stick:

$Env:Path += ";C:\Program Files\OpenSSL-Win64\bin"

openSSL, inspect

$path = "C:\certs\Dragoon.pem"
openssl x509 -in $path -text -noout
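When OpenSSL isn't installed (see the module trouble further down), .NET can read the same file. The function below is an added example, not code from the page: it loads a PEM or DER certificate file, pulls out the fields openssl -text shows (subject, issuer, validity, serial, thumbprint, signature and key algorithms, SANs, EKUs), and flags the things a reviewer would flag (MD5/SHA-1 signatures, RSA keys under 2048 bits, expiry, self-signed). Get-CertificateDetail is a name chosen here. So that it runs offline, the input is a constructed throw-away self-signed certificate written out as PEM; New-SelfSignedCertificate has to write to a store, so it goes into CurrentUser\My and is removed afterwards. Point the function at your own file (for instance the page's C:\certs\Dragoon.pem) in real use.

```powershell
# Added example (not from the page): inspect a certificate file with .NET only, no OpenSSL needed.
# Get-CertificateDetail is a name chosen here. X509Certificate2's file constructor reads DER (.cer/.der)
# and PEM ("-----BEGIN CERTIFICATE-----") files alike.
function Get-CertificateDetail {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path -Path $Path).Path

    # Subject Alternative Names (OID 2.5.29.17); Format() decodes the DER for us
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | ForEach-Object { $_.Format($false) }

    # Extended key usages as friendly names, e.g. "Server Authentication"
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

    # PublicKey.Key throws for ECC keys on .NET Framework, so leave KeyBits empty in that case
    $keyBits = $null
    try { $keyBits = $cert.PublicKey.Key.KeySize } catch { }

    # Things a reviewer would flag
    $warnings = @()
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match '^(md5|sha1)') { $warnings += "weak signature algorithm ($sigAlg)" }
    if ($cert.PublicKey.Oid.FriendlyName -eq "RSA" -and $keyBits -and $keyBits -lt 2048) { $warnings += "RSA key is only $keyBits bits" }
    if ($cert.NotAfter -lt (Get-Date)) { $warnings += "expired on $($cert.NotAfter)" }
    if ($cert.Subject -eq $cert.Issuer) { $warnings += "self-signed (subject equals issuer)" }

    [PSCustomObject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        Serial       = $cert.SerialNumber
        Thumbprint   = $cert.Thumbprint
        SigAlgorithm = $sigAlg
        KeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
        KeyBits      = $keyBits
        SAN          = ($san -join "; ")
        EKU          = ($eku -join ", ")
        Warnings     = ($warnings -join "; ")
    }
}

# Constructed input so this runs offline: a throw-away self-signed cert, written out as PEM.
$tmpCert = New-SelfSignedCertificate -DnsName "dragoon.example.test" -CertStoreLocation "Cert:\CurrentUser\My"
$pemPath = Join-Path $env:TEMP "dragoon-test.pem"
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($tmpCert.RawData, "InsertLineBreaks") +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $pemPath -Value $pem -Encoding Ascii

Get-CertificateDetail -Path $pemPath | Format-List   # Warnings column reports "self-signed (subject equals issuer)"

# Clean up the constructed input
Remove-Item -Path "Cert:\CurrentUser\My\$($tmpCert.Thumbprint)"
Remove-Item -Path $pemPath
```

certutil -dump <file> prints most of the same fields if you prefer a one-liner, but it won't do the weak-algorithm and key-size checks for you.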

OpenSSL module, install – see also OpenSSL, download

I haven’t had much luck installing this module so have resorted to downloading and installing OpenSSL instead.

Install-Module -Name OpenSSL

after the obligatory

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): y

returns

Install-Package: The following commands are already available on this system:'Get-Certificate,New-SelfSignedCertificate'. This module 'OpenSSL' may override the existing commands. If you still want to install this module 'OpenSSL', use -AllowClobber parameter.

when I go on to

Install-Module -Name OpenSSL -AllowClobber

it immediately came back to the command prompt, not giving much assurance that it was really installed. When I run:

Get-Module

the module doesn’t show

Find-Module -Name OpenSSL

shows one from the PSGallery Repository. Run

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

seems to work (no error, anyway) but running

Install-Module -Name OpenSSL -AllowClobber

still fails to show the module after running

Get-Module

again. So, I gave up.

–P–

–Q–

–R–

–S–

script, digitally sign – see code signing

server where certificate authority resides – see certificate authority, find

–T–

Trusted Root CAs, view

pops up a form with a list

certutil -enterprise -viewstore Root

If you don't include the ending "Root", it seems to default to what you'd get if you instead specified "CA" at the end. For a non-interactive listing, the Cert: drive's logical store (which folds in the AD-published roots) is dir Cert:\LocalMachine\Root.

–U–

user, current, list all certs for – see current user, list all certs for

–V–

–W–

–X–

–Y–

–Z–