
–A–

authorized root certificates, list

for current user:

dir Cert:\CurrentUser\AuthRoot

for Local Machine:

dir Cert:\LocalMachine\AuthRoot

–B–

–C–

CA property type information – not all that useful unless you're curious about what properties are available

certutil -capropinfo

only works if you're already on the server housing the CA. Otherwise:

CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.

certificate authority, backup

exports the CA database and private key information to the specified path

Backup-CARoleService -Path "C:\CABackup"

exports the CA database to the specified path, does not back up the CA private key information.

Backup-CARoleService -Path "C:\CABackup" -DatabaseOnly

exports the CA private key information to the specified path, does not back up the CA database.

Backup-CARoleService -Path "C:\CABackup" -KeyOnly

certificate authority, find

This only pops up a form with an interactive list from which to choose. If you pick one of the lines in the list with your mouse, it displays the server on the command line, so you can copy it and supply it when other commands inevitably ask for the name of that server and you aren't actually on that server.

certutil -config - -ping

And then it just hangs there waiting for you to select one or exit the command. If you just run certutil all by itself, it'll give you the info you want as just a bunch of lines, along with a bunch of other information that's probably irrelevant most of the time. The code below ought to work to get more targeted info. It's kind of clunky trying to extract the pertinent info, especially since Server 2016 and Server 2012 R2 use different delimiters, but it works so far.

$result = @()
foreach ($line in (certutil)) {
    if ($line -like "Entry*") {
        $entry = (($line -split " ")[1] -split ":")[0]
    }
    elseif ($line -like "  Name:*") {
        $name = ($line -split '"')[1]
        if ($null -eq $name) { # no double quotes found: Server 2012 R2 delimits the value with an opening "`" and a closing "'"
            $name = ($line -split '`')[1]
            $name = ($name -split "'")[0]
        }
    }
    elseif ($line -like "  Server:*") {
        $server = ($line -split '"')[1]
        if ($null -eq $server) { # no double quotes found: Server 2012 R2 delimits the value with an opening "`" and a closing "'"
            $server = ($line -split '`')[1]
            $server = ($server -split "'")[0]
        }
        $result += New-Object -TypeName PSObject -Property @{
            entry = $entry
            name = $name
            server = $server}
    }
}
$result = $result | select entry, name, server
$result | ft

code signing

find all certs on local machine suitable to sign code

Get-ChildItem Cert:\LocalMachine\My -Recurse | ? {$_.EnhancedKeyUsageList.FriendlyName -contains "Code Signing"}

find cert for a script

Get-AuthenticodeSignature -FilePath "C:\Jobs\myscript.ps1"

if it isn't signed, it will return one row saying so

current user, list all certs for

$certs = Get-ChildItem -Path Cert:\CurrentUser\My
$certs | select Subject, NotAfter, FriendlyName, Issuer | ft -a

–D–

digitally sign a script – see code signing

–E–

expires – when do the certificates on this machine expire?

$certs = Get-ChildItem -Path Cert:\LocalMachine\My
$certs | select Subject, NotAfter, FriendlyName, Issuer | ft -a

–F–

–G–

–H–

–I–

Intermediate CA certificate store, view

pops up a form with a list

certutil -enterprise -viewstore CA

same window whether or not you include the ending “CA”

–J–

–K–

–L–

list all certs for or available to local PC

$certs = Get-ChildItem -Path Cert:\ -Recurse
$certs.Count
$certs | Get-Member | ? {$_.MemberType -like "*property*"}
$certs | select PSPath, Issuer | ogv

This lists all certs for or available to your local PC; this isn't the same as the certs residing on your local PC, which are likely fewer.

list all certs residing on local PC

Get-ChildItem -Path "Cert:\LocalMachine\My" | Select Thumbprint, Subject, NotAfter, FriendlyName | ogv

This lists all certs residing on your local PC; this isn't the same as the certs for or available to your local PC, which are likely more.

–M–

–N–

–O–

–P–

–Q–

–R–

–S–

script, digitally sign – see code signing

server where certificate authority resides – see certificate authority, find

–T–

Trusted Root CAs, view

pops up a form with a list

certutil -enterprise -viewstore Root

If you don't include the ending “Root”, it seems to default to what you'd get if you instead specified “CA” at the end.

–U–

user, current, list all certs for – see current user, list all certs for

–V–

–W–

–X–

–Y–

–Z–