Understanding the Certificate Provider

In the preceding section, we explored working with the alias provider. Because the file system model applies to the certificate provider in much the same way as it did the alias provider, many of the same cmdlets can be used. To find information about the certificate provider, use the Get-Help cmdlet. If you are unsure what articles in Help may be related to certificates, you can use the wild card asterisk (*) parameter. This command is shown here:

 get-help *cer*

The certificate provider gives you the ability to sign scripts and allows Windows PowerShell to work with signed and unsigned scripts as well. It also gives you the ability search for, copy, move, and delete certificates. Using the certificate provider, you can even open the Certificates Microsoft Management Console (MMC). The commands used in the procedure are in the  ObtainingAListingOfCertificates.txt file.

Obtaining a listing of certificates

1. Open Windows PowerShell.

2. Set your location to the cert PSDrive. To do this, use the Set-Location cmdlet, as shown here:

    Set-Location cert:\

3. Use the Get-ChildItem cmdlet to produce a list of the certificates, as shown here:

    Get-ChildItem

4. The list produced is shown here:

    Location   : CurrentUser StoreNames : {?, UserDS, AuthRoot, CA...} Location   : LocalMachine StoreNames : {?, AuthRoot, CA, AddressBook...}

5. Use the -recurse argument to cause the Get-ChildItem cmdlet to produce a list of all the certificate stores. To do this, press the up arrow key one time, and add the -recurse argument to the previous command. This is shown here:

    Get-ChildItem -recurse

6. Use the -path argument for Get-ChildItem to produce a listing of certificates in another store, without having to use the Set-Location cmdlet to change your current location. Using the gci alias, the command is shown here:

    GCI -path currentUser

7. Your listing of certificate stores will look similar to the one shown here:

    Name : ? Name : UserDS Name : AuthRoot Name : CA Name : AddressBook Name : ? Name : Trust Name : Disallowed Name : _NMSTR Name : ?????k Name : My Name : Root Name : TrustedPeople Name : ACRS Name : TrustedPublisher Name : REQUEST

8. Change your working location to the currentuser\authroot certificate store. To do this, use the sl alias followed by the path to the certificate store. This command is shown here:

    sl currentuser\authroot

9. Use the Get-ChildItem cmdlet to produce a listing of certificates in the currentuser\authroot certificate store that contain the name C&W in the subject field. Use the gci alias to reduce the amount of typing. Pipeline the resulting object to a Where-Object cmdlet, but use the where alias instead of typing Where-Object. The code to do this is shown here:

    GCI | where {$_.subject -like "*c&w*"}

10. On my machine, there are four certificates listed. These are shown here:

     Thumbprint                                Subject ----------                                ------ F88015D3F98479E1DA553D24FD42BA3F43886AEF  O=C&W HKT SecureNet CA SGC Root, C=hk 9BACF3B664EAC5A17BED08437C72E4ACDA12F7E7  O=C&W HKT SecureNet CA Class A, C=hk 4BA7B9DDD68788E12FF852E1A024204BF286A8F6  O=C&W HKT SecureNet CA Root, C=hk 47AFB915CDA26D82467B97FA42914468726138DD  O=C&W HKT SecureNet CA Class B, C=hk

11. Use the up arrow, and edit the previous command so that it will return only certificates that contain the phrase SGC Root in the subject property. The revised command is shown here:

     GCI | where {$_.subject -like "*SGC Root*"}

12. The resulting output on my machine contains an additional certificate. This is shown here:

     Thumbprint                                Subject ----------                       ------ F88015D3F98479E1DA553D24FD42BA3F43886AEF  O=C&W HKT SecureNet CA SGC Root, C=hk 687EC17E0602E3CD3F7DFBD7E28D57A0199A3F44  O=SecureNet CA SGC Root, C=au

13. Use the up arrow, and edit the previous command. This time, change the Where-Object cmdlet so that it filters on the thumbprint attribute that is equal to F88015D3F98479E1DA553D24FD42BA3F43886AEF. You do not have to type that, however; to copy the thumbprint, you can highlight it and press Enter in Windows PowerShell, as shown in Figure 3-2. The revised command is shown here:

     GCI | where {$_.thumbprint -eq "F88015D3F98479E1DA553D24FD42BA3F43886AEF"}

    
    Figure 3-2: Highlight items to copy using the mouse

    Troubleshooting

    If copying from inside a Windows PowerShell window does not work, then you probably need to enable Quick Edit Mode. To do this, right-click the PowerShell icon in the upper left-hand corner of the Windows PowerShell window. Choose Properties, and select Quick Edit Mode. This is shown in Figure 3-3. Figure 3-3: Enable Quick Edit Mode to enable Clipboard Support

14. To see all the properties of the certificate, pipeline the certificate object to a Format-List cmdlet and choose all the properties. The revised command is shown here:

     GCI | where {$_.thumbprint -eq "F88015D3F98479E1DA553D24FD42BA3F43886AEF"} | Format-List *

15. The output contains all the properties of the certificate object and is shown here:

     PSPath             : Microsoft.PowerShell.Security\Certificate::currentuser\aut                      hroot\F88015D3F98479E1DA553D24FD42BA3F43886AEF PSParentPath       : Microsoft.PowerShell.Security\Certificate::currentuser\aut                      hroot PSChildName        : F88015D3F98479E1DA553D24FD42BA3F43886AEF PSDrive            : cert PSProvider         : Microsoft.PowerShell.Security\Certificate PSIsContainer      : False Archived           : False Extensions         : {} FriendlyName       : CW HKT SecureNet CA SGC Root IssuerName         : System.Security.Cryptography.X509Certificates.X500Distingu                      ishedName NotAfter           : 10/16/2009 5:59:00 AM NotBefore          : 6/30/1999 6:00:00 AM HasPrivateKey      : False PrivateKey         : PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey RawData            : {48, 130, 2, 235...} SerialNumber       : 00 SubjectName        : System.Security.Cryptography.X509Certificates.X500Distingu                      ishedName SignatureAlgorithm : System.Security.Cryptography.Oid Thumbprint         : F88015D3F98479E1DA553D24FD42BA3F43886AEF Version            : 1 Handle             : 75655840 Issuer             : O=C&W HKT SecureNet CA SGC Root, C=hk Subject            : O=C&W HKT SecureNet CA SGC Root, C=hk

16. Open the Certificates MMC. This MMC is called Certmgr.msc and can be launched by simply typing the name inside Windows PowerShell, as shown here:

     Certmgr.msc

17. But it is more fun to use the Invoke-Item cmdlet to launch the Certificates MMC. To do this, supply the PSDrive name of cert:\ to the Invoke-Item cmdlet. This is shown here:

     Invoke-Item cert:\

18. Compare the information obtained from Windows PowerShell with the information displayed in the Certificates MMC. They are the same. The certificate is shown in Figure 3-4.

    
    Figure 3-4: Certmgr.msc can be used to examine certificate properties

19. This concludes this procedure.