Solved

Accessing attributes/properties/fields in a Certificate

Posted on 2010-09-01
1,075 Views
Last Modified: 2012-05-10
Is there a way to access the properties of an installed certificate? We are trying to read the certificate hash and set the SSL bindings using PowerShell. We need a way to access the certificate's hash. Netsh is returning null values.
Question by:CAKNV
6 Comments
 
LVL 13

Accepted Solution

by:
soostibi earned 250 total points
ID: 33580163
You can access certificates through the cert: PSDrive:

get-item cert:\CurrentUser\root\F84622A890DA9112399CDA25A4797FBF7C0DA37C | fl *

With a 'get-childitem' starting from cert:\ you can enumerate containers and certificates.

Some properties are also complex objects, so you have to examine the properties of properties to get the information you want:

For example:
PS cert:\CurrentUser\root> (Get-Item F84622A890DA9112399CDA25A4797FBF7C0DA37C).publickey.key.cspkeycontainerinfo | fl *
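Putting the cert: PSDrive approach from the accepted answer together with the SSL binding the question asks about, as an added example that is not part of the original thread: it locates the certificate by the subject name used when the certificate was created (an assumed value), reads its Thumbprint, binds it with netsh http add sslcert, and then checks that HTTP.sys reports the same hash. The subject name and the appid GUID are placeholders.

```powershell
# Added example, not from the original thread. Assumed: the certificate was issued
# with the subject below and sits in Cert:\LocalMachine\My; the appid GUID is a
# placeholder that identifies the owning application to HTTP.sys.
$SubjectName = 'CN=web01.example.internal'                 # assumed value
$IpPort      = '0.0.0.0:443'
$AppId       = '{00000000-0000-0000-0000-000000000001}'    # placeholder

function Get-ServerCertThumbprint {
    param([string]$Subject)
    # Enumerate the store through the cert: PSDrive. Skip expired certificates and
    # certificates without a private key (useless for SSL), then take the one that
    # expires last so a renewed certificate wins over the old one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Subject -eq $Subject -and
                       $_.HasPrivateKey -and
                       $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No usable certificate with subject '$Subject' in Cert:\LocalMachine\My" }
    # Thumbprint is the SHA-1 hash as uppercase hex without spaces, the form netsh expects
    return $cert.Thumbprint
}

$thumb = Get-ServerCertThumbprint -Subject $SubjectName

# Drop any existing binding on this ip:port (ignored if none exists), then bind the certificate.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$thumb appid=$AppId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Verify: the hash HTTP.sys reports for the binding must equal the one read from the store.
$bound = (netsh http show sslcert ipport=$IpPort | Select-String 'Certificate Hash') -replace '.*:\s*', ''
if ($bound -ne $thumb) { throw "Binding check failed: expected $thumb, HTTP.sys reports $bound" }
"Bound $thumb to $IpPort"
```

Run it from an elevated PowerShell session; netsh http add sslcert needs administrator rights, and the script throws rather than silently leaving the old binding in place.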
 

Author Comment

by:CAKNV
ID: 33580786
We cannot use a PSDrive because we need to have no user intervention. We are trying to automate the installation and will only have the information we used to automate the creation of the certificate.
 
LVL 13

Expert Comment

by:soostibi
ID: 33581064
Why would you have to have user intervention when using a PSDrive? PSDrives are there...
 
LVL 1

Assisted Solution

by:ldap389
ldap389 earned 250 total points
ID: 33582024
For example, when you use the command line "certutil -store my", certificate information about your local machine certificate store is displayed, and the certificate's hash is part of the output. But you cannot retrieve the certificate's hash without parsing the output of the command line result. Not very good for automation...

Hopefully, you can use Quest AD CmdLets 1.4; there is a PowerShell package for certificate and PKI management:

http://wiki.powergui.org/index.php/QAD_cmdlets_reference#Certificate_and_Public_Key_Infrastructure_.28PKI.29_management

With Quest AD CmdLets, if you want the certificate's hash, you just have to retrieve it with the "thumbprint" value of the Get-QADCertificate cmdlet. (http://wiki.powergui.org/index.php/Get-QADCertificate)

So to display your local computer store certificates' hashes just run:

Get-QADLocalCertificateStore My -StoreLocation LocalMachine | Get-QADCertificate | format-table thumbprint
 
LVL 13

Expert Comment

by:soostibi
ID: 33584178
I still do not understand you. If I collect the certs by certutil -store and make a little conversion on the hashes, I'll get the same result as parsing the cert: PSDrive. PowerShell calls the hashes "thumbprint". (I do not really know certutil, but I think it parses the currentuser/my and the localmachine/my cert stores; through the cert: PSDrive you can get all the certs.)

$h = certutil -store | Select-String ([regex]::escape("Cert Hash(sha1):")) -AllMatches | %{$_ -replace "\s",""} | %{$_ -replace "CertHash\(sha1\):",""} # hashes from certutil

Get-ChildItem cert:\ -Recurse | ?{!$_.psiscontainer} | ?{$h -contains $_.thumbprint} # finding the same hashes in the cert PSDrive.
