PowerShell Core 6.2 Cookbook

How to do it...

Install and start PowerShell Core on a Windows host and execute the following steps:

  1. Use the provider cmdlet to list certificate stores and certificates inside a store:
# Another Windows-only provider, allowing access to local cert stores
Get-PSProvider -PSProvider Certificate

# Again, the default cmdlets apply
# List all certificate stores
Get-ChildItem -Path Cert:\CurrentUser

# List all certificates of the user's personal store
Get-ChildItem -Path Cert:\CurrentUser\my
  2. The extended parameters of the Get-ChildItem cmdlet help to apply additional filters:
# The parameters offered by the Certificate provider are very interesting
# On Windows PowerShell, additional parameters like -EKU and -SslServerAuthentication will be available
Get-ChildItem -Path Cert:\CurrentUser\my -CodeSigningCert
  3. With PowerShell Core, not all additional parameters of Get-ChildItem that you might know from Windows PowerShell can be used. Where-Object is still your friend:
$certificate = Get-ChildItem -Path Cert:\CurrentUser\my | Select-Object -First 1

# Filter on the OIDs. If OID can't be resolved, use the numeric object ID instead of the friendly name!
# The OID is more reliable and not subject to localization
$certificate.EnhancedKeyUsageList

# For example, search for all client authentication certificates
Get-ChildItem -Path Cert:\CurrentUser\my | Where-Object -FilterScript {$_.EnhancedKeyUsageList.ObjectId -eq '1.3.6.1.5.5.7.3.2'}

# Also important: filter on certificates where the private key is accessible, i.e. to digitally sign documents
Get-ChildItem -Path Cert:\CurrentUser\my |
    Where-Object -Property HasPrivateKey |
    Format-Table -Property Subject,Thumbprint,@{Label='EKU'; Expression = {$_.EnhancedKeyUsageList.FriendlyName -join ','}}

$certificate.HasPrivateKey
  4. Not all Item cmdlets are implemented for the certificate provider:
# While New and Set cmdlets aren't implemented for certificates, Remove can be used for some spring cleaning
# -WhatIf only shows what would be deleted; nothing is removed
Get-ChildItem -Path Cert:\CurrentUser\my |
    Where-Object -Property NotAfter -lt $([datetime]::Today) |
    Remove-Item -WhatIf

  5. But you can still create new certificate stores:
# New-Item can be used for new stores - but this is rarely done
New-Item -Path Cert:\LocalMachine\NewStore
Remove-Item -Path Cert:\LocalMachine\NewStore
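
The filtering from steps 3 and 4 combined into one reusable audit function, as an added example that is not code from the book. It matches EKUs by numeric OID and classifies expiry with Where-Object, since the Windows PowerShell-only provider parameters are unavailable. The function name Get-CertificateAudit, its parameters and the 30-day default are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not code from the book.
function Get-CertificateAudit {
    [CmdletBinding()]
    param(
        # Store (or store location) to inspect through the Cert: drive
        [string]$Path = 'Cert:\CurrentUser\My',
        # EKU object identifiers to match; empty means no EKU filter
        [string[]]$EkuOid = @(),
        # Assumed default: flag certificates that expire within 30 days
        [int]$ExpiringInDays = 30,
        # Only report certificates whose private key is present
        [switch]$RequirePrivateKey
    )

    $now      = Get-Date
    $deadline = $now.AddDays($ExpiringInDays)

    # -Recurse also returns store objects, so keep X509Certificate2 items only
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { -not $RequirePrivateKey -or $_.HasPrivateKey } |
        Where-Object {
            # Match on numeric OIDs, which are not subject to localization
            $listed = @($_.EnhancedKeyUsageList.ObjectId)
            $EkuOid.Count -eq 0 -or @($listed | Where-Object { $_ -in $EkuOid }).Count -gt 0
        } |
        ForEach-Object {
            $status = if ($_.NotAfter -lt $now) {
                'Expired'
            } elseif ($_.NotBefore -gt $now) {
                'NotYetValid'
            } elseif ($_.NotAfter -le $deadline) {
                'ExpiringSoon'
            } else {
                'Valid'
            }
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                EkuOid        = @($_.EnhancedKeyUsageList.ObjectId) -join ','
                Status        = $status
            }
        }
}

# Client authentication certificates with a usable private key
Get-CertificateAudit -EkuOid '1.3.6.1.5.5.7.3.2' -RequirePrivateKey | Format-Table -AutoSize
```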