将x509证书重新分发到不同的商店

Question

I have a p7b file, which contains 4 certificates. But I need them in several stores. So I first import the certificates in Cert:\\LocalMachine\\My store and then I need to move some of them elsewhere. So far I have this code:

Import-Certificate -FilePath "C:\SCOM\cert\cert_{dns name}.p7b" -CertStoreLocation Cert:\LocalMachine\My
$certIntermediate = Get-Item -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Contains "ABB Intermediate CA"}
$certRootCA = Get-Item -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Contains "ABB Root CA"}
$certIssuing = Get-Item -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Contains "ABB Issuing CA"}
$store = Get-Item -Path Cert:\LocalMachine\My
$store.Open("ReadWrite")
$store.Remove($certIntermediate)
$store.Remove($certRootCA)
$store.Remove($certIssuing)
$store.Close()
$storeIntermediate = Get-Item -Path Cert:\LocalMachine\CA
$storeIntermediate.Open("ReadWrite")
$storeIntermediate.add($certIntermediate)
$storeIntermediate.close()
$storeAuthRoot = Get-Item -Path Cert:\LocalMachine\AuthRoot
$storeAuthRoot.Open("ReadWrite")
$storeAuthRoot.add($certRootCA)
$storeAuthRoot.add($certIssuing)
$storeAuthRoot.close()

Ignore the {dns name} part in first row, that's just a general replacement. Problem is in rows 2-4. If I put the certificate path directly (like Cert:\\LocalMachine\\My\\8B4027E6B32E4E45C1DDB6A211 ) the rest of the script works.

Obviously I don't know the thumbprints before importing the certificates, so I can't use that. And the Where-Object doesn't seem to work. I tried Get-ChildItem instead of Get-Item , I tried Where instead of Where-Object , I tried -ccontains (accidentally) and -like instead of -contains , but the certificates are not "loaded" to the variables. When I try to delete them later in the code, I get the error value can not be null . How can I select the correct certificates to move them?

Answer 1

I have noticed three things which have to be clarified for your script.

1. First of all, the issue is that the cmdlet Get-Item gives you the store, not the certificate(s):

PS> Get-Item -Path Cert:\LocalMachine\My

Name : My

What you wanted to use is Get-ChildItem :

PS> Get-ChildItem -Path Cert:\LocalMachine\My


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
34BF9D3F534C2501977557CC9A48C9F5AAAAAAAA  CN=localhost

By the way, that explains why it works when you provide the thumbprint. This is because you provide cert's path to Get-Item instead of store path.

PS> $cert = Get-Item -Path Cert:\CurrentUser\My\34BF9D3F534C2501977557CC9A48C9F5AAAAAAAA
PS> $cert


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
34BF9D3F534C2501977557CC9A48C9F5AAAAAAAA  CN=localhost

2. Another thing is the usage of -contains . Please see this answer for more explanation. In general, it's not designed for substring comparison. Use something else (for example -like ) instead:

Get-ChildItem -Path Cert:\CurrentUser\My\  | Where-Object {$_.Subject -like "*google*"}

3. ? and Where are aliases to Where-Object , you can check it here:

PS>  get-alias | ? resolvedcommandname -eq "Where-Object"

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           ? -> Where-Object
Alias           where -> Where-Object