PROVIDER NAME
DRIVES
SHORT DESCRIPTION
Provides read-only access to X509 certificate stores and certificates from within Windows PowerShell.
DETAILED DESCRIPTION
The Windows PowerShell security strategy supports the use of Authenticode signatures to sign scripts using x509-encoded digital public key certificates. The signing features of Windows PowerShell are not intended to be complete, but they enable users to sign scripts and enable Windows PowerShell to recognize signed and unsigned scripts, and determine whether the scripts originate on the Internet.
The Windows PowerShell Certificate provider lets you navigate the certificate namespace, view the certificate stores and certificates, and open the Certificates snap-in for the Microsoft Management Console (MMC). However, because the Certificate drive is read-only, you cannot edit, copy, move, or delete certificates and certificate stores.
The Certificate provider exposes the certificate namespace as the Cert: drive in Windows PowerShell. The Cert: drive has the following three levels:
- Store locations (Microsoft.PowerShell.Commands.X509StoreLocation), which are high-level containers that group the certificates for the current user and for all users. Each system has a CurrentUser and a LocalMachine (all users) store location.
- Certificate stores (System.Security.Cryptography.X509Certificates.X509Store), which are physical stores in which certificates are saved and managed.
- X509 certificates (System.Security.Cryptography.X509Certificates.X509Certificate2), each of which represents an X509 certificate on the computer. Certificates are identified by their thumbprints.
The Windows PowerShell Certificate provider supports the Set-Location, Get-Location, Get-Item, Get-ChildItem, and Invoke-Item cmdlets.
In addition, the Windows PowerShell Security snap-in (Microsoft.PowerShell.Security), which includes the Certificate provider, also includes cmdlets to get and set Authenticode signatures and to get certificates. For a list of cmdlets in the Security snap-in, type:
get-command -pssnapin *security
DYNAMIC PARAMETERS
Dynamic parameters are cmdlet parameters that are added by a Windows PowerShell provider and are available only when the cmdlet is being used in the provider-enabled drive. The parameters described in this section are available in the specified cmdlets only when they are used in the Cert: drive.
-CodeSigningCert
Gets only those certificates with code-signing authority.
Cmdlets supported:
EXAMPLES
This section provides examples that show you how to use the Item cmdlets to manage items in the Cert: drive.
Example 1: Change your location to the Cert: drive
The following command uses the Set-Location cmdlet to change the current location to the Cert: drive. Set-Location works like the CD and ChDir (change directory) commands in Cmd.exe. You can use the following command from any drive in Windows PowerShell. To return to a file system drive, type the file system drive name, such as "set-location c:".
As a result of the following command, your current location is in the Cert: drive.
PS C:\> set-location Cert:
PS Cert:\>
Example 2: Go to the Root certificate store
The following command uses the Set-Location cmdlet to change the current location to the Root certificate store in the LocalMachine store location. Use a backslash (\) or forward slash (/) to indicate a level of the Cert: drive.
set-location -path LocalMachine\Root
If you are not in the Cert: drive, begin the path with the drive name.
set-location -path Cert:\LocalMachine\Root
Example 3: Get certificate stores
The following command uses the Get-ChildItem cmdlet to get the certificate stores in the CurrentUser certificate store location.
get-childitem -path cert:\CurrentUser
If you are in the cert: drive, you can omit the drive name.
get-childitem -path CurrentUser
Example 4: Get certificates
The following command uses the Get-ChildItem cmdlet to display the certificates in the "My" certificate store.
get-childitem -path cert:\CurrentUser\My
If you are in the cert: drive, you can omit the drive name.
get-childitem -path CurrentUser\My
Example 5: Display the properties of a certificate store
The following command uses the Get-Item cmdlet to get the "My" certificate store. It uses the Property parameter of the Format-List cmdlet with a value of all (*) to display all of the properties of the store.
get-item -path cert:\CurrentUser\My | format-list *
Example 6: Display the properties of a certificate
The following command uses the Get-ChildItem cmdlet to get the certificate. It uses the Property parameter of the Format-List cmdlet with a value of all (*) to display all of the properties of the certificate. The certificate is identified by its thumbprint.
get-childitem -path cert:\CurrentUser\my\6B8223358119BB08840DEE50FD8AF9EA776CE66B | format-list -property *
Example 7: Get certificates with code-signing authority
The following command uses the Get-ChildItem cmdlet to get all of the certificates on the computer. The command uses the CodeSigningCert dynamic parameter of Get-Childitem to get only the certificates that have code-signing authority.
get-childitem -path * -codesigningcert -recurse
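The following is an added example, not part of the original help topic. It extends Example 7 into an inventory of code-signing certificates across both store locations, showing which store holds each certificate, whether its private key is present on this computer, and whether it is expired or close to expiry. The 30-day warning window and the Status labels are assumptions chosen for illustration.

```powershell
# Added example: inventory code-signing certificates exposed by the Cert: drive.
# Assumption: warn when a certificate expires within 30 days.
$warnDays = 30
$now = Get-Date

# Calculated properties built from X509Certificate2 members and the
# PSParentPath note property that the provider adds to each item.
$props = @(
    @{ Name = 'Store'; Expression = {
        # PSParentPath looks like
        # Microsoft.PowerShell.Security\Certificate::CurrentUser\My
        ($_.PSParentPath -split '::', 2)[1]
    } },
    'Thumbprint',
    'Subject',
    'HasPrivateKey',   # True means this computer can sign with the certificate
    'NotAfter',
    @{ Name = 'Status'; Expression = {
        if     ($_.NotAfter  -lt $now)                    { 'Expired' }
        elseif ($_.NotBefore -gt $now)                    { 'NotYetValid' }
        elseif ($_.NotAfter  -lt $now.AddDays($warnDays)) { 'ExpiringSoon' }
        else                                              { 'Valid' }
    } }
)

Get-ChildItem -Path Cert:\ -CodeSigningCert -Recurse |
    # Keep certificate objects only, in case store containers are returned.
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Select-Object -Property $props |
    Sort-Object -Property Store, NotAfter |
    Format-Table -AutoSize
```

Rows where HasPrivateKey is True identify the stores that hold usable signing keys, which is where key protection and expiry tracking matter most.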
Example 8: Open the Certificates Snap-In in MMC
The following command uses the Invoke-Item cmdlet to open the Certificates snap-in to the Microsoft Management Console (MMC). You can use the snap-in tools to manage the specified certificate.
invoke-item cert:\CurrentUser\my\6B8223358119BB08840DEE50FD8AF9EA776CE66B
See Also