Certificate Provider

Applies To: Windows PowerShell 2.0

PROVIDER NAME

Certificate

DRIVES

Cert:

SHORT DESCRIPTION

Provides access to X.509 certificate stores and certificates from within Windows PowerShell.

DETAILED DESCRIPTION

The Windows PowerShell security strategy supports the use of Authenticode signatures to sign scripts using X.509-encoded digital public key certificates. The signing features of Windows PowerShell are not intended to be complete, but they enable users to sign scripts and enable Windows PowerShell to recognize signed and unsigned scripts and to determine whether the scripts originate on the Internet.

The Windows PowerShell Certificate provider lets you navigate the certificate namespace and view the certificate stores and certificates. It also lets you copy, move, and delete certificates, and it lets you open the Certificates snap-in for the Microsoft Management Console (MMC).

The Certificate provider exposes the certificate namespace as the Cert: drive in Windows PowerShell. The Cert: drive has the following three levels:

-- Store locations (Microsoft.PowerShell.Commands.X509StoreLocation), which are high-level containers that group the certificates for the current user and for all users. Each system has a CurrentUser and LocalMachine (all users) store location.

-- Certificates stores (System.Security.Cryptography.X509Certificates.X509Store), which are physical stores in which certificates are saved and managed.

-- X.509 certificates (System.Security.Cryptography.X509Certificates.X509Certificate2), each of which represent an X.509 certificate on the computer. Certificates are identified by their thumbprints.

The Windows PowerShell Certificate provider supports the Set-Location, Get-Location, Get-Item, Get-ChildItem, and Invoke-Item cmdlets.

In addition, the Windows PowerShell Security snap-in (Microsoft.PowerShell.Security), which includes the Certificate provider, also includes cmdlets to get and set Authenticode signatures and to get certificates. For a list of cmdlets in the Security snap-in, type "Get-Command -module *security".

CAPABILITIES

ShouldProcess

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

This command uses the Set-Location cmdlet to change the current location to the Cert: drive.

set-location cert:

-------------------------- EXAMPLE 2 --------------------------

This command uses the Set-Location command to change the current location to the Root certificate store in the LocalMachine store location. Use a backslash (\) or a forward slash (/) to indicate a level of the Cert: drive.

set-location -path LocalMachine\Root

If you are not in the Cert: drive, begin the path with the drive name.

Displaying the Contents of the Cert: Drive

-------------------------- EXAMPLE 1 --------------------------

This command uses the Get-ChildItem cmdlet to display the certificate stores in the CurrentUser certificate store location.

get-childitem -path cert:\CurrentUser

If you are in the Cert: drive, you can omit the drive name.

-------------------------- EXAMPLE 2 --------------------------

This command uses the Get-ChildItem cmdlet to display the certificates in the My certificate store.

get-childitem -path cert:\CurrentUser\My

If you are in the Cert: drive, you can omit the drive name.

-------------------------- EXAMPLE 3 --------------------------

This command uses the Get-Item cmdlet to get the "My" certificate store and the Property parameter of Format-List with a wildcard character (*) to display all of the properties of the store.

get-item -path cert:\CurrentUser\My | format-list *

-------------------------- EXAMPLE 4 --------------------------

This command gets a certificate and displays all of its properties. It uses the Get-ChildItem cmdlet to get the certificate and the Property parameter of Format-List with a wildcard character (*) to display all of the properties of the certificate.

The certificate is identified by its thumbprint.

get-childitem -path cert:\CurrentUser\my\6B8223358119BB08840DEE50FD8AF9EA776CE66B | format-list -property *

-------------------------- EXAMPLE 5 --------------------------

This command uses the Get-ChildItem cmdlet to get all of the certificates on the computer and its CodeSigningCert dynamic parameter to get only the certificates that have code-signing authority.

get-childitem -path * -codesigningcert -recurse

Opening the Certificates MMC Snap-in

-------------------------- EXAMPLE 1 --------------------------

This command opens the Certificates MMC snap-in to manage the specified certificate.

invoke-item cert:\CurrentUser\my\6B8223358119BB08840DEE50FD8AF9EA776CE66B

DYNAMIC PARAMETERS

Dynamic parameters are cmdlet parameters that are added by a Windows PowerShell provider and are available only when the cmdlet is being used in the provider-enabled drive.

CodeSigningCert <System.Management.Automation.SwitchParameter>

Gets only those certificates with code-signing authority.

Cmdlets supported:

See Also

Concepts

about_Providers
about_Signing
Get-AuthenticodeSignature
Set-AuthenticodeSignature
Get-PfxCertificate