
I have a p7b file, which contains 4 certificates. But I need them in several stores. So I first import the certificates in Cert:\LocalMachine\My store and then I need to move some of them elsewhere. So far I have this code:

Import-Certificate -FilePath "C:\SCOM\cert\cert_{dns name}.p7b" -CertStoreLocation Cert:\LocalMachine\My
$certIntermediate = Get-Item -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Contains "ABB Intermediate CA"}
$certRootCA = Get-Item -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Contains "ABB Root CA"}
$certIssuing = Get-Item -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -Contains "ABB Issuing CA"}
$store = Get-Item -Path Cert:\LocalMachine\My
$store.Open("ReadWrite")
$store.Remove($certIntermediate)
$store.Remove($certRootCA)
$store.Remove($certIssuing)
$store.Close()
$storeIntermediate = Get-Item -Path Cert:\LocalMachine\CA
$storeIntermediate.Open("ReadWrite")
$storeIntermediate.add($certIntermediate)
$storeIntermediate.close()
$storeAuthRoot = Get-Item -Path Cert:\LocalMachine\AuthRoot
$storeAuthRoot.Open("ReadWrite")
$storeAuthRoot.add($certRootCA)
$storeAuthRoot.add($certIssuing)
$storeAuthRoot.close()

Ignore the {dns name} part in the first row, that's just a general replacement. The problem is in rows 2-4. If I put the certificate path directly (like Cert:\LocalMachine\My\8B4027E6B32E4E45C1DDB6A211) the rest of the script works.

Obviously I don't know the thumbprints before importing the certificates, so I can't use that. And the Where-Object doesn't seem to work. I tried Get-ChildItem instead of Get-Item, I tried Where instead of Where-Object, I tried -ccontains (accidentally) and -like instead of -contains, but the certificates are not "loaded" into the variables. When I try to delete them later in the code, I get the error "value cannot be null". How can I select the correct certificates to move them?

Robert Dyjas
Petr Synek

1 Answer

I have noticed three things which have to be clarified for your script.

  1. First of all, the issue is that the cmdlet Get-Item gives you the store, not the certificate(s):

PS> Get-Item -Path Cert:\LocalMachine\My

Name : My

What you wanted to use is Get-ChildItem:

PS> Get-ChildItem -Path Cert:\LocalMachine\My


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
34BF9D3F534C2501977557CC9A48C9F5AAAAAAAA  CN=localhost

By the way, that explains why it works when you provide the thumbprint. This is because you provide cert's path to Get-Item instead of store path.

PS> $cert = Get-Item -Path Cert:\CurrentUser\My\34BF9D3F534C2501977557CC9A48C9F5AAAAAAAA
PS> $cert


   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
34BF9D3F534C2501977557CC9A48C9F5AAAAAAAA  CN=localhost
  2. Another thing is the usage of -contains. Please see this answer for more explanation. In general, it's not designed for substring comparison. Use something else (for example -like) instead:

Get-ChildItem -Path Cert:\CurrentUser\My\  | Where-Object {$_.Subject -like "*google*"}
  3. ? and Where are aliases for Where-Object; you can check it here:

PS>  get-alias | ? resolvedcommandname -eq "Where-Object"

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           ? -> Where-Object
Alias           where -> Where-Object
Robert Dyjas
    It didn't work with `-like`, so I used `-match` and it's working. I tried `Get-ChildItem` before, as I mentioned, but not with `-match`. – Petr Synek Jul 03 '19 at 07:07
  • You haven't posted your code with `-like` so I didn't have a chance to test it. Anyway, glad that it helped! – Robert Dyjas Jul 03 '19 at 07:11
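The following is an added example, not code from the question or the answer above. It puts the answer's two points together into a working script: the .p7b bundle is imported into LocalMachine\My, the certificates are then listed with Get-ChildItem (Get-Item would return the store object itself) and filtered with -like rather than -contains, and the CA certificates are moved to the store Windows expects for them. It goes a little beyond the question's case: instead of hard-coding which name goes into which store, it checks each certificate's Basic Constraints extension and sends self-signed CAs to Root and other CAs to CA (intermediate). The bundle path, the '*CA*' subject pattern and the target store names are assumptions; anything placed in Root or CA becomes trusted machine-wide, so compare the printed thumbprints with the fingerprints your PKI publishes before running this on a production host.

```powershell
# Added example (not from the question or the answer): import a .p7b bundle into
# LocalMachine\My, then move the CA certificates it contains into the Root/CA stores.
# The bundle path, subject pattern and store names are assumptions for this demo.
# Run from an elevated prompt; writing to LocalMachine stores requires admin rights.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$bundlePath = 'C:\SCOM\cert\cert_EXAMPLE.p7b'   # placeholder path, adjust for your environment

# Import every certificate in the PKCS#7 bundle into the machine's personal store.
# Import-Certificate returns the X509Certificate2 objects it added, so the script
# works from that list instead of needing the thumbprints in advance.
$imported = @(Import-Certificate -FilePath $bundlePath -CertStoreLocation Cert:\LocalMachine\My)
$importedThumbprints = @($imported | ForEach-Object { $_.Thumbprint })

function Test-IsCaCertificate {
    # True when the certificate carries a Basic Constraints extension with cA=TRUE.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $bc = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    return [bool]($bc -and $bc.CertificateAuthority)
}

function Move-CertificateToStore {
    # Adds the certificate to $TargetStore and then removes it from $SourceStore,
    # both under LocalMachine. Stores are always closed, even if Add/Remove throws.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$SourceStore,   # e.g. 'My'
        [Parameter(Mandatory)][string]$TargetStore    # e.g. 'CA' or 'Root'
    )
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite
    $dst = New-Object System.Security.Cryptography.X509Certificates.X509Store($TargetStore, 'LocalMachine')
    $src = New-Object System.Security.Cryptography.X509Certificates.X509Store($SourceStore, 'LocalMachine')
    try {
        $dst.Open($flags)
        $dst.Add($Certificate)
        $src.Open($flags)
        $src.Remove($Certificate)
    } finally {
        $dst.Close()
        $src.Close()
    }
    Write-Host ("Moved '{0}' ({1}) from {2} to {3}" -f $Certificate.Subject, $Certificate.Thumbprint, $SourceStore, $TargetStore)
}

# Select candidates from the live store contents. Get-ChildItem lists the
# certificates inside the store (Get-Item would return the store itself), and
# -like does the wildcard substring match that -contains was never meant for.
# Restricting to thumbprints we just imported avoids touching unrelated certificates.
$caCandidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $importedThumbprints -contains $_.Thumbprint -and $_.Subject -like '*CA*' }

foreach ($cert in $caCandidates) {
    # Guard: only genuine CA certificates belong in a trust store, whatever their subject says.
    if (-not (Test-IsCaCertificate -Certificate $cert)) {
        Write-Warning "Skipping '$($cert.Subject)' ($($cert.Thumbprint)): Basic Constraints does not mark it as a CA"
        continue
    }
    # A self-signed CA (Subject equals Issuer) is a root; any other CA is an intermediate.
    $target = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    Move-CertificateToStore -Certificate $cert -SourceStore 'My' -TargetStore $target
}

# The end-entity certificate(s) from the bundle stay in LocalMachine\My.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $importedThumbprints -contains $_.Thumbprint } |
    Format-Table Thumbprint, Subject -AutoSize
```

Note that -match, which the comment above reports as working, treats its pattern as a regular expression, so a subject like "ABB Root CA" matches as a substring with either operator; -like '*ABB Root CA*' and -match 'ABB Root CA' are equivalent for plain names, but -match will misbehave on subjects containing regex metacharacters such as parentheses or dots unless they are escaped.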