Loading Certificates from PFX Files

by Nov 1, 2017

In the previous tip we illustrated how you can use New-SelfSignedCertificate to create a new code signing certificate and store it as a PFX file. Today, let’s look at how you can load that PFX file back into PowerShell.

Let’s assume your PFX file is located in $env:temp\codeSignCert.pfx. Then this is the code you need to read the file:

$cert = Get-PfxCertificate -FilePath "$env:temp\codeSignCert.pfx"

When you do this, you will be prompted to enter a password. This is the password you defined when you created the certificate; it protects the private key stored inside the PFX file from abuse by anyone who gets hold of the file.
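Get-PfxCertificate prompts interactively, which is inconvenient in scripts. The following added example (not part of the original tip) loads the same file through the .NET X509Certificate2 constructor, so the password can come from a variable, and then checks that what came back is actually a usable code signing certificate: it has a private key, is inside its validity period, and carries the Code Signing extended key usage. The function name, the result fields and the variable names are hypothetical.

```powershell
# Added example, not from the original tip: load a PFX without the interactive
# prompt and confirm it is a usable code-signing certificate.
function Import-PfxForSigning {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "PFX file not found: $Path"
    }

    # A wrong password surfaces here as a CryptographicException, typically
    # "The specified network password is not correct".
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password)

    # Code Signing is the extended key usage OID 1.3.6.1.5.5.7.3.3 (RFC 5280 id-kp-codeSigning).
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $codeSigningOid)

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey      # must be $true, or nothing can be signed
        IsCodeSigning    = $isCodeSigning           # $false means the EKU does not allow code signing
        IsWithinValidity = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        Certificate      = $cert
    }
}

# Usage (hypothetical path): read the password without echoing it, then inspect the result.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$result = Import-PfxForSigning -Path "$env:temp\codeSignCert.pfx" -Password $pfxPassword
$result | Format-List Thumbprint, Subject, HasPrivateKey, IsCodeSigning, IsWithinValidity
```

If any of the three flags is $false, signing will either fail or produce a signature that Windows rejects, so checking them up front saves a confusing error later. On PowerShell 7 and newer, Get-PfxCertificate itself accepts a -Password parameter, so the constructor call can be replaced with the cmdlet there.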

Once the command has succeeded, the certificate details are available in $cert:

PS C:\> $cert

Thumbprint                                Subject                                                                                                               
----------                                -------                                                                                                               
5D8A325641CC583F882B439833961AE9BCDEC946  CN=SecurityDepartment                                                                                                 

PS C:\> $cert | Select-Object -Property *

EnhancedKeyUsageList     : {Code Signing (}
DnsNameList              : {SecurityDepartment}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 : 
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             : IT Sec Department
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 9/29/2022 12:57:28 AM
NotBefore                : 9/29/2017 12:47:28 AM
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 10...}
SerialNumber             : 45C8C7871DC392A44AD1ADD28FFDFAC7
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : 5D8A325641CC583F882B439833961AE9BCDEC946
Version                  : 3
Handle                   : 2832940980736
Issuer                   : CN=SecurityDepartment
Subject                  : CN=SecurityDepartment

There are also a number of methods supported by the certificate object:

PS C:\> $cert | Get-Member -MemberType *Method

   TypeName: System.Security.Cryptography.X509Certificates.X509Certificate2

Name                            MemberType Definition                                                                                                           
----                            ---------- ----------                                                                                                           
Dispose                         Method     void Dispose(), void IDisposable.Dispose()                                                                           
Equals                          Method     bool Equals(System.Object obj), bool Equals(X509Certificate other)                                                   
Export                          Method     byte[] Export(System.Security.Cryptography.X509Certificates.X509ContentType contentType), byte[] Export(System.Sec...
GetCertHash                     Method     byte[] GetCertHash()                                                                                                 
GetCertHashString               Method     string GetCertHashString()                                                                                           
GetEffectiveDateString          Method     string GetEffectiveDateString()                                                                                      
GetExpirationDateString         Method     string GetExpirationDateString()                                                                                     
GetFormat                       Method     string GetFormat()                                                                                                   
GetHashCode                     Method     int GetHashCode()                                                                                                    
GetIssuerName                   Method     string GetIssuerName()                                                                                               
GetKeyAlgorithm                 Method     string GetKeyAlgorithm()                                                                                             
GetKeyAlgorithmParameters       Method     byte[] GetKeyAlgorithmParameters()                                                                                   
GetKeyAlgorithmParametersString Method     string GetKeyAlgorithmParametersString()                                                                             
GetName                         Method     string GetName()                                                                                                     
GetNameInfo                     Method     string GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType nameType, bool forIssuer)              
GetObjectData                   Method     void ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization...
GetPublicKey                    Method     byte[] GetPublicKey()                                                                                                
GetPublicKeyString              Method     string GetPublicKeyString()                                                                                          
GetRawCertData                  Method     byte[] GetRawCertData()                                                                                              
GetRawCertDataString            Method     string GetRawCertDataString()                                                                                        
GetSerialNumber                 Method     byte[] GetSerialNumber()                                                                                             
GetSerialNumberString           Method     string GetSerialNumberString()                                                                                       
GetType                         Method     type GetType()                                                                                                       
Import                          Method     void Import(byte[] rawData), void Import(byte[] rawData, string password, System.Security.Cryptography.X509Certifi...
OnDeserialization               Method     void IDeserializationCallback.OnDeserialization(System.Object sender)                                                
Reset                           Method     void Reset()                                                                                                         
ToString                        Method     string ToString(), string ToString(bool verbose)                                                                     
Verify                          Method     bool Verify()

For example, if you’d like to verify that the certificate is valid, just call Verify(). The result is a Boolean value; $false indicates that Windows could not build a trusted chain for the certificate, for instance because it has expired, has been revoked, or, as with a self-signed certificate, was issued by a root that Windows does not trust.
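Verify() only tells you yes or no. The added example below (not part of the original tip) repeats the chain validation that Verify() performs but keeps the X509Chain object, so the reason for a $false result can be read from its ChainStatus. The function name and the result fields are hypothetical.

```powershell
# Added example, not from the original tip: explain a $false from Verify() by
# building the chain yourself and reading the status flags.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # Verify() uses the default chain policy: build a path to a trusted root
        # and check revocation online. Mirror that here so the results agree.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.VerificationFlags =
            [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

        $isTrusted = $chain.Build($Certificate)

        [pscustomobject]@{
            Thumbprint  = $Certificate.Thumbprint
            Subject     = $Certificate.Subject
            IsTrusted   = $isTrusted
            ChainLength = $chain.ChainElements.Count
            # Empty when trusted; otherwise flags such as UntrustedRoot, NotTimeValid,
            # Revoked or RevocationStatusUnknown name the failure.
            Reasons     = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            Details     = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        }
    }
    finally {
        $chain.Dispose()
    }
}

# Usage with the certificate loaded from the PFX file (hypothetical path):
$cert = Get-PfxCertificate -FilePath "$env:temp\codeSignCert.pfx"
Test-CertificateTrust -Certificate $cert | Format-List
```

For the self-signed certificate created in the previous tip, this reports IsTrusted = $false with UntrustedRoot among the reasons: the certificate is its own issuer and that issuer is not in any trusted root store, which is the expected result rather than a sign of a damaged file. Seeing RevocationStatusUnknown instead usually means the machine could not reach a CRL or OCSP endpoint, which is worth distinguishing from a genuinely revoked certificate before deciding what to do.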

Tomorrow, we’ll use the certificate to digitally sign PowerShell scripts.
