In the previous tip we illustrated how you can use New-SelfSignedCertificate to create new code signing certificates, and store them as a PFX file. Let’s check out today how you can load a PFX file.
Let’s assume your PFX file is located in $env:temp\codeSignCert.pfx. Then this is the code you need to read the file:
$cert = Get-PfxCertificate -FilePath "$env:temp\codeSignCert.pfx"
When you do this, you will be prompted to enter a password. This is the password you defined when you created the certificate, and it protects the file from abuse.
After the command succeeded, the certificate details can be found in $cert:
PS C:\> $cert

Thumbprint                                Subject
----------                                -------
5D8A325641CC583F882B439833961AE9BCDEC946  CN=SecurityDepartment

PS C:\> $cert | Select-Object -Property *

EnhancedKeyUsageList     : {Code Signing (1.3.6.1.5.5.7.3.3)}
DnsNameList              : {SecurityDepartment}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             : IT Sec Department
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 9/29/2022 12:57:28 AM
NotBefore                : 9/29/2017 12:47:28 AM
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 10...}
SerialNumber             : 45C8C7871DC392A44AD1ADD28FFDFAC7
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : 5D8A325641CC583F882B439833961AE9BCDEC946
Version                  : 3
Handle                   : 2832940980736
Issuer                   : CN=SecurityDepartment
Subject                  : CN=SecurityDepartment
There are also a number of methods supported by the certificate object:
PS C:\> $cert | Get-Member -MemberType *Method

   TypeName: System.Security.Cryptography.X509Certificates.X509Certificate2

Name                            MemberType Definition
----                            ---------- ----------
Dispose                         Method     void Dispose(), void IDisposable.Dispose()
Equals                          Method     bool Equals(System.Object obj), bool Equals(X509Certificate other)
Export                          Method     byte[] Export(System.Security.Cryptography.X509Certificates.X509ContentType contentType), byte[] Export(System.Sec...
GetCertHash                     Method     byte[] GetCertHash()
GetCertHashString               Method     string GetCertHashString()
GetEffectiveDateString          Method     string GetEffectiveDateString()
GetExpirationDateString         Method     string GetExpirationDateString()
GetFormat                       Method     string GetFormat()
GetHashCode                     Method     int GetHashCode()
GetIssuerName                   Method     string GetIssuerName()
GetKeyAlgorithm                 Method     string GetKeyAlgorithm()
GetKeyAlgorithmParameters       Method     byte[] GetKeyAlgorithmParameters()
GetKeyAlgorithmParametersString Method     string GetKeyAlgorithmParametersString()
GetName                         Method     string GetName()
GetNameInfo                     Method     string GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType nameType, bool forIssuer)
GetObjectData                   Method     void ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization...
GetPublicKey                    Method     byte[] GetPublicKey()
GetPublicKeyString              Method     string GetPublicKeyString()
GetRawCertData                  Method     byte[] GetRawCertData()
GetRawCertDataString            Method     string GetRawCertDataString()
GetSerialNumber                 Method     byte[] GetSerialNumber()
GetSerialNumberString           Method     string GetSerialNumberString()
GetType                         Method     type GetType()
Import                          Method     void Import(byte[] rawData), void Import(byte[] rawData, string password, System.Security.Cryptography.X509Certifi...
OnDeserialization               Method     void IDeserializationCallback.OnDeserialization(System.Object sender)
Reset                           Method     void Reset()
ToString                        Method     string ToString(), string ToString(bool verbose)
Verify                          Method     bool Verify()
For example, if you’d like to verify that the certificate is valid, just call Verify(). The result is a Boolean value, and $false would indicate that the certificate is not trusted by Windows.
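As an added example that is not part of the original tip, the function below loads the same PFX without the interactive prompt (through the .NET X509Certificate2 constructor, with the password supplied as a SecureString) and then checks what matters before the certificate is used for signing: the private key is present, the Extended Key Usage includes Code Signing, the validity period covers today, and, when Verify() returns $false, an X509Chain reports why (a self-signed certificate that has not been placed in a trusted store shows UntrustedRoot). The function name and parameter names are my own; the file path is the one assumed in the tip.

```powershell
# Added example, not part of the original tip. Loads a PFX without the
# interactive prompt and reports whether the certificate is usable and
# trusted for code signing. Function and parameter names are made up here.
function Test-CodeSigningPfx {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Same object Get-PfxCertificate returns, but the password comes from a
    # SecureString instead of the console prompt.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password

    # The Extended Key Usage extension must contain the Code Signing OID
    # (1.3.6.1.5.5.7.3.3) that appears in the tip's Select-Object output.
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = $false
    if ($ekuExt) {
        $hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
    }

    # Verify() only answers "trusted or not"; building an X509Chain explains
    # why. Revocation checking is off because a self-signed cert has no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    $now = Get-Date

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey
        CodeSigningEku   = $hasCodeSigning
        InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        TrustedByWindows = $cert.Verify()
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage: the PFX path from the tip; the password is read into a SecureString
# so it never sits in the script or the command history as plain text.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Test-CodeSigningPfx -Path "$env:temp\codeSignCert.pfx" -Password $pfxPassword
```

An empty ChainStatus together with TrustedByWindows = True means the certificate chains to a root Windows trusts; UntrustedRoot with False is the expected result for the self-signed certificate from the previous tip until it is added to a trusted store.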
Tomorrow, we’ll use the certificate to digitally sign PowerShell scripts.