Infrastructure

Managing Windows Certificates with PowerShell

8 July 2013
2 min read
Paul Stack author image
Paul Stack
infrastructure hero image

Managing certificates on Windows is really painful. There is no easy way to do it. The general way to install a certificate to a Windows Server 2008 machine is as follows:

  • Open the Certificates snap-in for a user, computer, or service.
  • In the console tree, click the logical store where you want to import the certificate.
  • On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
  • Type the file name containing the certificate to be imported.
  • If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use. OR
  • If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.

The first time I ran this process, I felt as though this was just wrong to not be able to automate. The goal of our team is to automate everything we are currently doing manually. PowerShell is a better option for this import process as it allows you to write code to do it. As we all know, code is better for a number of reasons, I won't go into the infrastructure as code argument in this post (but it is coming soon….). Using PowerShell, I can write a simple function as follows:

function Import-PfxCertificate($certName, $CertLocaton, $certRootStore, $certStore) {
     $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2

     $pfxPass = convertto-securestring $CertPassword -asplaintext -force

     $certPath = $CertLocaton + "\" + $certName
     $pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")

     $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
     $store.open("MaxAllowed")
     $store.add($pfx)
     $store.close()
}

This makes certificate management easier. To manage certificates in this way, I just need to invoke a script similar to this:

.\import-certificate.ps1 -CertificateName "mycert.pfx" -CertLocation "c:\ssl\mycerts"

Much simpler! You can download a gist of this script should you wish to use it. Please note that the license that this script is available under can be read from our github repository.