Export-Certificate Cmdlet
Parameters Output Objects Config Settings
The Export-Certificate component is used to export an X.509 certificate from a certificate store.
Syntax
Export-Certificate [parameters]
Remarks
This will save the certificate specified by CertStore, CertStoreType, CertStorePassword and
Subject to a PFX file. The certificate and its private key are saved to the file
specified by OutputFile in PKCS12 format. The file contents are protected by Password.
# export a certificate
export-certificate -CertStore Root -CertStoreType User -Subject $subject -OutputFile $file -Password $password
Parameter List
The following is the full list of the parameters of the cmdlet with short descriptions. Click on the links for further details.
LogFile | The location of a file to which debug information is written. |
CertStore | The name of the certificate store for the client certificate. |
CertStorePassword | The password for the certificate store (if any). |
CertStoreType | The type of certificate store for the client certificate. |
Config | Specifies one or more configuration settings. |
LogFile | The location of a file to which debug information is written. |
OutputFile | The output file. |
Password | The certificate's password. |
PublicKeyOnly | Whether to export public key only. |
Subject | Specifies the subject of the certificate to get. |
Output Objects
The following is the full list of the output objects returned by the cmdlet with short descriptions. Click on the links for further details.
ExportedCert | This object is returned for each certificate exported from a store. |
Config Settings
The following is a list of config settings for the cmdlet with short descriptions. Click on the links for further details.
CertificateOutputFormat | The format of the output certificate. |
CertComment | A comment to include in a saved certificate. |
CertCustomExtensionCount | The number of records in the CertCustomExtension arrays. |
CertCustomExtensionCritical[i] | Whether or not the extension is defined as critical. |
CertCustomExtensionOID[i] | The ASN of the extension at index 'i'. |
CertCustomExtensionValue[i] | The raw value of the extension at index 'i'. |
CertExtendedKeyUsage | The extended key usage of the certificate. |
CertKeyLength | The public key length for created certificates and keys. |
CertKeyType | The types of keys created for new certificates. |
CertPublicKeyAlgorithm | The public key algorithm used when a certificate is created. |
CertSignatureAlgorithm | The signature algorithm used when creating certificates. |
CertSubjectAltNames | Subject Alternative Names for creating or issuing certificates. |
CertThumbprint | The thumbprint of the certificate to be loaded. |
CertUsageFlags | Sets the flags indicating the usage of the created certificate. |
CertValidityOffset | The number of days until the certificate becomes valid. |
CertValidityTime | The validity period for the certificate. |
CheckCRL | Checks the Certificate Revocation List for the selected certificate. |
CheckOCSP | Uses OCSP to check the status of the selected certificate. |
CreatedKey | The PKCS8 formatted private and public key pair created after calling CreateKey. |
CSP | The Cryptographic Service Provider. |
CSRIgnoredExtensions | Extensions to be ignorned when signing a CSR. |
CSRKey | The PKCS8 formatted private key to use when generating a CSR. |
EncodeExportedCert | Whether the certificate being exported to a string is encoded. |
HasCRL | Whether the certificate supports the CRL extension. |
HasOCSP | Whether the certificate supports the OCSP extension. |
ImportCertAction | Specified the action to take if a matching certificate or a link to a matching certificate already exists. |
ImportCertStoreType | The type of certificate store being specified for import. |
JWKAlgorithm | The JWK algorithm. |
JWKExportX5C | Whether to export a certificate chain to the x5c parameter. |
JWKKeyId | The JWK key Id. |
JWKKeyOps | The JWK intended key operations list. |
JWKUse | The JWK use parameter value. |
KeyFormat | How the public and private key are formatted. |
LogLevel | The level of detail that is logged. |
ReplaceKey | Whether or not to replace an existing key when creating a new key. |
RequestSubjectAltNames | Subject Alternative Names for a Certificate Signing Request. |
X509Algorithm | Public Key Algorithm OID. |
X509SignatureAlgorithm | Signature Algorithm OID. |
BuildInfo | Information about the product's build. |
CodePage | The system code page used for Unicode to Multibyte translations. |
LicenseInfo | Information about the current license. |
MaskSensitive | Whether sensitive data is masked in log messages. |
UseInternalSecurityAPI | Tells the component whether or not to use the system security libraries or an internal implementation. |
LogFile Parameter (Export-Certificate Cmdlet)
The location of a file to which debug information is written.
Syntax
Export-Certificate -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.Default Value
null
CertStore Property (Export-Certificate Cmdlet)
The name of the certificate store for the client certificate.
Syntax
Export-Certificate -CertStore string
Remarks
The CertStoreType parameter specifies the type of the certificate store specified by CertStore. If the store is password protected, specify the password in CertStorePassword.
CertStore is used in conjunction with the Subject parameter in order to specify client certificates. If CertStore has a value, and Subject has been set, a search for a certificate is initiated during logon. Please refer to the Subject parameter for details.
Designations of certificate stores are platform-dependent.
The following are designations of the most common User and Machine certificate stores in Windows:
MY | A certificate store holding personal certificates with their associated private keys. |
CA | Certifying authority certificates. |
ROOT | Root certificates. |
SPC | Software publisher certificates. |
When the certificate store type is PFXFile, this parameter must be set to the name of the file.
Default Value
"MY"
Parameter Alias
CertificateStore
CertStorePassword Property (Export-Certificate Cmdlet)
The password for the certificate store (if any).
Syntax
Export-Certificate -CertStorePassword string
Remarks
The value of this property is used to open the certificate store if the certificate store is of a type that requires a password.
Default Value
""
CertStoreType Property (Export-Certificate Cmdlet)
The type of certificate store for the client certificate.
Syntax
Export-Certificate -CertStoreType string
Remarks
This parameter can take one of the following values:
User (default) | This specifies that the certificate store is owned by the current user (these are the user's registry certificate stores such as MY, CA, etc.). |
Machine | The certificate store is a machine store. |
PFXFile | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
PFXBlob | The certificate store is a string (base64 encoded) representing a certificate store in PFX (PKCS12) format. You should use this option if storing a pfx file's content in a shell variable. |
PEMKeyFile | The certificate store is the name of a file that contains a PEM encoded certificate and private key. |
PEMKeyBlob | The certificate store is a string that contains a PEM encoded certificate and private key. |
P7BFile | The certificate store is the name of a file that contains P7B encoded certificates. |
SSHPublicKeyFile | The certificate store is the name of a file that contains an SSH-style public key. |
PPKFile | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
PPKBlob | The certificate store is a string (binary) that contains a PPK (PuTTY Private Key). |
Default Value
0
Config Property (Export-Certificate Cmdlet)
Specifies one or more configuration settings.
Syntax
Export-Certificate -Config string[]
Remarks
The Config parameter takes one or more name-value pairs that represent the name of the configuration setting and value, i.e.: -config "Name=Value"
Default Value
null
LogFile Property (Export-Certificate Cmdlet)
The location of a file to which debug information is written.
Syntax
Export-Certificate -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.
Default Value
""
OutputFile Property (Export-Certificate Cmdlet)
The output file.
Syntax
Export-Certificate -OutputFile string
Remarks
OutputFile contains the full path and filename on your machine that the certificate will be exported to.
Default Value
""
This is a required parameter.
Password Property (Export-Certificate Cmdlet)
The certificate's password.
Syntax
Export-Certificate -Password string
Remarks
Specifies the password associated with the certificate. If the certificate does not require a password do not specify this parameter.
Default Value
""
PublicKeyOnly Property (Export-Certificate Cmdlet)
Whether to export public key only.
Syntax
Export-Certificate -PublicKeyOnly SwitchParameter
Remarks
By default, when this cmdlet is called, the public, and private key will be written into a PFX file. To override this behavior, and export only the public key, specify this switch. To export the certificate into a different file format, use the CertificateOutputFormat configuration setting.
Default Value
false
Subject Property (Export-Certificate Cmdlet)
Specifies the subject of the certificate to get.
Syntax
Export-Certificate -Subject string
Remarks
Should match the subject of the certificate you want to export.
When this parameter is set, a search is performed in the current certificate store certificate with matching subject.
If an exact match is not found, the store is searched for subjects containing the value of the parameter.
When setting the parameter to a partial subject, CN= should be omitted. For example, the following code would find the certificate with subject CN=Test Certificate, OU=People, C=US
Example (Searching with partial subject)
-certsubject "Test"
If a match is not found, the parameter is set to an empty string, and no certificate is selected.
The special value "*" picks a random certificate in the certificate store.
Default Value
"*"
This is a required parameter.
ExportedCert Output Object (Export-Certificate Cmdlet)
This object is returned for each certificate exported from a store.
Syntax
Object ExportedCert {string Subject;
string Path;
}
Remarks
Subject contains the subject of the exported certificate. Path contains the path of the file the certificate was written to.
Config Settings (Export-Certificate Cmdlet)
The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config method.ExportCertificate Config Settings
CertMgr Config Settings
- OpenSSHKey (ExportPrivateKey must be False)
- SSH2PublicKey
- PPK
The array indices start at 0 and end at CertExtensionCount-1.
Valid array indices are from 0 to CertCustomExtensionCount - 1.
Valid array indices are from 0 to CertCustomExtensionCount - 1.
Valid array indices are from 0 to CertCustomExtensionCount - 1.
1.3.6.1.5.5.7.3.1 | Server Authentication |
1.3.6.1.5.5.7.3.2 | Client Authentication |
1.3.6.1.5.5.7.3.3 | Code Signing |
1.3.6.1.5.5.7.3.4 | Secure Email |
1.3.6.1.5.5.7.3.8 | Time Stamping |
1.3.6.1.5.5.7.3.9 | OCSP Signing |
For instance, the following value specified the extended key usage for Server Authentication, Client Authentication, and Code Signing: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, and 1.3.6.1.5.5.7.3.3
- RSA (default)
- DSA
- ECDSA_P256
- ECDSA_P384
- ECDSA_P521
- ECDSA_Secp256k1
- ECDSA_Secp224k1
- ECDSA_Secp192k1
- ECDSA_Secp160k1
- ECDSA_BRAINPOOLP160R1
- ECDSA_BRAINPOOLP192R1
- ECDSA_BRAINPOOLP224R1
- ECDSA_BRAINPOOLP256R1
- ECDSA_BRAINPOOLP320R1
- ECDSA_BRAINPOOLP384R1
- ECDSA_BRAINPOOLP512R1
- ECDSA_BRAINPOOLP160T1
- ECDSA_BRAINPOOLP192T1
- ECDSA_BRAINPOOLP224T1
- ECDSA_BRAINPOOLP256T1
- ECDSA_BRAINPOOLP320T1
- ECDSA_BRAINPOOLP384T1
- ECDSA_BRAINPOOLP512T1
- Ed25519
- Ed448
- MD2
- MD5
- SHA1
- SHA256 (default)
- SHA384
- SHA512
string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"
This configuration setting is not supported in the C# and Java editions, which already support loading by thumbprint via the Certificate type constructors. This setting is only supported on Windows operating systems.
CertMgr cert;
cert.Config("CertThumbprint=967adafd7add8f72ee4894ede866d6745970f82f");
cert.SetCertStore("MY", 2);
cert.SetCertStoreType(CST_USER);
cert.SetCertStorePassword("");
cert.SetCertSubject("TestCert");
0x80 | Digital Signatures |
0x40 | Key Authentication |
0x20 | Key Encryption |
0x10 | Data Encryption |
0x08 | Key Agreement |
0x04 | Certificate Signing |
0x02 | Key Signing |
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
For example if the SAN's in a CSR should be ignored the below code would work:
CertMgr1->Config("CSRIgnoredExtensions=2.5.29.17");
The default value is False.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
1 | CERT_STORE_ADD_NEW - Imports a certificate only if no existing certificate is present. |
2 | CERT_STORE_ADD_USE_EXISTING - If an existing certificate is found, it is not replaced. |
3 (default) | CERT_STORE_ADD_REPLACE_EXISTING - If an existing certificate is found it is replaced. |
4 | CERT_STORE_ADD_ALWAYS - No checks are performed and a new certificate is always added to the store. This can result in duplicates. |
5 | CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES - If an existing certificate is found it is replaced, and the new certificate inherits properties from the certificate it replaces. |
6 | CERT_STORE_ADD_NEWER - Imports a certificate only if the certificate is newer than an existing matching certificate. |
7 | CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES - Imports a certificate only if the certificate is newer than an existing matching certificate, and inherits the properties of old certificate it replaces. |
This config can take one of the following values:
2 (cstPFXFile) | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
3 (cstPFXBlob) | The certificate store is a string (binary or base64-encoded) representing a certificate store in PFX (PKCS12) format. |
6 (cstPEMKeyFile) | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
7 (cstPEMKeyBlob) | The certificate store is a string (binary or base64-encoded) that contains a private key and an optional certificate. |
8 (cstPublicKeyFile) | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
9 (cstPublicKeyBlob) | The certificate store is a string (binary or base64-encoded) that contains a PEM- or DER-encoded public key certificate. |
10 (cstSSHPublicKeyBlob) | The certificate store is a string (binary or base64-encoded) that contains an SSH-style public key. |
13 (cstSSHPublicKeyFile) | The certificate store is the name of a file that contains an SSH-style public key. |
99 (cstAuto - default) | The certificate type is automatically determined from the input. |
Valid values are:
- (empty string)
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- EC256
- EC384
- EC512
- EC256K
The default value is False.
This setting format is a JSON array. Examples: ["sign","verify"] or ["encrypt"].
Valid values are enc and sig.
- 0 (PEM - default)
- 1 (XML)
0 (None) | No events are logged. |
1 (Info - default) | Informational events are logged. |
2 (Verbose) | Detailed data are logged. |
3 (Debug) | Debug data are logged. |
string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"
Base Config Settings
The following is a list of valid code page identifiers:
Identifier | Name |
037 | IBM EBCDIC - U.S./Canada |
437 | OEM - United States |
500 | IBM EBCDIC - International |
708 | Arabic - ASMO 708 |
709 | Arabic - ASMO 449+, BCON V4 |
710 | Arabic - Transparent Arabic |
720 | Arabic - Transparent ASMO |
737 | OEM - Greek (formerly 437G) |
775 | OEM - Baltic |
850 | OEM - Multilingual Latin I |
852 | OEM - Latin II |
855 | OEM - Cyrillic (primarily Russian) |
857 | OEM - Turkish |
858 | OEM - Multilingual Latin I + Euro symbol |
860 | OEM - Portuguese |
861 | OEM - Icelandic |
862 | OEM - Hebrew |
863 | OEM - Canadian-French |
864 | OEM - Arabic |
865 | OEM - Nordic |
866 | OEM - Russian |
869 | OEM - Modern Greek |
870 | IBM EBCDIC - Multilingual/ROECE (Latin-2) |
874 | ANSI/OEM - Thai (same as 28605, ISO 8859-15) |
875 | IBM EBCDIC - Modern Greek |
932 | ANSI/OEM - Japanese, Shift-JIS |
936 | ANSI/OEM - Simplified Chinese (PRC, Singapore) |
949 | ANSI/OEM - Korean (Unified Hangul Code) |
950 | ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC) |
1026 | IBM EBCDIC - Turkish (Latin-5) |
1047 | IBM EBCDIC - Latin 1/Open System |
1140 | IBM EBCDIC - U.S./Canada (037 + Euro symbol) |
1141 | IBM EBCDIC - Germany (20273 + Euro symbol) |
1142 | IBM EBCDIC - Denmark/Norway (20277 + Euro symbol) |
1143 | IBM EBCDIC - Finland/Sweden (20278 + Euro symbol) |
1144 | IBM EBCDIC - Italy (20280 + Euro symbol) |
1145 | IBM EBCDIC - Latin America/Spain (20284 + Euro symbol) |
1146 | IBM EBCDIC - United Kingdom (20285 + Euro symbol) |
1147 | IBM EBCDIC - France (20297 + Euro symbol) |
1148 | IBM EBCDIC - International (500 + Euro symbol) |
1149 | IBM EBCDIC - Icelandic (20871 + Euro symbol) |
1200 | Unicode UCS-2 Little-Endian (BMP of ISO 10646) |
1201 | Unicode UCS-2 Big-Endian |
1250 | ANSI - Central European |
1251 | ANSI - Cyrillic |
1252 | ANSI - Latin I |
1253 | ANSI - Greek |
1254 | ANSI - Turkish |
1255 | ANSI - Hebrew |
1256 | ANSI - Arabic |
1257 | ANSI - Baltic |
1258 | ANSI/OEM - Vietnamese |
1361 | Korean (Johab) |
10000 | MAC - Roman |
10001 | MAC - Japanese |
10002 | MAC - Traditional Chinese (Big5) |
10003 | MAC - Korean |
10004 | MAC - Arabic |
10005 | MAC - Hebrew |
10006 | MAC - Greek I |
10007 | MAC - Cyrillic |
10008 | MAC - Simplified Chinese (GB 2312) |
10010 | MAC - Romania |
10017 | MAC - Ukraine |
10021 | MAC - Thai |
10029 | MAC - Latin II |
10079 | MAC - Icelandic |
10081 | MAC - Turkish |
10082 | MAC - Croatia |
12000 | Unicode UCS-4 Little-Endian |
12001 | Unicode UCS-4 Big-Endian |
20000 | CNS - Taiwan |
20001 | TCA - Taiwan |
20002 | Eten - Taiwan |
20003 | IBM5550 - Taiwan |
20004 | TeleText - Taiwan |
20005 | Wang - Taiwan |
20105 | IA5 IRV International Alphabet No. 5 (7-bit) |
20106 | IA5 German (7-bit) |
20107 | IA5 Swedish (7-bit) |
20108 | IA5 Norwegian (7-bit) |
20127 | US-ASCII (7-bit) |
20261 | T.61 |
20269 | ISO 6937 Non-Spacing Accent |
20273 | IBM EBCDIC - Germany |
20277 | IBM EBCDIC - Denmark/Norway |
20278 | IBM EBCDIC - Finland/Sweden |
20280 | IBM EBCDIC - Italy |
20284 | IBM EBCDIC - Latin America/Spain |
20285 | IBM EBCDIC - United Kingdom |
20290 | IBM EBCDIC - Japanese Katakana Extended |
20297 | IBM EBCDIC - France |
20420 | IBM EBCDIC - Arabic |
20423 | IBM EBCDIC - Greek |
20424 | IBM EBCDIC - Hebrew |
20833 | IBM EBCDIC - Korean Extended |
20838 | IBM EBCDIC - Thai |
20866 | Russian - KOI8-R |
20871 | IBM EBCDIC - Icelandic |
20880 | IBM EBCDIC - Cyrillic (Russian) |
20905 | IBM EBCDIC - Turkish |
20924 | IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol) |
20932 | JIS X 0208-1990 & 0121-1990 |
20936 | Simplified Chinese (GB2312) |
21025 | IBM EBCDIC - Cyrillic (Serbian, Bulgarian) |
21027 | Extended Alpha Lowercase |
21866 | Ukrainian (KOI8-U) |
28591 | ISO 8859-1 Latin I |
28592 | ISO 8859-2 Central Europe |
28593 | ISO 8859-3 Latin 3 |
28594 | ISO 8859-4 Baltic |
28595 | ISO 8859-5 Cyrillic |
28596 | ISO 8859-6 Arabic |
28597 | ISO 8859-7 Greek |
28598 | ISO 8859-8 Hebrew |
28599 | ISO 8859-9 Latin 5 |
28605 | ISO 8859-15 Latin 9 |
29001 | Europa 3 |
38598 | ISO 8859-8 Hebrew |
50220 | ISO 2022 Japanese with no halfwidth Katakana |
50221 | ISO 2022 Japanese with halfwidth Katakana |
50222 | ISO 2022 Japanese JIS X 0201-1989 |
50225 | ISO 2022 Korean |
50227 | ISO 2022 Simplified Chinese |
50229 | ISO 2022 Traditional Chinese |
50930 | Japanese (Katakana) Extended |
50931 | US/Canada and Japanese |
50933 | Korean Extended and Korean |
50935 | Simplified Chinese Extended and Simplified Chinese |
50936 | Simplified Chinese |
50937 | US/Canada and Traditional Chinese |
50939 | Japanese (Latin) Extended and Japanese |
51932 | EUC - Japanese |
51936 | EUC - Simplified Chinese |
51949 | EUC - Korean |
51950 | EUC - Traditional Chinese |
52936 | HZ-GB2312 Simplified Chinese |
54936 | Windows XP: GB18030 Simplified Chinese (4 Byte) |
57002 | ISCII Devanagari |
57003 | ISCII Bengali |
57004 | ISCII Tamil |
57005 | ISCII Telugu |
57006 | ISCII Assamese |
57007 | ISCII Oriya |
57008 | ISCII Kannada |
57009 | ISCII Malayalam |
57010 | ISCII Gujarati |
57011 | ISCII Punjabi |
65000 | Unicode UTF-7 |
65001 | Unicode UTF-8 |
Identifier | Name |
1 | ASCII |
2 | NEXTSTEP |
3 | JapaneseEUC |
4 | UTF8 |
5 | ISOLatin1 |
6 | Symbol |
7 | NonLossyASCII |
8 | ShiftJIS |
9 | ISOLatin2 |
10 | Unicode |
11 | WindowsCP1251 |
12 | WindowsCP1252 |
13 | WindowsCP1253 |
14 | WindowsCP1254 |
15 | WindowsCP1250 |
21 | ISO2022JP |
30 | MacOSRoman |
10 | UTF16String |
0x90000100 | UTF16BigEndian |
0x94000100 | UTF16LittleEndian |
0x8c000100 | UTF32String |
0x98000100 | UTF32BigEndian |
0x9c000100 | UTF32LittleEndian |
65536 | Proprietary |
- Product: The product the license is for.
- Product Key: The key the license was generated from.
- License Source: Where the license was found (e.g., RuntimeLicense, License File).
- License Type: The type of license installed (e.g., Royalty Free, Single Server).
- Last Valid Build: The last valid build number for which the license will work.
This setting only works on these cmdlets: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
Setting this configuration setting to true tells the cmdlet to use the internal implementation instead of using the system security libraries.
On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.
If using the .NET Standard Library, this setting will be true on all platforms. The .NET Standard library does not support using the system security libraries.
Note: This setting is static. The value set is applicable to all cmdlets used in the application.
When this value is set, the product's system dynamic link library (DLL) is no longer required as a reference, as all unmanaged code is stored in that file.