Get-Certificate Cmdlet
Parameters Output Objects Config Settings
The Get-Certificate component is used to list X.509 certificates in a certificate store.
Syntax
Get-Certificate [parameters]
Remarks
To list certificates in a store, the CertStore and CertStoreType parameters must be specified. You can also specify the CertStorePassword parameter if the store so requires it.
To get detailed information about a specific certificate in the store, do the same but also
specify the Subject parameter with the full subject of the certificate you want to examine.
# List all root certificates in the user store
get-certificate -CertStore Root -CertStoreType User
# Get details about a specific root certificate
get-certificate -CertStore Root -CertStoreType User -Subject 'C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority'
Parameter List
The following is the full list of the parameters of the cmdlet with short descriptions. Click on the links for further details.
LogFile | The location of a file to which debug information is written. |
CertStore | The name of the certificate store for the client certificate. |
CertStorePassword | The password for the certificate store (if any). |
CertStoreType | The type of certificate store for the client certificate. |
Config | Specifies one or more configuration settings. |
LogFile | The location of a file to which debug information is written. |
Subject | Specifies the subject of the certificate to get. |
Output Objects
The following is the full list of the output objects returned by the cmdlet with short descriptions. Click on the links for further details.
Certificate | This object contains all the information about a certificate. |
CertificateEntry | This object is returned for each certificate located in a store. |
Config Settings
The following is a list of config settings for the cmdlet with short descriptions. Click on the links for further details.
CertComment | A comment to include in a saved certificate. |
CertCustomExtensionCount | The number of records in the CertCustomExtension arrays. |
CertCustomExtensionCritical[i] | Whether or not the extension is defined as critical. |
CertCustomExtensionOID[i] | The ASN of the extension at index 'i'. |
CertCustomExtensionValue[i] | The raw value of the extension at index 'i'. |
CertExtendedKeyUsage | The extended key usage of the certificate. |
CertKeyLength | The public key length for created certificates and keys. |
CertKeyType | The types of keys created for new certificates. |
CertPublicKeyAlgorithm | The public key algorithm used when a certificate is created. |
CertSignatureAlgorithm | The signature algorithm used when creating certificates. |
CertSubjectAltNames | Subject Alternative Names for creating or issuing certificates. |
CertThumbprint | The thumbprint of the certificate to be loaded. |
CertUsageFlags | Sets the flags indicating the usage of the created certificate. |
CertValidityOffset | The number of days until the certificate becomes valid. |
CertValidityTime | The validity period for the certificate. |
CheckCRL | Checks the Certificate Revocation List for the selected certificate. |
CheckOCSP | Uses OCSP to check the status of the selected certificate. |
CreatedKey | The PKCS8 formatted private and public key pair created after calling CreateKey. |
CSP | The Cryptographic Service Provider. |
CSRIgnoredExtensions | Extensions to be ignorned when signing a CSR. |
CSRKey | The PKCS8 formatted private key to use when generating a CSR. |
EncodeExportedCert | Whether the certificate being exported to a string is encoded. |
HasCRL | Whether the certificate supports the CRL extension. |
HasOCSP | Whether the certificate supports the OCSP extension. |
ImportCertAction | Specified the action to take if a matching certificate or a link to a matching certificate already exists. |
ImportCertStoreType | The type of certificate store being specified for import. |
JWKAlgorithm | The JWK algorithm. |
JWKExportX5C | Whether to export a certificate chain to the x5c parameter. |
JWKKeyId | The JWK key Id. |
JWKKeyOps | The JWK intended key operations list. |
JWKUse | The JWK use parameter value. |
KeyFormat | How the public and private key are formatted. |
LogLevel | The level of detail that is logged. |
ReplaceKey | Whether or not to replace an existing key when creating a new key. |
RequestSubjectAltNames | Subject Alternative Names for a Certificate Signing Request. |
X509Algorithm | Public Key Algorithm OID. |
X509SignatureAlgorithm | Signature Algorithm OID. |
BuildInfo | Information about the product's build. |
CodePage | The system code page used for Unicode to Multibyte translations. |
LicenseInfo | Information about the current license. |
MaskSensitive | Whether sensitive data is masked in log messages. |
UseInternalSecurityAPI | Tells the component whether or not to use the system security libraries or an internal implementation. |
LogFile Parameter (Get-Certificate Cmdlet)
The location of a file to which debug information is written.
Syntax
Get-Certificate -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.Default Value
null
CertStore Property (Get-Certificate Cmdlet)
The name of the certificate store for the client certificate.
Syntax
Get-Certificate -CertStore string
Remarks
The CertStoreType parameter specifies the type of the certificate store specified by CertStore. If the store is password protected, specify the password in CertStorePassword.
CertStore is used in conjunction with the Subject parameter in order to specify client certificates. If CertStore has a value, and Subject has been set, a search for a certificate is initiated during logon. Please refer to the Subject parameter for details.
Designations of certificate stores are platform-dependent.
The following are designations of the most common User and Machine certificate stores in Windows:
MY | A certificate store holding personal certificates with their associated private keys. |
CA | Certifying authority certificates. |
ROOT | Root certificates. |
SPC | Software publisher certificates. |
When the certificate store type is PFXFile, this parameter must be set to the name of the file.
Default Value
"MY"
Parameter Alias
CertificateStore
CertStorePassword Property (Get-Certificate Cmdlet)
The password for the certificate store (if any).
Syntax
Get-Certificate -CertStorePassword string
Remarks
The value of this property is used to open the certificate store if the certificate store is of a type that requires a password.
Default Value
""
CertStoreType Property (Get-Certificate Cmdlet)
The type of certificate store for the client certificate.
Syntax
Get-Certificate -CertStoreType string
Remarks
This parameter can take one of the following values:
User (default) | This specifies that the certificate store is owned by the current user (these are the user's registry certificate stores such as MY, CA, etc.). |
Machine | The certificate store is a machine store. |
PFXFile | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
PFXBlob | The certificate store is a string (base64 encoded) representing a certificate store in PFX (PKCS12) format. You should use this option if storing a pfx file's content in a shell variable. |
PEMKeyFile | The certificate store is the name of a file that contains a PEM encoded certificate and private key. |
PEMKeyBlob | The certificate store is a string that contains a PEM encoded certificate and private key. |
P7BFile | The certificate store is the name of a file that contains P7B encoded certificates. |
SSHPublicKeyFile | The certificate store is the name of a file that contains an SSH-style public key. |
PPKFile | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
PPKBlob | The certificate store is a string (binary) that contains a PPK (PuTTY Private Key). |
Default Value
0
Config Property (Get-Certificate Cmdlet)
Specifies one or more configuration settings.
Syntax
Get-Certificate -Config string[]
Remarks
The Config parameter takes one or more name-value pairs that represent the name of the configuration setting and value, i.e.: -config "Name=Value"
Default Value
null
LogFile Property (Get-Certificate Cmdlet)
The location of a file to which debug information is written.
Syntax
Get-Certificate -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.
Default Value
""
Subject Property (Get-Certificate Cmdlet)
Specifies the subject of the certificate to get.
Syntax
Get-Certificate -Subject string
Remarks
If not specified, the cmdlet will return a list of certificates found in the CertStore. Otherwise, the full details for the specified certificate will be returned.
When this parameter is set, a search is performed in the current certificate store certificate with matching subject.
If an exact match is not found, the store is searched for subjects containing the value of the parameter.
When setting the parameter to a partial subject, CN= should be omitted. For example, the following code would find the certificate with subject CN=Test Certificate, OU=People, C=US
Example (Searching with partial subject)
-certsubject "Test"
If a match is not found, the parameter is set to an empty string, and no certificate is selected.
The special value "*" picks a random certificate in the certificate store.
Default Value
"*"
Certificate Output Object (Get-Certificate Cmdlet)
This object contains all the information about a certificate.
Syntax
Object Certificate {string Subject;
string SubjectAltNames;
string Issuer;
string SerialNumber;
string ThumbprintMD5;
string EffectiveDate;
string ExpirationDate;
string Usage;
string SignatureAlgorithm;
int PublicKeyLength;
string PublicKeyAlgorithm;
string PublicKey;
string ExtendedKeyUsage;
string Encoded;
}
Remarks
This object contains all the certificate properties.
CertificateEntry Output Object (Get-Certificate Cmdlet)
This object is returned for each certificate located in a store.
Syntax
Object CertificateEntry {string Subject;
string Issuer;
string SerialNumber;
string Encoded;
bool HasPrivateKey;
}
Remarks
This object contains basic certificate properties.
Config Settings (Get-Certificate Cmdlet)
The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config method.CertMgr Config Settings
- OpenSSHKey (ExportPrivateKey must be False)
- SSH2PublicKey
- PPK
The array indices start at 0 and end at CertExtensionCount-1.
Valid array indices are from 0 to CertCustomExtensionCount - 1.
Valid array indices are from 0 to CertCustomExtensionCount - 1.
Valid array indices are from 0 to CertCustomExtensionCount - 1.
1.3.6.1.5.5.7.3.1 | Server Authentication |
1.3.6.1.5.5.7.3.2 | Client Authentication |
1.3.6.1.5.5.7.3.3 | Code Signing |
1.3.6.1.5.5.7.3.4 | Secure Email |
1.3.6.1.5.5.7.3.8 | Time Stamping |
1.3.6.1.5.5.7.3.9 | OCSP Signing |
For instance, the following value specified the extended key usage for Server Authentication, Client Authentication, and Code Signing: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, and 1.3.6.1.5.5.7.3.3
- RSA (default)
- DSA
- ECDSA_P256
- ECDSA_P384
- ECDSA_P521
- ECDSA_Secp256k1
- ECDSA_Secp224k1
- ECDSA_Secp192k1
- ECDSA_Secp160k1
- ECDSA_BRAINPOOLP160R1
- ECDSA_BRAINPOOLP192R1
- ECDSA_BRAINPOOLP224R1
- ECDSA_BRAINPOOLP256R1
- ECDSA_BRAINPOOLP320R1
- ECDSA_BRAINPOOLP384R1
- ECDSA_BRAINPOOLP512R1
- ECDSA_BRAINPOOLP160T1
- ECDSA_BRAINPOOLP192T1
- ECDSA_BRAINPOOLP224T1
- ECDSA_BRAINPOOLP256T1
- ECDSA_BRAINPOOLP320T1
- ECDSA_BRAINPOOLP384T1
- ECDSA_BRAINPOOLP512T1
- Ed25519
- Ed448
- MD2
- MD5
- SHA1
- SHA256 (default)
- SHA384
- SHA512
string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"
This configuration setting is not supported in the C# and Java editions, which already support loading by thumbprint via the Certificate type constructors. This setting is only supported on Windows operating systems.
CertMgr cert;
cert.Config("CertThumbprint=967adafd7add8f72ee4894ede866d6745970f82f");
cert.SetCertStore("MY", 2);
cert.SetCertStoreType(CST_USER);
cert.SetCertStorePassword("");
cert.SetCertSubject("TestCert");
0x80 | Digital Signatures |
0x40 | Key Authentication |
0x20 | Key Encryption |
0x10 | Data Encryption |
0x08 | Key Agreement |
0x04 | Certificate Signing |
0x02 | Key Signing |
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
For example if the SAN's in a CSR should be ignored the below code would work:
CertMgr1->Config("CSRIgnoredExtensions=2.5.29.17");
The default value is False.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
1 | CERT_STORE_ADD_NEW - Imports a certificate only if no existing certificate is present. |
2 | CERT_STORE_ADD_USE_EXISTING - If an existing certificate is found, it is not replaced. |
3 (default) | CERT_STORE_ADD_REPLACE_EXISTING - If an existing certificate is found it is replaced. |
4 | CERT_STORE_ADD_ALWAYS - No checks are performed and a new certificate is always added to the store. This can result in duplicates. |
5 | CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES - If an existing certificate is found it is replaced, and the new certificate inherits properties from the certificate it replaces. |
6 | CERT_STORE_ADD_NEWER - Imports a certificate only if the certificate is newer than an existing matching certificate. |
7 | CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES - Imports a certificate only if the certificate is newer than an existing matching certificate, and inherits the properties of old certificate it replaces. |
This config can take one of the following values:
2 (cstPFXFile) | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
3 (cstPFXBlob) | The certificate store is a string (binary or base64-encoded) representing a certificate store in PFX (PKCS12) format. |
6 (cstPEMKeyFile) | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
7 (cstPEMKeyBlob) | The certificate store is a string (binary or base64-encoded) that contains a private key and an optional certificate. |
8 (cstPublicKeyFile) | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
9 (cstPublicKeyBlob) | The certificate store is a string (binary or base64-encoded) that contains a PEM- or DER-encoded public key certificate. |
10 (cstSSHPublicKeyBlob) | The certificate store is a string (binary or base64-encoded) that contains an SSH-style public key. |
13 (cstSSHPublicKeyFile) | The certificate store is the name of a file that contains an SSH-style public key. |
99 (cstAuto - default) | The certificate type is automatically determined from the input. |
Valid values are:
- (empty string)
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- EC256
- EC384
- EC512
- EC256K
The default value is False.
This setting format is a JSON array. Examples: ["sign","verify"] or ["encrypt"].
Valid values are enc and sig.
- 0 (PEM - default)
- 1 (XML)
0 (None) | No events are logged. |
1 (Info - default) | Informational events are logged. |
2 (Verbose) | Detailed data are logged. |
3 (Debug) | Debug data are logged. |
string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"
Base Config Settings
The following is a list of valid code page identifiers:
Identifier | Name |
037 | IBM EBCDIC - U.S./Canada |
437 | OEM - United States |
500 | IBM EBCDIC - International |
708 | Arabic - ASMO 708 |
709 | Arabic - ASMO 449+, BCON V4 |
710 | Arabic - Transparent Arabic |
720 | Arabic - Transparent ASMO |
737 | OEM - Greek (formerly 437G) |
775 | OEM - Baltic |
850 | OEM - Multilingual Latin I |
852 | OEM - Latin II |
855 | OEM - Cyrillic (primarily Russian) |
857 | OEM - Turkish |
858 | OEM - Multilingual Latin I + Euro symbol |
860 | OEM - Portuguese |
861 | OEM - Icelandic |
862 | OEM - Hebrew |
863 | OEM - Canadian-French |
864 | OEM - Arabic |
865 | OEM - Nordic |
866 | OEM - Russian |
869 | OEM - Modern Greek |
870 | IBM EBCDIC - Multilingual/ROECE (Latin-2) |
874 | ANSI/OEM - Thai (same as 28605, ISO 8859-15) |
875 | IBM EBCDIC - Modern Greek |
932 | ANSI/OEM - Japanese, Shift-JIS |
936 | ANSI/OEM - Simplified Chinese (PRC, Singapore) |
949 | ANSI/OEM - Korean (Unified Hangul Code) |
950 | ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC) |
1026 | IBM EBCDIC - Turkish (Latin-5) |
1047 | IBM EBCDIC - Latin 1/Open System |
1140 | IBM EBCDIC - U.S./Canada (037 + Euro symbol) |
1141 | IBM EBCDIC - Germany (20273 + Euro symbol) |
1142 | IBM EBCDIC - Denmark/Norway (20277 + Euro symbol) |
1143 | IBM EBCDIC - Finland/Sweden (20278 + Euro symbol) |
1144 | IBM EBCDIC - Italy (20280 + Euro symbol) |
1145 | IBM EBCDIC - Latin America/Spain (20284 + Euro symbol) |
1146 | IBM EBCDIC - United Kingdom (20285 + Euro symbol) |
1147 | IBM EBCDIC - France (20297 + Euro symbol) |
1148 | IBM EBCDIC - International (500 + Euro symbol) |
1149 | IBM EBCDIC - Icelandic (20871 + Euro symbol) |
1200 | Unicode UCS-2 Little-Endian (BMP of ISO 10646) |
1201 | Unicode UCS-2 Big-Endian |
1250 | ANSI - Central European |
1251 | ANSI - Cyrillic |
1252 | ANSI - Latin I |
1253 | ANSI - Greek |
1254 | ANSI - Turkish |
1255 | ANSI - Hebrew |
1256 | ANSI - Arabic |
1257 | ANSI - Baltic |
1258 | ANSI/OEM - Vietnamese |
1361 | Korean (Johab) |
10000 | MAC - Roman |
10001 | MAC - Japanese |
10002 | MAC - Traditional Chinese (Big5) |
10003 | MAC - Korean |
10004 | MAC - Arabic |
10005 | MAC - Hebrew |
10006 | MAC - Greek I |
10007 | MAC - Cyrillic |
10008 | MAC - Simplified Chinese (GB 2312) |
10010 | MAC - Romania |
10017 | MAC - Ukraine |
10021 | MAC - Thai |
10029 | MAC - Latin II |
10079 | MAC - Icelandic |
10081 | MAC - Turkish |
10082 | MAC - Croatia |
12000 | Unicode UCS-4 Little-Endian |
12001 | Unicode UCS-4 Big-Endian |
20000 | CNS - Taiwan |
20001 | TCA - Taiwan |
20002 | Eten - Taiwan |
20003 | IBM5550 - Taiwan |
20004 | TeleText - Taiwan |
20005 | Wang - Taiwan |
20105 | IA5 IRV International Alphabet No. 5 (7-bit) |
20106 | IA5 German (7-bit) |
20107 | IA5 Swedish (7-bit) |
20108 | IA5 Norwegian (7-bit) |
20127 | US-ASCII (7-bit) |
20261 | T.61 |
20269 | ISO 6937 Non-Spacing Accent |
20273 | IBM EBCDIC - Germany |
20277 | IBM EBCDIC - Denmark/Norway |
20278 | IBM EBCDIC - Finland/Sweden |
20280 | IBM EBCDIC - Italy |
20284 | IBM EBCDIC - Latin America/Spain |
20285 | IBM EBCDIC - United Kingdom |
20290 | IBM EBCDIC - Japanese Katakana Extended |
20297 | IBM EBCDIC - France |
20420 | IBM EBCDIC - Arabic |
20423 | IBM EBCDIC - Greek |
20424 | IBM EBCDIC - Hebrew |
20833 | IBM EBCDIC - Korean Extended |
20838 | IBM EBCDIC - Thai |
20866 | Russian - KOI8-R |
20871 | IBM EBCDIC - Icelandic |
20880 | IBM EBCDIC - Cyrillic (Russian) |
20905 | IBM EBCDIC - Turkish |
20924 | IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol) |
20932 | JIS X 0208-1990 & 0121-1990 |
20936 | Simplified Chinese (GB2312) |
21025 | IBM EBCDIC - Cyrillic (Serbian, Bulgarian) |
21027 | Extended Alpha Lowercase |
21866 | Ukrainian (KOI8-U) |
28591 | ISO 8859-1 Latin I |
28592 | ISO 8859-2 Central Europe |
28593 | ISO 8859-3 Latin 3 |
28594 | ISO 8859-4 Baltic |
28595 | ISO 8859-5 Cyrillic |
28596 | ISO 8859-6 Arabic |
28597 | ISO 8859-7 Greek |
28598 | ISO 8859-8 Hebrew |
28599 | ISO 8859-9 Latin 5 |
28605 | ISO 8859-15 Latin 9 |
29001 | Europa 3 |
38598 | ISO 8859-8 Hebrew |
50220 | ISO 2022 Japanese with no halfwidth Katakana |
50221 | ISO 2022 Japanese with halfwidth Katakana |
50222 | ISO 2022 Japanese JIS X 0201-1989 |
50225 | ISO 2022 Korean |
50227 | ISO 2022 Simplified Chinese |
50229 | ISO 2022 Traditional Chinese |
50930 | Japanese (Katakana) Extended |
50931 | US/Canada and Japanese |
50933 | Korean Extended and Korean |
50935 | Simplified Chinese Extended and Simplified Chinese |
50936 | Simplified Chinese |
50937 | US/Canada and Traditional Chinese |
50939 | Japanese (Latin) Extended and Japanese |
51932 | EUC - Japanese |
51936 | EUC - Simplified Chinese |
51949 | EUC - Korean |
51950 | EUC - Traditional Chinese |
52936 | HZ-GB2312 Simplified Chinese |
54936 | Windows XP: GB18030 Simplified Chinese (4 Byte) |
57002 | ISCII Devanagari |
57003 | ISCII Bengali |
57004 | ISCII Tamil |
57005 | ISCII Telugu |
57006 | ISCII Assamese |
57007 | ISCII Oriya |
57008 | ISCII Kannada |
57009 | ISCII Malayalam |
57010 | ISCII Gujarati |
57011 | ISCII Punjabi |
65000 | Unicode UTF-7 |
65001 | Unicode UTF-8 |
Identifier | Name |
1 | ASCII |
2 | NEXTSTEP |
3 | JapaneseEUC |
4 | UTF8 |
5 | ISOLatin1 |
6 | Symbol |
7 | NonLossyASCII |
8 | ShiftJIS |
9 | ISOLatin2 |
10 | Unicode |
11 | WindowsCP1251 |
12 | WindowsCP1252 |
13 | WindowsCP1253 |
14 | WindowsCP1254 |
15 | WindowsCP1250 |
21 | ISO2022JP |
30 | MacOSRoman |
10 | UTF16String |
0x90000100 | UTF16BigEndian |
0x94000100 | UTF16LittleEndian |
0x8c000100 | UTF32String |
0x98000100 | UTF32BigEndian |
0x9c000100 | UTF32LittleEndian |
65536 | Proprietary |
- Product: The product the license is for.
- Product Key: The key the license was generated from.
- License Source: Where the license was found (e.g., RuntimeLicense, License File).
- License Type: The type of license installed (e.g., Royalty Free, Single Server).
- Last Valid Build: The last valid build number for which the license will work.
This setting only works on these cmdlets: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
Setting this configuration setting to true tells the cmdlet to use the internal implementation instead of using the system security libraries.
On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.
If using the .NET Standard Library, this setting will be true on all platforms. The .NET Standard library does not support using the system security libraries.
Note: This setting is static. The value set is applicable to all cmdlets used in the application.
When this value is set, the product's system dynamic link library (DLL) is no longer required as a reference, as all unmanaged code is stored in that file.