Get-Certificate Cmdlet
The Get-Certificate cmdlet is used to list the X.509 certificates in a certificate store, or to retrieve the full details of one certificate in that store.
Syntax
Get-Certificate [parameters]
Remarks
To list certificates in a store, specify the CertStore and CertStoreType parameters; add CertStorePassword if the store requires one. To get detailed information about a specific certificate in the store, do the same but also specify the Subject parameter with the full subject of the certificate you want to examine. Use the full subject: a partial value falls back to a substring search (see the Subject parameter) and may select a different certificate than intended.
# List all root certificates in the user store
get-certificate -CertStore Root -CertStoreType User
# Get details about a specific root certificate
get-certificate -CertStore Root -CertStoreType User -Subject 'C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority'
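The two calls above are the building blocks of a store audit: list the entries, then fetch the full Certificate object for each one using the exact Subject returned in its CertificateEntry. The following function is an added example, not code from the NetCmdlets documentation; it assumes that ExpirationDate parses with [datetime]::Parse, that SignatureAlgorithm is a readable name rather than a bare OID, and that passing an entry's exact Subject back to -Subject returns that certificate.

```powershell
# Added example (not part of the NetCmdlets docs): audit every certificate in a store.
# Assumptions: ExpirationDate parses with [datetime]::Parse; SignatureAlgorithm is a
# name such as "sha1RSA" (an OID string would not match the regex below); and
# -Subject with the exact Subject from a CertificateEntry returns that certificate.
function Get-CertificateAudit {
    [CmdletBinding()]
    param(
        [string]$CertStore = 'MY',
        [string]$CertStoreType = 'Machine',
        [string]$CertStorePassword = '',
        [int]$MinRsaBits = 2048,
        [int]$WarnDays = 30
    )
    $storeArgs = @{ CertStore = $CertStore; CertStoreType = $CertStoreType }
    if ($CertStorePassword) { $storeArgs.CertStorePassword = $CertStorePassword }

    foreach ($entry in Get-Certificate @storeArgs) {
        # Drill into the entry with its exact subject (no substring fallback, no "*").
        $cert = Get-Certificate @storeArgs -Subject $entry.Subject
        $findings = @()

        $expires = $null
        try { $expires = [datetime]::Parse($cert.ExpirationDate) }
        catch { $findings += 'UnparseableExpiration' }
        if ($expires) {
            if ($expires -lt (Get-Date)) { $findings += 'Expired' }
            elseif ($expires -lt (Get-Date).AddDays($WarnDays)) { $findings += "ExpiresWithin${WarnDays}d" }
        }

        # Key strength and legacy signature checks on the fields the Certificate object exposes.
        if ($cert.PublicKeyAlgorithm -match 'RSA' -and $cert.PublicKeyLength -lt $MinRsaBits) {
            $findings += "WeakRsaKey($($cert.PublicKeyLength))"
        }
        if ($cert.SignatureAlgorithm -match 'MD5|MD2|SHA1') {
            $findings += "LegacySignature($($cert.SignatureAlgorithm))"
        }
        if ($cert.Subject -eq $cert.Issuer) { $findings += 'SelfSigned' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SerialNumber  = $cert.SerialNumber
            HasPrivateKey = $entry.HasPrivateKey
            Expires       = $expires
            Findings      = ($findings -join ', ')
        }
    }
}

# Usage: show only the machine personal-store certificates that have findings.
Get-CertificateAudit -CertStore MY -CertStoreType Machine |
    Where-Object Findings |
    Format-Table -AutoSize

# The same function audits a PFX bundle before it is imported anywhere; the password
# is read from an environment variable so it never lands in shell history:
# Get-CertificateAudit -CertStore .\bundle.pfx -CertStoreType PFXFile -CertStorePassword $env:PFX_PASSWORD
```

Because the lookup by Subject returns one certificate, a store that holds two certificates with the same subject (for example an old and a renewed copy) will report the same one twice; compare SerialNumber across the output to spot that case.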
Parameter List
The following is the full list of the parameters of the cmdlet with short descriptions.
CertStore | The name of the certificate store for the client certificate. |
CertStorePassword | The password for the certificate store (if any). |
CertStoreType | The type of certificate store for the client certificate. |
Config | Specifies one or more configuration settings. |
LogFile | The location of a file to which debug information is written. |
Subject | Specifies the subject of the certificate to get. |
Output Objects
The following is the full list of the output objects returned by the cmdlet with short descriptions.
Certificate | This object contains all the information about a certificate. |
CertificateEntry | This object is returned for each certificate located in a store. |
Config Settings
The following is a list of config settings for the cmdlet with short descriptions.
CertComment | A comment to include in a saved certificate. |
CertCustomExtensionCount | The number of records in the CertCustomExtension arrays. |
CertCustomExtensionCritical[i] | Whether or not the extension is defined as critical. |
CertCustomExtensionOID[i] | The ASN of the extension at index 'i'. |
CertCustomExtensionValue[i] | The raw value of the extension at index 'i'. |
CertExtendedKeyUsage | The extended key usage of the certificate. |
CertKeyLength | The public key length for created certificates and keys. |
CertKeyType | The types of keys created for new certificates. |
CertPublicKeyAlgorithm | The public key algorithm used when a certificate is created. |
CertSignatureAlgorithm | The signature algorithm used when creating certificates. |
CertSubjectAltNames | Subject Alternative Names for creating or issuing certificates. |
CertUsageFlags | Sets the flags indicating the usage of the created certificate. |
CertValidityOffset | The number of days until the certificate becomes valid. |
CertValidityTime | The validity period for the certificate. |
CheckCRL | Checks the Certificate Revocation List for the selected certificate. |
CheckOCSP | Uses OCSP to check the status of the selected certificate. |
CreatedKey | The PKCS8 formatted private and public key pair created after calling CreateKey. |
CSP | The Cryptographic Service Provider. |
CSRIgnoredExtensions | Extensions to be ignored when signing a CSR. |
CSRKey | The PKCS8 formatted private key to use when generating a CSR. |
EncodeExportedCert | Whether the certificate being exported to a string is encoded. |
HasCRL | Whether the certificate supports the CRL extension. |
HasOCSP | Whether the certificate supports the OCSP extension. |
ImportCertAction | Specifies the action to take if a matching certificate or a link to a matching certificate already exists. |
ImportCertStoreType | The type of certificate store being specified for import. |
JWKAlgorithm | The JWK algorithm. |
JWKExportX5C | Whether to export a certificate chain to the x5c parameter. |
JWKKeyId | The JWK key Id. |
JWKKeyOps | The JWK intended key operations list. |
JWKUse | The JWK use parameter value. |
KeyFormat | How the public and private key are formatted. |
LogLevel | The level of detail that is logged. |
ReplaceKey | Whether or not to replace an existing key when creating a new key. |
RequestSubjectAltNames | Subject Alternative Names for a Certificate Signing Request. |
X509Algorithm | Public Key Algorithm OID. |
X509SignatureAlgorithm | Signature Algorithm OID. |
BuildInfo | Information about the product's build. |
CodePage | The system code page used for Unicode to Multibyte translations. |
LicenseInfo | Information about the current license. |
MaskSensitive | Whether sensitive data is masked in log messages. |
UseInternalSecurityAPI | Tells the component whether or not to use the system security libraries or an internal implementation. |
CertStore Property (Get-Certificate Cmdlet)
The name of the certificate store for the client certificate.
Syntax
Get-Certificate -CertStore string
Remarks
The CertStoreType parameter specifies the type of the certificate store named by CertStore. If the store is password protected, specify the password in CertStorePassword.
CertStore is used together with the Subject parameter to select a specific certificate: when Subject is set, the store named by CertStore is searched for that certificate when the cmdlet runs. Please refer to the Subject parameter for details of how the search matches.
Designations of certificate stores are platform-dependent.
The following are designations of the most common User and Machine certificate stores in Windows:
MY | A certificate store holding personal certificates with their associated private keys. |
CA | Certifying authority certificates. |
ROOT | Root certificates. |
SPC | Software publisher certificates. |
When the certificate store type is PFXFile, this parameter must be set to the name of the file.
Default Value
"MY"
Parameter Alias
CertificateStore
CertStorePassword Property (Get-Certificate Cmdlet)
The password for the certificate store (if any).
Syntax
Get-Certificate -CertStorePassword string
Remarks
The value of this property is used to open the certificate store if the certificate store is of a type that requires a password.
Default Value
""
CertStoreType Property (Get-Certificate Cmdlet)
The type of certificate store for the client certificate.
Syntax
Get-Certificate -CertStoreType string
Remarks
This parameter can take one of the following values:
User (default) | This specifies that the certificate store is owned by the current user (these are the user's registry certificate stores such as MY, CA, etc.). |
Machine | The certificate store is a machine store. |
PFXFile | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
PFXBlob | The certificate store is a string (base64 encoded) representing a certificate store in PFX (PKCS12) format. You should use this option if storing a pfx file's content in a shell variable. |
PEMKeyFile | The certificate store is the name of a file that contains a PEM encoded certificate and private key. |
PEMKeyBlob | The certificate store is a string that contains a PEM encoded certificate and private key. |
P7BFile | The certificate store is the name of a file that contains P7B encoded certificates. |
SSHPublicKeyFile | The certificate store is the name of a file that contains an SSH-style public key. |
PPKFile | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
PPKBlob | The certificate store is a string (binary) that contains a PPK (PuTTY Private Key). |
Default Value
"User"
Config Property (Get-Certificate Cmdlet)
Specifies one or more configuration settings.
Syntax
Get-Certificate -Config string[]
Remarks
The Config parameter takes one or more name-value pairs that represent the name of the configuration setting and value, i.e.: -config "Name=Value"
Default Value
null
LogFile Property (Get-Certificate Cmdlet)
The location of a file to which debug information is written.
Syntax
Get-Certificate -LogFile string
Remarks
When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.
Default Value
""
Subject Property (Get-Certificate Cmdlet)
Specifies the subject of the certificate to get.
Syntax
Get-Certificate -Subject string
Remarks
If not specified, the cmdlet will return a list of certificates found in the CertStore. Otherwise, the full details for the specified certificate will be returned.
When this parameter is set, the current certificate store is searched for a certificate with a matching subject.
If an exact match is not found, the store is searched for subjects containing the value of the parameter.
When setting the parameter to a partial subject, CN= should be omitted. For example, the following would find the certificate with subject CN=Test Certificate, OU=People, C=US:
Example (searching with a partial subject)
-Subject "Test"
If a match is not found, the parameter is set to an empty string, and no certificate is selected.
The special value "*" picks a random certificate in the certificate store.
Both the substring fallback and the "*" value select a certificate the caller did not name explicitly. Scripts that depend on a particular certificate should pass the full subject and verify the Subject (and, where duplicates are possible, the SerialNumber) of the object returned.
Default Value
"*"
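The substring fallback and the "*" value mean that a loosely specified Subject can silently select the wrong certificate. The helper below is an added example, not code from the NetCmdlets documentation: it resolves a caller-supplied subject strictly by listing the store, requiring exactly one exact match, refusing "*", and reporting what the substring fallback would have matched instead. It assumes that the Subject field of each CertificateEntry is the full distinguished name that -Subject accepts.

```powershell
# Added example (not part of the NetCmdlets docs): strict subject resolution.
# Assumes CertificateEntry.Subject is the full DN accepted by -Subject.
function Resolve-CertificateSubject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string]$CertStore = 'MY',
        [string]$CertStoreType = 'User',
        [string]$CertStorePassword = ''
    )
    # "*" selects an arbitrary certificate and an empty value selects nothing: refuse both.
    if ($Subject -eq '*' -or [string]::IsNullOrWhiteSpace($Subject)) {
        throw "Refusing subject '$Subject': '*' selects a random certificate and an empty subject selects none."
    }

    $storeArgs = @{ CertStore = $CertStore; CertStoreType = $CertStoreType }
    if ($CertStorePassword) { $storeArgs.CertStorePassword = $CertStorePassword }

    # List first, then decide; never let the cmdlet's own substring fallback choose for us.
    $entries = @(Get-Certificate @storeArgs)
    $exact = @($entries | Where-Object { $_.Subject -eq $Subject })

    if ($exact.Count -eq 1) {
        return Get-Certificate @storeArgs -Subject $exact[0].Subject
    }
    if ($exact.Count -gt 1) {
        $serials = ($exact | ForEach-Object { $_.SerialNumber }) -join ', '
        throw "Ambiguous subject '$Subject': $($exact.Count) certificates share it (serials: $serials). Disambiguate by SerialNumber before use."
    }

    # No exact match: show what the cmdlet's substring search would have picked from.
    $partial = @($entries | Where-Object {
        $_.Subject.IndexOf($Subject, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    $hits = ($partial | ForEach-Object { $_.Subject }) -join '; '
    throw "No exact match for '$Subject'. A substring search would have matched $($partial.Count) certificate(s): $hits"
}

# Usage: an exact DN succeeds; a partial value such as "Test" fails loudly instead of
# silently selecting whichever certificate happens to contain that string.
$cert = Resolve-CertificateSubject -Subject 'CN=Test Certificate, OU=People, C=US' -CertStore MY -CertStoreType User
$cert.Subject
```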
Certificate Output Object (Get-Certificate Cmdlet)
This object contains all the information about a certificate.
Syntax
Object Certificate {string Subject;
string SubjectAltNames;
string Issuer;
string SerialNumber;
string ThumbprintMD5;
string EffectiveDate;
string ExpirationDate;
string Usage;
string SignatureAlgorithm;
int PublicKeyLength;
string PublicKeyAlgorithm;
string PublicKey;
string ExtendedKeyUsage;
string Encoded;
}
Remarks
This object contains all the certificate properties.
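The only fingerprint this object carries is ThumbprintMD5, which is not suitable for pinning or for matching against modern CA and transparency-log records. The Encoded field is enough to compute a SHA-256 fingerprint locally. The function below is an added example, not code from the NetCmdlets documentation; it assumes Encoded is either a PEM block (BEGIN/END CERTIFICATE lines) or bare base64 DER, and handles both.

```powershell
# Added example (not part of the NetCmdlets docs): derive a SHA-256 fingerprint from
# the Certificate object's Encoded field, since only ThumbprintMD5 is exposed.
# Assumption: Encoded is PEM or bare base64 DER. A raw binary string would fail
# in FromBase64String, which is the desired loud failure.
function Get-CertificateSha256Fingerprint {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Encoded)

    # Strip PEM armour lines if present, then join the base64 body.
    $b64 = ($Encoded -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
    $der = [Convert]::FromBase64String($b64)

    # Let .NET parse the DER so we also get a sanity check on the structure.
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($x509.RawData) } finally { $sha.Dispose() }

    [pscustomobject]@{
        Subject  = $x509.Subject
        NotAfter = $x509.NotAfter
        Sha256   = (($hash | ForEach-Object { $_.ToString('x2') }) -join ':')
        Sha1     = $x509.Thumbprint   # .NET's Thumbprint property is SHA-1
    }
}

# Pin check: true only if the certificate's SHA-256 fingerprint is on the trusted list.
function Test-CertificatePin {
    param(
        [Parameter(Mandatory)][string]$Encoded,
        [Parameter(Mandatory)][string[]]$TrustedSha256
    )
    $fp = Get-CertificateSha256Fingerprint -Encoded $Encoded
    $normalized = $TrustedSha256 | ForEach-Object { $_.ToLowerInvariant() }
    return [bool]($fp.Sha256 -in $normalized)
}

# Usage with the root certificate from the page's own example; $trustedPins is a
# placeholder for the fingerprints your deployment recorded when it first pinned them.
$cert = Get-Certificate -CertStore Root -CertStoreType User -Subject 'C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority'
Get-CertificateSha256Fingerprint -Encoded $cert.Encoded
$trustedPins = @()   # populate from your pin list
if (-not (Test-CertificatePin -Encoded $cert.Encoded -TrustedSha256 $trustedPins)) {
    Write-Warning "Certificate '$($cert.Subject)' is not on the pin list."
}
```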
CertificateEntry Output Object (Get-Certificate Cmdlet)
This object is returned for each certificate located in a store.
Syntax
Object CertificateEntry {string Subject;
string Issuer;
string SerialNumber;
string Encoded;
bool HasPrivateKey;
}
Remarks
This object contains basic certificate properties.
Config Settings (Get-Certificate Cmdlet)
The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config parameter.
CertMgr Config Settings
CertComment: A comment to include in a saved certificate.
This setting specifies the certificate comment when calling ExportCertificate. It is applicable only for certain ExportFormat values.
CertCustomExtensionCount: The number of records in the CertCustomExtension arrays.
This setting controls the size of the CertCustomExtensionCritical, CertCustomExtensionOID and CertCustomExtensionValue arrays. The array indices start at 0 and end at CertCustomExtensionCount - 1.
CertCustomExtensionCritical[i]: Whether or not the extension is defined as critical.
Whether or not the certificate extension at index "i" is defined as critical. Valid array indices are from 0 to CertCustomExtensionCount - 1.
CertCustomExtensionOID[i]: The ASN.1 OID of the extension at index 'i'.
The ASN.1 object identifier (OID) that defines the certificate extension at index 'i'. Valid array indices are from 0 to CertCustomExtensionCount - 1.
CertCustomExtensionValue[i]: The raw value of the extension at index 'i'.
The raw value of this certificate extension (as a byte string). This value is encoded according to the extension's ASN.1 specification. Valid array indices are from 0 to CertCustomExtensionCount - 1.
CertExtendedKeyUsage: The extended key usage of the certificate.
This setting specifies the extended key usage flags of the certificate created by calling CreateCertificate or IssueCertificate. If specified, the value is a comma-separated list of OIDs. For instance, the following value specifies the extended key usages Server Authentication, Client Authentication and Code Signing: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3
CertKeyLength: The public key length for created certificates and keys.
When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the length of the new public key (in bits). The default value is 2048.
CertKeyType: The types of keys created for new certificates.
When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the type of key generated: 1 for key exchange (encryption) keys, and 2 for digital signature keys. The default value is 1.
CertPublicKeyAlgorithm: The public key algorithm used when a certificate is created.
When CreateCertificate creates a new certificate and associated key, this setting determines the public key algorithm of the generated keys.
CertSignatureAlgorithm: The signature algorithm used when creating certificates.
When CreateCertificate or IssueCertificate creates a new certificate, the signature algorithm used is specified by this setting.
CertSubjectAltNames: Subject Alternative Names for creating or issuing certificates.
This allows the Subject Alternative Names extension to be specified when creating or issuing a certificate via CreateCertificate or IssueCertificate. This setting only supports email, DNS, URI, and IPv4 addresses. Multiple alternative names are separated by commas.
CertUsageFlags: Sets the flags indicating the usage of the created certificate.
This setting specifies the usage flags of the certificate created by calling CreateCertificate or IssueCertificate. If specified, the value is the bitwise OR of one or more of the supported flag values. For instance, a value of 12 (0xC) is the bitwise OR of the Certificate Signing and Key Signing usage flags.
CertValidityOffset: The number of days until the certificate becomes valid.
This configuration setting can be used to change when a newly created certificate becomes valid. By default, the certificate is valid as soon as it is created. Set CertValidityOffset to the number of days that this starting period should be offset from the current day. This setting also accepts negative values for back-dating the validity of a certificate. The default value is 0.
CertValidityTime: The validity period for the certificate.
This configuration setting determines the duration in days that a newly created certificate remains valid. The certificate becomes valid as soon as it is created, unless CertValidityOffset is set. The duration is not changed if CertValidityOffset is set; the certificate will still expire CertValidityTime days after the validity period begins. The default value is 365 days.
CheckCRL: Checks the Certificate Revocation List for the selected certificate.
When queried, this setting checks the Certificate Revocation List specified by the currently loaded Cert. The cmdlet first obtains the list of CRL URLs from the certificate's CRL distribution points extension, then makes HTTP requests to each CRL endpoint to check the validity of the certificate. If the certificate has been revoked or any other issues are found during validation, the cmdlet throws an exception.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
CheckOCSP: Uses OCSP to check the status of the selected certificate.
When queried, the cmdlet uses OCSP to check the validity of the currently loaded Cert. The cmdlet first obtains the OCSP URL from the certificate's OCSP extension, then locates the issuing certificate and makes an HTTP request to the OCSP endpoint to check the validity of the certificate. If the certificate has been revoked or any other issues are found during validation, the cmdlet throws an exception.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
CreatedKey: The PKCS8 formatted private and public key pair created after calling CreateKey.
This setting returns the PKCS8 formatted private and public key pair of the key created when CreateKey is called. This is useful in scenarios where exporting the key for use in another environment is required.
CSP: The Cryptographic Service Provider.
The name of the Cryptographic Service Provider used to provide access to certificate signing operations.
CSRIgnoredExtensions: Extensions to be ignored when signing a CSR.
Set this configuration setting to a comma-separated list of OIDs of any extensions already present in the CSR that should be ignored when the CSR is signed. For example, listing the OID of the Subject Alternative Name extension causes the SANs in a CSR to be ignored.
CSRKey: The PKCS8 formatted private key to use when generating a CSR.
This setting optionally specifies a PKCS8 formatted private key to use when calling GenerateCSR. When set, the keyName parameter of GenerateCSR is ignored and the key specified by this setting is used instead.
EncodeExportedCert: Whether the certificate being exported to a string is encoded.
This setting controls whether the certificate exported as a string when ExportCertificate is called is encoded. If ExportFormat is set to PFX or P7B before calling ExportCertificate, the exported certificate may be binary (EncodeExportedCert is False) or base64 encoded (EncodeExportedCert is True) to allow easier handling of the certificate data. The default value is False.
HasCRL: Whether the certificate supports the CRL extension.
This setting returns true if the currently loaded Cert supports the CRL extension.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
HasOCSP: Whether the certificate supports the OCSP extension.
This setting returns true if the currently loaded Cert supports the OCSP extension.
This configuration setting is only supported in the Java, C#, and C++ editions. In the C++ edition, it is only supported on Windows operating systems.
ImportCertAction: Specifies the action to take if a matching certificate or a link to a matching certificate already exists.
When calling ImportCertificate, if a matching certificate or a link to a matching certificate already exists in the Windows certificate store, this setting governs what action will be taken.
ImportCertStoreType: The type of certificate store being specified for import.
When calling ImportCertificate, this setting controls the type of the certificate store being specified in the first parameter.
JWKAlgorithm: The JWK algorithm.
This setting specifies the JWK algorithm. It can be set before calling ExportCertificate (if ExportFormat is set to JWK) to control the key algorithm used to create the JWK. This setting is also populated after loading a JWK file.
JWKExportX5C: Whether to export a certificate chain to the x5c parameter.
When set to true, the component attempts to build the X.509 certificate chain for the certificate currently selected by Cert. If successful, the x5c parameter is added to the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). The default value is False.
JWKKeyId: The JWK key Id.
This setting specifies the JWK key Id. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting is also populated after loading a JWK file.
JWKKeyOps: The JWK intended key operations list.
This setting specifies the intended key operations for the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting is also populated after loading a JWK file. The setting format is a JSON array. Examples: ["sign","verify"] or ["encrypt"].
JWKUse: The JWK use parameter value.
This setting specifies the intended usage of the key. It can be set before calling ExportCertificate (if ExportFormat is set to JWK). This setting is also populated after loading a JWK file. Valid values are enc and sig.
KeyFormat: How the public and private key are formatted.
This setting controls the format of CertPublicKey and CertPrivateKey. By default these properties hold PEM formatted public and private key data. When set to 1 (XML) the keys are stored in an XML format. This only affects the values returned by the cmdlet; the actual keys remain the same regardless of this setting.
LogLevel: The level of detail that is logged.
This setting controls the level of detail that is logged through the Log event.
ReplaceKey: Whether or not to replace an existing key when creating a new key.
If this is false (default), the component throws an error if a duplicate key exists while generating a new keyset using CreateKey. If set to true, the component replaces a key if it already exists when generating new keys.
RequestSubjectAltNames: Subject Alternative Names for a Certificate Signing Request.
This allows Subject Alternative Names to be added to a Certificate Signing Request. The setting only supports email, DNS, URI, and IPv4 addresses. Multiple alternative names are separated by commas.
X509Algorithm: Public Key Algorithm OID.
This setting exposes the Public Key Algorithm object identifier (OID) value for the currently loaded Cert.
X509SignatureAlgorithm: Signature Algorithm OID.
This setting exposes the Signature Algorithm object identifier (OID) value for the currently loaded Cert.
Base Config Settings
BuildInfo: Information about the product's build.
When queried, this setting returns a string containing information about the product's build.
CodePage: The system code page used for Unicode to Multibyte translations.
The default code page is Unicode UTF-8 (65001).
LicenseInfo: Information about the current license.
When queried, this setting returns a string containing information about the license this instance of a cmdlet is using.
MaskSensitive: Whether sensitive data is masked in log messages.
In certain circumstances it may be beneficial to mask sensitive data, like passwords, in log messages. Set this to true to mask sensitive data. The default is false.
This setting only works on these cmdlets: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
UseInternalSecurityAPI: Tells the cmdlet whether or not to use the system security libraries or an internal implementation.
When set to false, the cmdlet uses the system security libraries by default to perform cryptographic functions where applicable. In this case, calls to unmanaged code are made, which is not desirable in certain environments. To use a completely managed security implementation, set this setting to true; the cmdlet then uses the internal implementation instead of the system security libraries.
On Windows, this setting is false by default. On Linux/macOS, it is true by default. If using the .NET Standard Library, this setting is true on all platforms, because the .NET Standard library does not support using the system security libraries.
Note: This setting is static. The value set applies to all cmdlets used in the application. When this value is set to true, the product's system DLL is no longer required as a reference, as all unmanaged code is stored in that file.