Unprotect-Data Cmdlet

Parameters   Output Objects   Config Settings  

The Unprotect-Data cmdlet supports decrypting data with various symmetric algorithms including AES, 3DES, and more.

Syntax

Unprotect-Data [parameters]

Remarks

The Unprotect-Data cmdlet provides a simple way to decrypt data or files. The following algorithms are supported:

  • AES (default)
  • Blowfish
  • CAST
  • DES
  • IDEA
  • RC2
  • RC4
  • TEA
  • TripleDES
  • Twofish
  • Rijndael

To begin, specify the input data through either InputMessage or InputFile. If OutputFile is set the decrypted data will be written to the specified file, otherwise it will be returned in the OutputMessage object.

Next, set KeyPassword, and specify the Algorithm if required. Additional parameters that affect the algorithm include CipherMode and PaddingMode.

If the input is hex encoded set UseHex to hex decode the input before decrypting.

Additional options include specifying Key and InitializationVector instead of KeyPassword, decrypting block-by-block via InputBlockB, specifying KeySize, KeyPasswordAlgorithm, and more.

Encrypt Examples #Encrypt a string with AES and default options $encryptedData = Protect-Data -InputMessage test -KeyPassword password #Encrypt a string to file with 3DES Protect-Data -InputMessage test -KeyPassword password -OutputFile C:\encrypted.dat -Algorithm tripledes #Encrypt a file to string and hex encode it Protect-Data -InputFile C:\test.txt -KeyPassword password -UseHex

Decrypt Examples #Decrypt a string with AES Unprotect-Data -InputMessageB $encryptedData.DataB -KeyPassword password #Decrypt a file to string with 3DES Unprotect-Data -InputFile C:\encrypted.dat -KeyPassword password -Algorithm tripledes #Decrypt a string to file and hex decode it Unprotect-Data -InputMessage ADE51B29E36B2C1FCB4C9A1BEB8884AE -KeyPassword password -UseHex -OutputFile C:\test.decrypted.txt

Parameter List


The following is the full list of the parameters of the cmdlet with short descriptions. Click on the links for further details.

LogFileThe location of a file to which debug information is written.
AlgorithmThe encryption algorithm.
CharsetThe character set of the data.
CipherModeThe cipher mode of operation.
ConfigSpecifies one or more configuration settings.
InitializationVectorThe initialization vector (IV).
InputBlockBA block of data to decrypt.
InputFileThe file to process.
InputMessageThe message to process.
InputMessageBThe message to process.
IVBThe initialization vector (IV).
KeyThe secret key for the symmetric algorithm.
KeyBThe secret key for the symmetric algorithm.
KeyPasswordA password to generate the Key and InitializationVector .
LastBlockWhether the input block is the last block.
LogFileThe location of a file to which debug information is written.
OutputFileSpecifies the output file.
OverwriteWhether to overwrite the output file.
PaddingModeThe padding mode.
UseHexWhether input or output is hex encoded.

Output Objects


The following is the full list of the output objects returned by the cmdlet with short descriptions. Click on the links for further details.

OutputBlockThe decrypted block.
OutputMessageThe output message.

Config Settings


The following is a list of config settings for the cmdlet with short descriptions. Click on the links for further details.

BlockSizeThe block size, in bits, of the cryptographic operation.
IncludeIVWhether to prepend the IV to the output data and read the IV from the input data.
KeyPasswordAlgorithmThe hash algorithm used to derive the Key and IV from the KeyPassword property.
KeyPasswordSaltThe salt value used in conjunction with the KeyPassword to derive the Key and IV.
KeySizeThe size, in bits, of secret key for the symmetric algorithm.
BuildInfoInformation about the product's build.
CodePageThe system code page used for Unicode to Multibyte translations.
LicenseInfoInformation about the current license.
MaskSensitiveWhether sensitive data is masked in log messages.
UseInternalSecurityAPITells the component whether or not to use the system security libraries or an internal implementation.

LogFile Parameter (Unprotect-Data Cmdlet)

The location of a file to which debug information is written.

Syntax

Unprotect-Data -LogFile string

Remarks

When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.

Default Value

null

Algorithm Property (Unprotect-Data Cmdlet)

The encryption algorithm.

Syntax

Unprotect-Data -Algorithm string

Remarks

This parameter specifies the encryption algorithm. Possible values are:

  • AES (default)
  • Blowfish
  • CAST
  • DES
  • IDEA
  • RC2
  • RC4
  • TEA
  • TripleDES
  • Twofish
  • Rijndael

Default Value

0

Charset Property (Unprotect-Data Cmdlet)

The character set of the data.

Syntax

Unprotect-Data -Charset string

Remarks

Allows you to specify the character set of the data. By default, the parameter is an empty string ("") and will use the platform's current character set.

Default Value

""

CipherMode Property (Unprotect-Data Cmdlet)

The cipher mode of operation.

Syntax

Unprotect-Data -CipherMode string

Remarks

The cipher mode of operation. Possible values are:

CBC (default) The Cipher Block Chaining (CBC) is a mode of operation for a block cipher, one in which a sequence of bits is encrypted as a single unit or block with a cipher key applied to the entire block.
ECBThe Electronic Codebook (ECB) mode encrypts each block separately. Important: It is not recommend to use this model when encrypting more than one block because it may introduce security risks.
OFBThe Output Feedback (n-bit, NOFB) mode makes a block cipher into a synchronous stream cipher. It has some similarities to CFB mode in that it permits encryption of differing block sizes, but has the key difference that the output of the encryption block function is the feedback (instead of the ciphertext).
CFBThe Cipher Feedback (CFB) mode processes a small amount of incremental text into ciphertext, rather than processing a whole block at one time.
CTSThe Cipher Text Stealing (CTS) mode handles any length of plain text and produces cipher text whose length matches the plain text length. This mode behaves like the CBC mode for all but the last two blocks of the plain text.
8OFB8-bit Output Feedback (OFB) cipher mode.

Default Value

0

Config Property (Unprotect-Data Cmdlet)

Specifies one or more configuration settings.

Syntax

Unprotect-Data -Config string[]

Remarks

The Config parameter takes one or more name-value pairs that represent the name of the configuration setting and value, i.e.: -config "Name=Value"

Default Value

null

InitializationVector Property (Unprotect-Data Cmdlet)

The initialization vector (IV).

Syntax

Unprotect-Data -InitializationVector string

Remarks

This parameter specifies the initialization vector (IV). By default this parameter is empty and the cmdlet will automatically generate a new IV value if KeyPassword is set. The size of the IV parameter must be equal to the BlockSize divided by 8.

Default Value

""

InputBlockB Property (Unprotect-Data Cmdlet)

A block of data to decrypt.

Syntax

Unprotect-Data -InputBlockB byte[]

Remarks

This setting specifies a block of encrypted data to decrypt. This may be used as an alternative to InputMessage or InputFile and allows decrypting block by block. This parameter accepts a byte array. The decrypted block is provided in the OutputBlock object.

Input and Output Parameters

The cmdlet will determine the source and destination of the input and output based on which parameters are set.

The order in which the input parameters are checked is as follows:

When a valid source is found the search stops. The output is written to OutputFile is specified, otherwise it is returned in the OutputMessage object.

Default Value

null

InputFile Property (Unprotect-Data Cmdlet)

The file to process.

Syntax

Unprotect-Data -InputFile string

Remarks

This parameter specifies the file to be processed. Set this parameter to the full or relative path to the file which will be processed.

Input and Output Parameters

The cmdlet will determine the source and destination of the input and output based on which parameters are set.

The order in which the input parameters are checked is as follows:

When a valid source is found the search stops. The output is written to OutputFile is specified, otherwise it is returned in the OutputMessage object.

Default Value

""

InputMessage Property (Unprotect-Data Cmdlet)

The message to process.

Syntax

Unprotect-Data -InputMessage string

Remarks

This parameter specifies the message to be processed.

Input and Output Parameters

The cmdlet will determine the source and destination of the input and output based on which parameters are set.

The order in which the input parameters are checked is as follows:

When a valid source is found the search stops. The output is written to OutputFile is specified, otherwise it is returned in the OutputMessage object.

Default Value

""

InputMessageB Property (Unprotect-Data Cmdlet)

The message to process.

Syntax

Unprotect-Data -InputMessageB byte[]

Remarks

This parameter specifies the message to be processed. This parameter accepts a byte array.

Input and Output Parameters

The cmdlet will determine the source and destination of the input and output based on which parameters are set.

The order in which the input parameters are checked is as follows:

When a valid source is found the search stops. The output is written to OutputFile is specified, otherwise it is returned in the OutputMessage object.

Default Value

null

IVB Property (Unprotect-Data Cmdlet)

The initialization vector (IV).

Syntax

Unprotect-Data -IVB byte[]

Remarks

This parameter specifies the initialization vector (IV). By default this parameter is empty and the cmdlet will automatically generate a new IV value if KeyPassword is set. The size of the IV parameter must be equal to the BlockSize divided by 8. This parameter accept a byte array.

Default Value

null

Key Property (Unprotect-Data Cmdlet)

The secret key for the symmetric algorithm.

Syntax

Unprotect-Data -Key string

Remarks

This secret key is used both for encryption and decryption. The secret key should be known only to the sender and the receiver. The legal key size varies depending on the algorithm.

If this parameter is left empty and KeyPassword is specified, a Key value will be generated by the cmdlet as necessary.

Legal Key and Block Sizes (in bits)

AES Rijndael CAST DES IDEA RC2 RC4 TripleDES Blowfish Twofish TEA
Minimum Key Size 128 128 112 64 128 112 112 128 112 128 128
Maximum Key Size 256 256 128 64 128 128 2048 192 448 256 128
Key Size Step 64 64 8 0 0 8 8 64 1 8 0
Block Size 128 128/192/256 64 64 64 64 N/A 64 64 128 64*

Note: When using TEA if Algorithm is set to XXTEA valid block sizes are 64 + n * 32. Where n is any positive integer.

The default KeySize is the Maximum Key Size.

Default Value

""

KeyB Property (Unprotect-Data Cmdlet)

The secret key for the symmetric algorithm.

Syntax

Unprotect-Data -KeyB byte[]

Remarks

This secret key is used both for encryption and decryption. The secret key should be known only to the sender and the receiver. The legal key size varies depending on the algorithm.

If this parameter is left empty and KeyPassword is specified, a Key value will be generated by the cmdlet as necessary.

Legal Key and Block Sizes (in bits)

AES Rijndael CAST DES IDEA RC2 RC4 TripleDES Blowfish Twofish TEA
Minimum Key Size 128 128 112 64 128 112 112 128 112 128 128
Maximum Key Size 256 256 128 64 128 128 2048 192 448 256 128
Key Size Step 64 64 8 0 0 8 8 64 1 8 0
Block Size 128 128/192/256 64 64 64 64 N/A 64 64 128 64*

Note: When using TEA if Algorithm is set to XXTEA valid block sizes are 64 + n * 32. Where n is any positive integer.

The default KeySize is the Maximum Key Size. This parameter accept a byte array.

Default Value

null

KeyPassword Property (Unprotect-Data Cmdlet)

A password to generate the Key and InitializationVector .

Syntax

Unprotect-Data -KeyPassword string

Remarks

When this parameter is set the cmdlet will calculate values for Key and InitializationVector using the PKCS5 password digest algorithm. This provides a simpler alternative to creating and managing Key and InitializationVector values directly.

The size of the Key generated is dependent on the value of KeySize.

Default Value

""

LastBlock Property (Unprotect-Data Cmdlet)

Whether the input block is the last block.

Syntax

Unprotect-Data -LastBlock SwitchParameter

Remarks

This parameter is used in conjunction with InputBlockB to specify whether the current block is the last block.

Default Value

false

LogFile Property (Unprotect-Data Cmdlet)

The location of a file to which debug information is written.

Syntax

Unprotect-Data -LogFile string

Remarks

When specified, the cmdlet will log debug information to the file. If the file exists, the information will be appended.

Default Value

""

OutputFile Property (Unprotect-Data Cmdlet)

Specifies the output file.

Syntax

Unprotect-Data -OutputFile string

Remarks

This parameter specifies the output file where data will be written. If this is not specified the data is returned as a OutputMessage object.

Default Value

""

Overwrite Property (Unprotect-Data Cmdlet)

Whether to overwrite the output file.

Syntax

Unprotect-Data -Overwrite SwitchParameter

Remarks

This parameter indicates whether the cmdlet will overwrite the output file. If Overwrite is False (default), an error will be thrown when OutputFile exists. The default value is False.

Default Value

false

PaddingMode Property (Unprotect-Data Cmdlet)

The padding mode.

Syntax

Unprotect-Data -PaddingMode string

Remarks

PaddingMode is used to pad the final input block to guarantee that it is the correct size required for the selected CipherMode. Each mode pads the data differently. Possible values are:

PKCS7 (default) The data is padded with a series of bytes that are each equal to the number of bytes used. For instance, in the example below the data must be padded with 3 additional bytes, so each byte value will be 3.

Raw Data: AA AA AA AA AA PKCS7 Padded Data: AA AA AA AA AA 03 03 03
Zeros The data is padded with null bytes.
None No padding will be performed.
ANSIX923 The ANSIX923 padding string consists of a sequence of bytes filled with zeros before the length. For instance, in the example below the data must be padded with 3 additional bytes, so last byte value will be 3.

Raw Data: AA AA AA AA AA ANSIX923 padding Data: AA AA AA AA AA 00 00 03
ISO10126 The ISO10126 padding string consists of random data before the length. For instance, in the example below the data must be padded with 3 additional bytes, so last byte value will be 3.

Raw Data: AA AA AA AA AA ISO10126 padding Data: AA AA AA AA AA F8 EF 03

When calling Decrypt the PaddingMode must match the value used when the data was encrypted.

Note: When using a value of 2 (pmNone), unless the length of input is an exact multiple of the cipher's input BlockSize, the final block of plaintext may be lost.

Default Value

0

UseHex Property (Unprotect-Data Cmdlet)

Whether input or output is hex encoded.

Syntax

Unprotect-Data -UseHex SwitchParameter

Remarks

This parameter specifies whether data is hex encoded.

When encrypting if this is True the output is hex encoded. When decrypting if this is True the input is first hex decoded before processing.

Default Value

false

OutputBlock Output Object (Unprotect-Data Cmdlet)

The decrypted block.

Syntax

Object OutputBlock {
   string Data;
   byte[] DataB;
}

Remarks

This object is returned when InputBlockB is set. This holds the decrypted block. The Data property holds the string representation of the block. The DataB property holds the block as a byte array.

OutputMessage Output Object (Unprotect-Data Cmdlet)

The output message.

Syntax

Object OutputMessage {
   string Data;
   byte[] DataB;
}

Remarks

This holds the output data. The Data property holds the string representation. The DataB property holds the block as a byte array.

Config Settings (Unprotect-Data Cmdlet)

The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config method.

Unprotect-Data Config Settings

BlockSize:   The block size, in bits, of the cryptographic operation.

The block size is a basic data unit in the operation of encrypt or decrypt. Messages longer than the block size are seen as successive blocks. If the message is shorter than the block size, the message will be padded with extra bits to reach the block size according to PaddingMode. Different symmetric algorithm has different valid block sizes.

The following algorithms have a fixed block size: AES, CAST, DES, IDEA, RC2, TripleDES, Blowfish, and Twofish.

IncludeIV:   Whether to prepend the IV to the output data and read the IV from the input data.

If this config is true, the IV will be automatically prepended to the output data when calling Encrypt. When calling Decrypt and this setting is True, the IV is automatically extracted form the ciphertext. The default value is False.

KeyPasswordAlgorithm:   The hash algorithm used to derive the Key and IV from the KeyPassword property.

This configuration setting specifies which hash algorithm will be used when deriving the Key and InitializationVector from KeyPassword. The default value is "MD5". Possible values are:

  • "SHA1"
  • "MD2"
  • "MD5" (default)
  • "HMAC-SHA1"
  • "HMAC-SHA224"
  • "HMAC-SHA256"
  • "HMAC-SHA384"
  • "HMAC-SHA512"
  • "HMAC-MD5"
  • "HMAC-RIPEMD160"
KeyPasswordSalt:   The salt value used in conjunction with the KeyPassword to derive the Key and IV.

This configuration setting specifies the hex encoded salt value to be used along with the KeyPassword when calculating values for Key and InitializationVector.

KeySize:   The size, in bits, of secret key for the symmetric algorithm.

The legal key sizes vary depending on the algorithm. The KeySize and BlockSize configuration settings may be set to specify the key and block size (in bits).

This setting is only applicable when KeyPassword is specified.

Note that when using the EzCrypt cmdlet, KeySize should be set after setting the Algorithm property.

Base Config Settings

BuildInfo:   Information about the product's build.

When queried, this setting will return a string containing information about the product's build.

CodePage:   The system code page used for Unicode to Multibyte translations.

The default code page is Unicode UTF-8 (65001).

The following is a list of valid code page identifiers:

IdentifierName
037IBM EBCDIC - U.S./Canada
437OEM - United States
500IBM EBCDIC - International
708Arabic - ASMO 708
709Arabic - ASMO 449+, BCON V4
710Arabic - Transparent Arabic
720Arabic - Transparent ASMO
737OEM - Greek (formerly 437G)
775OEM - Baltic
850OEM - Multilingual Latin I
852OEM - Latin II
855OEM - Cyrillic (primarily Russian)
857OEM - Turkish
858OEM - Multilingual Latin I + Euro symbol
860OEM - Portuguese
861OEM - Icelandic
862OEM - Hebrew
863OEM - Canadian-French
864OEM - Arabic
865OEM - Nordic
866OEM - Russian
869OEM - Modern Greek
870IBM EBCDIC - Multilingual/ROECE (Latin-2)
874ANSI/OEM - Thai (same as 28605, ISO 8859-15)
875IBM EBCDIC - Modern Greek
932ANSI/OEM - Japanese, Shift-JIS
936ANSI/OEM - Simplified Chinese (PRC, Singapore)
949ANSI/OEM - Korean (Unified Hangul Code)
950ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC)
1026IBM EBCDIC - Turkish (Latin-5)
1047IBM EBCDIC - Latin 1/Open System
1140IBM EBCDIC - U.S./Canada (037 + Euro symbol)
1141IBM EBCDIC - Germany (20273 + Euro symbol)
1142IBM EBCDIC - Denmark/Norway (20277 + Euro symbol)
1143IBM EBCDIC - Finland/Sweden (20278 + Euro symbol)
1144IBM EBCDIC - Italy (20280 + Euro symbol)
1145IBM EBCDIC - Latin America/Spain (20284 + Euro symbol)
1146IBM EBCDIC - United Kingdom (20285 + Euro symbol)
1147IBM EBCDIC - France (20297 + Euro symbol)
1148IBM EBCDIC - International (500 + Euro symbol)
1149IBM EBCDIC - Icelandic (20871 + Euro symbol)
1200Unicode UCS-2 Little-Endian (BMP of ISO 10646)
1201Unicode UCS-2 Big-Endian
1250ANSI - Central European
1251ANSI - Cyrillic
1252ANSI - Latin I
1253ANSI - Greek
1254ANSI - Turkish
1255ANSI - Hebrew
1256ANSI - Arabic
1257ANSI - Baltic
1258ANSI/OEM - Vietnamese
1361Korean (Johab)
10000MAC - Roman
10001MAC - Japanese
10002MAC - Traditional Chinese (Big5)
10003MAC - Korean
10004MAC - Arabic
10005MAC - Hebrew
10006MAC - Greek I
10007MAC - Cyrillic
10008MAC - Simplified Chinese (GB 2312)
10010MAC - Romania
10017MAC - Ukraine
10021MAC - Thai
10029MAC - Latin II
10079MAC - Icelandic
10081MAC - Turkish
10082MAC - Croatia
12000Unicode UCS-4 Little-Endian
12001Unicode UCS-4 Big-Endian
20000CNS - Taiwan
20001TCA - Taiwan
20002Eten - Taiwan
20003IBM5550 - Taiwan
20004TeleText - Taiwan
20005Wang - Taiwan
20105IA5 IRV International Alphabet No. 5 (7-bit)
20106IA5 German (7-bit)
20107IA5 Swedish (7-bit)
20108IA5 Norwegian (7-bit)
20127US-ASCII (7-bit)
20261T.61
20269ISO 6937 Non-Spacing Accent
20273IBM EBCDIC - Germany
20277IBM EBCDIC - Denmark/Norway
20278IBM EBCDIC - Finland/Sweden
20280IBM EBCDIC - Italy
20284IBM EBCDIC - Latin America/Spain
20285IBM EBCDIC - United Kingdom
20290IBM EBCDIC - Japanese Katakana Extended
20297IBM EBCDIC - France
20420IBM EBCDIC - Arabic
20423IBM EBCDIC - Greek
20424IBM EBCDIC - Hebrew
20833IBM EBCDIC - Korean Extended
20838IBM EBCDIC - Thai
20866Russian - KOI8-R
20871IBM EBCDIC - Icelandic
20880IBM EBCDIC - Cyrillic (Russian)
20905IBM EBCDIC - Turkish
20924IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol)
20932JIS X 0208-1990 & 0121-1990
20936Simplified Chinese (GB2312)
21025IBM EBCDIC - Cyrillic (Serbian, Bulgarian)
21027Extended Alpha Lowercase
21866Ukrainian (KOI8-U)
28591ISO 8859-1 Latin I
28592ISO 8859-2 Central Europe
28593ISO 8859-3 Latin 3
28594ISO 8859-4 Baltic
28595ISO 8859-5 Cyrillic
28596ISO 8859-6 Arabic
28597ISO 8859-7 Greek
28598ISO 8859-8 Hebrew
28599ISO 8859-9 Latin 5
28605ISO 8859-15 Latin 9
29001Europa 3
38598ISO 8859-8 Hebrew
50220ISO 2022 Japanese with no halfwidth Katakana
50221ISO 2022 Japanese with halfwidth Katakana
50222ISO 2022 Japanese JIS X 0201-1989
50225ISO 2022 Korean
50227ISO 2022 Simplified Chinese
50229ISO 2022 Traditional Chinese
50930Japanese (Katakana) Extended
50931US/Canada and Japanese
50933Korean Extended and Korean
50935Simplified Chinese Extended and Simplified Chinese
50936Simplified Chinese
50937US/Canada and Traditional Chinese
50939Japanese (Latin) Extended and Japanese
51932EUC - Japanese
51936EUC - Simplified Chinese
51949EUC - Korean
51950EUC - Traditional Chinese
52936HZ-GB2312 Simplified Chinese
54936Windows XP: GB18030 Simplified Chinese (4 Byte)
57002ISCII Devanagari
57003ISCII Bengali
57004ISCII Tamil
57005ISCII Telugu
57006ISCII Assamese
57007ISCII Oriya
57008ISCII Kannada
57009ISCII Malayalam
57010ISCII Gujarati
57011ISCII Punjabi
65000Unicode UTF-7
65001Unicode UTF-8
The following is a list of valid code page identifiers for Mac OS only:
IdentifierName
1ASCII
2NEXTSTEP
3JapaneseEUC
4UTF8
5ISOLatin1
6Symbol
7NonLossyASCII
8ShiftJIS
9ISOLatin2
10Unicode
11WindowsCP1251
12WindowsCP1252
13WindowsCP1253
14WindowsCP1254
15WindowsCP1250
21ISO2022JP
30MacOSRoman
10UTF16String
0x90000100UTF16BigEndian
0x94000100UTF16LittleEndian
0x8c000100UTF32String
0x98000100UTF32BigEndian
0x9c000100UTF32LittleEndian
65536Proprietary

LicenseInfo:   Information about the current license.

When queried, this setting will return a string containing information about the license this instance of a cmdlet is using. It will return the following information:

  • Product: The product the license is for.
  • Product Key: The key the license was generated from.
  • License Source: Where the license was found (e.g., RuntimeLicense, License File).
  • License Type: The type of license installed (e.g., Royalty Free, Single Server).
  • Last Valid Build: The last valid build number for which the license will work.
MaskSensitive:   Whether sensitive data is masked in log messages.

In certain circumstances it may be beneficial to mask sensitive data, like passwords, in log messages. Set this to true to mask sensitive data. The default is true.

This setting only works on these cmdlets: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.

UseInternalSecurityAPI:   Whether or not to use the system security libraries or an internal implementation.

When set to false, the cmdlet will use the system security libraries by default to perform cryptographic functions where applicable. In this case, calls to unmanaged code will be made. In certain environments, this is not desirable. To use a completely managed security implementation, set this setting to true.

Setting this configuration setting to true tells the cmdlet to use the internal implementation instead of using the system security libraries.

On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.

If using the .NET Standard Library, this setting will be true on all platforms. The .NET Standard library does not support using the system security libraries.

Note: This setting is static. The value set is applicable to all cmdlets used in the application.

When this value is set, the product's system dynamic link library (DLL) is no longer required as a reference, as all unmanaged code is stored in that file.

Certificate Type

This is the digital certificate being used.

Remarks

This type describes the current digital certificate. The certificate may be a public or private key. The fields are used to identify or select certificates.

Fields

EffectiveDate
string (read-only)

This is the date on which this certificate becomes valid. Before this date, it is not valid. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

Encoded
string

This is the certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The and properties also may be used to specify a certificate.

When is set, a search is initiated in the current for the private key of the certificate. If the key is found, is updated to reflect the full subject of the selected certificate; otherwise, is set to an empty string.

ExpirationDate
string (read-only)

This is the date the certificate expires. After this date, the certificate will no longer be valid. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

ExtendedKeyUsage
string

This is a comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

Fingerprint
string (read-only)

This is the hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

FingerprintSHA1
string (read-only)

This is the hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

FingerprintSHA256
string (read-only)

This is the hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

Issuer
string (read-only)

This is the issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

KeyPassword
string

This is the password for the certificate's private key (if any).

Some certificate stores may individually protect certificates' private keys, separate from the standard protection offered by the . . This field can be used to read such password-protected private keys.

Note: this property defaults to the value of . To clear it, you must set the property to the empty string (""). It can be set at any time, but when the private key's password is different from the store's password, then it must be set before calling .

PrivateKey
string (read-only)

This is the private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The may be available but not exportable. In this case, returns an empty string.

PrivateKeyAvailable
bool (read-only)

This property shows whether a is available for the selected certificate. If is True, the certificate may be used for authentication purposes (e.g., server authentication).

PrivateKeyContainer
string (read-only)

This is the name of the container for the certificate (if available). This functionality is available only on Windows platforms.

PublicKey
string (read-only)

This is the public key of the certificate. The key is provided as PEM/Base64-encoded data.

PublicKeyAlgorithm
string

This property contains the textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

PublicKeyLength
int (read-only)

This is the length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

SerialNumber
string (read-only)

This is the serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

SignatureAlgorithm
string (read-only)

The property contains the text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

Store
string

This is the name of the certificate store for the client certificate.

The property denotes the type of the certificate store specified by . If the store is password protected, specify the password in .

is used in conjunction with the property to specify client certificates. If has a value, and or is set, a search for a certificate is initiated. Please see the property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

MYA certificate store holding personal certificates with their associated private keys.
CACertifying authority certificates.
ROOTRoot certificates.

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

StorePassword
string

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

StoreType
int

This is the type of certificate store for this certificate.

The cmdlet supports both public and private keys in a variety of formats. When the cstAuto value is used, the cmdlet will automatically determine the type. This property can take one of the following values:

0 (cstUser - default)For Windows, this specifies that the certificate store is a certificate store owned by the current user.

Note: This store type is not available in Java.

1 (cstMachine)For Windows, this specifies that the certificate store is a machine store.

Note: This store type is not available in Java.

2 (cstPFXFile)The certificate store is the name of a PFX (PKCS#12) file containing certificates.
3 (cstPFXBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in PFX (PKCS#12) format.
4 (cstJKSFile)The certificate store is the name of a Java Key Store (JKS) file containing certificates.

Note: This store type is only available in Java.

5 (cstJKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in Java Key Store (JKS) format.

Note: this store type is only available in Java.

6 (cstPEMKeyFile)The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate.
7 (cstPEMKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a private key and an optional certificate.
8 (cstPublicKeyFile)The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate.
9 (cstPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains a PEM- or DER-encoded public key certificate.
10 (cstSSHPublicKeyBlob)The certificate store is a string (binary or Base64-encoded) that contains an SSH-style public key.
11 (cstP7BFile)The certificate store is the name of a PKCS#7 file containing certificates.
12 (cstP7BBlob)The certificate store is a string (binary) representing a certificate store in PKCS#7 format.
13 (cstSSHPublicKeyFile)The certificate store is the name of a file that contains an SSH-style public key.
14 (cstPPKFile)The certificate store is the name of a file that contains a PPK (PuTTY Private Key).
15 (cstPPKBlob)The certificate store is a string (binary) that contains a PPK (PuTTY Private Key).
16 (cstXMLFile)The certificate store is the name of a file that contains a certificate in XML format.
17 (cstXMLBlob)The certificate store is a string that contains a certificate in XML format.
18 (cstJWKFile)The certificate store is the name of a file that contains a JWK (JSON Web Key).
19 (cstJWKBlob)The certificate store is a string that contains a JWK (JSON Web Key).
21 (cstBCFKSFile)The certificate store is the name of a file that contains a BCFKS (Bouncy Castle FIPS Key Store).

Note: This store type is only available in Java and .NET.

22 (cstBCFKSBlob)The certificate store is a string (binary or Base64-encoded) representing a certificate store in BCFKS (Bouncy Castle FIPS Key Store) format.

Note: This store type is only available in Java and .NET.

23 (cstPKCS11)The certificate is present on a physical security key accessible via a PKCS#11 interface.

To use a security key, the necessary data must first be collected using the CERTMGR cmdlet. The ListStoreCertificates method may be called after setting CertStoreType to cstPKCS11, CertStorePassword to the PIN, and CertStore to the full path of the PKCS#11 DLL. The certificate information returned in the CertList event's CertEncoded parameter may be saved for later use.

When using a certificate, pass the previously saved security key information as the and set to the PIN.

Code Example. SSH Authentication with Security Key: certmgr.CertStoreType = CertStoreTypes.cstPKCS11; certmgr.OnCertList += (s, e) => { secKeyBlob = e.CertEncoded; }; certmgr.CertStore = @"C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"; certmgr.CertStorePassword = "123456"; //PIN certmgr.ListStoreCertificates(); sftp.SSHCert = new Certificate(CertStoreTypes.cstPKCS11, secKeyBlob, "123456", "*"); sftp.SSHUser = "test"; sftp.SSHLogon("myhost", 22);

99 (cstAuto)The store type is automatically detected from the input data. This setting may be used with both public and private keys and can detect any of the supported formats automatically.

Subject
string

This is the subject of the certificate used for client authentication.

This property will be populated with the full subject of the loaded certificate. When loading a certificate the subject is used to locate the certificate in the store.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

FieldMeaning
CNCommon Name. This is commonly a hostname like www.server.com.
OOrganization
OUOrganizational Unit
LLocality
SState
CCountry
EEmail Address

If a field value contains a comma, it must be quoted.

SubjectAltNames
string (read-only)

This property contains comma-separated lists of alternative subject names for the certificate.

ThumbprintMD5
string (read-only)

This property contains the MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

ThumbprintSHA1
string (read-only)

This property contains the SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

ThumbprintSHA256
string (read-only)

This property contains the SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

Usage
string

This property contains the text description of .

This value will be of one or more of the following strings and will be separated by commas:

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

UsageFlags
int

This property contains the flags that show intended use for the certificate. The value of is a combination of the following flags:

0x80Digital Signatures
0x40Key Authentication (Non-Repudiation)
0x20Key Encryption
0x10Data Encryption
0x08Key Agreement
0x04Certificate Signing
0x02Key Signing

Please see the property for a text representation of .

This functionality currently is not available when the provider is OpenSSL.

Version
string (read-only)

This property contains the certificate's version number. The possible values are the strings "V1", "V2", and "V3". 

Constructors


[C#]
public Certificate();

Creates a Certificate instance whose properties can be set. This is useful for use with CERTMGR when generating new certificates.


[C#]
public Certificate(string certificateFile);

Opens CertificateFile and reads out the contents as an X509 public key.


[C#]
public Certificate(byte[] certificateData);

Parses CertificateData as an X509 public key.


[C#]
public Certificate(CertStoreTypes certStoreType, string store, string storePassword, string subject);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).


[C#]
public Certificate(CertStoreTypes certStoreType, string store, string storePassword, string subject, string configurationString);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. ConfigurationString is a newline separated list of name-value pairs that may be used to modify the default behavior. Possible values include "PersistPFXKey", which shows whether or not the PFX key is persisted after performing operations with the private key. This correlates to the PKCS12_NO_PERSIST_KEY CyrptoAPI option. The default value is True (the key is persisted). "Thumbprint" - a MD5, SHA1, or SHA256 thumbprint of the certificate to load. When specified, this value is used to select the certificate in the store. This is applicable to cstUser, cstMachine, cstPublicKeyFile, and cstPFXFile store types. "UseInternalSecurityAPI" shows whether the platform (default) or the internal security API is used when performing certificate-related operations. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).


[C#]
public Certificate(CertStoreTypes certStoreType, string store, string storePassword, byte[] encoded);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will load Encoded as an X509 certificate and search the opened store for a corresponding private key.


[C#]
public Certificate(CertStoreTypes certStoreType, byte[] storeBlob, string storePassword, string subject);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. StoreBlob is a string (binary- or base64-encoded) containing the certificate data. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).


[C#]
public Certificate(CertStoreTypes certStoreType, byte[] storeBlob, string storePassword, string subject, string configurationString);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. StoreBlob is a string (binary- or base64-encoded) containing the certificate data. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X509 certificate's subject Distinguished Name (DN).


[C#]
public Certificate(CertStoreTypes certStoreType, byte[] storeBlob, string storePassword, byte[] encoded);

CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a string (binary- or base64-encoded) containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will load Encoded as an X509 certificate and search the opened store for a corresponding private key.