How to copy the certificate with PowerShell Core

Source code

Introduction

In this post I’d like to describe a PowerShell script which copies a certificate from one certificate store to another. I created this script to reproduce the result of the dotnet dev-certs https --trust command, but in unattended mode. It could also be used for other automation tasks.

Background

The solution uses PowerShell 7.1.4.

Solution

Here is the listing of the script copy-certificate.ps1:

param (
    # certificate name
    [Parameter(Mandatory = $true, Position = 0)]
    [string]$CertificateName,

    # source store location, could be local or remote computer
    [Parameter(Mandatory = $false)]
    [string]$SourceStoreLocation = 'CurrentUser',

    # source store name
    [Parameter(Mandatory = $false)]
    [string]$SourceStoreName = 'My',

    # target store location, could be local or remote computer
    [Parameter(Mandatory = $false)]
    [string]$TargetStoreLocation = 'LocalMachine',

    # target store name
    [Parameter(Mandatory = $false)]
    [string]$TargetStoreName = 'Root'
)

# get the certificate from the source store
$Path = "cert:\$($SourceStoreLocation)\$($SourceStoreName)";
$Certificate = `
    Get-ChildItem -Path $Path -Recurse | `
    Where-Object { $_.FriendlyName -like $CertificateName };
if ((-not $?) -or ($null -eq $Certificate)) {
    Write-Error "Certificate '$CertificateName' is not found";
    # non-zero exit code so that an unattended caller can detect the failure
    exit 1;
}
else {
    Write-Verbose "Got certificate, thumbprint=$($Certificate.Thumbprint)";
}

# open the target certificate store
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList $TargetStoreName, $TargetStoreLocation;
$CertStore.Open('ReadWrite');
# another way to get the same certificate store
# $StoreName = "cert:\$($TargetStoreLocation)\$($TargetStoreName)";
# $CertStore = Get-Item $StoreName
# $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if ((-not $?) -or ($null -eq $CertStore)) {
    Write-Error 'Certificate store is not opened';
    exit 1;
}
else {
    Write-Verbose 'Certificate store is opened';
}
# add the certificate; capture the result of Add itself, because Close would overwrite $?
$CertStore.Add($Certificate);
$Added = $?;
$CertStore.Close();
if (-not $Added) {
    Write-Error 'Certificate was not added';
    exit 1;
}
else {
    Write-Host "Certificate '$CertificateName' is added to the store 'cert:\$($TargetStoreLocation)\$($TargetStoreName)'" -ForegroundColor Blue;
}

The script gets the certificate by its name from the source store, opens the target certificate store and adds the obtained certificate to it.

Following these steps, the certificate is obtained from the source store at lines 24-27, where the certificate name, the store location and the store name come from the parameters. The parameters could be wrong or the certificate could be missing, so the result is checked for null.

The script tries to open the target certificate store at lines 37-39. Note that this operation requires administrative privileges when the TargetStoreLocation parameter equals LocalMachine or a remote computer’s name. If the TargetStoreLocation parameter equals CurrentUser, the script can run with ordinary user privileges. Another way to get the same certificate store is shown, commented out, at lines 40-43.

If the certificate is found and the target certificate store is opened successfully, the certificate is added to the store at lines 51-52.

Also, as mentioned in the introduction, this script could be used to implement the dotnet dev-certs https --trust command. Following the discussion above, the script copy-certificate.example.ps1 calls copy-certificate.ps1 to copy the certificate named ASP.NET Core HTTPS development certificate from the user’s Personal store to the local machine’s Trusted Root Certification Authorities store.

$CertificateName = 'ASP.NET Core HTTPS development certificate';

.\copy-certificate.ps1 `
    $CertificateName `
    -SourceStoreLocation 'CurrentUser' `
    -SourceStoreName 'My' `
    -TargetStoreLocation 'LocalMachine' `
    -TargetStoreName 'Root' `
    -Verbose;
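Adding a certificate to the local machine’s Trusted Root store makes it a trust anchor for every user and service on the host, so an unattended run should verify what it is about to trust. The following is an added example, not part of the original post or of copy-certificate.ps1: it pins the expected thumbprint, refuses ambiguous name matches, accepts only self-signed and unexpired certificates for the Root store, and skips certificates already present. The ExpectedThumbprint parameter is an assumption, and the script assumes Windows, where the cert: drive is available.

```powershell
param (
    [Parameter(Mandatory = $true)]
    [string]$CertificateName,
    # SHA-1 thumbprint the certificate must have (assumed parameter; take the value from a trusted record)
    [Parameter(Mandatory = $true)]
    [string]$ExpectedThumbprint,
    [string]$SourceStoreLocation = 'CurrentUser',
    [string]$SourceStoreName = 'My',
    [string]$TargetStoreLocation = 'LocalMachine',
    [string]$TargetStoreName = 'Root'
)
# every failure below is terminating, so an unattended run ends with a non-zero exit code
$ErrorActionPreference = 'Stop';

# exact name match; refuse to continue when zero or several certificates match
$Candidates = @(Get-ChildItem -Path "cert:\$SourceStoreLocation\$SourceStoreName" |
    Where-Object { $_.FriendlyName -eq $CertificateName });
if ($Candidates.Count -ne 1) {
    throw "Expected exactly one certificate named '$CertificateName', found $($Candidates.Count)";
}
$Certificate = $Candidates[0];

# pin the thumbprint so a renamed or substituted certificate is never trusted
$Expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant();
if ($Certificate.Thumbprint -ne $Expected) {
    throw "Thumbprint mismatch: got $($Certificate.Thumbprint), expected $Expected";
}
# a Root store entry must be self-signed and not expired
if ($TargetStoreName -eq 'Root' -and $Certificate.Subject -ne $Certificate.Issuer) {
    throw "Certificate '$CertificateName' is not self-signed; refusing to add it to Root";
}
if ($Certificate.NotAfter -lt (Get-Date)) {
    throw "Certificate '$CertificateName' expired on $($Certificate.NotAfter)";
}
# make repeated runs idempotent: the cert: provider addresses entries by thumbprint
$TargetPath = "cert:\$TargetStoreLocation\$TargetStoreName\$($Certificate.Thumbprint)";
if (Test-Path -Path $TargetPath) {
    Write-Host "Certificate $($Certificate.Thumbprint) is already present at $TargetPath";
    return;
}
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $TargetStoreName, $TargetStoreLocation;
try {
    $CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite);
    $CertStore.Add($Certificate);
    Write-Host "Certificate $($Certificate.Thumbprint) is added to cert:\$TargetStoreLocation\$TargetStoreName";
}
finally {
    $CertStore.Close();
}
```

Run it from an elevated session with the thumbprint taken from the original source of the certificate (for example, the output of dotnet dev-certs https --check), not from the store being verified.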

1. All used IP-addresses, names of servers, workstations, domains, are fictional and are used exclusively as a demonstration only.
2. Information is provided «AS IS».
