Export certificate in DER format - I have only the "intended Purposes" name

Hello,
Is it possible to export a certificate in DER format if I have only the “intended Purposes” name?
… in my case the “intended Purposes” name is 100% unique - it is “xxx_All_OS”

ThanX for help and nice greetings
erich

PS: my working import looks like this:

      MyText.Add( '$certPath = "' + cert_pem + '"' );
      MyText.Add( '$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)' );
      MyText.Add( '$cert.Import($certPath)' );
      MyText.Add( '$certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine"' );
      MyText.Add( '$certStore.Open("ReadWrite")' );
      MyText.Add( '$certStore.Add($cert)' );
      MyText.Add( '$certStore.Close()' );

My working OpenSSL config file looks like this:

      MyText.Add( '[req]' );
      MyText.Add( 'default_bits        = 2048' );
      MyText.Add( 'default_md          = sha256' );
      MyText.Add( 'default_days        = 825' );
      MyText.Add( 'encrypt_key         = no' );
      MyText.Add( 'distinguished_name  = subject' );
      MyText.Add( 'req_extensions      = req_ext' );
      MyText.Add( 'x509_extensions     = x509_ext' );
      MyText.Add( 'string_mask         = utf8only' );
      MyText.Add( 'prompt              = no' );
      MyText.Add( '' );
      MyText.Add( '[subject]' );
      MyText.Add( 'countryName                 = AT' );
      MyText.Add( 'stateOrProvinceName         = Salzburg' );
      MyText.Add( 'localityName                = xxx' );
      MyText.Add( 'organizationName            = xxx_All_OS' );
      MyText.Add( 'OU                          = xxx_All_OS' );
      MyText.Add( 'commonName                  = xxx_All_OS' );
      MyText.Add( 'emailAddress                = xxx_All_OS' );
      MyText.Add( '' );
      MyText.Add( '[x509_ext]' );
      MyText.Add( 'subjectKeyIdentifier      = hash' );
      MyText.Add( 'authorityKeyIdentifier    = keyid:always,issuer' );
      MyText.Add( 'basicConstraints          = critical, CA:TRUE' );
      MyText.Add( 'keyUsage                  = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign' );
      MyText.Add( 'subjectAltName            = @alt_names' );
      MyText.Add( 'extendedKeyUsage          = serverAuth' );
      MyText.Add( '' );
      MyText.Add( '[req_ext]' );
      MyText.Add( 'subjectKeyIdentifier        = hash' );
      MyText.Add( 'basicConstraints            = CA:FALSE' );
      MyText.Add( 'keyUsage                    = digitalSignature, keyEncipherment' );
      MyText.Add( 'subjectAltName              = @alt_names' );
      MyText.Add( 'nsComment                   = "xxx_All_OS"' );
      MyText.Add( '' );
      MyText.Add( '[alt_names]' );
      MyText.Add( 'IP.1 = ' + edIPAdress.Text );
      MyText.SaveToFile( Dossier + '\san.cnf' );

Hi, welcome to the forum :wave:

Firstly, when posting code in the forum, please can you use the preformatted text </> button. It really helps us with readability, and copying and pasting your code (we don’t have to faff about replacing curly quote marks to get things working). If you can’t see the </> in your toolbar, you will find it under the gear icon.

How to format code on PowerShell.org

Possibly a miscommunication, but I doubt you’re uniquely setting ‘intended purposes’ to a unique name. Your unique name is surely the Common Name or listed in the SAN?

Knowing the common name, you can use Get-ChildItem and recursively search the CERT:\ drive (assuming you don’t know where the certificate is, otherwise just specify the path).

Export-Certificate exports as DER encoded by default.

$CertificateName = 'TestCer1'
$Certificate = Get-ChildItem 'CERT:\' -Recurse | 
    Where-Object {$_.Subject -eq "CN=$CertificateName"}
Export-Certificate -Cert $Certificate -FilePath "E:\Temp\Files\$CertificateName.cer"

Hello and sorry for the missing </> … I have revised the illustration

Thank you for the “Certificate exports as DER” code.

Nice greetings
Erich

I can’t manage to export the certificate via PowerShell.

The command

$Certificate = Get-ChildItem 'CERT:\' -Recurse | where-Object {$_.SubjectName -eq "UNIGUI_All_OS"}
Export-Certificate -Cert $Certificate -FilePath 'c:\exportiertes_zertifikat\test.cer'

results in the error: InvalidData: () [Export-Certificate], ParameterBindingValidationException

It looks like the variable $Certificate is always NULL - no matter what I try

I started PowerShell as admin (I also tried set-executionpolicy unrestricted).
I tried the binding with -eq and with -like …

I have created a screenshot.
The certificate is located in “Trusted Root Certification Authorities/Certificates”.
If I display all certificates in PowerShell (Get-ChildItem Cert:\ -Recurse), I can see it.

Does anyone have an idea why it does not work?
Many thanks for any hints
Erich

That’s looking for an exact match. If you look at the Subject property of your certificate, you can see that it’s completely different.

If the ‘UNIGUI_All_OS’ is unique, then use -like if you want to keep it short:

Where-Object {$_.SubjectName -like "E=UNIGUI_All_OS*"}

Or maybe use the FriendlyName instead.

Where-Object {$_.FriendlyName -eq "UNIGUI_All_OS"}
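Putting the two replies together (search the store by a unique subject fragment or FriendlyName, then export DER), here is an added example that is not code from the thread: it looks only in the store the question imported into (Cert:\LocalMachine\Root), refuses to call Export-Certificate when the match is missing or ambiguous (the cause of the ParameterBindingValidationException above), and checks that the written file really is DER. The search string and output path are placeholders.

```powershell
# Added example, not from the thread. Assumed placeholders: $Needle and $OutFile.
param(
    [string]$Needle  = 'UNIGUI_All_OS',                 # unique text in Subject or FriendlyName
    [string]$OutFile = 'C:\export\UNIGUI_All_OS.cer'
)

# The cert was imported into Root/LocalMachine, i.e. the machine trust-anchor store,
# so search only there instead of the whole Cert:\ drive.
$found = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { $_.Subject -like "*$Needle*" -or $_.FriendlyName -eq $Needle }

# -Cert is mandatory: binding $null raises the ParameterBindingValidationException
# seen in the thread, so fail early with a readable message instead.
if (-not $found) {
    throw "No certificate matching '$Needle' found in Cert:\LocalMachine\Root."
}
if (@($found).Count -gt 1) {
    $found | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-String | Write-Host
    throw "'$Needle' is not unique; select the certificate by Thumbprint instead."
}
$cert = @($found)[0]

# -Type CERT (the default) writes a single DER-encoded X.509 certificate.
$null = New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# Sanity check: DER begins with 0x30 (ASN.1 SEQUENCE); PEM would begin with "-----BEGIN".
$firstByte = [System.IO.File]::ReadAllBytes($OutFile)[0]
if ($firstByte -ne 0x30) {
    throw ("Export is not DER encoded (first byte 0x{0:X2})" -f $firstByte)
}

# Confirm the file parses and is the same certificate that was selected.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch after export.' }
"Exported $($cert.Subject) ($($cert.Thumbprint)) to $OutFile"
```

Because the subject from the question's OpenSSL config includes an emailAddress, $cert.Subject renders as "E=UNIGUI_All_OS, CN=..., ..." on Windows, which is why the -like wildcard match is used rather than -eq.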