get AD User Object cert in remote session

by davetechsearch at 2013-04-02 11:37:06

Is there a way to ‘see’ the Certificate(s) in the AD User Object container in a remote session (for the user that initiated the session)?

(gci cert]

This errors out when running the cmd:
The system cannot open the device or file specified.
+ CategoryInfo :
+ FullyQualifiedErrorId : System.Security.Cryptography.CryptographicException,Microsoft.PowerShell.Commands.GetChildItemCommand
by coderaven at 2013-04-02 11:51:15
There are a few different ways to get that information noted here

If you have remoting enabled, it is pretty easy, if not, I liked this solution:

function Get-Cert( $computer=$env:computername ){
    # Open the remote machine's Root store read-only using the "\\computer\store" path syntax
    $ro=[System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
    $lm=[System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
    # Note the doubled backslash: a single "\" yields "\computer\root", which is not a valid remote store path
    $store=new-object System.Security.Cryptography.X509Certificates.X509Store("\\$computer\root",$lm)
    $store.Open($ro)
    $store.Certificates
}

# List the certificates in the remote Root store that have already expired
Get-Cert "REMOTECOMPUTER"| ?{$_.NotAfter -lt (Get-Date)} | format-list -property PSPath,FriendlyName,NotAfter


The code needs a little cleanup and I have not tested it. Let me know how it goes.
by davetechsearch at 2013-04-02 12:05:28
I’ll give that a try with what I’m trying to do… I should probably provide more detail:

1. I remote to a machine
2. I attempt to list the certificates in UserDS (for the remoting user) while in the remote session
3. Getting a listing of the contents of this container errors out. Listing other containers under \CurrentUser\ works just fine.
by davetechsearch at 2013-04-02 12:14:29
This is what I am running… runs fine locally, but still errors out at — "$store.open($ro)" — when in the remote session.


# Open the CurrentUser\UserDS (Active Directory User Object) store read-only and list its certificates
$ro = [system.security.cryptography.x509certificates.openflags]"ReadOnly"
$cu = [system.security.cryptography.x509certificates.storelocation]"CurrentUser"
$store = new-object system.security.cryptography.x509certificates.x509store("userds",$cu)
$store.open($ro)
$store.certificates


Exception calling "Open" with "1" argument(s): "The system cannot open the device or file specified."
At line:1 char:12
+ $store.open <<<< ($ro)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

As for my original intention… I was hoping to encrypt some data locally (encryption and decryption work fine locally), send it over the wire to its destination and decrypt it at the other end for use. I was hoping to use the thumbprint from the UserDS container to perform the encryption/decryption.
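Added example, not code from the thread: a probe that opens several CurrentUser stores read-only, catches the Open failure instead of stopping, and runs the same probe locally and through Invoke-Command so the UserDS result can be compared with stores that do open. REMOTECOMPUTER, the store list and the function name are this example's own choices; whether a remote-only failure comes from the remoting "second hop" (the session's network token cannot reach the directory on the user's behalf) is an assumption to verify, not something the thread establishes.

```powershell
function Test-CertStore {
    # Open one certificate store read-only and report whether it opened, how many
    # certificates it holds and, on failure, the underlying error message.
    param(
        [Parameter(Mandatory = $true)][string]$StoreName,
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location = 'CurrentUser'
    )
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
             [System.Security.Cryptography.X509Certificates.OpenFlags]::OpenExistingOnly
    $store  = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $result = New-Object PSObject -Property @{
        Store = "$Location\$StoreName"; Opened = $false; Count = 0; Thumbprints = @(); Error = $null
    }
    try {
        $store.Open($flags)
        $result.Opened      = $true
        $result.Count       = $store.Certificates.Count
        $result.Thumbprints = @($store.Certificates | ForEach-Object { $_.Thumbprint })
    }
    catch {
        # .NET method errors arrive wrapped in MethodInvocationException;
        # GetBaseException() returns the CryptographicException the thread shows
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $store.Close()
    }
    $result
}

# Probe the same stores locally and inside a remoting session. UserDS is the
# "Active Directory User Object" container; REMOTECOMPUTER is a placeholder.
$stores     = 'My', 'Root', 'UserDS'
$definition = ${function:Test-CertStore}.ToString()
$local  = $stores | ForEach-Object { Test-CertStore -StoreName $_ }
$remote = Invoke-Command -ComputerName REMOTECOMPUTER -ArgumentList $definition, $stores -ScriptBlock {
    param($definition, $names)
    $probe = [scriptblock]::Create($definition)     # re-create the function in the remote runspace
    $names | ForEach-Object { & $probe -StoreName $_ }
}
$local  | Format-Table Store, Opened, Count, Error -AutoSize
$remote | Format-Table Store, Opened, Count, Error -AutoSize
```

If My and Root open remotely while UserDS alone returns the "cannot open the device or file specified" message, the failure is specific to the directory-backed store rather than to the remote session as a whole, which narrows what to investigate.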