Certificate Management
Managing certificates in Windows for Linux/WSL integration. Export corporate CA certs, fix SSL inspection issues, bridge trust stores.
Certificate Store Architecture
Windows organises certificates in a hierarchy of stores (a context such as LocalMachine or CurrentUser, then a store name such as Root or My); PowerShell exposes that hierarchy as the Cert: PSDrive.
Store Contexts
| Context | Description |
|---|---|
| LocalMachine | System-wide certificates. Accessible to all users and services. Requires admin rights to modify. |
| CurrentUser | Per-user certificates. Only accessible to the logged-in user. |
Store Locations
| Store | Path | Purpose |
|---|---|---|
| Root | Cert:\LocalMachine\Root | Trusted Root CAs (system-wide) |
| CA | Cert:\LocalMachine\CA | Intermediate CAs |
| My | Cert:\LocalMachine\My | Machine certificates (computer identity) |
| CurrentUser\Root | Cert:\CurrentUser\Root | User trusted roots |
| CurrentUser\My | Cert:\CurrentUser\My | User personal certificates |
PowerShell Certificate Operations
Navigate Certificate Store
```powershell
# List all store locations
Get-ChildItem Cert:\ | Format-Table Name, Location

# Explore specific context
Get-ChildItem Cert:\LocalMachine | Format-Table Name

# Count certificates per store
Get-ChildItem Cert:\LocalMachine | ForEach-Object {
    [PSCustomObject]@{
        Store = $_.Name
        Count = @(Get-ChildItem $_.PSPath).Count
    }
} | Format-Table
```
List Certificates
```powershell
# All root CAs with expiration
Get-ChildItem Cert:\LocalMachine\Root |
    Sort-Object NotAfter |
    Format-Table Subject, Thumbprint, NotAfter

# Only show certs expiring within 90 days
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) } |
    Format-Table Subject, NotAfter
```
Find Specific Certificate
```powershell
# By subject pattern
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Umbrella" }

# By thumbprint (exact match)
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq "ABC123..." }

# By issuer
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -match "DigiCert" }

# Corporate/proxy CAs (SSL inspection)
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -match "Umbrella|Zscaler|Palo Alto|Fortinet|BlueCoat|Corporate|Proxy"
}
```
View Certificate Details
```powershell
# Full details for specific cert
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "Umbrella" } |
    Format-List *

# Key properties only
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "Umbrella" } |
    Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint,
                  SerialNumber, SignatureAlgorithm

# Check certificate chain ($true if the chain builds to a trusted root)
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "Umbrella" } |
    ForEach-Object { $_.Verify() }
```
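`Verify()` only answers `$true` or `$false`. The function below is an added example (not code from the original page) that uses the same .NET chain engine, `X509Chain`, to report why a chain fails (`NotTimeValid`, `UntrustedRoot`, `PartialChain`, ...) and to flag self-signed entries, which is how a proxy's SSL-inspection CA usually shows up in the Root store. Revocation checking defaults to `NoCheck` here, an assumption made because online CRL/OCSP lookups are slow or blocked behind exactly the kind of intercepting proxy this page is about; pass `-RevocationMode Online` to check it.

```powershell
# Added example: detailed chain verification for certificates in any Cert: store.
# Not part of the original page. Works on Windows PowerShell 5.1 and PowerShell 7.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumption: offline by default; CRL/OCSP lookups often fail behind an inspecting proxy
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'NoCheck'
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $RevocationMode

        # Build() is what Verify() calls internally, but it keeps the chain and status details
        $trusted = $chain.Build($Certificate)

        [PSCustomObject]@{
            Subject       = $Certificate.GetNameInfo('SimpleName', $false)
            Thumbprint    = $Certificate.Thumbprint
            Trusted       = $trusted
            # A self-signed cert is its own issuer: expected for a root CA, suspicious elsewhere
            SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
            ChainLength   = $chain.ChainElements.Count
            # Empty when trusted; otherwise the reason(s), e.g. NotTimeValid, UntrustedRoot
            Status        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            ExpiresInDays = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
        }

        $chain.Reset()
    }
}

# Usage: audit the whole machine Root store in one table
Get-ChildItem Cert:\LocalMachine\Root | Test-CertificateChain | Format-Table -AutoSize

# Usage: only the entries that do not verify, with the reason
Get-ChildItem Cert:\LocalMachine\Root | Test-CertificateChain |
    Where-Object { -not $_.Trusted } |
    Format-Table Subject, Status, ExpiresInDays
```

Because the chain is built with the current user's trust settings, a certificate can verify on the Windows side and still be rejected inside WSL; the `Status` column tells you whether the Windows side is already unhappy (expired, untrusted root) before you export anything.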
Export Certificate to File
```powershell
# Export to DER format (.cer)
# Select-Object -First 1 guards against the pattern matching more than one cert,
# which Export-Certificate -Cert does not accept
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Umbrella" } | Select-Object -First 1
Export-Certificate -Cert $cert -FilePath "C:\temp\umbrella-ca.cer" -Type CERT

# Export to PEM format (for Linux)
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match "Umbrella" } | Select-Object -First 1
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----`n"
# InsertLineBreaks uses CRLF line endings; normalise to LF so Linux tools get a clean PEM file
$pem = $pem -replace "`r`n", "`n"
[System.IO.File]::WriteAllText("C:\temp\umbrella-ca.crt", $pem)

# Export with private key (requires exportable key)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match "MyMachine" } | Select-Object -First 1
$password = ConvertTo-SecureString -String "ExportPassword123!" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\temp\machine.pfx" -Password $password
```
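The PEM snippet above exports one certificate. The following added example (not code from the original page) generalises it into the bridge the page's summary describes: every root CA matching the proxy/inspection name list is written as a PEM file and installed into a WSL distribution's trust store. It assumes, as stated in the code, a distribution named `Ubuntu` that is Debian/Ubuntu-based (trust store at `/usr/local/share/ca-certificates`, rebuilt by `update-ca-certificates`) and the default `/mnt/c` automount; the function names `ConvertTo-Pem` and `Export-RootCAsToWsl` and the staging directory `C:\temp\wsl-ca` are this example's own choices.

```powershell
# Added example, not code from the original page.
# Assumptions (not stated on the page): WSL distro "Ubuntu", Debian/Ubuntu-style
# trust store (/usr/local/share/ca-certificates + update-ca-certificates), and the
# staging directory reachable inside WSL through the default /mnt/c automount.

function ConvertTo-Pem {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 64-character Base64 lines with LF endings: the form Linux tools expect
    $b64   = [Convert]::ToBase64String($Certificate.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
}

function Export-RootCAsToWsl {
    param(
        # Same proxy/inspection CA name list the page uses under Find Specific Certificate
        [string]$Pattern    = 'Umbrella|Zscaler|Palo Alto|Fortinet|BlueCoat|Corporate|Proxy',
        [string]$StagingDir = 'C:\temp\wsl-ca',   # assumption: any local dir under C:\ works
        [string]$Distro     = 'Ubuntu'            # assumption: see header comment
    )
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    $exported = @()

    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -match $Pattern })) {
        # File name from the CN (sanitised), falling back to the thumbprint;
        # update-ca-certificates only picks up files whose name ends in .crt
        $name = $cert.GetNameInfo('SimpleName', $false) -replace '[^A-Za-z0-9._-]', '_'
        if (-not $name) { $name = $cert.Thumbprint }
        $file = Join-Path $StagingDir "$name.crt"

        # UTF8Encoding($false) writes no BOM; a BOM in front of "-----BEGIN" breaks PEM parsing
        [System.IO.File]::WriteAllText($file, (ConvertTo-Pem -Certificate $cert),
                                       [System.Text.UTF8Encoding]::new($false))
        $exported += $file
    }

    if ($exported.Count -eq 0) {
        Write-Warning "No certificates in Cert:\LocalMachine\Root matched '$Pattern'"
        return
    }

    # Translate the Windows path to its /mnt/c form, then copy the files and rebuild
    # the bundle as root inside the distro (the trust store is root-owned)
    $linuxDir = (wsl.exe -d $Distro wslpath -a $StagingDir).Trim()
    wsl.exe -d $Distro -u root -- sh -c "cp '$linuxDir'/*.crt /usr/local/share/ca-certificates/ && update-ca-certificates"

    return $exported
}

# Usage: export every matching proxy CA and install it into WSL
Export-RootCAsToWsl | ForEach-Object { "exported $_" }
```

The export only touches the Root store, so intermediates in `Cert:\LocalMachine\CA` are deliberately left out: an inspection proxy sends its intermediate in the TLS handshake, and putting intermediates into a trust store makes them trust anchors, which is more than needed. Check the result from inside the distro with `update-ca-certificates` reporting the number of certificates added and, for a host behind the proxy, `openssl s_client -connect host:443` showing `Verify return code: 0`.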
Import Certificate
```powershell
# Import to Root store (requires admin)
Import-Certificate -FilePath "C:\temp\new-ca.cer" -CertStoreLocation Cert:\LocalMachine\Root

# Import PFX with private key
$password = ConvertTo-SecureString -String "ImportPassword123!" -Force -AsPlainText
Import-PfxCertificate -FilePath "C:\temp\machine.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $password

# Import to user store (no admin required)
Import-Certificate -FilePath "C:\temp\new-ca.cer" -CertStoreLocation Cert:\CurrentUser\Root
```
Delete Certificate
```powershell
# Remove by thumbprint (safest method)
$thumbprint = "ABC123..."
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumbprint } |
    Remove-Item

# Remove by pattern (DANGEROUS - verify first!)
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "OldCA" } |
    Remove-Item -WhatIf   # Remove -WhatIf after verification
```
certutil Operations
The certutil command-line tool provides additional certificate management capabilities.
View Certificate File
```powershell
# Decode and display certificate
certutil -dump "C:\temp\certificate.cer"

# Verify certificate chain
certutil -verify "C:\temp\certificate.cer"

# Display only key information
certutil -dump "C:\temp\certificate.cer" | Select-String -Pattern "Subject:|Issuer:|NotBefore:|NotAfter:|Thumbprint"
```
Quick Reference
Common Certificate Tasks
| Task | Command |
|---|---|
| List all root CAs | `Get-ChildItem Cert:\LocalMachine\Root` |
| Find by name | `Get-ChildItem Cert:\LocalMachine\Root \| Where-Object { $_.Subject -match "Name" }` |
| Export to PEM | See Export to PEM under Export Certificate to File |
| Check expiration | `Get-ChildItem Cert:\LocalMachine\Root \| Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) }` |
| Verify chain | `certutil -verify "C:\temp\certificate.cer"` |
Guides
- WSL Trust Store Integration - Export Windows certs to WSL
- Corporate Proxy SSL Fix - Cisco Umbrella, Zscaler, etc.
- Certificate Store Deep Dive - Advanced Cert: provider usage