Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Script to generate ca-cert.crt file based on the Windows Certificate store
# This script can be used to generate a ca-cert.crt file that can be used by
# Unix-based utilities like curl, git, ...
#
# It allows you to synchronize the root certificates (CA) based on the
# certificates installed in your Windows certification stores. You can also
# get a list from Mozilla, but I think it's convenient to have the same CA
# certificates in all tools.
#
# Some examples on how to use this script:
#
# CreateCaCert.ps1 -StoreLocation CurrentUser
# CreateCaCert.ps1 -StoreLocation LocalMachine | Out-File -Encoding utf8 ca-cert.crt
#
# Written by Ramon de Klein <mail@ramondeklein.nl>
[CmdletBinding()]
Param(
[ValidateSet(
[System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser,
[System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)]
[string]
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
)
$maxLineLength = 77
# Open the store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ([System.Security.Cryptography.X509Certificates.StoreName]::AuthRoot, $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly);
# Write header
Write-Output "# Root certificates ($StoreLocation) generated at $(Get-Date)"
# Write all certificates
Foreach ($certificate in $store.Certificates)
{
# Start with an empty line
Write-Output ""
# Convert the certificate to a BASE64 encoded string
$certString = [Convert]::ToBase64String($certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert));
# Write the actual certificate
Write-Output "# Friendly name: $($certificate.FriendlyName)"
Write-Output "# Issuer: $($certificate.Issuer)"
Write-Output "# Expiration: $($certificate.GetExpirationDateString())"
Write-Output "# Serial: $($certificate.SerialNumber)"
Write-Output "# Thumbprint: $($certificate.Thumbprint)"
Write-Output "-----BEGIN CERTIFICATE-----"
For ($i = 0; $i -lt $certString.Length; $i += $maxLineLength)
{
Write-Output $certString.Substring($i, [Math]::Min($maxLineLength, $certString.Length - $i))
}
Write-Output "-----END CERTIFICATE-----"
}
@malcolmsearle

This comment has been minimized.

Copy link

@malcolmsearle malcolmsearle commented Jan 25, 2021

Thanks for this, very helpful,

I had a need to query different store names so I added a parameter called StoreName:

[System.Security.Cryptography.X509Certificates.StoreName]
$StoreName = "AuthRoot"

and then I changed line 28 to:

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ([System.Security.Cryptography.X509Certificates.StoreName]::$StoreName, $StoreLocation)

Then I could find certificates in CertificateAuthority which is where my organization stores its own certs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment