Export certificate using Base 64 .CER format with PowerShell ?

  • Question

  • How do I export a certificate using Base 64 .CER format with PowerShell ?

    The Export-Certificate cmdlet has a 'Type' parameter with a P7B value, but I'm not sure if that's the same as selecting the 'Base-64 encoded X.509 (.CER)' radio button in the 'Certificate Export Wizard' using the GUI (see screenshot below)




    Monday, September 19, 2016 8:51 PM

All replies

  • 1) Change to the store where the certificate exists

    CD cert:\localmachine\my    (computer cert)   or cd cert:\currentuser\my    (user cert)

    2) Do a dir and copy the thumbprint of the certificate to the clipboard

    3) Run export-Certificate -filepath D:\Backups\Cert.cer -cert ThumbPrint -type CERT  -NoClobber 

    But, this is a DER encoded certificate (export-certificate does not go directly to base64)

    4) Run  certutil -encode cert.cer base64cert.cer in the d:\Backups folder 

    Brian


    • Edited by Brian Komar [MVP] Tuesday, September 20, 2016 4:37 AM missed a step
    • Marked as answer by Mario Alvares Thursday, September 22, 2016 3:36 AM
    Tuesday, September 20, 2016 4:34 AM
  • Set-Content -Path $path -Value ([convert]::tobase64string((get-item cert:\currentuser\my\$CertThumbprint).RawData)) -Encoding Ascii


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.


    Tuesday, September 20, 2016 4:50 PM
  • Thanks Brian and Vadims.

    Vadims - I also came across the following code snippet, very similar to what you posted:

    ---------------------------------------------------------------------------

    $cert = Get-Item -Path Cert:\LocalMachine\CA\D559A586669B08F46A30A133F8A9ED3D038E2EA8
    $certFile = 'C:\My\exported.cer'

    $content = @(
        '-----BEGIN CERTIFICATE-----'
        [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
        '-----END CERTIFICATE-----'
    )

    $content | Out-File -FilePath $certFile -Encoding ascii

    ---------------------------------------------------------------------------

    Do you know if the BEGIN / END CERTIFICATE, and InsertLineBreaks are strictly necessary ?

    Thanks,

    Mario

    Thursday, September 22, 2016 3:39 AM
  • Hi Mario,

    Per my understanding, the cmdlet provided by Vadims and the code you posted are essentially the same, as within the cmdlet “-Value [convert]::tobase64string” achieves the same goal as the section [System.Convert]::ToBase64String in the code, which converts an array of 8-bit unsigned integers to its equivalent string representation that is encoded with base-64 digits.

    In addition, the InsertLineBreaks part specifies whether to insert line breaks in the return value.

    More information for you:

    Convert.ToBase64String Method (Byte[], Base64FormattingOptions)

    https://msdn.microsoft.com/en-us/library/8f9a8s97(v=vs.110).aspx

    If further assistance is required regarding PowerShell, here is a dedicated PowerShell forum below for you:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell

    Best Regards,

    Amy



    Thursday, September 22, 2016 9:34 AM
  • Hi Amy,

    The specific question I had was  - Do you know if the BEGIN / END CERTIFICATE, and InsertLineBreaks are strictly necessary for the certificate that is output to be considered a valid cert in Base 64 format ?

    Thanks,

    Mario
    Friday, September 23, 2016 10:16 PM
  • Do you know if the BEGIN / END CERTIFICATE, and InsertLineBreaks are strictly necessary ?

    They are not required, but generally are recommended. They are just informative headers and are not part of the encoded object.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Proposed as answer by Amy Wang_ Monday, September 26, 2016 2:14 AM
    • Marked as answer by Amy Wang_ Tuesday, October 11, 2016 4:08 PM
    Saturday, September 24, 2016 5:02 PM
  • Thanks Vadims.

    I noticed that exporting to Base64 format using both 'certutil -encode' and the MMC Certificate GUI adds the 'BEGIN/END CERTIFICATE' tags, and adds line breaks after 65 characters. And the ToBase64String InsertLineBreaks parameter adds line breaks after 76 characters, and the 'BEGIN/END CERTIFICATE' tags need to be hand-coded, if you want them.

    I know the line breaks shouldn't matter, but just to retain compatibility with the native Windows way in which Base64 certificates are exported, I ended up using the following:

    $cert = Get-ChildItem Cert:\LocalMachine\My | where { $_.Subject -imatch 'mydomain\.com' }
    $DERCert    = 'C:\Cert_DER_Encoded.cer'
    $Base64Cert = 'C:\Cert_Base64_Encoded.cer' 
    Export-Certificate -Cert $cert -FilePath $DERCert
    Start-Process -FilePath 'certutil.exe' -ArgumentList "-encode $DERCert $Base64Cert" -WindowStyle Hidden

    Thanks to Brian K and you for your help.

    Regards,

    Mario


    Sunday, September 25, 2016 6:29 PM
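
A pure-PowerShell version of the export discussed in this thread, as an added example that is not part of the original posts: it writes the certificate with BEGIN/END headers and 64-character lines (the width RFC 7468 specifies for PEM), then decodes the file again and compares thumbprints. The function name `Export-CertificateBase64`, its parameters and the output path are hypothetical, and the usage lines assume at least one certificate exists in the current user's store.

```powershell
# Added example (not from the thread): Base-64 .cer export without calling certutil.
function Export-CertificateBase64 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$FilePath,
        [int]$LineLength = 64,   # InsertLineBreaks would wrap at 76 instead
        [switch]$NoClobber       # refuse to overwrite, like Export-Certificate -NoClobber
    )

    if ($NoClobber -and (Test-Path -LiteralPath $FilePath)) {
        throw "File already exists: $FilePath"
    }

    # RawData is the DER encoding of the certificate only; no private key is included.
    $b64 = [Convert]::ToBase64String($Certificate.RawData)

    # Wrap the Base-64 text at a fixed width.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += $LineLength) {
        $b64.Substring($i, [Math]::Min($LineLength, $b64.Length - $i))
    }

    $pem = @('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----'
    Set-Content -LiteralPath $FilePath -Value $pem -Encoding Ascii

    # Round-trip check: drop the header lines, decode, and compare thumbprints.
    $body = (Get-Content -LiteralPath $FilePath |
        Where-Object { $_ -notmatch '^-----' }) -join ''
    $decoded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($body))
    if ($decoded.Thumbprint -ne $Certificate.Thumbprint) {
        throw "Round-trip mismatch: $($decoded.Thumbprint) vs $($Certificate.Thumbprint)"
    }

    Get-Item -LiteralPath $FilePath
}

# Usage (assumption: the current user's store holds at least one certificate).
$cert = Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1
Export-CertificateBase64 -Certificate $cert -FilePath "$env:TEMP\exported.cer" -NoClobber
```

The thumbprint is a hash of the DER bytes, so a match confirms that the headers and line wrapping did not alter the encoded certificate.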