Persisting a Pure1 Certificate created by PowerShell

In a previous post I talk about how to easily create the private/public key needed for Pure1:

So when I create a certificate in PowerShell I store the reference in an object, in the below case the object is called $cert:

But if I close that PowerShell window the object is removed. What happens to that certificate? What if I want to re-use it? Good question.

There are a couple of options.

Default Location

The default behavior of this cmdlet is to store the certificate in your personal certificate store. You can open the Windows Certificate Manager UI by running certmgr in PowerShell

The certificate that gets created is issued to and by PureOneCert.

So if you want to pull it up in a subsequent PowerShell session, just run:

$certs = Get-ChildItem -Path cert:\CurrentUser\My 
$cert =  $certs | Where-Object {$_.Subject -eq "CN=PureOneCert"}

Exporting the Certificate

Alternatively, you might want to use the certificate on another server (or simply back it up). This is most easily achieved by exporting it. Enter in a password to enable exporting the private key as well:

$certLocation = "C:\Users\Cody Hosterman\Certificates\PureOneCert.cer"

Export-PfxCertificate -FilePath $certLocation -Cert $cert -password (read-host "Enter a password for the private key" -AsSecureString)

You will see it now in the supplied directory:

Then next time you want to use it on a different machine (or the original was deleted), you can import it back into the certificate manager and store it.

$certStore = "cert:\currentuser\my"
$certLocation = "C:\Users\Cody Hosterman\Certificates\PureOneCert.cer"

$cert = Import-PfxCertificate -FilePath $certLocation -CertStoreLocation $certStore -password (read-host "Enter the private key password" -AsSecureString)

Using a Non-Default Certificate Store

As mentioned before, the default behavior of the cmdlet is to create the certificate and put it in the local certificate store. You can use an alternative one when creating or importing the certificate. When creating the certificate simply provide a different store:

$cert = New-PureOneCertificate -certificateStore cert:\LocalMachine\My

Note that when you use a non-default certificate store you need to run the PowerShell session as admin (when creating the cert) and also you likely will want to follow the below post that will allow you to not require running sessions as admin from that point on for authentication. It walks you through providing read only access to the private key.

https://www.codyhosterman.com/2019/06/assigning-read-access-to-windows-private-key/

2 Replies to “Persisting a Pure1 Certificate created by PowerShell”

    1. This is a wrapper cmdlet for New-SelfSignedCertificate. It does not wrap all of the parameters though. You could create your own cert on Windows with that directly and pass in -NotAfter (Get-Date).AddMonths(6) which would, for example, set the certificate expiration to 6 months. By default it is one year. I can add this function to the module

Comments are closed.