

Populate Certificate's Intended Purpose - EnhancedKeyUsageList

Question

Thursday, September 10, 2015 8:52 AM

Hi,

When I import a certificate, the intended purpose is <All>.  I'm trying to populate the intended purpose with just a select few purposes.

When I run the following commands:

$Cert = Get-ChildItem | where {$_.Subject -match "Certain Certificate"}

$Cert.EnhancedKeyUsageList = "Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2)"

I get the following error:

'EnhancedKeyUsageList' is a ReadOnly property.

Any way of populating that field via PowerShell?  Thanks.

All replies (13)

Thursday, September 10, 2015 12:04 PM ✅Answered | 1 vote

I just want to find out if I can modify certain settings in the certificate using Powershell.  Like Powershell allows me to set the friendly name.  So would like to find out if its possible to set the intended purpose as well.

Pipe through Get-Member and look at the definitions. If you see 'set;', you can set that property. If you don't, you can't.

Additional information:

https://technet.microsoft.com/en-us/library/hh847807.aspx

Short answer - no (at least via the cert provider).
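Mike's Get-Member check, turned into a small function, as an added example (not code from the thread). It lists the Property and ScriptProperty members of a certificate item from the Cert: drive and reports whether each one is settable; the default store path `Cert:\LocalMachine\My` and the assumption that a settable member shows `set;` (a .NET setter) or `set=` (a ScriptProperty setter) in its Get-Member definition are mine.

```powershell
# Added example, not from the thread. Reports which members of a Cert:
# provider item can be assigned, based on the text of their Get-Member
# definitions. Assumes the Cert: drive is available and $StorePath exists.
function Get-CertMemberSettability {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed default store
    )
    $cert = Get-ChildItem -Path $StorePath | Select-Object -First 1
    if (-not $cert) { throw "No certificate found in $StorePath" }

    # Property      = a real .NET property of X509Certificate2 (FriendlyName, ...)
    # ScriptProperty = added by the provider's type data (EnhancedKeyUsageList, ...)
    $cert | Get-Member -MemberType Property, ScriptProperty | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            MemberType = $_.MemberType
            # A .NET setter appears as 'set;' and a ScriptProperty setter as
            # 'set=' in the definition text; anything else is read-only.
            Settable   = [bool]($_.Definition -match 'set[;=]')
        }
    }
}

# Usage: settable members first. FriendlyName lands in that group;
# EnhancedKeyUsageList does not, which is why the assignment in the question fails.
Get-CertMemberSettability | Sort-Object Settable -Descending | Format-Table -AutoSize
```

Running this before attempting an assignment is the quick way to tell a writable .NET property from a provider-computed view, and it works the same way for any other provider item.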


Thursday, September 10, 2015 9:14 AM

Yes.  Order a new certificate with the correct usage settings and install it.

Your question is not a PowerShell issue.  It is an issue of how to use certificates. Post in the security forum for more assistance.

¯\_(ツ)_/¯


Thursday, September 10, 2015 11:04 AM

That's true.  It's not a PowerShell issue.  In fact, I don't have any issues at all.

I just want to find out if I can modify certain settings in the certificate using Powershell.  Like Powershell allows me to set the friendly name.  So would like to find out if its possible to set the intended purpose as well.

Sure, I could open up an MMC and set the intended purpose that way.  But would be great if I knew how to do it by Powershell.

I guess based on your reply, you don't know how to do it.

Perhaps someone else with a deeper understanding of Powershell could advise if setting the intended purpose in a certificate is possible via powershell.


Thursday, September 10, 2015 1:31 PM

Post in the security forum.  You are asking a question that has nothing to do with anything and is a result of knowing what a certificate is.

Think about this: Can you change the name on your driver's license?  What good would a certificate be if you could change it?

¯\_(ツ)_/¯


Thursday, September 10, 2015 11:08 PM | 2 votes

Thanks Mike.

As for the validity of a certificate if we were able to change it, I think you (jrv) should take that up with Microsoft since they allow us to change certain fields via the MMC-Certificates Console.

Oh, maybe you didn't know how to do that as well.

So just to reiterate for your benefit (jrv), it is a PowerShell question as I want to find out how to do certain things with it which can be done via the MMC console.  Whether it can be done or not is why this question was posted, irrespective of the validity it causes to the object.

If I wanted to know how it will affect the certificate's validity if I would to change its intended purpose, then yes, I would post that question in the security forum.

But oh, I guess that's too much of a stretch for you to differentiate.  It's OK, sometimes I get my Homer Simpson days too.  DOH!


Thursday, September 10, 2015 11:18 PM

As for the validity of a certificate if we were able to change it, I think you (jrv) should take that up with Microsoft since they allow us to change certain fields via the MMC-Certificates Console.

So just to reiterate for your benefit (jrv), it is a PowerShell question as I want to find out how to do certain things with it which can be done via the MMC console.  Whether it can be done or not is why this question was posted, irrespective of the validity it causes to the object.

If I wanted to know how it will affect the certificate's validity if I would to change its intended purpose, then yes, I would post that question in the security forum.

But oh, I guess that's too much of a stretch for you to differentiate.  It's OK, sometimes I get my Homer Simpson days too.  DOH!

Yes, but you can only enable or disable existing values. You cannot add purposes that were not initially included.

The cert utilities allow you to do a few operations but they have access to the full API.  To add purposes you need to reissue the cert.

Look into certmgr for commandline cert management.  It uses the same API as the "Certificate" MMC snap-in.

This is why I suggested posting in the security forum.  They should be able to give you good detailed explanations and links to documentation on how all of this works.

It is usually a best practice to check with the product forum first rather than to ask about how to script, as this will filter out the impossible and point to the potential answer.

Mike's post about using PS to check for "set" properties is also very fundamental and useful.

¯\_(ツ)_/¯


Thursday, September 10, 2015 11:33 PM

A little info on the cert provider and the display:

These properties are added by the provider's formatter:

DnsNameList                     ScriptProperty
EnhancedKeyUsageList            ScriptProperty
EnrollmentPolicyEndPoint        ScriptProperty
EnrollmentServerEndPoint        ScriptProperty
PolicyId                        ScriptProperty
SendAsTrustedIssuer             ScriptProperty

They may even appear to be editable but they are not. They are extractions from the binary cert data which is here:

$c=get-item .\24B8A548D85045D92A55C471734A4811C70D1546
$c.RawData

The PS provider has no facility to edit this data.  It is a very complex set of structures.  Most certs cannot be edited even in MMC; we can only disable or enable elements.  Self-generated certs will allow editing things like comments and other support fields but only through the MMC or certmgr API.

¯\_(ツ)_/¯
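An added example (not from the thread) that makes the point above concrete: it re-parses `RawData` independently of the provider, pulls the Enhanced Key Usage extension (OID 2.5.29.37) out of the DER bytes with .NET, and compares that list with what the provider's `EnhancedKeyUsageList` ScriptProperty reports. The function name, parameter and the use of the thread's own thumbprint as a placeholder path are mine.

```powershell
# Added example, not from the thread. Shows that EnhancedKeyUsageList is a
# view computed from the EKU extension inside RawData, by decoding the bytes
# a second time without the provider and comparing the two OID lists.
function Compare-EkuSources {
    param([Parameter(Mandatory)][string]$CertPath)   # e.g. Cert:\LocalMachine\My\<thumbprint>

    $cert = Get-Item -Path $CertPath

    # 1. Parse the DER bytes from scratch; this never touches the provider.
    $parsed = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$cert.RawData)
    $ekuExt = $parsed.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $fromExtension = @()
    if ($ekuExt) {
        # .NET surfaces this OID as X509EnhancedKeyUsageExtension
        $fromExtension = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # 2. What the Cert: provider's ScriptProperty reports for the same item.
    $fromProvider = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        HasEkuExtension = [bool]$ekuExt    # no EKU extension is what MMC shows as <All>
        FromExtension   = $fromExtension
        FromProvider    = $fromProvider
        # Sorted, joined OID strings: avoids Compare-Object's empty-array quirks
        Match           = ((($fromExtension | Sort-Object) -join ',') -eq (($fromProvider | Sort-Object) -join ','))
    }
}

# Usage; the thumbprint is the one from the Get-Item example above, used as a placeholder.
Compare-EkuSources -CertPath 'Cert:\LocalMachine\My\24B8A548D85045D92A55C471734A4811C70D1546'
```

`Match` should come out true for any certificate: both lists come from the same extension, so there is nothing for the provider to write back to, and a certificate without the extension yields two empty lists.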


Friday, September 11, 2015 3:41 AM | 2 votes

Yes, Mike's post about "set" properties was useful.  "Order a new certificate" wasn't useful.

I've no requirement to understand how certificates work so hence did not see a need to ask for help in the security forum. I just need to understand what my current environment is where certificates are concerned and fortunately, I'm doing fine on that end.

And while we're talking about my environment, I can open MMC>Certificates>Local Computer.  Then open the properties of any certificate, say Go Daddy Root Certificate Authority – G2, and add/remove intended purposes to my heart's content.  If my understanding of certificates is lacking and I break anything, well I guess that's tough - for ME.  Not going to blame anyone for that.

So in my quest to understand and utilise PowerShell more, I ask for advice on how I can do certain stuff on certificates with PowerShell.  And as mentioned earlier, I can modify the friendly name using PowerShell.  But not EnhancedKeyUsageList.

So why you insist it's not related to PowerShell is beyond me.  So what if I don't understand how certificates work.  I just want to understand how PowerShell works.  Googling didn't get me very far so I ask for help.  Last I checked, this is what the forum is for.

Your last 2 posts would have been much more helpful than "Order a new cert".  But if I were to give out the points, Mike's short answer would get it.  And that wasn't impossible, was it? 


Friday, September 11, 2015 4:02 AM

I don't understand why it is so hard to understand that you cannot directly edit a certificate with the PowerShell cert provider.  There are no methods or properties that can be edited.  That is all I am saying.  You can use other utilities or you can create a new cert request to get a cert that has a different purpose.  It is not a debate, it is just a fact.

So ...  "order a new cert" means to either create a new request or edit a multi-use cert in MMC or with other cert utilities.  The security forum would explain that and tell you how to do other things.

And you cannot add purposes to a cert.  You can only enable or disable purposes even in MMC.

The edits you make are actually not to the cert but are to the binding of the cert.  You can restrict the usage and you can create a friendly name. I believe these items are stored in the registry; they are not part of the cert.

¯\_(ツ)_/¯


Friday, September 11, 2015 8:48 AM | 1 vote

It IS very easy to understand that I can't directly edit a certificate with Powershell.  And if you've provided that as an answer initially, the points would have gone to you because that's exactly what I was trying to find out.  No arguments from me at all.

So I can't add purposes to a certificate, only enable/disable purposes.  Geeez, I'll remember to mind my semantics the next time.

At the end of the day, I came here for help on PowerShell.  If I wanted help on cert utilities, I'll go to some cert utilities forum.  If I wanted some help on certificates, I'll go to some certificates forum.  But even here on the PowerShell forum, any additional info on cert utilities, registry etc. would be welcome and not treated as extraneous.

So you can either help me out like what others here try to do, or you could do your thing coz there's always someone out there who gets off on doing that kind of thing.  Whatever floats your boat.


Wednesday, December 16, 2015 12:01 AM

Anyone ever figure out if there are PowerShell commands to enable or disable Certificate Purposes?

I know you are able to using the MMC Cert Snap. Just looking for a way to do so using Powershell.

This is for a self-signed cert, which I am able to manually add a Purpose to as well.

Greatly appreciate anyone's input.


Wednesday, December 16, 2015 1:38 AM

See my short answer up there.


Wednesday, June 10, 2020 5:56 AM

hi, five years after...
You can search by thumbprint for all entries in Regedit that reference your certificate. Alter the purpose in certmgr, export every key with the purpose altered and use reg import on all the reg files.
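An added example (not from the thread) that ties the last two jrv replies and this registry tip together. Given a thumbprint, it finds the registry key that backs that store entry, decodes the serialized `Blob` value into its property records, and optionally exports each key with `reg.exe`, so you can see for yourself that the friendly name and the certmgr purpose restriction are stored as properties beside the DER certificate, not inside it. The assumptions are mine: the `HKLM`/`HKCU` `SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>` layout, the record format (DWORD property id, DWORD reserved, DWORD length, data) and the wincrypt.h property ids named in the table; other stores (group policy, enterprise) and less common ids are not covered.

```powershell
# Added example, not from the thread. Locates the registry entry for a store
# certificate, decodes its Blob into property records, and can export the key.
# Assumed: SystemCertificates layout, record format and the property ids below.
function Get-CertStoreRegistryEntry {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$ExportDirectory          # when set, writes <store>-<thumbprint>.reg here
    )
    # CERT_*_PROP_ID values from wincrypt.h (assumed; only common ones named)
    $propNames = @{
        2 = 'KeyProvInfo'; 3 = 'Sha1Hash'; 9 = 'EnhancedKeyUsage'
        11 = 'FriendlyName'; 13 = 'Description'; 20 = 'KeyIdentifier'; 32 = 'Certificate'
    }
    $roots = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates',
             'HKCU:\SOFTWARE\Microsoft\SystemCertificates'

    foreach ($root in $roots) {
        $keys = Get-Item -Path "$root\*\Certificates\$Thumbprint" -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            $store = ($key.Name -split '\\')[-3]          # e.g. ROOT, CA, MY
            [byte[]]$blob = $key.GetValue('Blob')
            $pos = 0
            # Serialized element: repeated { DWORD propId; DWORD reserved; DWORD cbData; BYTE data[cbData] }
            while ($pos + 12 -le $blob.Length) {
                $id  = [BitConverter]::ToUInt32($blob, $pos)
                $len = [BitConverter]::ToUInt32($blob, $pos + 8)
                if ($pos + 12 + $len -gt $blob.Length) { break }   # truncated record
                $data = New-Object byte[] $len
                [Array]::Copy($blob, $pos + 12, $data, 0, $len)
                $pos += 12 + $len

                $value = switch ($id) {
                    { $_ -eq 11 -or $_ -eq 13 } { [Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }
                    3  { [BitConverter]::ToString($data) -replace '-', '' }
                    9  {
                        # DER sequence of OIDs, the same encoding as the EKU extension;
                        # this is the certmgr "enable only the following purposes" setting
                        $asn = New-Object System.Security.Cryptography.AsnEncodedData -ArgumentList '2.5.29.37', $data
                        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $asn, $false
                        ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ', '
                    }
                    32 {
                        # The certificate itself; its hash should equal the key name
                        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                        "DER certificate, thumbprint $($c.Thumbprint)"
                    }
                    default { "$len bytes" }
                }
                $name = 'Unknown'
                if ($propNames.ContainsKey([int]$id)) { $name = $propNames[[int]$id] }
                [pscustomobject]@{
                    Hive = $root.Split(':')[0]; Store = $store
                    PropertyId = [int]$id; Name = $name; Value = $value
                }
            }
            if ($ExportDirectory) {
                $out = Join-Path $ExportDirectory "$store-$Thumbprint.reg"
                reg.exe export $key.Name $out /y | Out-Null
            }
        }
    }
}

# Usage; the thumbprint is the one from the Get-Item example earlier in the thread, used as a placeholder.
Get-CertStoreRegistryEntry -Thumbprint '24B8A548D85045D92A55C471734A4811C70D1546' | Format-Table -AutoSize
```

Run it before and after changing the purposes in certmgr and the only difference is a new or changed property 9 record; the property 32 record, and therefore the thumbprint, stays the same, which is the concrete form of "the edits are to the binding, not to the cert". The same listing is a useful audit of what has been attached to a trusted root on a machine, since those properties are exactly what a `reg import` would carry across.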