Script to generate ca-cert.crt file based on the Windows Certificate store
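# This script can be used to generate a ca-cert.crt file that can be used by
# Unix-based utilities like curl, git, ...
#
# It allows you to synchronize the root certificates (CA) based on the
# certificates installed in your Windows certification stores. You can also
# get a list from Mozilla, but I think it's convenient to have the same CA
# certificates in all tools.
#
# Some examples on how to use this script:
#
#   CreateCaCert.ps1 -StoreLocation CurrentUser
#   CreateCaCert.ps1 -StoreLocation LocalMachine | Out-File -Encoding utf8 ca-cert.crt
#   CreateCaCert.ps1 -StoreLocation LocalMachine -StoreName CertificateAuthority
#
# Notes on the generated bundle:
#   - Only the selected store is read. Windows decides trust using several
#     stores together (Root, AuthRoot, Disallowed, ...), so the bundle is a
#     snapshot of one store, not an exact copy of what Windows itself trusts.
#   - Certificates are exported as-is: an expired certificate in the store is
#     emitted too; its "# Expiration:" header line shows the date.
#   - Only the public certificate (DER) is exported; private keys are never
#     read or written.
#   - Base64 lines are wrapped at 64 characters as RFC 7468 requires for PEM
#     generators, so strict parsers accept the output.
#
# Written by Ramon de Klein <[email protected]>
[CmdletBinding()]
Param(
    # Store location to read: the current user's store or the machine-wide one.
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]
    $StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser,

    # Store to read. AuthRoot (third-party roots) is the default; any other
    # StoreName value (Root, CertificateAuthority, ...) is accepted as well.
    [System.Security.Cryptography.X509Certificates.StoreName]
    $StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::AuthRoot
)

# RFC 7468 section 2: generators MUST wrap base64 lines at exactly 64
# characters (the final line may be shorter). The previous value of 77 is
# tolerated by OpenSSL but rejected by some stricter PEM parsers.
$maxLineLength = 64

#######################################
# Split a string into fixed-width lines.
# Arguments: $Text  - the string to split (may be empty)
#            $Width - line width in characters (default 64)
# Outputs:   one string per line; the last line may be shorter.
#            Nothing is emitted for an empty input.
#######################################
function Split-FixedWidth {
    Param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string] $Text,

        [int] $Width = 64
    )
    for ($pos = 0; $pos -lt $Text.Length; $pos += $Width) {
        $Text.Substring($pos, [Math]::Min($Width, $Text.Length - $pos))
    }
}

# Open the store read-only. The handle is released in the finally block so it
# is not leaked when exporting a certificate throws part-way through.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ($StoreName, $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # Write header
    Write-Output "# Root certificates ($StoreLocation) generated at $(Get-Date)"

    # Write all certificates
    Foreach ($certificate in $store.Certificates) {
        # Start with an empty line
        Write-Output ""

        # Export only the public certificate (DER, X509ContentType::Cert) and
        # BASE64-encode it. This content type never includes a private key.
        $certString = [Convert]::ToBase64String($certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

        # Metadata as "#" comment lines; PEM readers skip text outside the
        # BEGIN/END markers, so these are safe for curl/git to consume.
        Write-Output "# Friendly name: $($certificate.FriendlyName)"
        Write-Output "# Issuer: $($certificate.Issuer)"
        Write-Output "# Expiration: $($certificate.GetExpirationDateString())"
        Write-Output "# Serial: $($certificate.SerialNumber)"
        Write-Output "# Thumbprint: $($certificate.Thumbprint)"
        Write-Output "-----BEGIN CERTIFICATE-----"
        Split-FixedWidth -Text $certString -Width $maxLineLength
        Write-Output "-----END CERTIFICATE-----"
    }
}
finally {
    $store.Close()
}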
Thanks for this, very helpful.
I had a need to query different store names so I added a parameter called StoreName:
[System.Security.Cryptography.X509Certificates.StoreName]
$StoreName = "AuthRoot"
and then I changed line 28 to:
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store ([System.Security.Cryptography.X509Certificates.StoreName]::$StoreName, $StoreLocation)
Then I could find certificates in CertificateAuthority which is where my organization stores its own certs.