PowerShell and local certificate stores

Recently someone asked how to remove unused certificate stores. Neither the GUI nor .NET (the X509Store class) provides this functionality, so you will have to use other tools. The new Quest AD PKI cmdlets add some features for working with certificate stores:

  • Review certificate store

Get-QADLocalCertificateStore -StoreLocation CurrentUser
Get-QADLocalCertificateStore -StoreLocation LocalMachine

These commands list the available certificate containers in the CurrentUser and LocalMachine store locations. They can also be used to retrieve certificates from local stores, as shown:

Get-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName My | Get-QADCertificate

  • Add new certificate store

If your application requires a specific certificate store, you can easily add a new one:

New-QADLocalCertificateStore -StoreLocation CurrentUser -StoreName CustomStoreNameToAdd

  • Remove unnecessary certificate store

If you remove an application that used custom certificate stores and they aren't removed during the uninstallation process, you can delete them manually:

Remove-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName CustomStoreToDelete

or the equivalent:

Get-QADLocalCertificateStore CustomStoreToDelete LocalMachine | Remove-QADLocalCertificateStore

The only difference between the two commands is that the second one uses the PowerShell pipeline.
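Before deleting a store it is worth checking what it still holds. The following is an added example, not part of the Quest cmdlets or the original post: Get-StoreRemovalReport is a hypothetical helper built on the .NET X509Store class, and CustomStoreToDelete is the placeholder name used above. It opens the store read-only with OpenExistingOnly, because a plain X509Store.Open() creates the store when it does not exist.

```powershell
# Added example: report what a store contains before it is removed.
# Get-StoreRemovalReport is a hypothetical helper name, not a Quest cmdlet.
function Get-StoreRemovalReport {
    param(
        [Parameter(Mandatory = $true)][string]$StoreName,
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'CurrentUser'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    # OpenExistingOnly makes Open() fail on a missing store instead of creating it.
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
    try {
        $store.Open($flags)
    } catch {
        Write-Warning "Store '$StoreName' was not found in $StoreLocation."
        return
    }
    try {
        $certs = @($store.Certificates)
        [pscustomobject]@{
            StoreLocation  = $StoreLocation
            StoreName      = $StoreName
            Certificates   = $certs.Count
            WithPrivateKey = @($certs | Where-Object { $_.HasPrivateKey }).Count
            NotExpired     = @($certs | Where-Object { $_.NotAfter -gt (Get-Date) }).Count
            Subjects       = $certs | ForEach-Object { $_.Subject }
        }
    } finally {
        $store.Close()
    }
}

# Remove the store only when it is empty; otherwise show what is left for review.
$report = Get-StoreRemovalReport -StoreName CustomStoreToDelete -StoreLocation LocalMachine
if ($report -and $report.Certificates -eq 0) {
    Remove-QADLocalCertificateStore -StoreLocation LocalMachine -StoreName CustomStoreToDelete
} elseif ($report) {
    $report | Format-List
}
```

A non-zero WithPrivateKey count means the store still references private keys, so export or re-home those certificates before removing the store.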

Enjoy scripting with Windows PowerShell!