I'm using the following PowerShell to get a list of certificates, including any archived ones, so that I can easily transfer them to a new PC:
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","CurrentUser")
$store.open("ReadOnly,IncludeArchived")
$privateCerts = $store.Certificates | Where-Object { $_.hasPrivateKey }
However, when I try and export them to pfx files using e.g.
$privateCerts| Foreach-Object { [system.IO.file]::WriteAllBytes("$($_.thumbprint)$($_.Subject).pfx", ($_.Export('PFX', 'password')) ) }
It throws exceptions for any that are not exportable. Now I know that I can't export those, but I'd like to just skip over them without having the script throw an error. I can work around it by catching the exception, but is there a way to determine if a certificate is exportable?
I found a reference to X509KeyStorageFlags, which has an "Exportable" bit I could check, but I can't work out how to get that info for a certificate using PowerShell.
The Exportable bit is set on the Private Key container itself, not directly on the certificate:
I don't think this will work for other types than RSA-based keypairs.
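One way to read the exportable setting from the key container before calling Export, covering both legacy CSP keys and CNG keys (RSA or ECDSA). This is an added example, not code from the question or the answer; the function name Test-PrivateKeyExportable is hypothetical, and it assumes Windows with .NET Framework 4.6.1 or later (PowerShell 5.1).

```powershell
# Added example. Test-PrivateKeyExportable is a hypothetical helper name.
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # Each extension method returns $null when the key is a different algorithm.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI/CSP container: the flag lives on the container info.
            return $key.CspKeyContainerInfo.Exportable
        }
        if ($key -and $key.PSObject.Properties['Key']) {
            # CNG key (RSACng / ECDsaCng): ExportPolicy is a flags enum.
            $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            return $key.Key.ExportPolicy.HasFlag($allow)
        }
        return $false   # DSA or other key types are not handled here
    }
    catch {
        # Container missing, held on a smart card or token, or access denied.
        return $false
    }
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly, IncludeArchived')
try {
    $store.Certificates |
        Where-Object { Test-PrivateKeyExportable $_ } |
        ForEach-Object {
            # 'password' is the placeholder used in the question.
            # $PWD is used because .NET resolves relative paths against the
            # process directory, not the current PowerShell location.
            $path = Join-Path $PWD "$($_.Thumbprint).pfx"
            [System.IO.File]::WriteAllBytes($path, $_.Export('Pfx', 'password'))
        }
}
finally {
    $store.Close()
}
```

Certificates whose keys are marked non-exportable, or whose containers cannot be opened, are filtered out instead of raising an exception during Export.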