h3rb3rt
Dec 16, 2021

PowerShell Export-PfxCertificate Problem

Hello Community,

I have the following problem:

When I export my root certificate as cer with PowerShell and with certmgr, I get completely the same content in my files.

BUT

My child pfx certificate exported with certmgr is smaller (4KB) than the same certificate exported with PowerShell (15KB).

I think the reason is missing options in Export-PfxCertificate.

My command is:

Get-ChildItem -Path $systemcertpath | Export-PfxCertificate -FilePath $childcert -NoProperties -Password $password

When I export with certmgr I have 4 checkboxes (first and last checked):

  • Including all certificates in the certification path if possible
  • Delete the private key if the export is successful
  • Export all extended properties
  • Enable certificate privacy

I think with "-NoProperties" I disable the export of all extended properties (third checkbox), but I'm not sure.

Why are my exported certificates not equal? How can I solve this?

Best regards and thanks for your help!

  • Hello
    Exactly as you thought, the -NoProperties description confirms:

    "Specifies whether the extended properties for a certificate are exported. If this parameter is specified, then extended properties are not included with the export. By default, all extended properties are included in the exported file."

    Are they equal if you remove -NoProperties?
    • h3rb3rt
      Thanks for your answer!

      When I remove -NoProperties, I get another file, but still not a copy of my pfx exported with certmgr.

      In addition, I did not check "Export all extended properties" in certmgr, so I will need "-NoProperties".

      I specified the -CryptoAlgorithmOption, but it should be useless because TripleDES_SHA1 is the default value.
      I specified the -ChainOption with value BuildChain. I think that's the equivalent of my checked checkbox "Including all certificates in the certification path if possible" in certmgr.

      Still, my pfx from PowerShell is much bigger than my pfx from certmgr.


      Get-ChildItem -Path $systemcertpath | Export-PfxCertificate -FilePath $childcert -NoProperties -CryptoAlgorithmOption TripleDES_SHA1 -ChainOption BuildChain -Password $password
      • Hello, how are you?

        How many certificates is "Get-ChildItem -Path $systemcertpath" outputting? It seems there is probably more than one certificate there, but you need only one, right?

        I used this and I got the same certificate size both with mmc and PS:

        Get-ChildItem -Path cert:\LocalMachine\my\327911063683D218873824A150B695F3875F8A38 | Export-PfxCertificate -NoProperties -ChainOption EndEntityCertOnly -Password $mypwd -FilePath C:\Users\Desktop\qaz321.pfx
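
An added diagnostic sketch, not part of any post in this thread: it follows the reply's suggestion by counting what the store path returns, then exports a single certificate with each -ChainOption / -NoProperties combination and reports the file size and the number of certificates inside each PFX. `$storePath`, the temp folder and the file names are assumptions; point `$storePath` at the same location as `$systemcertpath` in the question.

```powershell
# Added diagnostic sketch. $storePath, $outDir and the file names are assumptions.
$storePath = 'Cert:\CurrentUser\My'
$password  = Read-Host -AsSecureString -Prompt 'PFX password'
$outDir    = Join-Path $env:TEMP 'pfx-compare'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. How many certificates does the path yield? A store path returns all of
#    them, and the pipeline exports every one into a single PFX.
$certs = @(Get-ChildItem -Path $storePath | Where-Object { $_.HasPrivateKey })
"{0} certificate(s) with a private key under {1}" -f $certs.Count, $storePath
$certs | Format-Table Thumbprint, Subject, NotAfter -AutoSize
if ($certs.Count -eq 0) { return }

# 2. Export ONE certificate with each option combination and compare results.
$cert = $certs[0]
$results = foreach ($chain in 'EndEntityCertOnly', 'BuildChain') {
    foreach ($noProps in $true, $false) {
        $file = Join-Path $outDir ("{0}-NoProps{1}.pfx" -f $chain, $noProps)
        $params = @{ Cert = $cert; FilePath = $file; Password = $password
                     ChainOption = $chain; NoProperties = $noProps; Force = $true }
        try {
            Export-PfxCertificate @params -ErrorAction Stop | Out-Null
            # Read the PFX back to see how many certificates it really holds.
            $pfx = Get-PfxData -FilePath $file -Password $password
            [pscustomobject]@{
                ChainOption  = $chain
                NoProperties = $noProps
                Bytes        = (Get-Item $file).Length
                EndEntity    = @($pfx.EndEntityCertificates).Count
                ChainCerts   = @($pfx.OtherCertificates).Count
            }
        } catch {
            # Non-exportable private keys and unbuildable chains land here.
            Write-Warning "$chain / NoProperties=$noProps failed: $_"
        }
    }
}
$results | Format-Table -AutoSize

# The exported files contain the private key; remove them when done.
Remove-Item -Path $outDir -Recurse -Force
```

An EndEntity count above 1 in a PFX produced from the original pipeline would mean the store path matched several certificates; a non-zero ChainCerts count shows how much of the size comes from the included chain.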
