February 27, 2026 Mid-Level (3-5 years) How-To

Certificate Management in Windows

Managing certificates in Windows. SSL, code signing, and enterprise PKI. PowerShell certificate operations.


Certificates are everywhere in enterprise IT. Here’s how to manage them in Windows.

Certificate Stores

# View certificate stores
Get-ChildItem Cert:

# Local Machine stores (paths shown for reference)
# Cert:\LocalMachine\My             Personal
# Cert:\LocalMachine\Root           Trusted Root
# Cert:\LocalMachine\CA             Intermediate CA
# Cert:\LocalMachine\TrustedPeople

# Current User stores
# Cert:\CurrentUser\My
# Cert:\CurrentUser\Root

View Certificates

# List certificates in store
Get-ChildItem -Path Cert:\LocalMachine\My

# Find expiring certificates
Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object Subject, NotAfter, Thumbprint

Install Certificate

# From file
$Cert = Import-Certificate -FilePath "C:\certs\mycert.cer" -CertStoreLocation Cert:\LocalMachine\My

# From PFX (with private key); prompt for the password instead of hard-coding it
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$Cert = Import-PfxCertificate -FilePath "C:\certs\mycert.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

Request Certificate from CA

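# Uses the built-in certreq.exe with an INF request file.
# C:\certs\request.inf contains:
#   [NewRequest]
#   Subject = "CN=webserver.domain.com"
#   KeyAlgorithm = RSA
#   KeyLength = 2048
#   MachineKeySet = TRUE

# Create request
certreq -new C:\certs\request.inf C:\certs\request.csr

# Submit to CA (config is "<CA host>\<CA name>"; <CA-Name> is a placeholder for your CA's name)
certreq -submit -config "corp-ca.domain.com\<CA-Name>" C:\certs\request.csr C:\certs\response.cer

# Install response
certreq -accept -machine C:\certs\response.cer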

Export Certificates

# Export without private key
Export-Certificate -Cert Cert:\LocalMachine\My\Thumbprint -FilePath "C:\certs\export.cer"

# Export with private key (PFX); prompt for the password instead of hard-coding it
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath "C:\certs\backup.pfx" -Password $PfxPassword

Remove Expired Certificates

# Find and remove expired
Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Remove-Item

# Remove specific certificate (the thumbprint is the item name in the store path)
Remove-Item -Path "Cert:\LocalMachine\My\thumbprinthere"

SSL Certificate Binding

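# Bind certificate to IIS: create the HTTPS binding, then attach the certificate from the "My" store
New-WebBinding -Name "Default Web Site" -Protocol https -Port 443
(Get-WebBinding -Name "Default Web Site" -Protocol https -Port 443).AddSslCertificate("thumbprint", "My")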

# Or use netsh
netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint appid="{guid}"

Check Certificate Chain

# Verify chain
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1
$Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$Chain.Build($Cert)      # True if the chain validates
$Chain.ChainStatus       # Reasons when it does not
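
The expiry filter and the chain check from the sections above, combined into one audit function. This is an added example, not code from the original post; the function name Get-CertificateHealth and its parameters are assumptions chosen for illustration, and the 30-day default mirrors the window used earlier.

```powershell
# Added example: audit one store for expiry and chain problems.
# $StorePath and $WarnDays are assumed defaults; adjust to your environment.
function Get-CertificateHealth {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Skip store containers if a parent path such as Cert:\LocalMachine was passed
        if ($cert -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) { continue }

        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Online revocation checking needs network access to the CRL/OCSP endpoints
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $chain.Reset()

        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $state = if ($cert.NotAfter -lt $now) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'Expiring' } else { 'OK' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            State         = $state
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $chainOk
            ChainErrors   = $chainErrors
        }
    }
}

# Report everything that needs attention, soonest expiry first
Get-CertificateHealth |
    Where-Object { $_.State -ne 'OK' -or -not $_.ChainValid } |
    Sort-Object NotAfter |
    Format-Table Subject, DaysLeft, State, ChainValid, ChainErrors -AutoSize
```

Run from a scheduled task, the filtered output gives one list of certificates that are expired, inside the warning window, or failing chain validation.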

Wrap-Up

Certificates are essential. Automate expiration checks and always have a renewal process.

Questions? Drop them below!
