Granikos Technology Blog

You can use PowerShell to manage your local certificate store.

The default PowerShell Get-ChildItem cmdlet allows for accessing the local certificate store. But you should start your PowerShell shell windows as administrator, as access might be restricted by GPO settings.


List all certificate folder on the local machine

Get-ChildItem -Path Cert:\LocalMachine

Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Remote Desktop
Name : Root
Name : TrustedDevices
Name : SPC
Name : CA
Name : AuthRoot
Name : WebHosting
Name : TrustedPeople
Name : My
Name : SmartCardRoot
Name : Trust
Name : Disallowed


List all available certificates for the computer

Get-ChildItem -Path Cert:\LocalMachine\My

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
EC225A0183DC64D864C8BEA1477822858FCEC767  CN=WMSvc-EXSRV02
E2BC29B1445FD267E5A2823591A5221D67D0D94F  CN=Microsoft Exchange Server Auth Certificate
D8EE794A39A8E04BE32A1E8BED93A3C46D15E0EF  CN=EXSRV02
60246A87C12BEB365E7B4044C926587590A3D7B6, O=mcmemail, C=DE
5F103D6C61BF57D86DB4AAA05597B0D1E8155884, CN=EXSRV02, CN=, CN=localhost, O=Trend Micro.


Retrieve certificate details

The example shows a self-signed certificate of a Trend Micro ScanMail for Exchange setup.

$cert = Get-ChildItem -Path Cert:\LocalMachine\My\5F103D6C61BF57D86DB4AAA05597B0D1E8155884
$cert | fl

Subject      :, CN=EXSRV02, CN=, CN=localhost, O=Trend Micro ScanMail for Microsoft
Issuer       :, CN=EXSRV02, CN=, CN=localhost, O=Trend Micro ScanMail for Microsoft
Thumbprint   : 5F103D6C61BF57D86DB4AAA05597B0D1E8155884
FriendlyName :
NotBefore    : 17.11.2014 00:00:00
NotAfter     : 16.11.2017 00:00:00
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}


A certificate issued by an Enterprise CA looks like this

$cert = Get-ChildItem -Path Cert:\LocalMachine\My\60246A87C12BEB365E7B4044C926587590A3D7B6
$cert | fl

Subject      :, O=mcmemail, C=DE
Issuer       : CN=mcmemail-DC01-CA, DC=mcmemail, DC=de
Thumbprint   : 60246A87C12BEB365E7B4044C926587590A3D7B6
FriendlyName : mcmemail Exchange Server 2013 Certificate
NotBefore    : 28.08.2014 15:14:04
NotAfter     : 28.08.2015 15:24:04
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,


Export a single certificate

$cert | Export-Certificate -FilePath C:\tmp\cert1.p7b -Type p7b

    Directory: C:\tmp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        23.12.2014     11:56       1380 cert1.p7b


Export multiple certificates as serialized certificates

$certarray = @()
$certarray += $cert
$cert = Get-ChildItem -Path Cert:\LocalMachine\My\D8EE794A39A8E04BE32A1E8BED93A3C46D15E0EF
$certarray += $cert

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
60246A87C12BEB365E7B4044C926587590A3D7B6, O=mcmemail, C=DE
D8EE794A39A8E04BE32A1E8BED93A3C46D15E0EF  CN=EXSRV02

$certarray | Export-Certificate -FilePath c:\tmp\certs.sst -Type SST

    Directory: C:\tmp

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        23.12.2014     11:58       3056 certs.sst 


Enjoy working with certificates.


You plan to upgrade to Exchange Server 2013? You wonder what the benefits of Office 365 are? Contact us at

Weiterlesen »

The Community Script blog post has been updated, as a new script has been added to the Technet Gallery.

Updated blog post:


Weiterlesen »

Uninstalling Exchange Server 2013 will fail, if the PowerShell MachinePolicy or UserPolicy is set by GPO.

You will receive an error message referencing Microsoft KB article 981474, which refers primarily to Exchange Server 2010.

Screenshot Exchange Server 2013 Uninstall

The following PowerShell command removes the GPO setting.


 Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell -Name ExecutionPolicy -Value "" 


After setting the ExecutionPolicy attribute to an empty string, Exchange Server 2013 can be uninstalled successfully.



Weiterlesen »

Kemp Authorized PartnerGranikos GmbH & Co. KG, Germany, has been awarded the Kemp Authorized Partner status. The awarded status proves the technical experise of our staff for setup, configuration and optimization of Kemp Load Balancer Suite.

We have been working with Kemp Technologies Load Balancers in various projects for Exchange Server, Lync Server and Commerce Web Sites.

The successful Kemp Load Balancers are #1 in price/performance in the market. The various variants provide reliable load balancing capabilities for SMB as well as for the enterprise. Besides physical and virtualized Load Balancers Kemp offers Bare Metal variants and versions for Windows Azure.

If you need Kemp Load Balancer consulting for your IT project visit our website or contact us at:

Weiterlesen »
On November 6, 2014


After In-place upgrading from Windows Server 2008 R2 to Windows Server 2012 R2 (not a good idea in production environment) and activating the new Windows Server Updates Services Role, I´ve encountered several errors. The machine had also the System Center Configuration Manager 2012 R2 installed.

The post-installation task ended with the error Failed to start and configure the WSUS service.

WSUS Post-Installation Task failed


A manually start did not work either (Error 193: 0xc1):

WSUS Post-Installation Error 193



CCMSetup (SCCM) created a file called Program in the root folder and the WSUS Application Pool ran under the wrong .NET CLR Version.

CCMSetup Error



Delete or rename Program file and change the .NET CLR Version from .NET 2 to .NET 4.

Change .NET CLR Version


After an IISReset restart the Post-installation tasks of WSUS:

Post-Installation Task finishing



Weiterlesen »