Tags: powershell, permissions, certificate, certificate-store

How to access a certificate with error: "Unable to retrieve certificates because the thumbprint is not valid"


I'm getting the error

Unable to retrieve certificates because the thumbprint is not valid. Verify the thumbprint and retry.

when I try to use a certificate in the LocalMachine certificate store.

I've had an admin account install the certificate (including the private key) in the LocalMachine certificate store, and have provided access to the private key for certain users (e.g. functional ID).

I expected to be able to run the following code to get the thumbprint, which is then used in the Invoke-WebRequest call:

$certStorePath  = "Cert:\LocalMachine\My"
$certDetails    = Get-ChildItem -Path $certStorePath | Where-Object {$_.Subject -like "*myCert*"}   # Returns one result
$certThumbprint = $certDetails.Thumbprint

Invoke-WebRequest -Uri $externalUrl -Proxy $proxyServer -UseBasicParsing -CertificateThumbprint $certThumbprint

I can get the cert details including thumbprint ($certDetails), but seems like permissions aren't allowing me (or the FID) to use the certificate (or perhaps just access the private key part of the certificate). The code works when the certificate is installed in the CurrentUser store.

How can I enable access to the certificate in the LocalMachine store for such non-admin users?


Solution

  • Seems that the problem is linked to Invoke-WebRequest and how it's used in this piece of code.

    The first part of the code is able to access the certificate successfully:

    $certStorePath  = "Cert:\LocalMachine\My"
    $certDetails    = Get-ChildItem -Path $certStorePath | Where-Object {$_.Subject -like "*myCert*"}
    

    However, although the thumbprint is unique across all certificate stores (e.g. this one only exists in LocalMachine), Invoke-WebRequest cannot access it, because it will only look in the CurrentUser certificate store.

    So, overall to get this working:

    1. Install the certificate which includes the private key.
    2. Provide access to the private key part of the certificate, to the appropriate users/FID.
    3. Use Get-ChildItem to get the certificate itself, and pass that to Invoke-WebRequest instead of a thumbprint:

       $certStorePath = "Cert:\LocalMachine\My"
       $certificate   = Get-ChildItem -Path $certStorePath | Where-Object {$_.Subject -like "*myCert*"}   # Returns one result

       Invoke-WebRequest -Uri $externalUrl -Proxy $proxyServer -UseBasicParsing -Certificate $certificate
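The steps above, as an added worked example that is not part of the question or the answer: a small helper that locates the certificate in `Cert:\LocalMachine\My`, refuses to continue if the wildcard subject matches more than one certificate, confirms the certificate is unexpired and carries a private key, and then actually opens the private key so that a missing key-file ACL for the running account fails loudly here rather than as an opaque web-request error. Only after those checks does it pass the certificate object (not the thumbprint) to `Invoke-WebRequest`. The subject pattern `*myCert*`, the function name `Get-ClientCertificate`, and the `$externalUrl` / `$proxyServer` values are placeholders assumed for the example.

```powershell
# Added example (not from the original post). Assumed placeholders: the subject
# pattern '*myCert*', $externalUrl and $proxyServer below.

function Get-ClientCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SubjectPattern,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    $found = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like $SubjectPattern })

    # A wildcard subject match can silently pick up a renewed or unrelated
    # certificate; insist on exactly one so the wrong key is never presented.
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate matching '$SubjectPattern' in $StorePath, found $($found.Count)."
    }
    $cert = $found[0]

    if ($cert.NotAfter -le (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
    }

    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; re-import it from the PFX."
    }

    # Opening the private key is the operation that fails when the account lacks
    # read access to the key file. GetRSAPrivateKey throws a
    # CryptographicException (e.g. "Keyset does not exist") in that case, so the
    # permission problem is reported here with a clear message.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'Private key is not an RSA key or could not be loaded.' }
        $rsa.Dispose()
    }
    catch {
        throw "Current user cannot access the private key of $($cert.Thumbprint): $($_.Exception.Message)"
    }

    return $cert
}

# Usage: pass the certificate object itself, not its thumbprint.
$externalUrl = 'https://example.invalid/api/health'   # placeholder
$proxyServer = 'http://proxy.example.invalid:8080'    # placeholder

$certificate = Get-ClientCertificate -SubjectPattern '*myCert*'
Write-Verbose "Using certificate $($certificate.Thumbprint), valid until $($certificate.NotAfter)" -Verbose

$response = Invoke-WebRequest -Uri $externalUrl -Proxy $proxyServer -UseBasicParsing -Certificate $certificate
$response.StatusCode
```

Run it as the functional ID (for example under `runas` or the scheduled task identity) rather than as the admin who imported the certificate, since the private-key check only tells you about the account that executes it; if step 2 of the answer was skipped for that account, the helper stops at the `GetRSAPrivateKey` call instead of reaching `Invoke-WebRequest`.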