05 May 2011

Save and restore user certificates using PowerShell

After a lot of unsuccessful tries (even with AppSense Personalization Manager it’s hard to save and restore user certificates if AppData is not redirected), I found a valuable way to export and import user certificates at Logoff / Logon.

Prerequisites:

  • PowerShell 2.0 installed
  • Execution Policy must be set to allow the scripts to run
  • Users logging on / off must have permission to execute scripts

These two scripts do the job.

ExportCert.ps1

  • Exports all user certificates to a destination folder in PKCS #12 format (.pfx)
  • Accepts filters based on issuer attributes
  • Exports User or Machine certificates from the local cert store

Usage:

Powershell.exe ./ExportCert.ps1 <destinationpath> <certstore>  [optional <filter>]

Example:

Powershell.exe C:\Scripts\ExportCert.ps1 H:\Profile\Certs CurrentUser DC=Microsoft

This command exports all user certificates from the CurrentUser store to H:\Profile\Certs, excluding certificates whose issuer attribute contains “DC=Microsoft”.

ImportCert.ps1

  • Imports all certificates within a given folder into the User or Machine cert store

Usage:

Powershell.exe ./ImportCert.ps1 <sourcepath> <certstore>

Example:

Powershell.exe C:\Scripts\ImportCert.ps1 H:\Profile\Certs CurrentUser

This command imports all certificates found in H:\Profile\Certs into the CurrentUser store.
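
A sketch of the export / import round trip described above, using the .NET X509Store and X509Certificate2 classes that PowerShell 2.0 can call. This is an added example, not the contents of ExportCert.ps1 or ImportCert.ps1; the function names, the -PfxPassword parameter, the use of the Personal ("My") store and the thumbprint-based file names are assumptions.

```powershell
# Added example: hypothetical functions, not the downloadable scripts.
function Export-UserCertificate {
    param([string]$Destination,
          [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'CurrentUser',
          [string]$PfxPassword,
          [string]$ExcludeIssuer)
    # Assumption: the Personal ("My") store is the one to save.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', $StoreLocation
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            # Skip certificates whose issuer contains the filter string (e.g. "DC=Microsoft").
            if ($ExcludeIssuer -and $cert.Issuer.Contains($ExcludeIssuer)) { continue }
            try {
                $pfx  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
                $path = Join-Path $Destination ($cert.Thumbprint + '.pfx')
                [System.IO.File]::WriteAllBytes($path, $cert.Export($pfx, $PfxPassword))
            } catch {
                # Export throws when the private key is marked non-exportable.
                Write-Warning ("Skipped " + $cert.Thumbprint + ": " + $_.Exception.Message)
            }
        }
    } finally { $store.Close() }
}

function Import-UserCertificate {
    param([string]$Source,
          [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'CurrentUser',
          [string]$PfxPassword)
    $keySet = if ($StoreLocation -eq 'LocalMachine') { 'MachineKeySet' } else { 'UserKeySet' }
    # PersistKeySet keeps the key after the object is disposed; Exportable is
    # required so the certificate can be exported again at the next logoff.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet,Exportable,$keySet"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', $StoreLocation
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($file in Get-ChildItem -Path $Source -Filter *.pfx) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        $file.FullName, $PfxPassword, $flags
            $store.Add($cert)
        }
    } finally { $store.Close() }
}
```

The .pfx files written by the export contain private keys, so the destination folder should be readable only by the user who owns them.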

Integrating the scripts into an AppSense Environment Manager Config

As AppSense EM currently does not support PowerShell scripts as custom actions, we have to wrap the call to the PowerShell scripts in a simple VBScript. If you download the scripts here, you’ll find usable examples of how to call the Import / Export scripts at logon / logoff using EM custom actions.

Special Notes:

  • The scripts are provided as they are, without any warranty. Use at your own risk.
  • The password for private key protection of the PFX is not that strong as it has to be automatically set on import, but I’m currently thinking about other possibilities.
  • Any bugs or feature requests are welcome