PowerShell Universal
v4
Copyright 2025 Ironman Software

Client Certificate

Client certificate authentication for PowerShell Universal.


Last updated 2 years ago


Client certificate authentication ensures that client machines hold a particular certificate when connecting to PowerShell Universal. The certificate check is handled during the HTTP negotiation so it affects the entire webserver and cannot be configured per route.

For detailed information about client certificate authentication in ASP.NET Core 5.0, you can visit the Microsoft documentation.

Enable Client Certificate Authentication

You will need to enable HTTPS hosting and turn on client certificate authentication. First, ensure that you have an HTTPS certificate selected and that ClientCertificateMode is set to RequireCertificate. These settings are configured in the appsettings.json file.

"Kestrel": {
  "Endpoints": {
    "HTTPS": {
      "Url": "https://*:5000",
      "ClientCertificateMode": "RequireCertificate",
      "Certificate": {
        "Subject": "localhost",
        "Store": "My",
        "Location": "LocalMachine",
        "AllowInvalid": "true"
      }
    }
  },
  "RedirectToHttps": "false"
},

Next, you will need to enable client certificate authentication.

"ClientCertificate": {
  "Enabled": "true"
},

Authorization

You can use the roles.ps1 file to evaluate the certificate provided by the client. This can be used to determine which roles the user will receive when connecting to PSU.

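To see which properties are available during authorization, you can serialize the $User variable provided to the role policy functions. The policy below writes the object to user.txt and returns $true, so it assigns the role to every connecting client while it is in place; use it only to capture the output.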

param($User)

$User | ConvertTo-Json | Out-File .\user.txt

$true

You will receive information about the certificate within the user object similar to below.

{
  "Claims": [
    {
      "Type": "issuer",
      "Value": "CN=Cert1, OU=Cert2, O=Org, L=Scottsdale, S=Arizona, C=US",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "LOCAL AUTHORITY",
      "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.String]"
    },
    {
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint",
      "Value": "8D2212B6EA170A33055A5",
      "ValueType": "http://www.w3.org/2001/XMLSchema#base64Binary",
      "Issuer": "LOCAL AUTHORITY",
      "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.String]"
    },
    {
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname",
      "Value": "CN=*.cert.com, OU=Domain Control Validated",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "LOCAL AUTHORITY",
      "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.String]"
    },
    {
      "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber",
      "Value": "009D21369",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "LOCAL AUTHORITY",
      "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.String]"
    },
    {
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns",
      "Value": "*.cert.com",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "LOCAL AUTHORITY",
      "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.String]"
    },
    {
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "Value": "*.cert.com",
      "ValueType": "http://www.w3.org/2001/XMLSchema#string",
      "Issuer": "LOCAL AUTHORITY",
      "Properties": "System.Collections.Generic.Dictionary`2[System.String,System.String]"
    }
  ],
  "Identity": {
    "Name": "*.cert.com"
  }
}

You can evaluate the claims using the HasClaim method. The following is an example of checking the thumbprint of the certificate.

param($User)

$User.HasClaim('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint', '8D2212B6EA170A33055A5')
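
A role policy can pin more than one claim and deny by default when a claim is missing. The following PowerShell is an added example, not code from the PowerShell Universal documentation: the function names, the allow list and the sample principals are assumptions constructed for illustration, using the claim types and values shown on this page.

```powershell
# Added example (not PSU's own code): deny-by-default check of certificate claims.
$ThumbprintClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint'

# Assumption: administrator-maintained allow list. The first value is the sample
# thumbprint from this page; the second is a constructed placeholder.
$AllowedThumbprints = @('8D2212B6EA170A33055A5', 'PLACEHOLDER-SECOND-THUMBPRINT')
$ExpectedIssuer = 'CN=Cert1, OU=Cert2, O=Org, L=Scottsdale, S=Arizona, C=US'

function Test-ClientCertificateRole {
    param([System.Security.Claims.ClaimsPrincipal]$User)

    # No principal or no thumbprint claim: grant nothing.
    if ($null -eq $User) { return $false }
    $claim = $User.FindFirst($ThumbprintClaim)
    if ($null -eq $claim) { return $false }

    # Normalise both sides; thumbprints copied from certificate dialogs often
    # contain spaces or lower-case hex.
    $presented = ($claim.Value -replace '\s', '').ToUpperInvariant()
    $allowed = $AllowedThumbprints | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

    # Require a pinned thumbprint and the expected issuer claim together.
    ($allowed -contains $presented) -and $User.HasClaim('issuer', $ExpectedIssuer)
}

# Constructed sample principals standing in for the $User object passed to a policy.
function New-SamplePrincipal {
    param([string]$Thumbprint, [string]$Issuer)
    $claims = [System.Security.Claims.Claim[]]@(
        [System.Security.Claims.Claim]::new('issuer', $Issuer),
        [System.Security.Claims.Claim]::new($ThumbprintClaim, $Thumbprint)
    )
    $identity = [System.Security.Claims.ClaimsIdentity]::new($claims, 'Certificate')
    [System.Security.Claims.ClaimsPrincipal]::new($identity)
}

$cases = [ordered]@{
    'pinned cert, expected issuer' = New-SamplePrincipal '8d22 12b6 ea17 0a33 055a5' $ExpectedIssuer
    'unknown thumbprint'           = New-SamplePrincipal 'CONSTRUCTED-UNKNOWN' $ExpectedIssuer
    'pinned cert, other issuer'    = New-SamplePrincipal '8D2212B6EA170A33055A5' 'CN=Constructed Other CA'
}
foreach ($name in $cases.Keys) {
    [pscustomobject]@{ Case = $name; RoleGranted = Test-ClientCertificateRole $cases[$name] }
}
```

Inside a role policy, the same function body can be applied to the $User parameter in place of a single HasClaim call.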