Use PowerShell with SSL client certificates for HTTPS GET requests

Date posted: 2023-11-02
Last updated: 2026-04-29

Use a specific TLS certificate or thumbprint for outgoing HTTPS connections because of endpoint restrictions using PowerShell.



Sometimes you have to use a specific TLS/SSL certificate or thumbprint for outgoing HTTPS connections because of endpoint restrictions. To test these connections you can use PowerShell, but how do you get the required certificate from your certificate store?

In this post you’ll learn how to use a specific TLS certificate or thumbprint for outgoing HTTPS connections because of endpoint restrictions. All with PowerShell of course.

If an endpoint has restricted HTTPS connections based on security certificates or certificate thumbprints, you must be able to pull that certificate from your Windows Certificate Store and use it in your request. This is not a big issue if the certificate is stored in the CurrentUser store, but it gets harder when it’s in LocalComputer.

Starting May 15, 2026, newly issued SSL / TLS certificates will no longer include the Client Authentication function EKU (also known as id-kp-clientAuth). This industry-wide change is part of a broader effort to improve security and clarify certificate usage. See Sectigo’s FAQ Deprecation of Client Authentication EKU from Sectigo SSL / TLS Certificates for more information.

How to use an SSL certificate from CurrentUser certificate store in PowerShell Invoke-WebRequest

Use certmgr.msc on your command line to open up the CurrentUser certificate store in Management Console.

If you need to use a personal TLS/SSL certificate you can pull it up using PowerShell:

$certStorePath = "Cert:\CurrentUser\My"

# Must return one result:
$certThumbPrint = (
  Get-ChildItem -Path $certStorePath | Where-Object {
    $_.Subject -like "CN=Part_of_Common_Name*"
  }
).Thumbprint

Because Invoke-WebRequest will only look in the CurrentUser certificate store, this will suffice for your HTTPS request. Try:

Invoke-WebRequest -Uri https://example.com -CertificateThumbprint $certThumbPrint

If you need a LocalMachine certificate, then it becomes a (small) bit harder.

LocalMachine SSL certificate to use in PowerShell Invoke-WebRequest HTTPS requests

Start LocalMachine certificate store management console directly with certlm.msc.

Invoke-WebRequest only looks at the CurrentUser certificate store, so you need a second approach for SSL certificates stored in LocalMachine:

Use Get-ChildItem to get the certificate itself, and pass that to Invoke-WebRequest instead of a thumbprint:

$certStorePath = "Cert:\LocalMachine\My"

# Must return one result:
$certificate = Get-ChildItem -Path $certStorePath | Where-Object {
  $_.Subject -like "CN=Part_of_Common_Name*"
}

Invoke-WebRequest -Uri https://example.com -Certificate $certificate
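
The "Must return one result" comment and the Client Authentication EKU note above can both be enforced in the lookup itself. The following is an added example, not code from the original post; the function name Find-ClientAuthCertificate is hypothetical, and the subject pattern and URL are the same placeholders used above.

```powershell
# Added example: pick exactly one certificate that is usable for TLS client authentication.
function Find-ClientAuthCertificate {
    param(
        [Parameter(Mandatory)] [string] $SubjectLike,   # e.g. "CN=Part_of_Common_Name*"
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Store = 'CurrentUser'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $now = Get-Date
    $usable = @()

    foreach ($cert in Get-ChildItem -Path "Cert:\$Store\My") {
        if ($cert.Subject -notlike $SubjectLike) { continue }
        # Client authentication needs the private key, not just the public certificate.
        if (-not $cert.HasPrivateKey) { continue }
        # Skip certificates that are not yet valid or already expired.
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) { continue }

        # If an EKU extension is present it must list Client Authentication.
        # Assumption: a certificate without an EKU extension is treated as unrestricted.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $clientAuthOid) { continue }
        }
        $usable += $cert
    }

    # Fail loudly instead of passing zero or several certificates to the request.
    if ($usable.Count -ne 1) {
        throw "Expected exactly one usable certificate in $Store\My matching '$SubjectLike', found $($usable.Count)."
    }
    return $usable[0]
}

$certificate = Find-ClientAuthCertificate -SubjectLike 'CN=Part_of_Common_Name*' -Store LocalMachine
Invoke-WebRequest -Uri https://example.com -Certificate $certificate
```

HasPrivateKey only reports that a key is associated with the certificate; the account running the script still needs read access to a LocalMachine private key.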

Conclusion

In this post you learned how you can use PowerShell to retrieve specific TLS certificates from your certificate store for outgoing HTTPS connections. Sometimes this is required, for example when the remote endpoint is secured using client authentication certificates.

If needed you can substitute Invoke-WebRequest with Invoke-RestMethod for APIs.

Summary

  • You can use PowerShell to retrieve a specific TLS certificate or thumbprint for outgoing HTTPS connections due to endpoint restrictions.
  • Access certificates in the CurrentUser store easily, but LocalMachine certificates require a different approach using certlm.msc.
  • For LocalMachine certificates, use Get-ChildItem and pass the certificate to Invoke-WebRequest instead of a thumbprint.
  • This article explains how to manage SSL certificates, including an important note on the deprecation of the Client Authentication EKU after May 2026.