Info: How to use PowerShell to retrieve certificates from a DigiCert CA


The DigiCert-Retrieve.ps1 script is designed to read a file containing a list of active order numbers from DigiCert.  These order numbers will be provided by the client and can be obtained via the DigiCert admin portal (standard reports).

Once the input file has been created, the script downloads each certificate through REST API calls and saves the results (in base64-encoded format) to the file name and location provided.


ImportCertificateXML – Needed to convert base64 encoded format to XML for consumption by TPP. (This is a licensed utility and will require a PS license key – Product Code: ICX)
SCHEMATOOL – Needed to import XML results to the policy tree. (Included with TPP configuration)



Confirm the client has API capabilities as part of their DigiCert subscription.

Confirm the client has both the account number and the API key, which are needed for login.

Have the client confirm whitelisting with DigiCert.  Ensure that the location running the utility, or the proxy (if one is being used), is registered on DigiCert's whitelist as an approved connection.



1. Parse the client's existing report (CSV) and create an input file that contains a list of active order numbers.
2. From a PowerShell ISE shell, run the Export-DigiCert-Certficates.ps1 script.
3. When prompted for the ordersFile: supply the path and file name for the orders file.  (example: c:\temp\input-orders.txt)
4. When prompted for the outputFile: supply the path and file name for an output file.  (example: c:\temp\output-orders.txt)

Figure 1 - Windows PowerShell Login Screen

5. Once prompted with the PowerShell login screen, provide the Account ID as the username and the API Key as the password, as shown in Figure 1.
6. Once completed, the number of certificates written to the output file should match the number of orders within the input file.  Sample screen of completed script below.


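param(
    # DigiCert account ID as the username, API key as the password
    $cred = $(Get-Credential -Message "Enter DigiCert account ID as username, API Key as password"),

    [Parameter(Mandatory = $true)]
    $ordersFile, # List of order numbers, one per line

    [Parameter(Mandatory = $true)]
    $outputFile  # Where do you want to save the results
)

# Force Strict Mode
Set-StrictMode -Version 2
[object]$result = $null
[string]$strOutput = ""
[int]$totalCount = 0

# Placeholder: the part of the request URI that precedes "<order>/certificate"
# is missing from this article. Set it from the DigiCert API documentation.
$apiBase = "<DIGICERT-API-BASE-URL>"

# Make sure we can open the file with the list of order numbers
if (-not (Test-Path $ordersFile)) {
    Write-Host -ForegroundColor Red "ERROR: Unable to open OrdersFile: '$($ordersFile)'"
    return
}

$orders = Get-Content $ordersFile

foreach ($order in $orders) {
    $result = $null
    try {
        # One request per order: use $order (the current line), not the whole $orders list.
        # The -ContentType value is cut off in this article and is kept as published.
        $result = Invoke-RestMethod -Method Get -Uri "$apiBase/$order/certificate" -Credential $cred -ContentType "application/"
        if ($result -ne $null -and $result.certs -ne $null -and $result.certs.certificate -ne $null) {
            $strOutput += $result.certs.certificate
            # Count only the orders that actually returned a certificate
            $totalCount++
        }
    } catch {
        Write-Host -ForegroundColor Red "An error occured retrieving order $($order):`n`t $($_.Exception.Message)"
    }
}

$strOutput | Out-File $outputFile
Write-Host "$($totalCount) Certificates written to $($outputFile)"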
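
Step 6 relies on the count printed by the script, which does not show whether each saved block is a usable certificate. The following is an added example, not part of the original article or script: a hypothetical function, Test-RetrievedCertificates, that compares the number of orders with the number of certificates in the output file that actually parse. It assumes each certificate is saved as a PEM block with BEGIN/END CERTIFICATE lines; the demo data at the end is constructed and needs .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example (not part of the original script). Assumes PEM-framed certificates.
function Test-RetrievedCertificates {
    param(
        [Parameter(Mandatory = $true)][string]$OrdersFile,
        [Parameter(Mandatory = $true)][string]$OutputFile
    )
    # Count non-blank lines: the retrieval script makes one request per line
    $orderCount = @(Get-Content $OrdersFile | Where-Object { $_.Trim() }).Count
    $text    = [string](Get-Content $OutputFile -Raw)   # an empty file becomes ''
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $certs = @(foreach ($m in [regex]::Matches($text, $pattern)) {
        try {
            # Strip line breaks, decode to DER, and let .NET parse the certificate
            $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            $c   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            [pscustomobject]@{
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
                Thumbprint = $c.Thumbprint
                Expired    = $c.NotAfter -lt (Get-Date)
            }
        } catch {
            Write-Warning "Block at offset $($m.Index) did not parse: $($_.Exception.Message)"
        }
    })
    [pscustomobject]@{
        Orders       = $orderCount
        Certificates = $certs.Count
        CountsMatch  = ($orderCount -eq $certs.Count)
        Details      = $certs
    }
}

# Constructed demo data: a throwaway self-signed certificate and one made-up order number
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=constructed.example', $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
$b64  = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
$ordersDemo = Join-Path ([IO.Path]::GetTempPath()) 'demo-orders.txt'
$outputDemo = Join-Path ([IO.Path]::GetTempPath()) 'demo-output.txt'
'0000001' | Out-File $ordersDemo
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" | Out-File $outputDemo
Test-RetrievedCertificates -OrdersFile $ordersDemo -OutputFile $outputDemo
```

A CountsMatch value of False means at least one order returned no certificate or returned data that does not parse; the red error lines printed by the retrieval script identify which orders failed.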



  • Igor Guarisma

    I'm getting an error message with this script:

    An error occured retrieving order 00795409:

        The remote server returned an error: (400) Bad Request.

    Is it out of date?