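function Save-CertificatesToDisk {
    <#
    .SYNOPSIS
    Saves Certificates to Disk.

    .DESCRIPTION
    Routes one Secret Server certificate into the ROOT, Personal or TrustedPeople
    sub-folder of $downloadFolder, chosen from the certificate's name and file
    extension (first matching rule wins, in the order written below), and appends
    one hashtable @{ FileName = <path>; Password = <string> } per written file to
    the array held in $savedCertificates.Value. Certificates that match no rule
    are reported with Write-Warning and nothing is appended.

    .PARAMETER cert
    The certificate record to save. Its SaveFileToDisk(<folder>) method is
    expected to write the file into <folder> and return the resulting path.

    .PARAMETER savedCertificates
    A [ref] to the array that receives one entry per saved file. Passwords are
    stored in the entries as given by $cert.Password (plain values, not secured).

    .PARAMETER downloadFolder
    Root folder under which ROOT, Personal and TrustedPeople are created if
    missing. ZIP-packaged certificates are first written here, then extracted
    into a randomly named sub-folder of Personal; the ZIP itself is left in place.
    #>
    [CmdletBinding()]
    Param(
        [Alkami.Ops.SecretServer.Model.Certificate]$cert,
        [ref]$savedCertificates,
        [string]$downloadFolder
    )

    $logLead = (Get-LogLeadName);

    # Creates $path if it does not already exist; $description is only used in the log line.
    function Initialize-CertFolder([string]$path, [string]$description) {
        if (!([System.IO.Directory]::Exists($path))) {
            Write-Verbose ("$logLead : Creating {0} folder {1}" -f $description, $path)
            New-Item $path -ItemType Directory -Force | Out-Null
        }
    }

    # Appends a written file and the password needed to open it to the caller's array.
    # Parameters are deliberately untyped so $cert.Password is stored exactly as provided.
    function Add-SavedCertificate($path, $password) {
        $savedCertificates.Value += @{FileName = $path; Password = $password; }
    }

    $rootCertFolder = Join-Path $downloadFolder "ROOT"
    $personalCertFolder = Join-Path $downloadFolder "Personal"
    $trustedPeopleFolder = Join-Path $downloadFolder "TrustedPeople"

    Initialize-CertFolder $rootCertFolder "root cert"
    Initialize-CertFolder $personalCertFolder "personal cert"
    Initialize-CertFolder $trustedPeopleFolder "trusted people"

    # Coerce to [string] so a missing name/filename yields "" instead of a null-method error.
    $certName = [string]$cert.Name
    $fileName = [string]$cert.FileName
    # Extension checks are case-insensitive to match the -like/-match rules (and ".PFX" uploads).
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase

    if ($certName -like "*entrust*" -or $certName -like "*identityguard*") {
        # Entrust must go in to Trusted People and Root
        Write-Verbose ("$logLead : Downloading Entrust certificate to {0}" -f $rootCertFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($rootCertFolder)) ""
        Write-Verbose ("$logLead : Downloading Entrust certificate to {0}" -f $trustedPeopleFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($trustedPeopleFolder)) ""
    }
    elseif ($certName -like "*root*") {
        # If the certificate name contains "root" we will assume it's a root certificate
        Write-Verbose ("$logLead : Downloading Root certificate to {0}" -f $rootCertFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($rootCertFolder)) ""
    }
    elseif ($fileName -match "Alkami.+(Issued|Mutual|RPSTS)") {
        # Certs for Web <-> App Communication go in TrustedPeople and Personal
        Write-Verbose ("$logLead : Downloading Alkami certificate {0} to {1}" -f $cert.FileName, $trustedPeopleFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($trustedPeopleFolder)) $cert.Password
        Write-Verbose ("$logLead : Downloading Alkami certificate {0} to {1}" -f $cert.FileName, $personalCertFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($personalCertFolder)) $cert.Password
    }
    elseif ($fileName.EndsWith(".zip", $ignoreCase)) {
        # Client Certs are saved in Secret as ZIP files
        # We need to unzip to Personal
        Write-Verbose ("$logLead : Downloading certificate ZIP file {0} to {1}" -f $cert.FileName, $downloadFolder)
        $downloadedZIP = $cert.SaveFileToDisk($downloadFolder)

        # Random sub-folder so that several ZIPs extracted in one run cannot overwrite each other.
        $randomFolderName = [System.IO.Path]::GetRandomFileName().Split('.') | Select-Object -First 1
        $unzipFolder = Join-Path $personalCertFolder $randomFolderName
        Initialize-CertFolder $unzipFolder "temporary unzip"

        Write-Verbose ("$logLead : Unzipping ZIP file contents to {0}" -f $unzipFolder)
        # NOTE(review): whether ExtractToDirectory rejects entries whose relative path
        # escapes $unzipFolder depends on the runtime version — confirm for the target
        # hosts, since the archive content comes from an external secret store.
        [System.IO.Compression.ZipFile]::ExtractToDirectory($downloadedZIP, $unzipFolder)

        # Newest .PFX in the extracted tree is taken as the certificate; warn instead of
        # silently appending an entry with an empty FileName when the ZIP held none.
        $pfxPath = Get-ChildItem $unzipFolder -Recurse -Include *.PFX |
            Sort-Object -Property LastWriteTimeUtc -Descending |
            Select-Object -First 1 -ExpandProperty FullName
        if ([string]::IsNullOrEmpty($pfxPath)) {
            Write-Warning ("$logLead : No .PFX file found in {0} after extracting {1}" -f $unzipFolder, $cert.FileName)
        }
        else {
            Add-SavedCertificate $pfxPath $cert.Password
        }
    }
    elseif ($fileName -like "*trusted*") {
        # If the filename contains "trusted" we will assume it's a trusted people certificate
        Write-Verbose ("$logLead : Downloading certificate {0} to {1}" -f $cert.FileName, $trustedPeopleFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($trustedPeopleFolder)) ""
    }
    elseif ($fileName.EndsWith(".cer", $ignoreCase)) {
        # Any other .CER files will be saved to ROOT
        Write-Verbose ("$logLead : Downloading certificate {0} to {1}" -f $cert.FileName, $rootCertFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($rootCertFolder)) ""
    }
    elseif ($fileName.EndsWith(".pfx", $ignoreCase)) {
        # All .PFX files will be saved to Personal
        Write-Verbose ("$logLead : Downloading certificate with private key {0} to {1}" -f $cert.FileName, $personalCertFolder)
        Add-SavedCertificate ($cert.SaveFileToDisk($personalCertFolder)) $cert.Password
    }
    else {
        # Write-Warning rather than Write-Output: the function otherwise emits nothing to the
        # pipeline, so the message must not become a return value for callers capturing output.
        Write-Warning ("$logLead : Unable to determine what to do with certificate {0} with SecretID {1}" -f $cert.FileName, $cert.Id)
    }
}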