Active Directory Certificate Services (AD CS) PowerShell Examples

This page collects examples of using the Active Directory PowerShell module to manage the certificates stored on user objects in Active Directory, followed by a note on installing a certification authority (CA) with Install-AdcsCertificationAuthority.

Update User Certificates

You can create an X509Certificate (or X509Certificate2) object from a certificate file. The file only needs to contain the public certificate (a DER or Base64-encoded .cer); the private key is never stored in the directory.
PS C:\> $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test1.cer"
PS C:\> $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test2.cer"

Then assign the certificates to a user account while creating it.
PS C:\> $certs = $cert1,$cert2 #create certificate array
PS C:\> New-ADUser -Name TestUser1 -SamAccountName TestUser1 -Certificates $certs

Note: The Certificates parameter writes the LDAP attribute userCertificate, a multi-valued attribute that holds DER-encoded public certificates. Other components read that attribute (S/MIME address-book lookups, for example, and an enterprise CA template with "Publish certificate in Active Directory" enabled writes to it), so publish only certificates you actually intend to be associated with the account.

You can also assign the certificates to an existing user account. Replace overwrites every value currently in userCertificate; use Add to append to the existing values and Remove to delete specific ones.
PS C:\> Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}
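The publishing step as it would be done in practice, as an added example that is not code from the original article or from the AD PowerShell team: every .cer in a folder is loaded as X509Certificate2, expired, not-yet-valid and short-RSA-key certificates are skipped, and the survivors are appended with Add rather than Replace so that certificates already published (for example by a CA template) are not silently dropped. The user name, folder, and 2048-bit minimum are assumptions; the script expects the ActiveDirectory module and write access to the target account's userCertificate attribute.

```powershell
# Added example, not code from the original article or from the AD PowerShell team.
# Publishes the certificates in $CertDir to $User's userCertificate attribute after
# checking each one, appending rather than replacing existing values.
# Assumptions: ActiveDirectory module present, $CertDir\*.cer are public certificates
# (DER or Base64), and the caller can write userCertificate on the target account.
Import-Module ActiveDirectory

$User       = 'TestUser1'            # assumption: target account
$CertDir    = 'C:\Certs'             # assumption: folder of .cer files to publish
$MinRsaBits = 2048                   # assumption: policy minimum for RSA keys
$RsaOid     = '1.2.840.113549.1.1.1' # id-rsaEncryption; PublicKey.Key.KeySize is only safe to read for RSA here
$now        = Get-Date

# Load and screen the candidates. X509Certificate2 exposes NotBefore/NotAfter, the
# public key and the thumbprint, which the older X509Certificate type does not.
$candidates = foreach ($file in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    $reason = $null
    if     ($cert.NotAfter  -lt $now) { $reason = 'expired' }
    elseif ($cert.NotBefore -gt $now) { $reason = 'not yet valid' }
    elseif ($cert.PublicKey.Oid.Value -eq $RsaOid -and $cert.PublicKey.Key.KeySize -lt $MinRsaBits) {
        $reason = "RSA key shorter than $MinRsaBits bits"
    }
    if ($reason) {
        Write-Warning "Skipping $($file.Name) ($($cert.Thumbprint)): $reason"
    } else {
        $cert
    }
}

# Compare by thumbprint against what the directory already holds, so re-running the
# script does not publish the same certificate twice.
$published = @((Get-ADUser -Identity $User -Properties Certificates).Certificates |
    ForEach-Object { (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_).Thumbprint })

$toAdd = @($candidates | Where-Object { $published -notcontains $_.Thumbprint })

if ($toAdd.Count -gt 0) {
    # Add appends values; Replace would drop every certificate not in the list.
    Set-ADUser -Identity $User -Certificates @{ Add = $toAdd }
    Write-Host "Published $($toAdd.Count) certificate(s) to $User"
} else {
    Write-Host "Nothing new to publish for $User"
}

# Read back and show what the directory now holds for the account.
(Get-ADUser -Identity $User -Properties Certificates).Certificates |
    ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_ } |
    Select-Object Thumbprint, Subject, Issuer, NotAfter |
    Format-Table -AutoSize
```

The thumbprint comparison is what makes the script safe to run repeatedly; matching on Subject alone would miss a renewed certificate with the same name and a new key.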

View User Certificates

You can fetch the certificates of an existing user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"

And then view the basic details of certificates as shown below:
PS C:\> $user1.Certificates | fl * -f

Handle  : 456139856
Issuer  : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
...

X509Certificate2 exposes more detail (validity period, thumbprint, public key, signature algorithm). HasPrivateKey is always False for these objects because only the public certificate is stored in the directory.
PS C:\> $user1.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | fl * -f

...
FriendlyName       :
IssuerName         : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter           : 2/24/2109 8:35:26 AM
NotBefore          : 3/20/2009 9:35:26 AM
HasPrivateKey      : False
PrivateKey         :
PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey
RawData            : {48, 130, 3, 139...}
SerialNumber       : …
SubjectName        : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint         : …
Version            : 3
Handle             : 456139856
Issuer             : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject            : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator

You can also copy an existing user's certificates to a new user. This publishes TestUser1's public certificates under TestUser2 as well, so anything that looks up certificates by account (an S/MIME address-book lookup, for example) will return them for both users; outside a test environment this is rarely what you want.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
PS C:\> New-ADUser -Name TestUser2 -SamAccountName TestUser2 -Certificates $user1.Certificates
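Reading certificates back one user at a time does not scale to an audit of the whole directory. The following is an added example, not code from the original article: it walks every user object that carries a userCertificate value, decodes each value as X509Certificate2, and flags the ones an administrator would want to look at (expired, not yet valid, MD5/SHA-1 signature, RSA key under 2048 bits, self-signed, or issued by a CA outside an allow-list). The allow-list entry is a placeholder, and the script assumes the ActiveDirectory module is available.

```powershell
# Added example, not code from the original article. Audits every userCertificate value
# in the domain and reports certificates with a finding.
# Assumptions: ActiveDirectory module present; $TrustedIssuers holds your own CA issuer
# DNs exactly as .NET renders them (comma-space separated, most specific RDN first).
Import-Module ActiveDirectory

$TrustedIssuers = @(
    'CN=Contoso Issuing CA, DC=contoso, DC=com'   # placeholder: replace with your CA's Issuer string
)
$RsaOid = '1.2.840.113549.1.1.1'                  # id-rsaEncryption
$now    = Get-Date

function Get-UserCertificateFinding {
    # Returns a comma-separated list of findings for one certificate, or an empty string.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Trusted = $TrustedIssuers
    )
    $findings = @()
    if ($Certificate.NotAfter  -lt $now) { $findings += 'expired' }
    if ($Certificate.NotBefore -gt $now) { $findings += 'not-yet-valid' }
    # FriendlyName is e.g. 'sha1RSA', 'md5RSA', 'sha256RSA'
    if ($Certificate.SignatureAlgorithm.FriendlyName -match '^(md5|sha1)') { $findings += 'weak-signature' }
    # Only read Key.KeySize for RSA; on .NET Framework PublicKey.Key is not available for ECC keys
    if ($Certificate.PublicKey.Oid.Value -eq $RsaOid -and $Certificate.PublicKey.Key.KeySize -lt 2048) {
        $findings += 'short-rsa-key'
    }
    if ($Certificate.Subject -eq $Certificate.Issuer) { $findings += 'self-signed' }
    elseif ($Trusted -notcontains $Certificate.Issuer) { $findings += 'untrusted-issuer' }
    $findings -join ','
}

# The LDAP filter limits the query to accounts that actually carry a value.
$report = foreach ($user in Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties Certificates) {
    foreach ($raw in $user.Certificates) {
        # Each value arrives as X509Certificate; X509Certificate2 has a constructor that takes it.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
        [pscustomobject]@{
            User       = $user.SamAccountName
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Findings   = Get-UserCertificateFinding -Certificate $cert
        }
    }
}

# Show only rows with a finding on screen; keep the full inventory as CSV for later comparison.
$report | Where-Object { $_.Findings } | Sort-Object User, NotAfter | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\userCertificate-audit.csv" -NoTypeInformation
```

Self-signed EFS certificates such as the one in the output above will be reported as self-signed; that is normal for EFS, so decide per finding rather than treating every row as a problem. The issuer check is a plain string comparison, so the allow-list entries must match the Issuer property character for character.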

Installing AD CS with Install-AdcsCertificationAuthority

Starting with Windows Server 2012, you can install AD CS with Windows PowerShell. The syntax of the Install-AdcsCertificationAuthority cmdlet is documented in the TechNet Library and is not repeated here. What is worth noting is an odd situation that arises when the name of the new CA contains a comma. For example, to use the distinguished name suffix OU=PKI,O=Contoso, Ltd.,C=US you must put double quotes around the value that contains the comma, otherwise the comma is read as an RDN separator. Because the whole suffix is itself inside a double-quoted PowerShell string, each inner double quote must be preceded by the PowerShell escape character, the backtick (`), also called the grave accent (ASCII 96), so that PowerShell does not end the string early. An example follows:

Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CAType StandaloneRootCA -CACommonName "Example Internal Root CA" -CADistinguishedNameSuffix "OU=PKI,O=`"Contoso, Ltd.`",C=US" -KeyLength 2048 -HashAlgorithmName SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -DatabaseDirectory "C:\CertDB" -LogDirectory "C:\CertLog" -ValidityPeriod "Years" -ValidityPeriodUnits 20 -Verbose

The example specifies -HashAlgorithmName SHA1, which reflected the defaults of the time. The hash chosen here is the one the CA will sign issued certificates with, and SHA-1 signatures are no longer accepted by current clients, so a CA installed today should use SHA256; with a 20-year validity period the key length and hash chosen at install time will be in use for a long time.

Note: Special thanks to Brian Komar for providing the basis for the above example.
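The quoting rule above is easy to get wrong and expensive to get wrong, since the CA name is baked into the root certificate. The following is an added example, not code from the original article or from Brian Komar's example: it shows the two PowerShell ways of writing the same suffix (backtick-escaped quotes inside a double-quoted string, or a single-quoted string in which nothing needs escaping), proves that the string parses into the intended four RDNs with the same X.500 parser the CA uses before anything is installed, and then installs a standalone root CA with SHA256 and checks the resulting CA certificate. The CA name, directories, key length and validity period are placeholders; the script assumes a Windows Server with the ADCS-Cert-Authority feature available, run from an elevated session.

```powershell
# Added example, not code from the original article or from Brian Komar's example.
# Verifies a DN suffix containing a comma, then installs a standalone root CA with it.
# Assumptions: Windows Server with the ADCS-Cert-Authority feature available, elevated
# session; CA name, directories, key length and validity are placeholders.

$CommonName = 'Example Internal Root CA'

# Inside double quotes the backtick escapes the embedded quotes that protect the comma.
$suffixBacktick = "OU=PKI,O=`"Contoso, Ltd.`",C=US"
# Inside single quotes nothing is interpolated or escaped, so the quotes stand as-is.
$suffixSingle   = 'OU=PKI,O="Contoso, Ltd.",C=US'
if ($suffixBacktick -cne $suffixSingle) { throw 'The two quotings should produce the same string' }

function Test-CADistinguishedName {
    # Parses CN + suffix with X500DistinguishedName and returns the RDNs it found.
    # If the quotes are lost, "Contoso" and " Ltd." become separate RDNs (or the parse fails),
    # which shows up here before the CA is installed rather than in the root certificate.
    param([string]$CN, [string]$Suffix)
    $dn = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName "CN=$CN,$Suffix"
    # Format($true) returns the name with one RDN per line.
    $dn.Format($true) -split "\r?\n" | Where-Object { $_ }
}

$rdns = Test-CADistinguishedName -CN $CommonName -Suffix $suffixBacktick
Write-Host 'Parsed RDNs:'
$rdns | ForEach-Object { Write-Host "  $_" }
if ($rdns.Count -ne 4) { throw "Expected 4 RDNs (CN, OU, O, C) but parsed $($rdns.Count)" }

# Install the role binaries, then configure the CA. SHA256 rather than SHA1: the hash
# chosen here is what the CA signs issued certificates with, and SHA-1 signatures are no
# longer accepted by current clients. 4096-bit RSA for a root that will live 20 years.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $CommonName `
    -CADistinguishedNameSuffix $suffixBacktick `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -DatabaseDirectory 'C:\CertDB' -LogDirectory 'C:\CertLog' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force -Verbose

# The CA's own certificate is placed in the machine store; confirm subject and signature hash.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" } |
    Format-List Subject, Thumbprint, NotAfter,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

The parse check is the part worth keeping even if the rest of the script is replaced by your own deployment tooling: a root CA certificate with a mangled subject cannot be corrected afterwards without reissuing the root.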

Additional Resources

This article was started from the Active Directory PowerShell blog post "Working with Certificates in AD PowerShell" by Ashish Sharma [MSFT].


Revision history
  • Fernando Lugão Veltem edited Revision 5. Comment: removed (en-US) from the title

  • Richard Mueller edited Revision 4. Comment: Added tag

  • Kurt L Hudson edited Revision 3. Comment: Updated to clarify it is the distinguished name suffix as well as to point directly to the Install-AdcsCertificationAuthority cmdlet documentation

  • Kurt L Hudson edited Revision 2. Comment: Updated to reflect the way to escape characters in PowerShell to get a CA named with commas

  • Kurt L Hudson edited Revision 1. Comment: Added additional resources section and links to additional resources

  • Fernando Lugão Veltem edited Original. Comment: added toc and tags
