Examples of what you can do with Active Directory PowerShell related to certificate management in Active Directory Certificate Services (AD CS)
You can create an X509Certificate (or X509Certificate2) object from a certificate file.
PS C:\> $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test1.cer"
PS C:\> $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test2.cer"
Then assign the certificates to a user account while creating it.
PS C:\> $certs = $cert1,$cert2 #create certificate array
PS C:\> New-ADUser -Name TestUser1 -SamAccountName TestUser1 -Certificates $certs
Note: The Certificates parameter writes the LDAP attribute userCertificate.
You can also assign the certificates to an existing user account.
PS C:\> Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}
You can fetch the certificates of an existing user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
And then view the basic details of the certificates as shown below:
PS C:\> $user1.Certificates | fl * -f
Handle  : 456139856
Issuer  : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
...
X509Certificate2 can be used to view more details of the certificates.
PS C:\> $user1.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | fl * -f
...
FriendlyName       :
IssuerName         : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter           : 2/24/2109 8:35:26 AM
NotBefore          : 3/20/2009 9:35:26 AM
HasPrivateKey      : False
PrivateKey         :
PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey
RawData            : {48, 130, 3, 139...}
SerialNumber       : …
SubjectName        : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint         : …
Version            : 3
Handle             : 456139856
Issuer             : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject            : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
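The same X509Certificate2 conversion can drive a simple audit of the userCertificate attribute across many accounts. The following is an added example, not code from the original article: it reports, per user, each stored certificate's subject, thumbprint, expiry, signature algorithm and Subject Alternative Name, and flags certificates that are expired, expiring within a window, or signed with SHA-1 or MD5. The search base, the 30-day window and the function name are assumptions.

```powershell
# Added example (not from the original article): audit the certificates stored
# in the userCertificate attribute (the Certificates property) of all users
# under a search base. Search base, window and function name are assumptions.
Import-Module ActiveDirectory

function Get-ADUserCertificateReport {
    param(
        [string]$SearchBase = "OU=Users,DC=contoso,DC=com",   # assumption
        [int]$ExpiresWithinDays = 30                          # assumption
    )
    $now = Get-Date
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties Certificates |
        ForEach-Object {
            $user = $_
            foreach ($raw in $user.Certificates) {
                # Same conversion the article uses: X509Certificate2 exposes
                # NotAfter, SignatureAlgorithm and the certificate extensions.
                $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
                # subjectAltName extension (OID 2.5.29.17), rendered as text
                $san = $c.Extensions |
                    Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                    ForEach-Object { $_.Format($false) }
                $sigAlg = $c.SignatureAlgorithm.FriendlyName
                $status = 'Valid'
                if ($c.NotAfter -lt $now) { $status = 'Expired' }
                elseif ($c.NotAfter -lt $now.AddDays($ExpiresWithinDays)) { $status = 'ExpiringSoon' }
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    Subject        = $c.Subject
                    Thumbprint     = $c.Thumbprint
                    NotAfter       = $c.NotAfter
                    SignatureAlg   = $sigAlg
                    WeakSignature  = ($sigAlg -like 'sha1*' -or $sigAlg -like 'md5*')
                    SubjectAltName = ($san -join '; ')
                    Status         = $status
                }
            }
        }
}

# Show only the entries that need attention, soonest expiry first.
Get-ADUserCertificateReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.WeakSignature } |
    Sort-Object NotAfter |
    Format-Table SamAccountName, Subject, NotAfter, SignatureAlg, Status -AutoSize
```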
You can also copy the certificates of one user to a new user account.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
PS C:\> New-ADUser -Name TestUser2 -SamAccountName TestUser2 -Certificates $user1.Certificates

Installing AD CS with Install-AdcsCertificationAuthority

In Windows Server 2012, you can use Windows PowerShell to install AD CS. The syntax of the Install-AdcsCertificationAuthority cmdlet is documented in the TechNet Library. That syntax is not repeated here; instead, this section covers an odd situation that can arise when you install a new CA and want a comma in the name of the CA. For example, if you want to use the distinguished name suffix OU=PKI,O=Contoso, Ltd.,C=US, you need double quotes around the organization name. You also need the Windows PowerShell escape character, the backtick (`), also called the grave accent (ASCII 96), before each of those double quotes, so that Windows PowerShell does not misinterpret the distinguished name suffix. An example follows:
Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CAType StandaloneRootCA -CACommonName "Example Internal Root CA" -CADistinguishedNameSuffix "OU=PKI,O=`"Contoso, Ltd.`",C=US" -KeyLength 2048 -HashAlgorithmName SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -DatabaseDirectory "C:\CertDB" -LogDirectory "C:\CertLog" -ValidityPeriod "Years" -ValidityPeriodUnits 20 -Verbose
Note: Special thanks to Brian Komar for providing the basis for the above example.
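Because a CA name is written into every certificate it issues, it is worth confirming how the escaped suffix is parsed before running the installer. The following is an added example, not code from the original article: it builds the full CA name from the article's common name and suffix, parses it with the X500DistinguishedName class, and lists the resulting RDNs so you can see that the comma in "Contoso, Ltd." stayed inside the O= value instead of splitting the name. The function name is an assumption.

```powershell
# Added example (not from the original article): check how a backtick-escaped
# -CADistinguishedNameSuffix value is parsed before handing it to
# Install-AdcsCertificationAuthority. Function name is an assumption.
function Test-CADistinguishedName {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string]$Suffix
    )
    # X500DistinguishedName applies the same X.500 string rules the CA uses:
    # a comma outside a quoted value starts a new RDN.
    $dn = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName ("CN=$CommonName,$Suffix")
    # Format($true) renders one RDN per line, so the line count shows whether
    # the organization name was kept whole (4 RDNs: CN, OU, O, C).
    $rdns = $dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' }
    [pscustomobject]@{
        Name     = $dn.Name
        RdnCount = @($rdns).Count
        Rdns     = $rdns
    }
}

# The value from the article: the `" sequences keep literal double quotes in
# the string PowerShell passes on, so the comma stays inside O="Contoso, Ltd."
$suffix = "OU=PKI,O=`"Contoso, Ltd.`",C=US"
Test-CADistinguishedName -CommonName "Example Internal Root CA" -Suffix $suffix | Format-List
```

The escaping rule is independent of the hash algorithm; for a CA installed today, SHA256 rather than the SHA1 shown in the article's command is the usual choice for -HashAlgorithmName.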
Additional Resources
Display Subject Alternative Names of a Certificate with PowerShell
This article was started from the Active Directory PowerShell Blog post Working with Certificates in AD PowerShell by Ashish Sharma [MSFT].