Certificate renewal with Powershell
Certificate renewal with Powershell

With the following function, it is possible to renew a Local machine certificate by providing the certificate thumbprint to the function. To simply get a certificate thumbprint, you can run this command:

gci -path Cert:\LocalMachine\My | select Thumbprint

If you want more information (Subject,Issuer, Validity dates and thumbprint) on the certificate listed above, type :

gci -path Cert:\LocalMachine\My | select Subject,Thumbprint,Issuer,NotAfter,NotBefore |ft -autosize

Note that the command above and below are running on the Local Machine Certificate store. This is why the first variable ( $ContextAdministratorForceMachine ) has been set to 0x3 : the certificate is being requested by an administrator acting on the behalf of a computer.

You can find a full version of this function here (thank you Slogmeister Extraordinaire for your post)

function renew_cert($thumbprint) {
	#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx
	$ContextAdministratorForceMachine=0x3
	
	#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
	$XCN_CRYPT_STRING_BASE64=0x1
	
	#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379430(v=vs.85).aspx
	$InheritDefault=0x00000000
	$InheritRenewalCertificateFlag=0x00000020
	$InheritTemplateFlag=0x00000040
	$InheritSubjectFlag=0x00000080
	$InheritExtensionsFlag=0x00000100
	$InheritSubjectAltNameFlag=0x00000200
	$X509RequestInheritOptions=$InheritDefault+$InheritRenewalCertificateFlag+$InheritTemplateFlag+$InheritSubjectAltNameFlag+$InheritExtensionsFlag+$InheritSubjectFlag
	
	$Cert=Get-Item -Path "Cert:\LocalMachine\my\$thumbprint"
	
	$PKCS10=New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
	$PKCS10.Silent=$true
	$PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine,[System.Convert]::ToBase64String($Cert.RawData), $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
	
	$PKCS10.AlternateSignatureAlgorithm=$false
	$PKCS10.SmimeCapabilities=$false
	$PKCS10.SuppressDefaults=$true
	$PKCS10.Encode()
	
	$Enroll=New-Object -ComObject X509Enrollment.CX509Enrollment
	$Enroll.InitializeFromRequest($PKCS10)
	
	$Enroll.Enroll()
}

# renew_cert "9A1910E097EDEEC6173E7C4F322977F2EA8BAC7F"

<>

My Powershell script categories

Certificate renewal with Powershell

4 thoughts on “Certificate renewal with Powershell

  • February 28, 2019 at 11:58 am
    Permalink

    Hi,

    I am trying to use your code on windows server 2008 and 2012 to renew a celf signed certificate in the location:
    “cert:\LocalMachine\Remote Desktop\”cert:\LocalMachine\Remote Desktop\” , but am getting the following error:

    Exception calling “InitializeFromCertificate” with “4” argument(s): “CertEnroll::CX509CertificateRequestCertificate::InitializeFromCertificate: Cannot find object or property. 0x80092004 (-2146885628)”
    At C:\Monitoring_DoNotRemove\CertificateRenewal\CertificateRenawal.ps1:59 char:35
    + $PKCS10.InitializeFromCertificate <<<< ($ContextAdministratorForceMachine, $strCertificate, $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ComMethodTargetInvocation

    After trying to Inititialize the certificate

    $strCertificate=[System.Convert]::ToBase64String($Cert.RawData)

    #$PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine,[System.Convert]::ToBase64String($Cert.RawData), $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)

    $PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine, $strCertificate, $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)

    I really need this to be working as the windows command line alternative is poor.

    Apreciate a lot any answer.

    Cheers

    M.

    Reply
    • June 14, 2019 at 6:28 am
      Permalink

      Hello,

      I have to test your case using self signed certificate. Tell me if you still need this script.

      Regards

      Reply
  • February 28, 2019 at 11:58 am
    Permalink

    Hi,

    I am trying to use your code on windows server 2008 and 2012 to renew a celf signed certificate in the location:
    “cert:\LocalMachine\Remote Desktop\”cert:\LocalMachine\Remote Desktop\” , but am getting the following error:

    Exception calling “InitializeFromCertificate” with “4” argument(s): “CertEnroll::CX509CertificateRequestCertificate::InitializeFromCertificate: Cannot find object or property. 0x80092004 (-2146885628)”
    At C:\Monitoring_DoNotRemove\CertificateRenewal\CertificateRenawal.ps1:59 char:35
    + $PKCS10.InitializeFromCertificate <<<< ($ContextAdministratorForceMachine, $strCertificate, $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ComMethodTargetInvocation

    After trying to Inititialize the certificate

    $strCertificate=[System.Convert]::ToBase64String($Cert.RawData)

    #$PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine,[System.Convert]::ToBase64String($Cert.RawData), $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)

    $PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine, $strCertificate, $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)

    I really need this to be working as the windows command line alternative is poor.

    Apreciate a lot any answer.

    Cheers

    M.

    Reply
    • June 14, 2019 at 6:28 am
      Permalink

      Hello,

      I have to test your case using self signed certificate. Tell me if you still need this script.

      Regards

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *