With the following function, it is possible to renew a Local machine certificate by providing the certificate thumbprint to the function. To simply get a certificate thumbprint, you can run this command:
gci -path Cert:\LocalMachine\My | select Thumbprint
If you want more information (Subject, Issuer, validity dates and thumbprint) on the certificates listed above, type:
gci -path Cert:\LocalMachine\My | select Subject,Thumbprint,Issuer,NotAfter,NotBefore |ft -autosize
Note that the commands above and the function below operate on the Local Machine certificate store. This is why the first variable ($ContextAdministratorForceMachine) is set to 0x3: the certificate is being requested by an administrator acting on behalf of a computer, not for the current user.
You can find a full version of this function here (thank you, Slogmeister Extraordinaire, for your post).
function renew_cert($thumbprint) {
    # X509CertificateEnrollmentContext: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379399(v=vs.85).aspx
    $ContextAdministratorForceMachine=0x3
    # EncodingType: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
    $XCN_CRYPT_STRING_BASE64=0x1
    # X509RequestInheritOptions: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379430(v=vs.85).aspx
    $InheritDefault=0x00000000
    $InheritRenewalCertificateFlag=0x00000020
    $InheritTemplateFlag=0x00000040
    $InheritSubjectFlag=0x00000080
    $InheritExtensionsFlag=0x00000100
    $InheritSubjectAltNameFlag=0x00000200
    # Reuse template, subject, SANs and extensions of the existing certificate in the renewal request
    $X509RequestInheritOptions=$InheritDefault+$InheritRenewalCertificateFlag+$InheritTemplateFlag+$InheritSubjectAltNameFlag+$InheritExtensionsFlag+$InheritSubjectFlag

    # Existing certificate to renew, looked up by thumbprint in the machine store
    $Cert=Get-Item -Path "Cert:\LocalMachine\my\$thumbprint"

    # Build a PKCS#10 request seeded from the existing certificate
    $PKCS10=New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $PKCS10.Silent=$true
    $PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine,[System.Convert]::ToBase64String($Cert.RawData), $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
    $PKCS10.AlternateSignatureAlgorithm=$false
    $PKCS10.SmimeCapabilities=$false
    $PKCS10.SuppressDefaults=$true
    $PKCS10.Encode()

    # Submit the request and install the renewed certificate
    $Enroll=New-Object -ComObject X509Enrollment.CX509Enrollment
    $Enroll.InitializeFromRequest($PKCS10)
    $Enroll.Enroll()
}
# renew_cert "9A1910E097EDEEC6173E7C4F322977F2EA8BAC7F"
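As an added example (not part of the original post), the wrapper below assumes the renew_cert function above is already loaded in the session and that the certificates were issued by an enterprise CA: it finds certificates in Cert:\LocalMachine\My that expire within a given number of days, skips the ones this method cannot renew (no private key, or self-signed, where Subject equals Issuer), and lists what was newly issued. The function name, parameters and checks are my own assumptions.

```powershell
# Added example, not from the original post. Assumes renew_cert (defined above)
# is already dot-sourced into the current elevated PowerShell session.
function Renew-ExpiringMachineCerts {
    param(
        [int]$DaysBeforeExpiry = 30,   # renew anything expiring within this window
        [switch]$DryRun                # only list candidates, submit nothing
    )
    $store  = 'Cert:\LocalMachine\My'
    $cutoff = (Get-Date).AddDays($DaysBeforeExpiry)
    # Snapshot of thumbprints before renewal, to spot newly issued certificates later
    $before = @(Get-ChildItem -Path $store | Select-Object -ExpandProperty Thumbprint)

    foreach ($cert in Get-ChildItem -Path $store) {
        if ($cert.NotAfter -gt $cutoff) { continue }   # not due yet

        # The renewal request is signed with the existing private key and sent
        # to the issuing CA, so skip certificates that lack either (assumption).
        if (-not $cert.HasPrivateKey) {
            Write-Warning "Skipping $($cert.Thumbprint) ($($cert.Subject)): no private key"
            continue
        }
        if ($cert.Subject -eq $cert.Issuer) {
            Write-Warning "Skipping $($cert.Thumbprint) ($($cert.Subject)): self-signed, no CA to renew from"
            continue
        }

        Write-Host "Renewing $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)"
        if ($DryRun) { continue }
        try {
            renew_cert $cert.Thumbprint
        } catch {
            # COM enrollment failures (such as the 0x80092004 error quoted in the
            # comments) surface here instead of aborting the whole loop.
            Write-Warning "Renewal of $($cert.Thumbprint) failed: $($_.Exception.Message)"
        }
    }

    # Anything present now that was absent before is a freshly issued certificate
    Get-ChildItem -Path $store |
        Where-Object { $before -notcontains $_.Thumbprint } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Format-Table -AutoSize
}

# Dry run first, then the real renewal:
# Renew-ExpiringMachineCerts -DaysBeforeExpiry 30 -DryRun
# Renew-ExpiringMachineCerts -DaysBeforeExpiry 30
```

The old certificate stays in the store after renewal; compare the NotAfter values in the final table against the ones from the gci command above before removing it.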
Certificate renewal with Powershell
Hi,
I am trying to use your code on Windows Server 2008 and 2012 to renew a self-signed certificate in the location:
"cert:\LocalMachine\Remote Desktop\", but am getting the following error:
Exception calling “InitializeFromCertificate” with “4” argument(s): “CertEnroll::CX509CertificateRequestCertificate::InitializeFromCertificate: Cannot find object or property. 0x80092004 (-2146885628)”
At C:\Monitoring_DoNotRemove\CertificateRenewal\CertificateRenawal.ps1:59 char:35
+ $PKCS10.InitializeFromCertificate <<<< ($ContextAdministratorForceMachine, $strCertificate, $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
After trying to initialize the certificate:
$strCertificate=[System.Convert]::ToBase64String($Cert.RawData)
#$PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine,[System.Convert]::ToBase64String($Cert.RawData), $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
$PKCS10.InitializeFromCertificate($ContextAdministratorForceMachine, $strCertificate, $XCN_CRYPT_STRING_BASE64, $X509RequestInheritOptions)
I really need this to be working as the windows command line alternative is poor.
Appreciate a lot any answer.
Cheers
M.
Hello,
I have to test your case using a self-signed certificate. Tell me if you still need this script.
Regards