Create a certificate from a request file with Powershell

The purpose of this post is to show you the different Powershell cmdlets available to get a certificate from a Microsoft PKI using a base64 certificate request file. The following command lines use the Powershell module PSPKI. To install it, run the following command:

PS> Install-Module -Name PSPKI

This module is intended to simplify various PKI and Active Directory Certificate Services management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management you should consider using the Quest AD PKI cmdlets.

You can use openssl to generate a CSR. This procedure describes how to create the CSR file.

In our example the CSR file name will be: request.csr

Now you need to get your local PKI server information. Your infrastructure may host multiple issuing CA servers. To get the current list, execute the following command:

PS C:\Windows\system32> Get-CertificationAuthority

DisplayName                              ComputerName              IsAccessible ServiceStatus Type
-----------                              ------------              ------------ ------------- ----
IssuingCA01                           caserver01.domain.local      True         Running       Enterprise Subordinate CA
IssuingCA02                           caserver02.domain.local      True         Running       Enterprise Subordinate CA

For our example we will use IssuingCA02 (fqdn=caserver02.domain.local).

The following line submits the CSR file to our CA server called IssuingCA02. We use the WebServer template to issue the certificate:

Submit-CertificateRequest -path C:\Temp\request.csr -CertificationAuthority (Get-CertificationAuthority caserver02.domain.local) -Attribute CertificateTemplate:WebServer

CertificationAuthority : PKI.CertificateServices.CertificateAuthority
RequestID              : 999
Status                 : Issued
Certificate            : [Subject]
                           CN=mycommonname.domain.local

                         [Issuer]
                           CN=IssuingCA02, DC=domain, DC=local

                         [Serial Number]
                           4EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX295

                         [Not Before]
                           9/15/2019 6:30:40 PM

                         [Not After]
                           9/15/2021 6:40:40 PM

                         [Thumbprint]
                           44514FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCAB1A

ErrorInformation       :

We can now save the issued certificate with the following lines (destination certificate file name: C:\Temp\mycert.cer):

# Out-File defaults to UTF-16 in Windows PowerShell; force ASCII so the resulting PEM file is readable by openssl and other tools.
"-----BEGIN CERTIFICATE-----" | Out-File C:\Temp\mycert.cer -Encoding ascii
# RawCertificate holds the base64 body of the issued certificate as stored in the CA database; trim the trailing line break before appending.
((Get-IssuedRequest -CertificationAuthority (Get-CertificationAuthority caserver02.domain.local) -RequestID 999 -Property "RawCertificate")."RawCertificate").trim("`r`n") | Out-File C:\Temp\mycert.cer -Append -Encoding ascii
"-----END CERTIFICATE-----" | Out-File C:\Temp\mycert.cer -Append -Encoding ascii
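The whole procedure above as one script, added here as an example that is not part of the original post: it submits the CSR, stops on any status other than Issued (a request held for manager approval shows up in Get-PendingRequest instead), writes a 64-column PEM file in ASCII from the returned certificate object and re-reads the file to confirm it holds the certificate the CA reported. The CA host, CSR path, template name and output path are assumed values taken from the post.

```powershell
# Added example, not the original post's code. Assumed values below match the post.
Import-Module PSPKI

$caHost   = 'caserver02.domain.local'   # issuing CA as listed by Get-CertificationAuthority
$csrPath  = 'C:\Temp\request.csr'       # base64 CSR generated with openssl
$outPath  = 'C:\Temp\mycert.cer'
$template = 'WebServer'

$ca = Get-CertificationAuthority $caHost
if (-not $ca) { throw "CA '$caHost' not found" }

$result = Submit-CertificateRequest -Path $csrPath -CertificationAuthority $ca `
              -Attribute "CertificateTemplate:$template"

# Anything other than Issued (pending approval, denied, policy error) stops here
# with the CA's own explanation instead of writing an empty file.
if ($result.Status -ne 'Issued') {
    throw "Request $($result.RequestID) not issued: status=$($result.Status) $($result.ErrorInformation)"
}

# Submit-CertificateRequest returns the issued certificate as an X509Certificate2.
$cert = $result.Certificate

# Re-encode from the DER bytes and wrap at 64 characters, the conventional PEM width,
# instead of relying on how the CA database stores the base64 text.
$b64  = [Convert]::ToBase64String($cert.RawData)
$body = ([regex]::Replace($b64, '.{1,64}', "`$0`n")).TrimEnd("`n")
$pem  = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----`n"

# Out-File defaults to UTF-16 in Windows PowerShell; ASCII gives a PEM other tools accept.
$pem | Out-File -FilePath $outPath -Encoding ascii -NoNewline

# Verify: reload the written file and compare thumbprints with what the CA returned.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outPath)
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw "Written file does not match the issued certificate (request $($result.RequestID))"
}
Write-Host "Request $($result.RequestID): saved $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $outPath"
```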

Sample of the cmdlets available in the PSPKI module (full list here):
Add-AdCertificate
Add-AdCertificateRevocationList
Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAAccessControlEntry (Alias: Add-CAACL)
Add-CATemplate
Add-CertificateEnrollmentPolicyService
Add-CertificateEnrollmentService
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-PolicyModuleFlag
Get-CATemplate
Get-CertificateRequest
Get-CertificateRevocationList (Alias: Get-CRL)
Get-CertificateRevocationListFlag (Alias: Get-CRLFlag)
Get-CertificateTemplate
Get-CertificateTemplateAcl
Get-IssuedRequest
Get-PendingRequest
Publish-CRL
Remove-CATemplate
Remove-ExtensionList
Restart-CertificationAuthority
Revoke-Certificate
Start-CertificationAuthority
Test-WebServerSSL
Uninstall-CertificationAuthority
