Automate certificate revocation on a Microsoft PKI
Create a certificate from a request file with Powershell

The purpose of this post is to show you the different available Powershell cmdlets to get a certificate from a Microsoft PKI using a base64 certificate request file. The following command lines will uses the Powershell module PSPKI. To install it, run the following command :

PS> Install-Module -Name PSPKI

This module is intended to simplify various PKI and Active Directory Certificate Services management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management you should consider to use Quest AD PKI cmdlets.

You can use openssl to generate a csr. This procedure describes how to create the csr file.

In our exemple the csr file name will be : request.csr

Now you will need to get your local PKI server information. It is possible your infrastructure hosts multiple issuing CA server. To get the current list, execute the following command:

PS C:\Windows\system32> Get-CertificationAuthority

DisplayName                              ComputerName              IsAccessible ServiceStatus Type
-----------                              ------------              ------------ ------------- ----
IssuingCA01                           caserver01.domain.local      True         Running       Enterprise Subordinate CA
IssuingCA02                           caserver02.domain.local      True         Running       Enterprise Subordinate CA

We will use for our example the IssuingCA02 (fqdn=caserver02.domain.local).

The following line will submit the csr request file to our CA server called IssuingCA02. We will use the template Webserver to issue the certificate:

Submit-CertificateRequest -path C:\Temp\request.csr -CertificationAuthority (Get-CertificationAuthority caserver02.domain.local) -Attribute CertificateTemplate:WebServer

CertificationAuthority : PKI.CertificateServices.CertificateAuthority
RequestID              : 999
Status                 : Issued
Certificate            : [Subject]
                           CN=mycommonname.domain.local

                         [Issuer]
                           CN=IssuingCA02, DC=domain, DC=local

                         [Serial Number]
                           4EXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX295

                         [Not Before]
                           9/15/2019 6:30:40 PM

                         [Not After]
                           9/15/2021 6:40:40 PM

                         [Thumbprint]
                           44514FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCAB1A

ErrorInformation       :

We can now save the issued certificate by using these lines (destination certificate filename : C:\Temp\mycert.cer):

"-----BEGIN CERTIFICATE-----" | Out-File C:\Temp\mycert.cer
((Get-IssuedRequest -CertificationAuthority (Get-CertificationAuthority caserver02.domain.local) -RequestID 999 -Property "RawCertificate")."RawCertificate").trim("`r`n") | Out-File C:\Temp\mycert.cer -Append
"-----END CERTIFICATE-----" | Out-File C:\Temp\mycert.cer -Append
<>

My Powershell script categories

Sample of the cmdlets availables in the PSPKI module (full list here):
Add-AdCertificate
Add-AdCertificateRevocationList
Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAAccessControlEntry (Alias: Add-CAACL)
Add-CATemplate
Add-CertificateEnrollmentPolicyService
Add-CertificateEnrollmentService
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-PolicyModuleFlag
Get-CATemplate
Get-CertificateRequest
Get-CertificateRevocationList (Alias: Get-CRL)
Get-CertificateRevocationListFlag (Alias: Get-CRLFlag)
Get-CertificateTemplate
Get-CertificateTemplateAcl
Get-IssuedRequest
Get-PendingRequest
Publish-CRL
Remove-CATemplate
Remove-ExtensionList
Restart-CertificationAuthority
Revoke-Certificate
Start-CertificationAuthority
Test-WebServerSSL
Uninstall-CertificationAuthority

Create a certificate from a request file with Powershell

Leave a Reply

Your email address will not be published. Required fields are marked *