

Active Directory Certificate Services (AD CS) PowerShell Examples

Examples of what you can do with Active Directory PowerShell related to certificate management in Active Directory Certificate Services (AD CS)

Update User Certificates

You can create an X509Certificate (or X509Certificate2) object from a certificate file.
PS C:\> $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test1.cer"
PS C:\> $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test2.cer"

Then assign the certificates to a user account while creating it.
PS C:\> $certs = $cert1,$cert2 #create certificate array
PS C:\> New-ADUser -Name TestUser1 -SamAccountName TestUser1 -Certificates $certs

Note: The Certificates parameter updates the LDAP attribute userCertificate.

You can also assign the certificates to an existing user account.
PS C:\> Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}

View User Certificates

You can fetch the certificates of an existing user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"

And then view the basic details of certificates as shown below:
PS C:\> $user1.Certificates | fl * -f

Handle  : 456139856
Issuer  : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
...

X509Certificate2 can be used to view more details of certificates.
PS C:\> $user1.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | fl * -f

...
FriendlyName       :
IssuerName         : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter           : 2/24/2109 8:35:26 AM
NotBefore          : 3/20/2009 9:35:26 AM
HasPrivateKey      : False
PrivateKey         :
PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey
RawData            : {48, 130, 3, 139...}
SerialNumber       : …
SubjectName        : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint         : …
Version            : 3
Handle             : 456139856
Issuer             : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject            : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator

You can also assign an existing user's certificates to a new user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
PS C:\> New-ADUser -Name TestUser2 -SamAccountName TestUser2 -Certificates $user1.Certificates
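Building on the Get-ADUser and X509Certificate2 steps above, the following added example (not part of the original article) audits the userCertificate attribute of every enabled user under an OU and flags certificates that are expired, close to expiry, SHA-1 signed, or backed by an RSA key shorter than 2048 bits. The search base is a placeholder you replace with your own OU; the RSACertificateExtensions call assumes .NET Framework 4.6 or later (or PowerShell 7).

```powershell
# Added example, not from the original article: audit userCertificate values on user accounts.
Import-Module ActiveDirectory

$searchBase = "OU=Users,DC=contoso,DC=com"   # placeholder: replace with your own OU/domain
$warnDays   = 30                              # flag certificates expiring within this window

$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties Certificates) {
    foreach ($raw in $u.Certificates) {
        # Get-ADUser returns X509Certificate objects; X509Certificate2 exposes dates, thumbprint and key info.
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw

        $findings = @()
        if ($c.NotAfter -lt (Get-Date)) {
            $findings += 'expired'
        } elseif ($c.NotAfter -lt (Get-Date).AddDays($warnDays)) {
            $findings += "expires within $warnDays days"
        }
        if ($c.SignatureAlgorithm.FriendlyName -match 'sha1') {
            $findings += 'SHA-1 signature'
        }
        # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), so the size check only applies to RSA.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
        if ($rsa -and $rsa.KeySize -lt 2048) {
            $findings += "RSA key only $($rsa.KeySize) bits"
        }

        [pscustomobject]@{
            User       = $u.SamAccountName
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Findings   = ($findings -join '; ')
        }
    }
}

# Only rows with at least one finding need follow-up; sort so the soonest expiries come first.
$report | Where-Object Findings | Sort-Object NotAfter | Format-Table -AutoSize
```

Pipe `$report` (without the Where-Object filter) to Export-Csv if you want a full inventory of published user certificates rather than only the findings.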

Installing AD CS with Install-AdcsCertificationAuthority

In Windows Server 2012, you can use Windows PowerShell to install AD CS. The syntax of the Install-AdcsCertificationAuthority command is documented in the TechNet Library. That syntax is not repeated here; instead, this section covers an odd situation that can arise if you are installing a new CA and want to use a comma in the name of the CA. For example, if you want to use the distinguished name suffix OU=PKI,O=Contoso, Ltd.,C=US, you will need double quotes around the name that contains the comma. You will also need to place the Windows PowerShell escape character, the backtick (`), also called the grave accent (ASCII 96), before each of those double quotes, so that Windows PowerShell does not misinterpret the distinguished name suffix. An example follows:

Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CAType StandaloneRootCA -CACommonName "Example Internal Root CA" -CADistinguishedNameSuffix "OU=PKI,O=`"Contoso, Ltd.`",C=US" -KeyLength 2048 -HashAlgorithmName SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -DatabaseDirectory "C:\CertDB" -LogDirectory "C:\CertLog" -ValidityPeriod "Years" -ValidityPeriodUnits 20 -Verbose

Note: Special thanks to Brian Komar for providing the basis for the above example.

Additional Resources

This article was started from the Active Directory PowerShell Blog post Working with Certificates in AD PowerShell by Ashish Sharma [MSFT].
