Powershell Script to install a certificate in Active Directory storage

I am trying to write a powershell script to install a certificate in the certificate store of the active directory.

Here are the steps that need to be done manually; any help would be greatly appreciated.

On a Windows 2008R2 domain controller

Click "Start" → "Run"

type MMC

click ok

Click File → Add / Remove Snap-In

Choose "Certificates" → Add

Select "Service Account"

Click "Next"

Select "Local Computer"

Click "Next"

Select Active Directory Domain Services

Click Finish

Click ok

I want the script to install the certificate:

NTDS\Personal


Instead of "NTDS\Personal", set $certRootStore to either localmachine or CurrentUser, like so:

function Import-PfxCertificate 
{
    param
    (
        [String]$certPath,
        [String]$certRootStore = "localmachine",   # store location: localmachine or CurrentUser
        [String]$certStore = "My",                 # store name; "My" is the Personal store
        $pfxPass = $null                           # SecureString; prompted for when omitted
    ) 
    $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 

    if ($pfxPass -eq $null) 
    {
        $pfxPass = read-host "Password" -assecurestring
    } 

    # PersistKeySet keeps the private key after this object is released; MachineKeySet
    # stores it in the machine key store so services (not just this user) can read it.
    $pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet,MachineKeySet") 

    $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore) 
    $store.open("MaxAllowed") 
    $store.add($pfx) 
    $store.close() 
}

Import-PfxCertificate -certPath "d:\Certificate.pfx"


LocalMachine and CurrentUser are the only store locations that powershell exposes.

However, the "NTDS" store (an MS-specific name, I believe) is really the ADDS service store, which lives under HKLM\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates. Here:

(screenshot not reproduced: the second store shown is the NTDS store)

There is no straightforward way to do this from powershell: the reg provider can reach it, but the Certificate PSProvider does not expose it.

There is an X509Store constructor that takes an IntPtr to a system store handle, which would let you open it that way; googling HCERTSTORE and C# will turn up how.


Here is a function that imports the certificate into the NTDS store by way of the registry:

function Import-NTDSCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PFXFile,

        [Parameter(Mandatory)]
        [string]$PFXPassword,

        # Remove certificate from LocalMachine\Personal certificate store afterwards
        [switch]$Cleanup
    )
    begin {
        Write-Verbose -Message "Importing PFX file."
        # MachineKeySet puts the private key in the machine key store (readable by the
        # NTDS service, which runs as LocalSystem) and PersistKeySet keeps it there after
        # this object is released; without them the copied certificate has no usable key.
        $keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor
                    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
                    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
        $PFXObject = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
        $PFXObject.Import($PFXFile, $PFXPassword, $keyFlags)

        $thumbprint = $PFXObject.Thumbprint
    }
    process {
        Write-Verbose -Message "Importing certificate into LocalMachine\Personal"
        $certificateStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store('My','LocalMachine')
        $certificateStore.Open('MaxAllowed')
        $certificateStore.Add($PFXObject)
        $certificateStore.Close()

        # The NTDS service store has no PowerShell provider, but both stores are backed by
        # the registry, so copy the certificate's key (named by thumbprint) across.
        Write-Verbose -Message "Copying certificate from LocalMachine\Personal to NTDS\Personal"
        $copyParameters = @{
            'Path' = "HKLM:\Software\Microsoft\SystemCertificates\MY\Certificates\$thumbprint"
            'Destination' = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\$thumbprint"
            'Recurse' = $true
        }
        Copy-Item @copyParameters
    }
    end {
        if ($Cleanup) {
            Write-Verbose -Message "Removing certificate from LocalMachine\Personal"
            $removalParameters = @{
                'Path' = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$thumbprint"
                'Recurse' = $true
            }
            Remove-Item @removalParameters
        }
    }
}

Despite the fact that this post is already several years old, it is still useful and is found when searching, so to answer the question "I don't know how NTDS determines which certificate to use when there are several of them in the certificate store", the answer is that you will get unreliable results when two or more valid certificates are installed that meet the requested criteria, so it is recommended to delete the old / unnecessary certificate and just leave the newest / best certificate for server authentication.
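To check the result of either import, and to put a number on the warning in the comment above, here is an added example that is not from any poster in this thread: a read-only PowerShell audit of the NTDS store. It assumes only the registry path named in the earlier answer and the CAPI serialized-certificate layout of each "Blob" value (repeated records of DWORD property id, DWORD reserved, DWORD length, data; property 32 carries the DER certificate, property 2 the link to the private key container). The function names and the server-authentication EKU check are my own choices, and the script is written for Windows PowerShell 2.0 and later so it runs on a 2008 R2 domain controller.

```powershell
# Added example (not from the original thread): audit the NTDS service certificate
# store through its registry backing, since the Certificate PSProvider cannot open
# service stores. Read-only: nothing is imported, copied or removed.

function ConvertFrom-CapiCertBlob {
    # Walk the serialized property records CAPI writes into the "Blob" value.
    param([byte[]]$Blob)
    $der = $null
    $hasKeyLink = $false
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToInt32($Blob, $offset)      # DWORD property id
        $length = [BitConverter]::ToInt32($Blob, $offset + 8)  # DWORD data length (offset+4 is reserved)
        $offset += 12
        if ($length -lt 0 -or $offset + $length -gt $Blob.Length) { break }  # malformed record
        if ($propId -eq 2) { $hasKeyLink = $true }               # CERT_KEY_PROV_INFO_PROP_ID
        if ($propId -eq 32 -and $length -gt 0) {                 # CERT_CERT_PROP_ID: DER certificate
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $offset, $der, 0, $length)
        }
        $offset += $length
    }
    New-Object PSObject -Property @{ Der = $der; HasKeyLink = $hasKeyLink }
}

function Test-ServerAuthEku {
    # LDAPS requires the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { return $true }
            }
            return $false
        }
    }
    return $false   # no EKU extension at all: not counted as a server-authentication certificate
}

function Get-NTDSCertificate {
    param(
        # Registry path from the answer above; hypothetical default only in that it is a parameter here.
        [string]$StorePath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
    )
    if (-not (Test-Path -Path $StorePath)) { return }
    foreach ($key in Get-ChildItem -Path $StorePath) {
        $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob).Blob
        $parsed = ConvertFrom-CapiCertBlob -Blob $blob
        if ($parsed.Der -eq $null) { continue }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$parsed.Der)
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            HasKeyLink = $parsed.HasKeyLink
            ServerAuth = Test-ServerAuthEku -Certificate $cert
        }
    }
}

function Test-NTDSCertificateAmbiguity {
    # More than one currently valid server-authentication certificate with a private key
    # is the condition the last comment warns about: NTDS's pick becomes unpredictable.
    $now = Get-Date
    $candidates = @(Get-NTDSCertificate | Where-Object {
        $_.ServerAuth -and $_.HasKeyLink -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    if ($candidates.Count -gt 1) {
        Write-Warning ("NTDS\My holds {0} valid server-authentication certificates; keep only the intended one." -f $candidates.Count)
    }
    $candidates | Sort-Object NotAfter -Descending
}

Test-NTDSCertificateAmbiguity | Format-Table Thumbprint, Subject, NotAfter, HasKeyLink -AutoSize
```

Run it in an elevated session on the domain controller after either import above; a certificate that appears with HasKeyLink set to False was copied without its private-key reference and will not be usable by the service.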
