Using CertEnroll and CertCli in PS

  • Question

  • I want to create a script that renews certificates by submitting certificate request to its CA. I'm able to do that in C# using the CertCli and CertEnroll COM libraries. How do I utilize these libraries to achieve the same task in Powershell?
    Thursday, October 9, 2014 12:56 PM

Answers

  • You can create com objects in Powershell quite easily, I'm afraid I don't have much experience working with certificates through powershell so I can't be much help. I did, however, have a peek at the COM classes on my machine and pulled this list back - 

    CertificateAuthority.EncodeCRLDistInfo
    CAPICOM.Certificates
    CertificateAuthority.EncodeStringArray
    CertificateAuthority.EncodeAltName
    CertificateAuthority.EncodeDateArray
    CAPICOM.Certificates
    CertificateAuthority.Config
    CertificateAuthority.ServerExit
    CertificateAuthority.EncodeLongArray
    CertificateAuthority.EncodeBitString
    X509Enrollment.CX509CertificateTemplateADWritable
    X509Enrollment.CCertificatePolicy
    X509Enrollment.CCertificatePolicies
    X509Enrollment.CX509ExtensionCertificatePolicies
    X509Enrollment.CX509AttributeRenewalCertificate
    X509Enrollment.CCertProperty
    X509Enrollment.CCertProperties
    X509Enrollment.CCertPropertyFriendlyName
    X509Enrollment.CCertPropertyDescription
    X509Enrollment.CCertPropertyAutoEnroll
    X509Enrollment.CCertPropertyRequestOriginator
    X509Enrollment.CCertPropertySHA1Hash
    X509Enrollment.CCertPropertyKeyProvInfo
    X509Enrollment.CCertPropertyArchived
    X509Enrollment.CCertPropertyBackedUp
    X509Enrollment.CCertPropertyEnrollment
    X509Enrollment.CCertPropertyRenewal
    X509Enrollment.CCertPropertyArchivedKeyHash
    X509Enrollment.CSignerCertificate
    X509Enrollment.CX509CertificateRequestPkcs10
    X509Enrollment.CX509CertificateRequestCertificate
    X509Enrollment.CX509CertificateRequestPkcs7
    X509Enrollment.CX509CertificateRequestCmc
    X509Enrollment.CCertPropertyEnrollmentPolicyServer
    CAPICOM.Certificate
    CCMCertMaintenanceTask.CCMCertMaintenanceTask
    CertificateAuthority.Request
    CertificateAuthority.ServerPolicy
    CertificateAuthority.GetConfig
    CAPICOM.Certificate
    CAPICOM.Certificates

    CertificateAuthority.Request may be of interest. You can use it like so

    $cer = new-object -comobject CertificateAuthority.Request

    It might be do-able with .net classes directly [System.Security.Cryptography.X509Certificates] but I'm afraid it's not really my area.

    • Marked as answer by srmocher Friday, October 10, 2014 2:12 AM
    Thursday, October 9, 2014 1:52 PM
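    The renewal flow the question asks about, as an added worked example (not code from the thread): the CertEnroll classes build a PKCS#7 renewal request signed with the existing certificate, CertificateAuthority.Request submits it to the CA, and the issued certificate is installed only after the disposition is checked. The thumbprint and the CA config string are placeholders; the example assumes the old certificate's private key is accessible in the LocalMachine\My store.

```powershell
# Added example: renew an existing certificate with the CertEnroll (X509Enrollment.*)
# and CertCli (CertificateAuthority.Request) COM classes. Thumbprint and CA config
# are caller-supplied placeholders; the enumeration values are from certenroll.h / certcli.h.
function Invoke-CertRenewal {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # old cert in Cert:\LocalMachine\My
        [Parameter(Mandatory)][string]$CAConfig      # "CAHOST\CA Name" (placeholder)
    )
    $ContextMachine           = 2      # X509CertificateEnrollmentContext.ContextMachine
    $Base64                   = 1      # EncodingType.XCN_CRYPT_STRING_BASE64
    $InheritNewSimilarKey     = 0x2    # fresh key of the same kind; do not reuse the old key
    $InheritRenewalCert       = 0x20   # mark as renewal and embed the old certificate
    $InheritTemplate          = 0x40   # keep the template the old cert was issued from
    $InheritSubject           = 0x80
    $InheritExtensions        = 0x100
    $InheritSAN               = 0x200
    $CR_IN_BASE64             = 1      # ICertRequest::Submit flag; request format is auto-detected
    $CR_DISP_ISSUED           = 3
    $CR_DISP_UNDER_SUBMISSION = 5
    $AllowNone                = 0      # InstallResponse: response must chain to a trusted root

    $old = Get-ChildItem "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $old.HasPrivateKey) { throw "No private key for $Thumbprint; cannot sign a renewal" }
    $oldB64 = [Convert]::ToBase64String($old.RawData)

    # CertEnroll: PKCS#7 renewal request, signed with the old certificate
    $pkcs7 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs7
    $inherit = $InheritNewSimilarKey -bor $InheritRenewalCert -bor $InheritTemplate -bor
               $InheritSubject -bor $InheritExtensions -bor $InheritSAN
    $pkcs7.InitializeFromCertificate($ContextMachine, $true, $oldB64, $Base64, $inherit)

    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($pkcs7)
    $csr = $enroll.CreateRequest($Base64)

    # CertCli: submit to the CA and inspect the disposition before touching the store
    $req  = New-Object -ComObject CertificateAuthority.Request
    $disp = $req.Submit($CR_IN_BASE64, $csr, "", $CAConfig)
    if ($disp -eq $CR_DISP_UNDER_SUBMISSION) {
        return "Request $($req.GetRequestId()) is pending CA manager approval"
    }
    if ($disp -ne $CR_DISP_ISSUED) {
        throw "CA did not issue (disposition $disp): $($req.GetDispositionMessage())"
    }
    # Install the issued certificate; AllowNone rejects a response without a trusted chain
    $enroll.InstallResponse($AllowNone, $req.GetCertificate($Base64), $Base64, "")
    return "Issued request $($req.GetRequestId()); certificate installed in LocalMachine\My"
}
```

    Run it from an elevated session on the host that owns the certificate, since the machine context and the old private key are both required.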

All replies

  • PowerShell has cert enrollment commands:

    http://technet.microsoft.com/en-us/library/hh848632.aspx


    ¯\_(ツ)_/¯

    Thursday, October 9, 2014 2:12 PM
  • Here are the full set of PKI commands:

    http://technet.microsoft.com/en-us/library/hh848636.aspx


    ¯\_(ツ)_/¯

    Thursday, October 9, 2014 2:14 PM
  • Working with COM objects is one of the least pleasant experiences in PowerShell. You can make it work, but sometimes you wind up having to use Reflection to get at the methods and properties of your objects. You may find that it's easier to just use certreq.exe instead.
    Thursday, October 9, 2014 2:15 PM
  • Ahaha, should've checked the Cmdlets first :)
    Thursday, October 9, 2014 2:15 PM
  • You can also use the cert utilities in PowerShell:

    http://www.networkworld.com/article/2348550/microsoft-subnet/completing-a-certificate-request-using-powershell-.html

    Look in Repository for more scripts.


    ¯\_(ツ)_/¯

    Thursday, October 9, 2014 2:16 PM