How to Export/Import Relying Party Trust RST and Encryption Certificates using PowerShell?

  • Question

  • Hello everyone

    Does anyone here know how to export/import RST (Signature) and Encryption Certificates used by a particular Relying Party Trust using PowerShell?

    The idea is that one script will export all the settings (certificates, SAMLEndpoints etc.) and another script will import all of these into another farm.

    Right now I'm stuck on the part about exporting/importing the certificates.

    Yes, I know that there are some files on the Windows Server 2012R2 DVD that do this but they are HUGE and complex and as far as I understand export the entire ADFS farm including RPTs and CPTs and all ADFS Certificates etc.

    I only need to learn how to export/import the RST (Signature) and Encryption Certificates used by a particular Relying Party Trust. I'm thinking perhaps into a Base64 encoded text-file or whatever format the Add-ADFSRelyingPartyTrust cmdlet would like.




    Friday, April 22, 2016 12:53 PM

Answers

  • Finally I've figured out how to do this on ADFS 2.0.

    The following will export the RPT encryption and signing certificates into Base64-encoded certificate files which can then be imported using Add-ADFSRelyingPartyTrust or Set-ADFSRelyingPartyTrust on either ADFS 2.0, 2.1 or 3.0.

    $temp = Get-AdfsRelyingPartyTrust -Name "RPT1"
    # GetRawCertData() returns the DER bytes of the public certificate (no private key is involved).
    $rawcertencryption = $temp.EncryptionCertificate.GetRawCertData()
    # -Encoding ASCII: Out-File's default (UTF-16 on Windows PowerShell) would produce a .cer other tools cannot parse.
    [Convert]::ToBase64String($rawcertencryption) | Out-File RPT1_Encryption_Certificate.cer -Encoding ASCII
    # RequestSigningCertificate is a collection; this takes the first (usually the only) signing certificate.
    $rawcertsigning = @($temp.RequestSigningCertificate)[0].GetRawCertData()
    [Convert]::ToBase64String($rawcertsigning) | Out-File RPT1_Signing_Certificate.cer -Encoding ASCII

    Wednesday, April 27, 2016 6:19 PM
  • The documentation specifies it. When you do a Get/Add/Set-ADFSRelyingPartyTrust, the properties EncryptionCertificate and RequestSigningCertificate will be of the type: System.Security.Cryptography.X509Certificates.X509Certificate2.

    So you can manipulate as such. By storing them in a variable, or for "offline" storage, into a basic file... Example of export:

    # RequestSigningCertificate is a collection, so each signing certificate is exported to its own file.
    $_rp_signing_cert = (Get-AdfsRelyingPartyTrust -Identifier "<my RP identifier>").RequestSigningCertificate
    $_rp_signing_cert | ForEach-Object {
        # Export-Certificate (PKI module, Windows Server 2012 and later) writes DER by default.
        Export-Certificate -Cert $_ -FilePath "$($_.Thumbprint).cer"
    }
    $_rp_encryption_cert = (Get-AdfsRelyingPartyTrust -Identifier "<my RP identifier>").EncryptionCertificate
    Export-Certificate -Cert $_rp_encryption_cert -FilePath "$($_rp_encryption_cert.Thumbprint).cer"

    Follow the same logic to re-import them...


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.




    Sunday, April 24, 2016 3:20 AM
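    Building on the two answers above, here is an added example (not code from the thread or from any of its posters) that exports the signing and encryption certificates of every RPT in one pass, as Base64 PEM files plus a CSV manifest recording which RPT each thumbprint belongs to. It assumes the ADFS cmdlets are already loaded and that the hypothetical folder $OutDir is writable.

```powershell
# Added example, not code from the thread: bulk-export every RPT's signing and
# encryption certificates as Base64 (PEM) files and write a manifest.csv.
# Assumes the ADFS cmdlets are loaded (Add-PSSnapin Microsoft.Adfs.PowerShell on
# ADFS 2.0, Import-Module ADFS on 2012 R2) and that $OutDir is writable.
param([string]$OutDir = "C:\RptCertExport")   # hypothetical output folder

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Export-RptCertificate {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string]$RptName,
        [Parameter(Mandatory=$true)][string]$Kind        # 'Signing' or 'Encryption'
    )
    # GetRawCertData() is the DER-encoded public certificate; no private key is
    # involved, so these files can be copied between farms without special handling.
    $b64  = [Convert]::ToBase64String($Cert.GetRawCertData(), 'InsertLineBreaks')
    $safe = $RptName -replace '[^\w\-]', '_'
    $path = Join-Path $OutDir "${safe}_${Kind}_$($Cert.Thumbprint).cer"
    # PEM armour + ASCII encoding: Out-File's default UTF-16 (Windows PowerShell)
    # is not a valid PEM file for tools such as openssl.
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----' |
        Out-File -FilePath $path -Encoding ASCII
    New-Object PSObject -Property @{
        RelyingParty = $RptName; Kind = $Kind; Thumbprint = $Cert.Thumbprint
        NotAfter = $Cert.NotAfter; File = $path
    }
}

$manifest = foreach ($rpt in Get-AdfsRelyingPartyTrust) {
    if ($rpt.EncryptionCertificate) {
        Export-RptCertificate -Cert $rpt.EncryptionCertificate -RptName $rpt.Name -Kind Encryption
    }
    # RequestSigningCertificate is a collection: an RPT may carry several signing certs.
    foreach ($c in @($rpt.RequestSigningCertificate)) {
        if ($c) { Export-RptCertificate -Cert $c -RptName $rpt.Name -Kind Signing }
    }
}
$manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
# Surface certificates that are already expired so they get replaced rather than migrated.
$manifest | Where-Object { $_.NotAfter -lt (Get-Date) } |
    Format-Table RelyingParty, Kind, Thumbprint, NotAfter -AutoSize
```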

All replies

  • Thank you very much Pierre!

    But this doesn't work on Windows Server 2008R2 and ADFS 2.0 even with PowerShell 4.0 installed, right?

    Sorry for not mentioning this in my original post. I need to export from 2008R2 and import on 2012R2.

    So far I've at least managed to export the Encryption Certificate using the following cmdlet which exports it in Hexadecimal-format. If there's a way to convert it into Base64 using PowerShell that would be great :-)

    $temprpt = Get-AdfsRelyingPartyTrust -Name "My RPT"

    # GetRawCertDataString() returns the DER bytes as a hexadecimal string (two characters per byte).
    $temprpt.EncryptionCertificate.GetRawCertDataString() | Out-File "C:\EncryptionCertificateInHex_$($temprpt.EncryptionCertificate.Thumbprint).txt"

    Monday, April 25, 2016 7:46 AM
  • Sorry, I assumed it was ADFS on Windows Server 2012 R2.

    Well, good occasion to move to Windows Server 2012 R2 then :) I don't have an ADFS 2.1 handy, I'll leave the others answering.



    Monday, April 25, 2016 12:14 PM
    Yes, that's what we're doing, hence the need to easily export +200 Relying Party Trusts :-) Well, I'll just convert the hexadecimal certificate output to Base64 manually. Luckily only about 10% of the RPTs we have use encryption and signing certificates. Once I have them in ADFS 3.0 I'll use Export-Certificate to back them up. Thank you Pierre!
    Monday, April 25, 2016 11:03 PM
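    The import side, which the thread only describes as "follow the same logic", plus the hex-to-Base64 conversion asked for above, as an added example that is not code from the thread or any of its posters. It assumes the ADFS cmdlets are loaded, the RPTs already exist on the target farm with the same Name, and that the hypothetical folder $InDir holds the exported files plus a manifest.csv with RelyingParty, Kind, Thumbprint and File columns (a layout assumed here, not one the thread defines); it accepts either Base64 .cer files or the hex dump GetRawCertDataString() produces.

```powershell
# Added example, not code from the thread: rebuild X509Certificate2 objects from the
# exported files (Base64 .cer or the GetRawCertDataString() hex dump), attach them to
# the same-named RPT on the target farm, and verify the stored thumbprints.
# Assumes the ADFS cmdlets are loaded, the RPTs already exist, and $InDir contains the
# files plus a manifest.csv (RelyingParty, Kind, Thumbprint, File) - hypothetical layout.
param([string]$InDir = "C:\RptCertExport")

function ConvertTo-X509Certificate {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Get-Content honours the BOM, so UTF-16 files written by a plain Out-File load too.
    $text = ((Get-Content -Path $Path) -join '') -replace '-----(BEGIN|END) CERTIFICATE-----', ''
    $text = $text -replace '\s', ''
    if ($text -match '^[0-9A-Fa-f]+$') {
        # Hex dump, two characters per byte (a DER certificate begins 30 82 ...).
        $bytes = [byte[]](0..($text.Length / 2 - 1) |
            ForEach-Object { [Convert]::ToByte($text.Substring(2 * $_, 2), 16) })
    } else {
        $bytes = [Convert]::FromBase64String($text)   # Base64 of DER always starts with 'MII'
    }
    # The leading comma passes the byte[] as a single constructor argument.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

$manifest = Import-Csv -Path (Join-Path $InDir 'manifest.csv')
foreach ($rptName in ($manifest | Select-Object -ExpandProperty RelyingParty -Unique)) {
    $rows  = @($manifest | Where-Object { $_.RelyingParty -eq $rptName })
    $certs = @{}
    foreach ($row in $rows) {
        $cert = ConvertTo-X509Certificate -Path (Join-Path $InDir (Split-Path -Leaf $row.File))
        # Refuse a file whose content no longer matches the thumbprint recorded at export time.
        if ($cert.Thumbprint -ne $row.Thumbprint) { throw "$($row.File): thumbprint mismatch" }
        $certs[$row.Kind] += @($cert)
    }
    $params = @{ TargetName = $rptName }
    if ($certs['Encryption']) { $params.EncryptionCertificate     = $certs['Encryption'][0] }
    if ($certs['Signing'])    { $params.RequestSigningCertificate = $certs['Signing'] }
    Set-AdfsRelyingPartyTrust @params
    # Read back what ADFS actually stored and compare it with the manifest.
    $after  = Get-AdfsRelyingPartyTrust -Name $rptName
    $stored = @($after.EncryptionCertificate) + @($after.RequestSigningCertificate) |
        Where-Object { $_ } | ForEach-Object { $_.Thumbprint }
    $missing = @($rows | Where-Object { $stored -notcontains $_.Thumbprint })
    if ($missing.Count -gt 0) {
        Write-Warning "$rptName : not stored: $(($missing | ForEach-Object { $_.Thumbprint }) -join ', ')"
    }
}
```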