Generate certificates from CA Template using Powershell

  • Question

  • I have a 2008 R2 CA and I setup auto enrollment for user certificates. That is working properly. However I need to be able to generate user certificates using PowerShell or some other kind of scripting for 500+ users.

    The basic script layout would be as follows.

    Starting with User1

    Request Cert from CA

    Install Cert

    Export New Cert to pfx

    Start again with User2 and continue up to User500

    I'm familiar with basic PowerShell functionality but this is over my head. I'm hoping someone can help me.


    Vincent Sprague

    Monday, May 11, 2015 8:32 PM

Answers

  • Hi Vincent,

    Please check the variable scope in function, and how to use the variable between functions:

    Controlling the Scope of Variables

    If there is anything else regarding this issue, please feel free to post back.

    Best Regards,

    Anna Wang


    Wednesday, May 13, 2015 2:16 AM
    Moderator
  • Thanks, I used this instead for ease of use and due to time constraints.

    # Delete the per-user request artifacts left under C:\certexport.
    # ForEach-Object takes the script block directly; "foreach ($_) {...}" is not valid pipeline syntax.
    Get-ChildItem -Path C:\certexport -Include *.ini -Recurse | ForEach-Object { Remove-Item $_.FullName }
    Get-ChildItem -Path C:\certexport -Include *.req -Recurse | ForEach-Object { Remove-Item $_.FullName }
    Get-ChildItem -Path C:\certexport -Include *.rsp -Recurse | ForEach-Object { Remove-Item $_.FullName }


    Vincent Sprague

    Wednesday, May 13, 2015 1:27 PM

All replies

  • Hi Vincent,

    If you have server 2012 and newer, you can refer to the PKI Client Cmdlets in Windows PowerShell, and go through this article:

    Request, Export and Import Certificate Using PowerShell

    To request a certificate from the CA on Server 2008 R2, please refer to the command "certreq.exe", and you can also refer to the function "New-CertificateRequest" in this article:

    SSL SAN Certificate Request and Import from PowerShell

    To export a certificate to PFX, please refer to this script to start:

    exporting certificate from user store to PFX using powershell

    If there is anything else regarding this issue, please feel free to post back.

    Best Regards,

    Anna Wang



    Tuesday, May 12, 2015 9:01 AM
    Moderator
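The certreq.exe workflow Anna points to, carried through request, install, PFX export and cleanup for a list of users, as an added example that is not from the thread or the linked articles. It assumes a CA config string, a template (hypothetical name UserFromRequest) whose subject is supplied in the request, and a users.txt list; all three are placeholders to replace.

```powershell
# Added example, not the poster's or the linked article's code. certreq.exe and the
# .NET X509 classes are present on 2008 R2, so no PKI module is needed.
$CAConfig    = 'ca01.example.local\Example-Issuing-CA'   # placeholder; see: certutil -config - -ping
$Template    = 'UserFromRequest'                         # placeholder; subject must come from the request
$OutRoot     = 'C:\certexport'
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # prompted, never hard-coded
$Users       = Get-Content (Join-Path $OutRoot 'users.txt')        # one account name per line (constructed input)

foreach ($User in $Users) {
    $Base = Join-Path $OutRoot $User
    $Inf = "$Base.inf"; $Req = "$Base.req"; $Cer = "$Base.cer"; $Rsp = "$Base.rsp"; $Pfx = "$Base.pfx"

    # The subject is written into the request, so the CA issues the cert to $User rather than
    # to the account running the script. Exportable=TRUE is required for the PFX step below.
    @"
[NewRequest]
Subject = "CN=$User"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

    & certreq.exe -new -q $Inf $Req | Out-Null
    & certreq.exe -submit -q -config $CAConfig $Req $Cer | Out-Null
    if (-not (Test-Path -LiteralPath $Cer)) { Write-Warning "CA did not issue a certificate for $User"; continue }
    & certreq.exe -accept -q $Cer | Out-Null   # joins the cert to its private key in Cert:\CurrentUser\My

    # Export with .NET instead of Export-PfxCertificate, which 2008 R2 lacks.
    $Cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq "CN=$User" -and $_.HasPrivateKey } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if ($null -eq $Cert) { Write-Warning "Certificate for $User not found in the store"; continue }
    $Bytes = $Cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    [IO.File]::WriteAllBytes($Pfx, $Bytes)

    # Remove the store copy and the intermediate files; only the password-protected PFX remains.
    Remove-Item $Cert.PSPath
    Remove-Item -LiteralPath $Inf, $Req, $Cer, $Rsp -ErrorAction SilentlyContinue
}
```

The PFX files now hold 500 users' private keys, so restrict the ACL on C:\certexport to the account running the script and deliver each file over a channel the user must authenticate to.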
  • Thank you, I am running into a few issues. I found a powershell script based on that same script here. http://www.jamesbannanit.com/2015/03/bulk-request-and-export-client-certificates-with-powershell/

    So far I'm running into two issues. The first is that the .ini, .req, and .cer files are being named with the proper usernames, however when I open the .cer I see that they are being issued to the user account I am logged in with when I run the script. This doesn't do me any good. But I'm thinking this may be an issue with the template I'm using. I am using a custom template that I use for auto-enrollment. Maybe I need to try a different template?

    The second issue I'm having is that part of this script uses the Export-PfxCertificate command. This command is present on my Windows 8.1 machine, but since I am running this in a different domain I am using the CA server itself to run the script. That server is 2008 R2. I upgraded PowerShell on the server to version 4 but that Export-PfxCertificate command is still not present.


    Vincent Sprague

    Tuesday, May 12, 2015 1:52 PM
    OK, I fixed the first issue: I created a new template that uses the request for the subject name instead of getting it from Active Directory. I need to make some more changes, but progress. I still can't get Export-PfxCertificate to work though.

    I upgraded PowerShell on the 2008 R2 server but the PKI module is not available like it is in 2012/Win8. Is there any way for me to load the PKI module into the 2008 R2 server?

    I've given up on trying to load the newer PKI module into the older VM so I'm spinning up a 2012 R2 VM and I'll use that VM to run the script instead of the older 2008 R2 box.


    Vincent Sprague



    Tuesday, May 12, 2015 2:11 PM
  • So the only issue I have at this point is this section.

    Function Clean-CertificateRequest {

        $Certificate = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -eq $SubjectName}

        if (Test-Path $CertificateREQ) {Remove-Item $CertificateREQ}
        if (Test-Path $CertificateCER) {Remove-Item $CertificateCER}
        if (Test-Path $CertificateRSP) {Remove-Item $CertificateRSP}
        if (Test-Path $CertificateINI) {Remove-Item $CertificateINI}

        Remove-Item $certificate.PSPath
    }

    I keep getting "Test-Path : Cannot bind argument to parameter 'Path' because it is null."


    Vincent Sprague



    Tuesday, May 12, 2015 3:26 PM
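The error arises because $CertificateREQ and the other path variables are set inside a different function, so inside Clean-CertificateRequest they are $null and Test-Path refuses the null path. One way to make the function self-contained, as an added example rather than the poster's code, is to pass the subject and base path in as parameters and derive the file names locally; the store path and sample values are assumptions.

```powershell
# Added example, not the poster's code. Every path the function needs is derived from its
# own parameters, so nothing depends on variables that live in another function's scope.
function Clean-CertificateRequest {
    param(
        [Parameter(Mandatory = $true)][string]$SubjectName,   # e.g. 'CN=jdoe' (constructed)
        [Parameter(Mandatory = $true)][string]$BasePath,      # e.g. 'C:\certexport\jdoe' (constructed)
        [string]$StorePath = 'Cert:\LocalMachine\My'          # the store the poster's version used
    )

    foreach ($Ext in '.req', '.cer', '.rsp', '.ini') {
        $File = $BasePath + $Ext
        # -LiteralPath avoids wildcard expansion; the guard means a missing file is not an error.
        if (Test-Path -LiteralPath $File) { Remove-Item -LiteralPath $File }
    }

    # Only drop the store copy once the exported PFX exists, so a failed export is not lost silently.
    $Pfx = $BasePath + '.pfx'
    if (-not (Test-Path -LiteralPath $Pfx)) {
        Write-Warning "No PFX at $Pfx; leaving $SubjectName in $StorePath"
        return
    }
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -eq $SubjectName } |
        ForEach-Object { Remove-Item -LiteralPath $_.PSPath }
}

# Call from the per-user loop with explicit arguments (values constructed for illustration):
Clean-CertificateRequest -SubjectName 'CN=jdoe' -BasePath 'C:\certexport\jdoe'
```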