AD PowerShell uses the .NET class X509Certificate to represent a certificate. Let's see how you can manage the certificates of a user.
Update User Certificates
You can create an X509Certificate (or X509Certificate2) object from a certificate file.
PS C:\> $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test1.cer"
PS C:\> $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test2.cer"
Then assign the certificates to a user account while creating it.
PS C:\> $certs = $cert1,$cert2 # create certificate array
PS C:\> New-ADUser -Name TestUser1 -SamAccountName TestUser1 -Certificates $certs
Note: the Certificates parameter writes to the LDAP attribute userCertificate.
You can also assign the certificates to an existing user account.
PS C:\> Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}
View User Certificates
You can fetch the certificates of an existing user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
And then view the basic details of the certificates as shown below:
PS C:\> $user1.Certificates | fl * -f
Handle : 456139856
Issuer : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
...
X509Certificate2 can be used to view more details of the certificates.
PS C:\> $user1.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | fl * -f
...
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 2/24/2109 8:35:26 AM
NotBefore : 3/20/2009 9:35:26 AM
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 139...}
SerialNumber : …
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : …
Version : 3
Handle : 456139856
Issuer : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
You can also assign an existing user's certificates to a new user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
PS C:\> New-ADUser -Name TestUser2 -SamAccountName TestUser2 -Certificates $user1.Certificates
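As an added example (not from the original post), the following script applies the same X509Certificate2 wrapping across many users at once: it reports every userCertificate entry with its expiry, issuer and whether it is self-signed, and removes only the expired entries using the Remove form of -Certificates. The ActiveDirectory module, the OU distinguished name and the two function names are assumptions.

```powershell
# Added example: audit and prune the userCertificate attribute for all users in an OU.
# Assumes the ActiveDirectory module is installed; the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-ADUserCertificateReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $WarnDays = 30
    )
    $now = Get-Date
    # Only users that actually carry something in userCertificate
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(userCertificate=*)' -Properties Certificates
    foreach ($user in $users) {
        foreach ($raw in $user.Certificates) {
            # Same wrapping as in the post: X509Certificate -> X509Certificate2 exposes NotAfter, Thumbprint, etc.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
            $state = if ($cert.NotAfter -lt $now) { 'Expired' }
                     elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'ExpiringSoon' }
                     else { 'Valid' }
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                Issuer         = $cert.Issuer
                NotAfter       = $cert.NotAfter
                SelfSigned     = ($cert.Subject -eq $cert.Issuer)   # e.g. the EFS certificate shown in the post
                State          = $state
            }
        }
    }
}

function Remove-ADUserExpiredCertificates {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SearchBase)
    $now = Get-Date
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(userCertificate=*)' -Properties Certificates
    foreach ($user in $users) {
        $expired = @($user.Certificates | Where-Object {
            (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_).NotAfter -lt $now })
        if ($expired.Count -gt 0 -and $PSCmdlet.ShouldProcess($user.SamAccountName, "Remove $($expired.Count) expired certificate(s)")) {
            # Remove only the expired entries; -Certificates also accepts Add, Replace and Clear
            Set-ADUser -Identity $user -Certificates @{Remove=$expired}
        }
    }
}

# Usage: review the report first, then dry-run the removal with -WhatIf before running it for real
Get-ADUserCertificateReport -SearchBase 'OU=Staff,DC=contoso,DC=com' | Where-Object { $_.State -ne 'Valid' } | Format-Table
Remove-ADUserExpiredCertificates -SearchBase 'OU=Staff,DC=contoso,DC=com' -WhatIf
```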
Tip: certificates are also applicable to Computer and ServiceAccount objects and can be managed in the same way.
Hope this will help.
Cheers!
Ashish
--
Ashish Sharma [MSFT]
Developer – Active Directory Powershell Team
- Anonymous
April 27, 2009
- Anonymous
September 02, 2015
Hi, is there any way for multiple users