Working with Active Directory Certificate Services from Windows PowerShell

In Active Directory Certificate Services, the primary administration interface is the MMC snap-in Certification Authority exposed through Server Manager in Windows Server 2008 and Windows Server 2008 R2:


More advanced administration options are available through the command line utility certutil.exe.

I recently worked with an environment with an unusual amount of issued certificates (several hundreds of thousands), and working with the MMC-tools was not efficient.

I first started by exporting the issued certificates to a CSV-file by using certutil.exe's csv option. This option seems to be new in Windows Server 2008 R2, although I haven't found any documentation on this. Actually it's possible to use certutil.exe from a Windows Server 2008 R2 member server against a Certification Authority running an earlier version of Windows Server to export issued certificates to CSV. It should also be noted that this can be accomplished using the Export List option in the Certification Authority MMC in both Windows Server 2008 R2 and earlier versions of Windows Server.

When the CSV-file is exported, we can import it into Windows PowerShell and do things like grouping and sorting:

#Export certificates to CSV (the columns listed with -out become the CSV headers)
certutil -view -out "RequestID,RequesterName,RequestType,NotAfter,CommonName,Certificate Template" csv > c:\temp\certs.csv

#Import CSV
$csv = Import-Csv C:\Temp\certs.csv

#Group by requester name, and sort by count
$csv | Group-Object -Property "Requester Name" | Sort-Object -Property Count

#Work further with a specific computer based on the above results
$computer = $csv | Where-Object {$_."Requester Name" -eq "computer01"}

Note that using CSV when working with very large data sets might consume large amounts of system resources (up to 2,5 GB in my case), so this might not be the best approach. Another option would be to work directly against the Certification Authority database, where we can set filters directly on the queries.
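As an added example (not part of the original post) of the export-and-group approach above, the function below summarises a certutil CSV export offline: certificates per requester, per template, and the ones expiring within a given window. The sample rows are constructed, and the header names are assumed to match certutil's display names for the columns requested with -out; adjust them to your own export.

```powershell
# Constructed sample export (not real CA data); headers assumed to be certutil's display names
$sampleCsv = @'
"Request ID","Requester Name","Request Type","Certificate Expiration Date","Issued Common Name","Certificate Template"
"21","LAB\computer01$","1","1/15/2011 10:00 AM","computer01.lab.local","Machine"
"22","LAB\computer01$","1","3/01/2011 10:00 AM","computer01.lab.local","Machine"
"23","LAB\computer01$","1","6/20/2011 10:00 AM","computer01.lab.local","WebServer"
"24","LAB\alice","1","2/10/2011 10:00 AM","alice","User"
"25","LAB\bob","1","9/05/2011 10:00 AM","bob","User"
'@

function Get-CaExportSummary {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,
        [datetime]$AsOf = (Get-Date),
        [int]$ExpiringWithinDays = 30
    )
    $rows = $CsvLines | ConvertFrom-Csv

    # -NoElement keeps only the counts instead of every row in each group,
    # which noticeably reduces memory use on exports with hundreds of thousands of rows
    $byRequester = $rows | Group-Object -Property 'Requester Name' -NoElement |
        Sort-Object -Property Count -Descending
    $byTemplate  = $rows | Group-Object -Property 'Certificate Template' -NoElement |
        Sort-Object -Property Count -Descending

    # Certificates whose NotAfter falls between AsOf and AsOf + ExpiringWithinDays
    $cutoff = $AsOf.AddDays($ExpiringWithinDays)
    $expiring = foreach ($r in $rows) {
        $notAfter = [datetime]::Parse($r.'Certificate Expiration Date', [cultureinfo]::InvariantCulture)
        if ($notAfter -ge $AsOf -and $notAfter -le $cutoff) {
            [pscustomobject]@{
                RequestId = [int]$r.'Request ID'
                Requester = $r.'Requester Name'
                Template  = $r.'Certificate Template'
                NotAfter  = $notAfter
            }
        }
    }

    [pscustomobject]@{ ByRequester = $byRequester; ByTemplate = $byTemplate; Expiring = @($expiring) }
}

# With the sample data and an AsOf of 2011-01-01, only request 21 falls inside the 30-day window
$summary = Get-CaExportSummary -CsvLines ($sampleCsv -split "`r?`n") -AsOf ([datetime]'2011-01-01')
$summary.ByRequester | Format-Table Name, Count
$summary.ByTemplate  | Format-Table Name, Count
$summary.Expiring    | Format-Table RequestId, Requester, Template, NotAfter
```

For a real export, replace the here-string with `Get-Content C:\Temp\certs.csv` so the file is read line by line rather than loaded into a single string.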

There are several COM objects available for working with Active Directory Certificate Services, which makes it possible to work directly against the Certification Authority database from PowerShell.

PowerShell MVP Vadim Podans has written a blog-post showing how this can be accomplished.

Another COM object to look into is the ICertAdmin2 interface, which can be accessed from PowerShell like this:

#Create COM object
$certadmin = New-Object -ComObject "CertificateAuthority.Admin.1"

#Explore COM object
$certadmin | Get-Member

#Sample usage for one of the available methods: delete request row 21 from the CA database
$certadmin.DeleteRow(
 "lab-dc-01\Issuing CA 01", #Config string in the form <CA server>\<CA name>
 0x0, #Flags, not set (delete by row ID)
 0x0, #Date, not set when using RowID
 0x0, #Table, 0x0 = CVRC_TABLE_REQCERT (the request/certificate table)
 21 #RowId
 )