Skip to content

Instantly share code, notes, and snippets.

@ctkirkman

ctkirkman/Certificate PowerShell CommandLets

Created November 8, 2016 15:08
Show Gist options
  • Save ctkirkman/77729328070ee1e1057fa1e2a64121a5 to your computer and use it in GitHub Desktop.
Save ctkirkman/77729328070ee1e1057fa1e2a64121a5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Certificate PowerShell CommandLets
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374830.aspx
$AlternativeNameType = @{
XCN_CERT_ALT_NAME_UNKNOWN = 0
XCN_CERT_ALT_NAME_OTHER_NAME = 1
XCN_CERT_ALT_NAME_RFC822_NAME = 2
XCN_CERT_ALT_NAME_DNS_NAME = 3
XCN_CERT_ALT_NAME_DIRECTORY_NAME = 5
XCN_CERT_ALT_NAME_URL = 7
XCN_CERT_ALT_NAME_IP_ADDRESS = 8
XCN_CERT_ALT_NAME_REGISTERED_ID = 9
XCN_CERT_ALT_NAME_GUID = 10
XCN_CERT_ALT_NAME_USER_PRINCIPLE_NAME = 11
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374827.aspx
$AlgorithmType = @{
XCN_BCRYPT_UNKNOWN_INTERFACE = 0
XCN_BCRYPT_SIGNATURE_INTERFACE = 0x5
XCN_BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE = 0x3
XCN_BCRYPT_CIPHER_INTERFACE = 0x1
XCN_BCRYPT_HASH_INTERFACE = 0x2
XCN_BCRYPT_SECRET_AGREEMENT_INTERFACE = 0x4
XCN_BCRYPT_RNG_INTERFACE = 0x6
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936.aspx
$EncodingType = @{
XCN_CRYPT_STRING_BASE64HEADER = 0
XCN_CRYPT_STRING_BASE64 = 0x1
XCN_CRYPT_STRING_BINARY = 0x2
XCN_CRYPT_STRING_BASE64REQUESTHEADER = 0x3
XCN_CRYPT_STRING_HEX = 0x4
XCN_CRYPT_STRING_HEXASCII = 0x5
XCN_CRYPT_STRING_BASE64_ANY = 0x6
XCN_CRYPT_STRING_ANY = 0x7
XCN_CRYPT_STRING_HEX_ANY = 0x8
XCN_CRYPT_STRING_BASE64X509CRLHEADER = 0x9
XCN_CRYPT_STRING_HEXADDR = 0xa
XCN_CRYPT_STRING_HEXASCIIADDR = 0xb
XCN_CRYPT_STRING_HEXRAW = 0xc
XCN_CRYPT_STRING_NOCRLF = 0x40000000
XCN_CRYPT_STRING_NOCR = 0x80000000
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/ee338606.aspx
$EnrollmentCAProperty = @{
CAPropCommonName = 1
CAPropDistinguishedName = 2
CAPropSanitizedName = 3
CAPropSanitizedShortName = 4
CAPropDNSName = 5
CAPropCertificateTypes = 6
CAPropCertificate = 7
CAPropDescription = 8
CAPropWebServers = 9
CAPropSiteName = 10
CAPropSecurity = 11
CAPropRenewalOnly = 12
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374960.aspx
$EnrollmentEnrollStatus = @{
Enrolled = 0x00000001
EnrollPended = 0x00000002
EnrollUIDeferredEnrollmentRequired = 0x00000004
EnrollError = 0x00000010
EnrollUnknown = 0x00000020
EnrollSkipped = 0x00000040
EnrollDenied = 0x00000100
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/ee338609.aspx
$EnrollmentTemplateProperty = @{
TemplatePropCommonName = 1
TemplatePropFriendlyName = 2
TemplatePropEKUs = 3
TemplatePropCryptoProviders = 4
TemplatePropMajorRevision = 5
TemplatePropDescription = 6
TemplatePropKeySpec = 7
TemplatePropSchemaVersion = 8
TemplatePropMinorRevision = 9
TemplatePropRASignatureCount = 10
TemplatePropMinimumKeySize = 11
TemplatePropOID = 12
TemplatePropSupersede = 13
TemplatePropRACertificatePolicies = 14
TemplatePropRAEKUs = 15
TemplatePropCertificatePolicies = 16
TemplatePropV1ApplicationPolicy = 17
TemplatePropAsymmetricAlgorithm = 18
TemplatePropKeySecurityDescriptor = 19
TemplatePropSymmetricAlgorithm = 20
TemplatePropSymmetricKeyLength = 21
TemplatePropHashAlgorithm = 22
TemplatePropEnrollmentFlags = 23
TemplatePropSubjectNameFlags = 24
TemplatePropPrivateKeyFlags = 25
TemplatePropGeneralFlags = 26
TemplatePropSecurityDescriptor = 27
TemplatePropExtensions = 28
TemplatePropValidityPeriod = 29
TemplatePropRenewalPeriod = 30
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379061.aspx
$KeyIdentifierHashAlgorithm = @{
SKIHashDefault = 0
SKIHashSha1 = 1
SKIHashCapiSha1 = 2
SKIHashSha256 = 3
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379070.aspx
$ObjectIdGroupId = @{
XCN_CRYPT_ANY_GROUP_ID = 0
XCN_CRYPT_HASH_ALG_OID_GROUP_ID = 1
XCN_CRYPT_ENCRYPT_ALG_OID_GROUP_ID = 2
XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID = 3
XCN_CRYPT_SIGN_ALG_OID_GROUP_ID = 4
XCN_CRYPT_RDN_ATTR_OID_GROUP_ID = 5
XCN_CRYPT_EXT_OR_ATTR_OID_GROUP_ID = 6
XCN_CRYPT_ENHKEY_USAGE_OID_GROUP_ID = 7
XCN_CRYPT_POLICY_OID_GROUP_ID = 8
XCN_CRYPT_TEMPLATE_OID_GROUP_ID = 9
XCN_CRYPT_LAST_OID_GROUP_ID = 9
XCN_CRYPT_FIRST_ALG_OID_GROUP_ID = 1
XCN_CRYPT_LAST_ALG_OID_GROUP_ID = 4
XCN_CRYPT_OID_DISABLE_SEARCH_DS_FLAG = 0x80000000
XCN_CRYPT_KEY_LENGTH_MASK = 0xffff0000
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379394.aspx
$X500NameFlags = @{
XCN_CERT_NAME_STR_NONE = 0
XCN_CERT_SIMPLE_NAME_STR = 1
XCN_CERT_OID_NAME_STR = 2
XCN_CERT_X500_NAME_STR = 3
XCN_CERT_XML_NAME_STR = 4
XCN_CERT_NAME_STR_SEMICOLON_FLAG = 0x40000000
XCN_CERT_NAME_STR_NO_PLUS_FLAG = 0x20000000
XCN_CERT_NAME_STR_NO_QUOTING_FLAG = 0x10000000
XCN_CERT_NAME_STR_CRLF_FLAG = 0x8000000
XCN_CERT_NAME_STR_COMMA_FLAG = 0x4000000
XCN_CERT_NAME_STR_REVERSE_FLAG = 0x2000000
XCN_CERT_NAME_STR_FORWARD_FLAG = 0x1000000
XCN_CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG = 0x10000
XCN_CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG = 0x20000
XCN_CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG = 0x40000
XCN_CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG = 0x80000
XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG = 0x100000
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379399.aspx
$X509CertificateEnrollmentContext = @{
ContextUser = 0x1
ContextMachine = 0x2
ContextAdministratorForceMachine = 0x3
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/ee351760.aspx
$X509EnrollmentPolicyLoadOption = @{
LoadOptionDefault = 0
LoadOptionCacheOnly = 1
LoadOptionReload = 2
LoadOptionRegisterForADChanges = 4
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379410.aspx
$X509KeyUsageFlags = @{
XCN_CERT_NO_KEY_USAGE = 0
XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80
XCN_CERT_NON_REPUDIATION_KEY_USAGE = 0x40
XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE = 0x20
XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE = 0x10
XCN_CERT_KEY_AGREEMENT_KEY_USAGE = 0x8
XCN_CERT_KEY_CERT_SIGN_KEY_USAGE = 0x4
XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE = 0x2
XCN_CERT_CRL_SIGN_KEY_USAGE = 0x2
XCN_CERT_ENCIPHER_ONLY_KEY_USAGE = 0x1
XCN_CERT_DECIPHER_ONLY_KEY_USAGE = ( 0x80 -shl 8 )
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379412.aspx
$X509PrivateKeyExportFlags = @{
XCN_NCRYPT_ALLOW_EXPORT_NONE = 0
XCN_NCRYPT_ALLOW_EXPORT_FLAG = 0x1
XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG = 0x2
XCN_NCRYPT_ALLOW_ARCHIVING_FLAG = 0x4
XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG = 0x8
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379417.aspx
$X509PrivateKeyUsageFlags = @{
XCN_NCRYPT_ALLOW_USAGES_NONE = 0
XCN_NCRYPT_ALLOW_DECRYPT_FLAG = 0x1
XCN_NCRYPT_ALLOW_SIGNING_FLAG = 0x2
XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG = 0x4
XCN_NCRYPT_ALLOW_ALL_USAGES = 0xffffff
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa378132.aspx
$X509ExtensionEnhancedKeyUsage = @{
XCN_OID_ANY_APPLICATION_POLICY = "1.3.6.1.4.1.311.10.12.1"
XCN_OID_AUTO_ENROLL_CTL_USAGE = "1.3.6.1.4.1.311.20.1"
XCN_OID_DRM = "1.3.6.1.4.1.311.10.5.1"
XCN_OID_DS_EMAIL_REPLICATION = "1.3.6.1.4.1.311.21.19"
XCN_OID_EFS_RECOVERY = "1.3.6.1.4.1.311.10.3.4.1"
XCN_OID_EMBEDDED_NT_CRYPTO = "1.3.6.1.4.1.311.10.3.8"
XCN_OID_ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"
XCN_OID_IPSEC_KP_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"
XCN_OID_KP_CA_EXCHANGE = "1.3.6.1.4.1.311.21.5"
XCN_OID_KP_CTL_USAGE_SIGNING = "1.3.6.1.4.1.311.10.3.1"
XCN_OID_KP_DOCUMENT_SIGNING = "1.3.6.1.4.1.311.10.3.12"
XCN_OID_KP_EFS = "1.3.6.1.4.1.311.10.3.4"
XCN_OID_KP_KEY_RECOVERY = "1.3.6.1.4.1.311.10.3.11"
XCN_OID_KP_KEY_RECOVERY_AGENT = "1.3.6.1.4.1.311.21.6"
XCN_OID_KP_LIFETIME_SIGNING = "1.3.6.1.4.1.311.10.3.13"
XCN_OID_KP_QUALIFIED_SUBORDINATION = "1.3.6.1.4.1.311.10.3.10"
XCN_OID_KP_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
XCN_OID_KP_TIME_STAMP_SIGNING = "1.3.6.1.4.1.311.10.3.2"
XCN_OID_LICENSE_SERVER = "1.3.6.1.4.1.311.10.6.2"
XCN_OID_LICENSES = "1.3.6.1.4.1.311.10.6.1"
XCN_OID_NT5_CRYPTO = "1.3.6.1.4.1.311.10.3.7"
XCN_OID_OEM_WHQL_CRYPTO = "1.3.6.1.4.1.311.10.3.7"
XCN_OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
XCN_OID_PKIX_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
XCN_OID_PKIX_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
XCN_OID_PKIX_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
XCN_OID_PKIX_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"
XCN_OID_PKIX_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"
XCN_OID_PKIX_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
XCN_OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
XCN_OID_PKIX_KP_TIMESTAMP_SIGNING = "1.3.6.1.5.5.7.3.8"
XCN_OID_ROOT_LIST_SIGNER = "1.3.6.1.4.1.311.10.3.9"
XCN_OID_WHQL_CRYPTO = "1.3.6.1.4.1.311.10.3.5"
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379409.aspx
$X509KeySpec = @{
XCN_AT_NONE = 0
XCN_AT_KEYEXCHANGE = 1
XCN_AT_SIGNATURE = 2
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa376782.aspx
$InstallResponseRestrictionFlags = @{
AllowNone = 0x00000000
AllowNoOutstandingRequest = 0x00000001
AllowUntrustedCertificate = 0x00000002
AllowUntrustedRoot = 0x00000004
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa379071.aspx
$ObjectIdPublicKeyFlags = @{
XCN_CRYPT_OID_INFO_PUBKEY_ANY = 0
XCN_CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG = 0x80000000
XCN_CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG = 0x40000000
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/aa374813.aspx
$AlgorithmFlags = @{
AlgorithmFlagsNone = 0x00000000
AlgorithmFlagsWrap = 0x00000001
}
#https://msdn.microsoft.com/en-us/library/windows/desktop/ee373782.aspx
$X509EnrollmentAuthFlags = @{
X509AuthNone = 0
X509AuthAnonymous = 1
X509AuthKerberos = 2
X509AuthUsername = 4
X509AuthCertificate = 8
}
function New-DistinguishedName {
param(
[Parameter(Position=0,Mandatory=$true, ValueFromPipeline=$true)][ValidateNotNullOrEmpty()][String]$Subject,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$NameFlags = $X500NameFlags.XCN_CERT_NAME_STR_NONE
)
process {
#For a list of valid RDN keys: https://msdn.microsoft.com/en-us/library/aa377051.aspx
$DN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$DN.Encode($Subject, $NameFlags)
return $DN
}
}
function New-PrivateKey {
param (
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$ProviderName = "Microsoft RSA SChannel Cryptographic Provider",
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$KeySize = 4096,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$ExportPolicy = $X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$KeySpec = $X509KeySpec.XCN_AT_KEYEXCHANGE,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$KeyUsage = $X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][bool]$MachineContext = $true
)
process {
$CCspInformations = New-Object -ComObject X509Enrollment.CCspInformations
$CCspInformations.AddAvailableCsps()
$Key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$Key.ProviderName = $ProviderName
$Key.KeySpec = $KeySpec
$Key.KeyUsage = $KeyUsage
$Key.Length = $KeySize
$Key.MachineContext = $MachineContext
$Key.ExportPolicy = $ExportPolicy
$Key.CspInformations = $CCspInformations
return $Key
}
}
function Get-AvailableCsps {
process {
$AvailableCsps = New-Object -ComObject X509Enrollment.CCspInformations
$AvailableCsps.AddAvailableCsps()
return $AvailableCsps
}
}
function New-ExtensionEnhancedKeyUsage {
param (
[Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][System.Object[]]$Objects
)
process {
$ExtensionEnhancedKeyUsage = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
$ObjectIds = New-Object -ComObject X509Enrollment.CObjectIds
$Objects | %{
$ObjectIds.Add($_)
}
$ExtensionEnhancedKeyUsage.InitializeEncode($ObjectIds)
return $ExtensionEnhancedKeyUsage
}
}
function Get-ExtensionEnhancedKeyUsageOids {
process {
return $X509ExtensionEnhancedKeyUsage
}
}
function New-ObjectId {
param (
[Parameter(Position=0,Mandatory=$true,ValueFromPipeline=$true)][ValidateNotNullOrEmpty()][String]$OID
)
process {
$ObjectId = New-Object -ComObject X509Enrollment.CObjectId
$ObjectId.InitializeFromValue($OID)
return $ObjectId
}
}
function New-ExtensionKeyUsage {
param (
[Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][System.Object[]]$Usage
)
process {
$ExtensionKeyUsage = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
$Flags = 0
$Usage | %{ $Flags = $Flags -bor $_ }
$ExtensionKeyUsage.InitializeEncode($Flags)
return $ExtensionKeyUsage
}
}
function Get-ExtensionKeyUsageFlags {
process {
return $X509KeyUsageFlags
}
}
function New-CertificateRequestCertificate {
process {
$CertificateRequest = New-Object -ComObject X509Enrollment.CX509CertificateRequestCertificate
return $CertificateRequest
}
}
function New-CertEnrollment {
process {
$CertEnrollment = New-Object -ComObject X509Enrollment.CX509Enrollment
return $CertEnrollment
}
}
function New-EnrollmentPolicyWebService {
param (
[Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$PolicyServerUrl,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$PolicyServerId = "",
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$Authentication = $X509EnrollmentAuthFlags.X509AuthKerberos,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][bool]$AllowUntrusted = $false,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$Context = $X509CertificateEnrollmentContext.ContextMachine,
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$Username = "",
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$Password = "",
[Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$LoadOption = $X509EnrollmentPolicyLoadOption.LoadOptionDefault
)
process {
#https://msdn.microsoft.com/en-us/library/windows/desktop/ee351692.aspx
$ParentWindowHandle = 0
$EnrollmentPolicyWebService = New-Object -ComObject x509Enrollment.CX509EnrollmentPolicyWebService
$EnrollmentPolicyWebService.Initialize($PolicyServerUrl,$PolicyServerId,$Authentication,$AllowUntrusted,$Context)
$EnrollmentPolicyWebService.SetCredential($ParentWindowHandle, $Authentication, $Username, $Password)
$EnrollmentPolicyWebService.LoadPolicy($X509EnrollmentPolicyLoadOption.LoadOptionDefault)
return $EnrollmentPolicyWebService
}
}
function New-CertificateRequestPkcs10 {
process {
$CertificateRequestPkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
return $CertificateRequestPkcs10
}
}
function New-Enrollment {
process {
$Enrollment = New-Object -ComObject X509Enrollment.CX509Enrollment
return $Enrollment
}
}
function New-CARequest {
process {
$CARequest = New-Object -ComObject CertificateAuthority.Request
return $CARequest
}
}
function Get-CertEnrollmentContexts {
process {
return $X509CertificateEnrollmentContext
}
}
function Get-EncodingTypes {
process {
return $EncodingType
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment