Managing Active Directory User Certificates using PowerShell

I first came across user certificates when I was working with email certificates a few years ago and I have to admit that I had trouble updating the certificates on the objects!

Most organizations run a Microsoft Active Directory Certificate Services (AD CS) certification authority that issues the certificates used internally. When a certificate is issued to a user from a template that is set to publish to Active Directory, the certificate service writes the issued certificate to the user object. The userCertificate attribute is a multi-valued attribute that holds the DER-encoded X.509v3 certificates issued to the user; it contains public certificates only, never private keys.

Although we rarely need to pay attention to this attribute, there are cases where we have to update it. To make things easier, I've written PowerShell functions to Get, Remove, Import and Export the certificates in that attribute.

To get the list of certificates for an object, use the Get-ActiveDirectoryObjectCertificate function:

PS C:\> Get-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local

DistinguishedName         UserPrincipalName    SamAccountName Certificate
-----------------         -----------------    -------------- -----------
CN=CPolydorou,OU=Users... cpolydorou@lab.local CPolydorou     {[Subject]...

PS C:\>

The object to query can be specified using its DistinguishedName, SamAccountName or UserPrincipalName. The object that is returned carries the DistinguishedName, UserPrincipalName and SamAccountName properties of the account and a new property named Certificate that contains the array of the object's certificates as X509Certificate2 objects. Let's take a closer look at the certificates...

PS C:\> $certs = Get-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local

PS C:\> $certs.Certificate

Thumbprint   Subject
----------   -------
29893A9CC... E=cpolydorou@lab.local, CN=CPolydorou, OU=Users...
6C1FC4638... E=cpolydorou@lab.com, CN=CPolydorou, OU=Users, ...

PS C:\>

As shown above, I have two certificates on my Active Directory user account. Having the certificates as X509Certificate2 objects rather than raw bytes lets us examine further properties, such as the validity period.

PS C:\> $certs.Certificate | ft Thumbprint,NotBefore,NotAfter -AutoSize

Thumbprint   NotBefore             NotAfter
----------   ---------             --------
29893A9CC... 10/9/2016 10:40:34 AM 10/9/2017 10:40:34 AM
6C1FC4638... 2/14/2017 3:44:51 PM  2/14/2018 3:44:51 PM

PS C:\>

Now that we have a way to get the certificates, we'll move on to the Remove-ActiveDirectoryObjectCertificate function, which removes certificates from the objects. To identify the certificate to remove, we use its thumbprint.

PS C:\> Remove-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local -Thumbprint "6C1FC463805E72EBF401E039EC307627078C1339"

PS C:\> Get-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local | % Certificate | % Thumbprint

29893A9CCF471215371DBB29F29832A1C30C488C

PS C:\>

There's a switch named -Expired that removes all the expired certificates without having to specify a thumbprint. Be careful: if neither -Thumbprint nor -Expired is used, all of the object's certificates are removed, so check the object with Get-ActiveDirectoryObjectCertificate before running it.

The last two functions are Import-ActiveDirectoryObjectCertificate and Export-ActiveDirectoryObjectCertificate. As their names suggest, they import certificates into, and export certificates from, the objects.

PS C:\> Import-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local `
                                                -Path .\certificate.cer

PS C:\>

PS C:\> Export-ActiveDirectoryObjectCertificate -UserPrincipalName cpolydorou@lab.local `
               -Thumbprint "DABB8EBD081390207E98320CB9915D848FB9A0F4" `
               -Path C:\Temp\certificate.cer

PS C:\>

In the first example the certificate in the file "certificate.cer" is imported to the object, and in the second the certificate with thumbprint "DABB8EBD081390207E98320CB9915D848FB9A0F4" is exported to the file "C:\Temp\certificate.cer". The exported file holds the public certificate only, since that is all userCertificate ever contains.
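To show what these functions do underneath, here is an added example that is not part of the author's module: the same Get / Remove / Import / Export operations written against the userCertificate attribute with the built-in ActiveDirectory module, so the DER-encoded values described at the start of the post are decoded and written back explicitly. The function names (Resolve-TargetUser, ConvertTo-X509, Get-/Remove-/Import-/Export-UserCertificate), the UPN in the usage lines and the stricter -All opt-in for wiping the attribute are my choices, not the module's; it needs RSAT (the ActiveDirectory module) and an account that can write the target object.

```powershell
# Added example, not code from the author's module: the same Get / Remove /
# Import / Export operations done with the built-in ActiveDirectory module,
# working directly on the userCertificate attribute. Needs RSAT (the
# ActiveDirectory module) and an account allowed to write the target object.
# The UPN in the usage lines at the bottom is an assumption.
Import-Module ActiveDirectory

# Find the user by DistinguishedName, SamAccountName or UserPrincipalName.
# -Identity accepts DN, GUID, SID and sAMAccountName; a UPN needs a filter.
function Resolve-TargetUser {
    param([Parameter(Mandatory)][string]$Identity)
    $user = if ($Identity -like '*@*') {
        Get-ADUser -Filter { userPrincipalName -eq $Identity } -Properties userCertificate
    } else {
        Get-ADUser -Identity $Identity -Properties userCertificate
    }
    if (-not $user) { throw "User '$Identity' not found." }
    $user
}

# Each value of userCertificate is one DER-encoded X.509v3 certificate.
# The unary comma keeps New-Object from unrolling the byte[] into arguments.
function ConvertTo-X509 {
    param([byte[]]$Der)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
}

function Get-UserCertificate {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Resolve-TargetUser $Identity
    foreach ($der in @($user.userCertificate)) { ConvertTo-X509 $der }
}

function Remove-UserCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Thumbprint,   # remove the one certificate with this thumbprint
        [switch]$Expired,      # remove every certificate whose NotAfter has passed
        [switch]$All           # explicit opt-in before wiping the attribute
    )
    if (-not ($Thumbprint -or $Expired -or $All)) { throw 'Specify -Thumbprint, -Expired or -All.' }
    $Thumbprint = $Thumbprint -replace '\s', ''   # tolerate the pasted "AA BB CC" form
    $user = Resolve-TargetUser $Identity
    foreach ($der in @($user.userCertificate)) {
        $cert = ConvertTo-X509 $der
        $selected = ($All -or
                     ($Thumbprint -and $cert.Thumbprint -eq $Thumbprint) -or
                     ($Expired -and $cert.NotAfter -lt (Get-Date)))
        if (-not $selected) { continue }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove certificate $($cert.Thumbprint)")) {
            # -Remove deletes exactly this value; the DC matches it byte-for-byte.
            Set-ADUser -Identity $user -Remove @{ userCertificate = [byte[]]$der }
        }
    }
}

function Import-UserCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Path   # .cer file, DER or Base64 (PEM)
    )
    $user = Resolve-TargetUser $Identity
    # Load the file through X509Certificate2 so a Base64 .cer is normalised to DER;
    # RawData is what gets stored. Writing PEM text into the attribute would leave
    # a value no client can parse.
    $file = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    if ($cert.HasPrivateKey) { throw 'Refusing to publish a certificate that carries a private key.' }
    $present = @($user.userCertificate | ForEach-Object { (ConvertTo-X509 $_).Thumbprint })
    if ($present -contains $cert.Thumbprint) {
        Write-Warning "Certificate $($cert.Thumbprint) is already published on $($user.SamAccountName)."
        return
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add certificate $($cert.Thumbprint)")) {
        Set-ADUser -Identity $user -Add @{ userCertificate = $cert.RawData }
    }
}

function Export-UserCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path
    )
    $Thumbprint = $Thumbprint -replace '\s', ''
    $cert = Get-UserCertificate $Identity | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on $Identity." }
    # RawData is the DER blob exactly as stored in AD: a public certificate only.
    $file = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($Path)
    [System.IO.File]::WriteAllBytes($file, $cert.RawData)
}

# Usage (the UPN is an assumption for this example):
Get-UserCertificate 'cpolydorou@lab.local' | Format-Table Thumbprint, NotBefore, NotAfter -AutoSize
Remove-UserCertificate 'cpolydorou@lab.local' -Expired -WhatIf   # dry run before the real removal
```

The two functions that write to the directory support -WhatIf and -Confirm through ShouldProcess, and Remove-UserCertificate refuses to run without an explicit selector, so a typo in the parameters cannot silently wipe every certificate off the account.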

Keep in mind that since we are updating Active Directory objects, the change is written to one domain controller and some time may be required for it to replicate to the others.

In case you're updating S/MIME certificates and want the change to take effect immediately, you also have to update the address book on Exchange (the Offline Address Book, with Update-OfflineAddressBook) and download the new copy on the client, because Outlook in cached mode reads recipients' certificates from its local OAB copy rather than from the directory.

All those functions are included in the version of my Active Directory module that is published on the PowerShell Gallery.

Have fun!

PS: Be the hero, set up Active Directory snapshots today!
