Friday, February 7, 2020

PowerShell - Active Directory PKI - Computer Certificate enrollment

For several years I've been working with Windows Server and desktop infrastructure (dating back to Windows NT 4.0) and Active Directory Services, starting with Windows Server 2000. Over these years, a subject that often remains unknown to most IT professionals is the PKI (Public Key Infrastructure), which hosts the corporate environment's Certification Authorities, templates, enrollment services and other components that provide a framework of authenticity for an entity's resources. Windows Server infrastructure can host stand-alone PKI servers or "Active Directory Integrated" ones; the latter is the most reliable and efficient method for an on-premises AD production environment, publishing the available templates and CAs forest-wide, along with root certificates and policies, to all member servers, workstations and resources that rely on AD.

For example, 802.1x network authentication relies heavily on the certification authority to validate the computer's machine certificate using LDAP queries against the global catalog.

Also, VPN gateways may use the same certificate to validate whether the computer is allowed to connect, checking that the cert is published by the corporate CA and has a valid computer object.

To achieve this, a computer that is being joined to the domain must have a valid certificate stored in the Windows 'Local Machine' cert store, so I've created the following PowerShell script, which performs the certificate enrollment for the desired template that has been published to Active Directory.

The script performs an LDAP query against the AD forest the computer is joined to, retrieving the published Enrollment Services. It parses all CAs for the specified cert template and, once the template is found, performs the enrollment.

It has built-in resiliency: it attempts enrollment for a defined time frame, since network disruption might occur.

Although this is focused on a machine certificate, it can be customized for any type of certificate enrollment by modifying the desired cert template and the target store.

I hope you enjoy it. If it is useful or you have any suggestions, let me know in the comments and I'll be glad to help!

Cheers!

Additional reading about PKI: here

GitHub source:
https://github.com/diogocatossi/Powershell/blob/master/CertEnroll.ps1
Auxiliary ntrights to grant 'Network Service' permission to enroll:
https://github.com/diogocatossi/Powershell/blob/master/ntrights.exe
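
The flow described above (look up the forest's Enrollment Services over LDAP, keep the CAs that publish the template, then retry enrollment for a bounded time), written out as an added example; it is not the author's CertEnroll.ps1, and it uses the built-in `Get-Certificate` cmdlet for the enrollment call, which may differ from the author's method. The template name `Machine`, the retry values and the helper name `Get-CAForTemplate` are assumptions; run it elevated on a domain-joined computer.

```powershell
# Added example (not the author's CertEnroll.ps1). Defaults below are assumptions.
[CmdletBinding()]
param(
    [ValidatePattern('^[A-Za-z0-9_-]+$')]   # keeps LDAP filter metacharacters out of the query
    [string]$TemplateName = 'Machine',      # template CN, assumed; use your published template
    [int]$MaxMinutes   = 10,                # assumed retry window
    [int]$RetrySeconds = 30                 # assumed pause between attempts
)
# Return the enrollment services (CAs) in this forest that publish the given template.
function Get-CAForTemplate {
    param([string]$Template)
    $configNC = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
    $base = [adsi]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$Template))"
    foreach ($p in 'cn', 'dNSHostName') { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Name = [string]$r.Properties['cn'][0]
            Host = [string]$r.Properties['dnshostname'][0]
        }
    }
}

$deadline = (Get-Date).AddMinutes($MaxMinutes)
do {
    try {
        $cas = @(Get-CAForTemplate -Template $TemplateName)
        if ($cas.Count -eq 0) { throw "No enrollment service publishes '$TemplateName'." }
        Write-Verbose ("Published by: " + ($cas.Host -join ', '))
        $result = Get-Certificate -Template $TemplateName `
            -CertStoreLocation Cert:\LocalMachine\My -ErrorAction Stop
        if ($result.Status -eq 'Issued') {
            Write-Output "Enrolled, thumbprint $($result.Certificate.Thumbprint)"
            return
        }
        if ($result.Status -eq 'Pending') {
            # Retrying would submit a duplicate request; wait for CA manager approval instead.
            Write-Warning 'Request is pending approval on the CA.'
            return
        }
        throw "Request status: $($result.Status)"
    } catch {
        Write-Warning "Attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds $RetrySeconds
    }
} while ((Get-Date) -lt $deadline)
throw "Enrollment for '$TemplateName' did not succeed within $MaxMinutes minutes."
```

The final `throw` gives a join or provisioning task a failing exit to act on, so a machine without a certificate is reported rather than silently left unable to pass 802.1x or VPN checks.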
