# SystemAdmins.AdcsToolbox

PowerShell module "SystemAdmins.AdcsToolbox" for Active Directory Certificate Services (ADCS).

SystemAdmins.AdcsToolbox is a PowerShell module designed to simplify the management and automation of Active Directory Certificate Services (ADCS). It provides a set of cmdlets for common ADCS tasks such as database maintenance.

This module can only run on a Windows Server with the AD CS role installed.
## Installation

### Online installation

If the AD CS server has access to the internet:

1. Open a PowerShell session.
2. Install and import the module:

```powershell
Install-Module -Name SystemAdmins.AdcsToolbox -Scope CurrentUser;
```
### Offline installation

Most AD CS servers don't have access to the internet, so the module must be downloaded manually and copied to the server.

1. Open a PowerShell session on a computer with internet access.
2. Download the PowerShell module:

```powershell
Save-Module -Name SystemAdmins.AdcsToolbox -Path ([Environment]::GetFolderPath("Desktop")) -Force;
```

3. Copy the folder "SystemAdmins.AdcsToolbox" from your desktop to the AD CS server, into the path "C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules".
4. Open an elevated PowerShell session (run as administrator) on the AD CS server.
5. Import the module:

```powershell
Import-Module SystemAdmins.AdcsToolbox;
```
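Before importing an offline copy, it is worth checking the three things the installation steps depend on: the CA role, the module folder in the system-wide module path, and an elevated session. The following check is an added example, not part of the module; it assumes the folder was copied to the path named above and that the `ServerManager` cmdlet `Get-WindowsFeature` is available (it is on Windows Server).

```powershell
# Added example (not part of SystemAdmins.AdcsToolbox): verify an offline copy
# of the module before importing it on the AD CS server.
function Test-AdcsToolboxInstall {
    [CmdletBinding()]
    param(
        # Assumed location: the system-wide module path from the install steps.
        [string]$ModulePath = 'C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SystemAdmins.AdcsToolbox'
    )

    # The module only works where the Certification Authority role is present.
    $role = Get-WindowsFeature -Name ADCS-Cert-Authority
    if (-not $role.Installed) {
        throw 'The AD CS Certification Authority role is not installed on this server.'
    }

    if (-not (Test-Path -Path $ModulePath)) {
        throw "Module folder not found: $ModulePath"
    }

    # Files copied from an internet-connected machine can carry the Zone.Identifier
    # stream; under the default RemoteSigned policy PowerShell then refuses to load
    # unsigned scripts from the module, so clear the mark before importing.
    Get-ChildItem -Path $ModulePath -Recurse -File | Unblock-File

    # The service and database cmdlets need an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session (run as administrator).'
    }

    Import-Module -Name SystemAdmins.AdcsToolbox -ErrorAction Stop
    # Return the loaded module so the caller can see the version that was picked up.
    Get-Module -Name SystemAdmins.AdcsToolbox
}

Test-AdcsToolboxInstall
```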
## Cmdlets

### Backup-CA

Backup certificate authority with or without the private key.

Type | Parameter | Description | Optional | Accepted Values |
---|---|---|---|---|
String | Path | Backup folder path | False | C:\Path\To\My\Folder |
Switch | PrivateKey | Include private key in the backup | True | |

Create a backup without the private key in the folder "C:\Backup".

```powershell
Backup-CA -Path 'C:\Backup'
```

Create a backup with the private key in the folder "C:\Backup".

```powershell
Backup-CA -Path 'C:\Backup' -PrivateKey
```

Output: Hashtable
### Export-CACertificate

Export certificate authority certificate (public key).

Type | Parameter | Description | Optional | Accepted Values |
---|---|---|---|---|
String | FolderPath | Backup folder path | False | C:\Path\To\My\Folder |

Export the CA certificate (public key) to the folder "C:\Backup".

```powershell
Export-CACertificate -FolderPath 'C:\Backup'
```

Output: String
### Get-CACertificate

Get revoked, expired, failed or denied certificates from the AD CS database.

Type | Parameter | Description | Optional | Accepted Values |
---|---|---|---|---|
String | State | State of certificate/request | True | Revoked, Expired, Denied, Failed |
DateTime | Date | Date limit (up to) for the certificate/request | True | |

Get all revoked certificates from the AD CS database.

```powershell
Get-CACertificate -State 'Revoked'
```

Get all expired certificates up to 30 days ago.

```powershell
Get-CACertificate -State 'Expired' -Date (Get-Date).AddDays(-30)
```

Output: System.Collections.ArrayList
### Get-CACommonName

Get certificate authority common name.

No parameters.

Get the CommonName of the Certificate Authority.

```powershell
Get-CACommonName
```

Output: String
### Get-CACrlConfig

Get certificate authority revocation configuration.

No parameters.

Get the revocation (CRL) configuration.

```powershell
Get-CACrlConfig
```

Output: PSCustomObject
### Get-CADatabasePath

Get AD CS database path.

No parameters.

Get the database path.

```powershell
Get-CADatabasePath
```

Output: PSCustomObject
### Get-CADatabaseSize

Get the AD CS database size.

No parameters.

Get the database size.

```powershell
Get-CADatabaseSize
```

Output: PSCustomObject
### Invoke-CADatabaseDefragmentation

Defragment the Active Directory Certificate Services database. The CertSvc service must be stopped (Stop-CAService) prior to running this cmdlet.

No parameters.

Defragment the database.

```powershell
Invoke-CADatabaseDefragmentation
```

Output: Void
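Because the cmdlet requires CertSvc to be stopped, a wrapper that enforces that precondition and restarts the service only if it was running beforehand avoids leaving the CA down after a failed run. This is an added example, not part of the module; it assumes Get-CAService returns the "running"/"stopped" strings documented above and does not rely on any property names of the Get-CADatabaseSize object.

```powershell
# Added example (not part of SystemAdmins.AdcsToolbox): defragment the AD CS
# database with the CertSvc precondition enforced and the service state restored.
function Invoke-SafeCADatabaseDefragmentation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Import-Module SystemAdmins.AdcsToolbox -ErrorAction Stop

    $sizeBefore = Get-CADatabaseSize
    # Assumed: Get-CAService returns 'running' or 'stopped' (-eq is case-insensitive).
    $wasRunning = ((Get-CAService) -eq 'running')

    if (-not $PSCmdlet.ShouldProcess('AD CS database', 'Defragment')) { return }

    try {
        # Precondition from the cmdlet documentation: CertSvc must be stopped.
        if ($wasRunning) {
            Write-Verbose 'CertSvc is running; stopping it for the defragmentation.'
            Stop-CAService
        }
        if ((Get-CAService) -ne 'stopped') {
            throw 'CertSvc is still not stopped; aborting defragmentation.'
        }

        Invoke-CADatabaseDefragmentation
    }
    finally {
        # Bring the CA back only if it was running when we started, even on error,
        # so a failed defragmentation does not leave issuance and CRL publishing down.
        if ($wasRunning) {
            Start-CAService
            if ((Get-CAService) -ne 'running') {
                Write-Warning 'CertSvc did not come back up; check the CA before relying on it.'
            }
        }
    }

    # Return both size objects so the operator can compare them as reported by the module.
    [PSCustomObject]@{
        SizeBefore = $sizeBefore
        SizeAfter  = Get-CADatabaseSize
    }
}

Invoke-SafeCADatabaseDefragmentation -Verbose
```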
### Get-CAService

Get the status of the AD CS (CertSvc) service.

No parameters.

Get whether the service is "running" or "stopped".

```powershell
Get-CAService
```

Output: String
### Invoke-CADatabaseMaintenance

Invoke AD CS database cleanup. It performs the following:

- Take a backup of the AD CS database.
- If the AD CS service is running:
  - Take a backup of the original CRL configuration.
  - Stop the service.
  - Extend the CRL expiration to two weeks.
  - Start the service.
  - Publish the CRL.
- Remove failed, denied, expired and revoked certificates up to a given date (default: older than three months).
- Stop the service.
- Defragment the AD CS database.
- Restore the original CRL configuration.
- If the service was in a running state before the maintenance job started:
  - Start the service.
  - Publish the CRL.

Type | Parameter | Description | Optional | Accepted Values |
---|---|---|---|---|
DateTime | CertificateRemovalDate | Date to remove expired and revoked certificates from | True | |
String | BackupFolderPath | Path to the backup folder | True | C:\Path\To\My\Backup\Folder |
Switch | Confirm | Confirmation prior to starting the maintenance | True | |

Run the maintenance on the AD CS database by taking a backup and removing old certificates and requests.

```powershell
Invoke-CADatabaseMaintenance -CertificateRemovalDate (Get-Date).AddMonths(-3) -BackupFolderPath 'C:\ADCSBackup' -Confirm
```

Output: Void
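The maintenance job deletes records, so an operator usually wants to see, per state, how many certificates and requests Get-CACertificate returns for the cutoff date before Invoke-CADatabaseMaintenance runs (this also covers the Get-CACertificate section above). The following pre-flight report is an added example, not part of the module; it assumes the cutoff and backup folder from the example above and shows Get-CADatabaseSize output as-is rather than by assumed property names.

```powershell
# Added example (not part of SystemAdmins.AdcsToolbox): pre-flight report for the
# maintenance job, then optionally run it with confirmation.
function Invoke-CAMaintenancePreflight {
    [CmdletBinding()]
    param(
        [datetime]$CertificateRemovalDate = (Get-Date).AddMonths(-3),
        [string]$BackupFolderPath = 'C:\ADCSBackup',   # assumed folder, as in the docs
        [switch]$RunMaintenance
    )

    Import-Module SystemAdmins.AdcsToolbox -ErrorAction Stop

    if ((Get-CAService) -ne 'running') {
        Write-Warning 'CertSvc is not running; the database queries below may fail.'
    }

    # Count what Remove-CACertificate would touch for each state; the states and
    # the "up to" date semantics are those of Get-CACertificate.
    $report = foreach ($state in 'Revoked', 'Expired', 'Denied', 'Failed') {
        $records = @(Get-CACertificate -State $state -Date $CertificateRemovalDate)
        [PSCustomObject]@{
            State       = $state
            OlderThan   = $CertificateRemovalDate.ToString('yyyy-MM-dd')
            RecordCount = $records.Count
        }
    }
    $report | Format-Table -AutoSize

    Write-Host 'Current database size:'
    Get-CADatabaseSize | Format-List

    # The job starts with a backup; make sure the target exists and report free space.
    if (-not (Test-Path -Path $BackupFolderPath)) {
        New-Item -ItemType Directory -Path $BackupFolderPath | Out-Null
    }
    $driveName = ([System.IO.Path]::GetPathRoot($BackupFolderPath)).TrimEnd(':\')
    $drive = Get-PSDrive -Name $driveName
    Write-Host ('Free space on backup drive {0}: {1:N1} GB' -f $drive.Name, ($drive.Free / 1GB))

    if ($RunMaintenance) {
        Invoke-CADatabaseMaintenance -CertificateRemovalDate $CertificateRemovalDate `
            -BackupFolderPath $BackupFolderPath -Confirm
        Write-Host 'Database size after maintenance:'
        Get-CADatabaseSize | Format-List
    }
    return $report
}

# Report only; add -RunMaintenance to continue into the confirmed maintenance job.
Invoke-CAMaintenancePreflight
```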
### Publish-CACrl

Publish the certificate revocation list.

No parameters.

Publish the CRL file(s).

```powershell
Publish-CACrl
```

Output: Void
### Remove-CACertificate

Remove certificates/requests from the certificate authority.

Type | Parameter | Description | Optional | Accepted Values |
---|---|---|---|---|
String | State | State of certificate/request | True | Revoked, Expired, Denied, Failed |
DateTime | Date | Date limit (up to) for the certificate/request | True | |
Switch | Confirm | Confirmation prior to removing certificates | True | |

Remove revoked certificates older than 30 days.

```powershell
Remove-CACertificate -State 'Revoked' -Date (Get-Date).AddDays(-30)
```

Output: System.Collections.ArrayList
### Set-CACrlConfig

Set certificate authority revocation configuration.

Type | Parameter | Description | Optional | Accepted Values |
---|---|---|---|---|
Int | PeriodUnits | Period units | True | 0-2147483647 |
String | Period | Period | True | Days, Weeks, Months, Years |
Int | DeltaPeriodUnits | Delta period units | True | 0-2147483647 |
String | DeltaPeriod | Delta period | True | Days, Weeks, Months, Years |
Int | OverlapUnits | Overlap units | True | 0-2147483647 |
String | OverlapPeriod | Overlap period | True | Days, Weeks, Months, Years |
Int | DeltaOverlapPeriodUnits | Delta overlap period units | True | 0-2147483647 |
String | DeltaOverlapPeriod | Delta overlap period | True | Days, Weeks, Months, Years |
Bool | RevocationCheck | Disable or enable revocation check on startup | True | True, False |

Set the CRL to only update every second week and disable the revocation check at service startup.

```powershell
Set-CACrlConfig -PeriodUnits 2 -Period Weeks -DeltaPeriodUnits 0 -DeltaPeriod Days -OverlapUnits 0 -OverlapPeriod Weeks -DeltaOverlapUnits 0 -DeltaOverlapPeriod Days -RevocationCheck $true
```

Output: Void
### Start-CAService

Start the AD CS (CertSvc) service.

No parameters.

Start the AD CS service.

```powershell
Start-CAService
```

Output: Void
### Stop-CAService

Stop the AD CS (CertSvc) service.

No parameters.

Stop the AD CS service.

```powershell
Stop-CAService
```

Output: Void
## FAQ

**Why was this PowerShell module created?**

During a project at a customer we needed to automate the AD CS database maintenance job. The customer did not want to use the PSPKI module due to its compiled DLL files.

**I'm missing a vital cmdlet for my work**

Please create an issue on the GitHub repository.

## Contributing

Contributions are welcome! Please fork the repository and submit a pull request.