# SystemAdmins.AdcsToolbox

PowerShell module "SystemAdmins.AdcsToolbox" for Active Directory Certificate Services (ADCS).

SystemAdmins.AdcsToolbox is a PowerShell module designed to simplify the management and automation of Active Directory Certificate Services (ADCS). The module provides a set of cmdlets for common ADCS tasks such as database maintenance.

## Requirements

This module can only run on a Windows Server with the AD CS role installed.
## Installation

### Server with internet access

If the AD CS server has access to the internet:

1. Open a PowerShell session.
2. Install and import the module:

```powershell
Install-Module -Name SystemAdmins.AdcsToolbox -Scope CurrentUser;
```
### Server without internet access

Most AD CS servers don't have access to the internet, so the module has to be downloaded manually and copied to the server.

1. Open a PowerShell session on a computer with internet access.
2. Download the PowerShell module:

```powershell
Save-Module -Name SystemAdmins.AdcsToolbox -Path ([Environment]::GetFolderPath("Desktop")) -Force;
```

3. Copy the folder "SystemAdmins.AdcsToolbox" from your desktop to the following path on the AD CS server: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules".
4. Open an elevated PowerShell session (run as administrator) on the AD CS server.
5. Import the module:

```powershell
Import-Module SystemAdmins.AdcsToolbox;
```
## Cmdlets

### Backup-CA

Backup the certificate authority with or without the private key.

#### Parameters

| Type | Parameter | Description | Optional | Accepted Values |
|---|---|---|---|---|
| String | Path | Backup folder path | False | C:\Path\To\My\Folder |
| Switch | PrivateKey | Include private key in the backup | True | |

#### Examples

Create a backup without the private key to the folder "C:\Backup":

```powershell
Backup-CA -Path 'C:\Backup'
```

Create a backup with the private key to the folder "C:\Backup":

```powershell
Backup-CA -Path 'C:\Backup' -PrivateKey
```

#### Output

Hashtable
### Export-CACertificate

Export the certificate authority certificate (public key).

#### Parameters

| Type | Parameter | Description | Optional | Accepted Values |
|---|---|---|---|---|
| String | FolderPath | Backup folder path | False | C:\Path\To\My\Folder |

#### Example

Export the CA certificate (public key) to the folder "C:\Backup":

```powershell
Export-CACertificate -FolderPath 'C:\Backup'
```

#### Output

String
### Get-CACertificate

Get revoked, expired, failed or denied certificates from the AD CS database.

#### Parameters

| Type | Parameter | Description | Optional | Accepted Values |
|---|---|---|---|---|
| String | State | State of certificate/request | True | Revoked, Expired, Denied, Failed |
| DateTime | Date | Date limit (up to) for the certificate/request | True | |

#### Examples

Get all revoked certificates from the AD CS database:

```powershell
Get-CACertificate -State 'Revoked'
```

Get all certificates that expired up to 30 days ago:

```powershell
Get-CACertificate -State 'Expired' -Date (Get-Date).AddDays(-30)
```

#### Output

System.Collections.ArrayList
### Get-CACommonName

Get the certificate authority common name.

#### Parameters

None.

#### Example

Get the CommonName of the certificate authority:

```powershell
Get-CACommonName
```

#### Output

String
### Get-CACrlConfig

Get the certificate authority revocation configuration.

#### Parameters

None.

#### Example

Get the revocation (CRL) configuration:

```powershell
Get-CACrlConfig
```

#### Output

PSCustomObject
### Get-CADatabasePath

Get the AD CS database path.

#### Parameters

None.

#### Example

Get the database path:

```powershell
Get-CADatabasePath
```

#### Output

PSCustomObject
### Get-CADatabaseSize

Get the AD CS database size.

#### Parameters

None.

#### Example

Get the database size:

```powershell
Get-CADatabaseSize
```

#### Output

PSCustomObject
### Invoke-CADatabaseDefragmentation

Defragment the Active Directory Certificate Services database. The CertSvc service must be stopped (Stop-CAService) prior to running this cmdlet.

#### Parameters

None.

#### Example

Defragment the database (with the CertSvc service already stopped):

```powershell
Invoke-CADatabaseDefragmentation
```

#### Output

Void
### Get-CAService

Get the status of the AD CS (CertSvc) service.

#### Parameters

None.

#### Example

Get whether the service is "running" or "stopped":

```powershell
Get-CAService
```

#### Output

String
### Invoke-CADatabaseMaintenance

Invoke an AD CS database cleanup. It performs the following steps:

- Take a backup of the AD CS database.
- If the AD CS service is running:
  - Take a backup of the original CRL configuration.
  - Stop the service.
  - Extend the CRL expiration to two weeks.
  - Start the service.
  - Publish the CRL.
- Remove failed, denied, expired and revoked certificates up to a given date (default is older than three months).
- Stop the service.
- Do an AD CS database defragmentation.
- Restore the original CRL configuration.
- If the service was in a running state before the maintenance job started:
  - Start the service.
  - Publish the CRL.

#### Parameters

| Type | Parameter | Description | Optional | Accepted Values |
|---|---|---|---|---|
| DateTime | CertificateRemovalDate | Date to remove expired and revoked certificates from | True | |
| String | BackupFolderPath | Path to the backup folder | True | C:\Path\To\My\Backup\Folder |
| Switch | Confirm | Confirmation prior to starting the maintenance | True | |

#### Example

Run the maintenance on the AD CS database by taking a backup and removing old certificates and requests:

```powershell
Invoke-CADatabaseMaintenance -CertificateRemovalDate (Get-Date).AddMonths(-3) -BackupFolderPath 'C:\ADCSBackup' -Confirm
```

#### Output

Void
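As an added example (not part of the module's own documentation), the following pre-flight script uses the cmdlets documented above to report what the maintenance job would delete, and where the backup would go, before the job is actually run. The backup folder `C:\ADCSBackup`, the three-month removal window and the assumption that the database queries need CertSvc running are choices made here, not module requirements.

```powershell
# Added example, not part of the module's documentation: preview the effect of
# Invoke-CADatabaseMaintenance before committing to it.
Import-Module SystemAdmins.AdcsToolbox;

$removalDate = (Get-Date).AddMonths(-3);   # same window as the cmdlet example
$backupPath  = 'C:\ADCSBackup';            # assumed backup location

# Assumption: the database queries below need the CertSvc service running,
# so refuse to continue when Get-CAService reports anything else.
$serviceState = Get-CAService;
if ($serviceState -ne 'running') {
    throw "CertSvc is '$serviceState'; start it with Start-CAService before running this report.";
}

# Record the current state so it can be compared with the post-maintenance result.
'CA common name : {0}' -f (Get-CACommonName);
'Database path  :'; Get-CADatabasePath;
'Database size  :'; Get-CADatabaseSize;
'CRL config     :'; Get-CACrlConfig;

# Count what the job would remove per state without removing anything.
$report = foreach ($state in 'Failed', 'Denied', 'Expired', 'Revoked') {
    $rows = Get-CACertificate -State $state -Date $removalDate;
    [PSCustomObject]@{ State = $state; RowsToRemove = @($rows).Count };
}
$report | Format-Table -AutoSize;

# Only run the destructive job once the operator has accepted the numbers above.
$answer = Read-Host "Run Invoke-CADatabaseMaintenance with backup to '$backupPath'? (y/N)";
if ($answer -eq 'y') {
    Invoke-CADatabaseMaintenance -CertificateRemovalDate $removalDate -BackupFolderPath $backupPath -Confirm;
}
```

Keep the printed counts and the backup folder with the change record for the maintenance window, so the removal can be reviewed afterwards.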
### Publish-CACrl

Publish the certificate revocation list.

#### Parameters

None.

#### Example

Publish the CRL file(s):

```powershell
Publish-CACrl
```

#### Output

Void
### Remove-CACertificate

Remove certificates/requests from the certificate authority.

#### Parameters

| Type | Parameter | Description | Optional | Accepted Values |
|---|---|---|---|---|
| String | State | State of certificate/request | True | Revoked, Expired, Denied, Failed |
| DateTime | Date | Date limit (up to) for the certificate/request | True | |
| Switch | Confirm | Confirmation prior to removing certificates | True | |

#### Example

Remove revoked certificates older than 30 days:

```powershell
Remove-CACertificate -State 'Revoked' -Date (Get-Date).AddDays(-30)
```

#### Output

System.Collections.ArrayList
### Set-CACrlConfig

Set the certificate authority revocation configuration.

#### Parameters

| Type | Parameter | Description | Optional | Accepted Values |
|---|---|---|---|---|
| Int | PeriodUnits | Period units | True | 0-2147483647 |
| String | Period | Period | True | Days, Weeks, Months, Years |
| Int | DeltaPeriodUnits | Delta period units | True | 0-2147483647 |
| String | DeltaPeriod | Delta period | True | Days, Weeks, Months, Years |
| Int | OverlapUnits | Overlap units | True | 0-2147483647 |
| String | OverlapPeriod | Overlap period | True | Days, Weeks, Months, Years |
| Int | DeltaOverlapPeriodUnits | Delta overlap period units | True | 0-2147483647 |
| String | DeltaOverlapPeriod | Delta overlap period | True | Days, Weeks, Months, Years |
| Bool | RevocationCheck | Disable or enable revocation check on startup | True | True, False |

#### Example

Set the CRL to only update every second week and disable the revocation check at service startup:

```powershell
Set-CACrlConfig -PeriodUnits 2 -Period Weeks -DeltaPeriodUnits 0 -DeltaPeriod Days -OverlapUnits 0 -OverlapPeriod Weeks -DeltaOverlapUnits 0 -DeltaOverlapPeriod Days -RevocationCheck $true
```

#### Output

Void
### Start-CAService

Start the AD CS (CertSvc) service.

#### Parameters

None.

#### Example

Start the AD CS service:

```powershell
Start-CAService
```

#### Output

Void

### Stop-CAService

Stop the AD CS (CertSvc) service.

#### Parameters

None.

#### Example

Stop the AD CS service:

```powershell
Stop-CAService
```

#### Output

Void
## FAQ

### Why was this PowerShell module created?

During a project at a customer we needed to automate the AD CS database maintenance job. The customer did not want to use the PSPKI module due to its compiled DLL files.

### I'm missing a vital cmdlet for my work

Please create an issue on the GitHub repository.

## Contributing

Contributions are welcome! Please fork the repository and submit a pull request.