Function to Create Certificate Template in Active Directory Certificate Services for PowerShell DSC and CMS Encryption

  • Article

Today I’m cleaning out my code closet. I found this script that I have wanted to share for a while now.

Problem

Active Directory Certificate Services does not include a template for Document Encryption. This is required for DSC credential encryption and the CMS encryption cmdlets. Current processes require manual effort to create the template. Or you must figure out how to use the less-than-friendly AD CS API from .NET. We all know I ain’t no .NET developer.

Solution

I reverse-engineered the resulting OID and certificate objects in Active Directory and wrote a function to create this template from code. This provides a fully-automated solution for creating the template in a lab or production environment.

Functionality

  • Take parameters
  • Generate a unique OID for the template
  • Create the template
  • Optionally permission the template with Enroll for specified group(s)
  • Optionally add AutoEnroll permission as well
  • Optionally publish the template to CA(s)
  • Optionally target all operations to a designated DC

Requirements:

  • Enterprise AD CS PKI
  • Tested on Windows Server 2012 R2 & 2016
  • Enterprise Administrator rights
  • ActiveDirectory PowerShell Module

Template generated will have these properties:

  • 2 year lifetime
  • 2003 lowest compatibility level
  • Private key not exportable
  • Not stored in AD
  • Document Encryption
  • No digital signature

Sample Usage

 # Create only the template
# Least valuable approach
New-ADCSTemplateForPSEncryption -DisplayName PowerShellCMS

 # Full template creation, permissioning, and deployment
New-ADCSTemplateForPSEncryption -DisplayName PSEncryption `
-Server dc1.contoso.com -GroupName G_DSCNodes -AutoEnroll -Publish

# From a client configured via GPO for AD CS autoenrollment:
$Req = @{
    Template          = 'PSEncryption'
    Url               = 'ldap:'
    CertStoreLocation = 'Cert:\LocalMachine\My'
}
Get-Certificate @Req
# Note: If you have the Carbon module installed, it conflicts with Get-Certificate native cmdlet.

$DocEncrCert = (dir Cert:\LocalMachine\My -DocumentEncryptionCert |
 Sort-Object NotBefore)[-1]

Protect-CmsMessage -To $DocEncrCert -Content "Encrypted with my new cert from the new template!"

Get the code

I have posted this code to the PowerShell Gallery here. Enjoy!