
PowerShell PKI Module Documentation

This command is not available in non-domain environments

Add-AdCertificate

Synopsis

Adds a certificate to a specified AD-based PKI certificate container.

Syntax

Add-AdCertificate [-AdContainer] <DsPkiCertContainer> [-Certificate] <X509Certificate2[]> [-CrossCA] [-Dispose] [<CommonParameters>]

Description

Adds a certificate to a specified AD-based PKI certificate container.

AD PKI container management requires Enterprise Admins permissions or explicitly delegated permissions on the Public Key Services container in Active Directory.

Parameters

-AdContainer <DsPkiCertContainer>

Specifies the AD-based PKI certificate container the certificate is added to. The input object is retrieved by calling the Get-AdPkiContainer cmdlet with the NTAuth, AIA, RootCA or KRA container type.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Certificate <X509Certificate2[]>

Specifies a collection of certificates to add to the AD certificate store.

If the input AD container is of DsKraContainer type, each certificate is expected to be a key recovery agent (KRA) certificate and must be valid for the key recovery operation (OID=1.3.6.1.4.1.311.21.6). In all other cases, the certificate is expected to be a CA certificate.

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-CrossCA <SwitchParameter>

Specifies whether the certificate is published as a cross-certificate. This switch parameter makes sense only when the input AD container is of DsAiaContainer type. For other containers, this parameter is ignored.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Dispose <SwitchParameter>

Disposes the input AD container object. The AD container object holds an active reference to an LDAP object, and it is recommended to release the object when it is no longer needed to avoid memory leaks.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

Outputs

SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer

Notes

Examples

Example 1

PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\pki\root_cacert.crt"
PS C:\> Get-AdPkiContainer -ContainerType RootCA | Add-AdCertificate -Certificate $cert -Dispose

This example reads a certificate from a file, retrieves the RootCA (trusted root CAs) AD container and publishes the certificate to the RootCA container. After the operation completes, the input object (RootCA container) is disposed. After the next autoenrollment trigger, domain members will receive the new trusted root CA.

Example 2

PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\pki\cross.cer"
PS C:\> Get-AdPkiContainer -ContainerType AIA | Add-AdCertificate -Certificate $cert -CrossCA -Dispose

This example reads a certificate from a file, retrieves the AIA (intermediate CA) AD container and publishes the certificate to the AIA container as a cross-certificate. After the operation completes, the input object (AIA container) is disposed. After the next autoenrollment trigger, domain members will receive the new certificate in their local Intermediate Certification Authorities store.
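Because anything published to the RootCA or NTAuth container becomes trusted by every domain member at the next autoenrollment trigger, a practitioner will usually want to validate the certificate against the target container's expectations (a CA certificate for RootCA/AIA/NTAuth, a KRA certificate carrying OID 1.3.6.1.4.1.311.21.6 for KRA, as the -Certificate parameter description states) before calling Add-AdCertificate. The wrapper below is an added example written for this page and is not part of the PSPKI module; the file paths are placeholders, and the container names and parameters used are the ones documented above. It supports -WhatIf so the publication can be rehearsed before it is made.

```powershell
# Added example, not PSPKI module code. Assumes the PSPKI module is installed
# and that the caller holds the delegated permissions described on this page.
Import-Module PSPKI

function Test-CaCertificate {
    # Returns $true when the certificate carries BasicConstraints with CA=TRUE
    # (and, if requested, is self-signed, as a trusted root should be).
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$RequireSelfSigned
    )
    $bc = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { return $false }
    if ($RequireSelfSigned -and ($Certificate.Subject -ne $Certificate.Issuer)) { return $false }
    return $true
}

function Test-KraCertificate {
    # Returns $true when the Enhanced Key Usage extension contains the
    # Key Recovery Agent OID required for the DsKraContainer (see -Certificate).
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.21.6' })
}

function Publish-AdCertificateChecked {
    # Hypothetical wrapper: validates the certificate for the chosen container,
    # records what is about to be published, then calls Add-AdCertificate.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('RootCA', 'AIA', 'NTAuth', 'KRA')][string]$ContainerType,
        [switch]$CrossCA
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    switch ($ContainerType) {
        'RootCA' { if (-not (Test-CaCertificate $cert -RequireSelfSigned)) { throw "$Path is not a self-signed CA certificate; refusing to publish to RootCA" } }
        'AIA'    { if (-not (Test-CaCertificate $cert)) { throw "$Path is not a CA certificate; refusing to publish to AIA" } }
        'NTAuth' { if (-not (Test-CaCertificate $cert)) { throw "$Path is not a CA certificate; refusing to publish to NTAuth" } }
        'KRA'    { if (-not (Test-KraCertificate $cert)) { throw "$Path lacks the Key Recovery Agent EKU; refusing to publish to KRA" } }
    }
    if ($CrossCA -and $ContainerType -ne 'AIA') {
        Write-Warning "-CrossCA is only meaningful for the AIA container and will be ignored"
    }

    $what = "Subject='{0}' Thumbprint={1} NotAfter={2:u}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if ($PSCmdlet.ShouldProcess("AD container $ContainerType", "Publish $what")) {
        # -Dispose releases the LDAP reference held by the container object once the
        # certificate has been added (see the -Dispose parameter above).
        $container = Get-AdPkiContainer -ContainerType $ContainerType
        if ($CrossCA) {
            $container | Add-AdCertificate -Certificate $cert -CrossCA -Dispose
        } else {
            $container | Add-AdCertificate -Certificate $cert -Dispose
        }
    }
}

# Rehearse first, then publish. Paths are placeholders.
Publish-AdCertificateChecked -Path 'c:\pki\root_cacert.crt' -ContainerType RootCA -WhatIf
Publish-AdCertificateChecked -Path 'c:\pki\root_cacert.crt' -ContainerType RootCA -Verbose
Publish-AdCertificateChecked -Path 'c:\pki\cross.cer' -ContainerType AIA -CrossCA
```

The checks run before Get-AdPkiContainer is called, so a rejected certificate never allocates a container object that would need disposing. The Subject, Thumbprint and NotAfter line emitted through ShouldProcess is what you would want in a change record: it is the thumbprint, not the file name, that identifies what every domain member will start trusting.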

Related links

Get-AdPkiContainer
Remove-AdCertificate
Add-AdCertificateRevocationList
Remove-AdCertificateRevocationList

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions