PowerShell PKI Module Documentation

Documentation Home
This command requires installed Remote Server Administration Tools (RSAT)

Import-LostCertificate

Synopsis

Imports previously issued certificate to a Certification Authority (CA) database

Syntax

Import-LostCertificate -CertificationAuthority <CertificateAuthority> -Path <String> [<CommonParameters>]

Import-LostCertificate -CertificationAuthority <CertificateAuthority> -Certificate <X509Certificate2> [<CommonParameters>]

Import-LostCertificate -CertificationAuthority <CertificateAuthority> -RawData <Byte[]> [<CommonParameters>]

Description

Imports previously issued certificate to a Certification Authority (CA) database.

In the case when CA server fails and you have backup taken certain time prior, CA server may issue certificates that are not included in the most recent backup tape. If a certificate is not on the backup tapes used to restore the certification authority but exists in a file, the certificate can be imported by means of this command.

Note: the certificate being imported must have been previously issued by the certification authority specified in CA parameter. The restored certification authority will validate the certificate's signature, and if the signature is not valid, the command will throw error.

Note: you cannot import a certificate if it already exists in the database. Each certificate in the database must be unique. The database ensures uniqueness by checking the certificate's serial number.

Parameters

-CertificationAuthority <CertificateAuthority>

Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Path <String>

Specifies the path to a certificate file. This parameter accepts only certificates saved in a DER or Base64 encoding without private key (with CER extension).

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Certificate <X509Certificate2>

Specifies an existing X509Certificate2 object. This object can be retrieved from local store by searching through local store (Get-ChilItem cert:\CurrentUser\My) or obtained through other means as an X509Certificate2 object.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-RawData <Byte[]>

Specifies a DER-encoded byte array of a target certificate. This byte array can be retrieved by searching through Active Directory user account published certificates stored in userCertificates attribute.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CertificateAuthority

Outputs

System.Int64

Return value specifies the row number in the database which holds imported certificate.

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name MyCA | Import-LostCertificate -Path C:\lostcert.cer

Imports certificate from a file and adds it to a CA database.

Example 2

PS C:\> $IssuedWhen = (Get-Date).AddDays(-1)
C:\PS>$cert = Get-ChildItem cert:\CurrentUser\My | Where-Object {$_.NotBefore -gt $IssuedWhen}
C:\PS>$cert | Foreach-Object {Get-CertificationAuthority ca01.company.com | Import-LostCertificate -Certificate $_}

In this example we set a date when the last backup was taken. In the second line we search through current user Personal certificate store and select certificates was issued after the last backup was taken. The last command will import these certificates to a CA database by using Foreach-Object loop.

Example 3

PS C:\> Import-Module ActiveDirectory
C:\PS>$user = Get-ADUser vpodans -Properties "userCertificate"
C:\PS>Get-CertificationAuthority MyCA | Import-LostCertificate -RawData @(,$user.userCertificate[0])

In this example first command imports ActiveDirectory PowerShell module (available on domain controllers running Windows Server 2008 R2 or Windows 7 with installed RSAT). The second command retrieves specified user (vpodans) account with populated userCertificate property. The last command will import first published certificate to a CA database.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions