Chapter 7. Managing and administering a certification authority database with PowerShell


Vadims Podans

Since Windows 2000 Server, the Windows Server operating system has included a built-in component that lets companies run a public key infrastructure (PKI) in their private networks: Certificate Services, renamed Active Directory Certificate Services (AD CS) starting with Windows Server 2008.

Unlike commercial certificate providers (VeriSign/Symantec, DigiCert, and others), a private AD CS deployment allows unlimited certificate issuance at minimal cost. The strong authentication and encryption that digital certificates provide, coupled with the low price and automatic certificate distribution (through autoenrollment), have led network administrators to use certificates to secure many internal (and, in some cases, external) services and applications.

Although Windows ships with command-line tools for working with a CA, they weren't designed for automating PKI tasks. Windows PowerShell lets systems administrators automate almost all PKI-related management tasks. In this chapter you'll learn how to use PowerShell to automate the PKI tasks that involve your certification authority database.
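As an added illustration of what that automation looks like (this is example code written for this edit, not the chapter's own script), the function below queries a CA database for issued certificates that expire within a given number of days. It uses the CertificateAuthority.View COM interface (ICertView2) that ships with Windows, which is what certutil -view and the CA console use under the covers. Filtering on Request.Disposition and NotAfter is done server side with SetRestriction, so the CA does not return the whole database to the client. The CA config string in the usage line is a hypothetical placeholder; replace it with your own "<CAHost>\<CAName>" value.

```powershell
# Added example (not from the chapter): list issued certificates that expire within N days
# by querying the CA database through the built-in CertificateAuthority.View COM interface.
function Get-ExpiringCACertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ConfigString,   # "<CAHost>\<CAName>", e.g. 'ca01.contoso.com\Contoso Issuing CA' (hypothetical)
        [int]$Days = 30
    )

    # Seek operators, sort order and disposition value as defined for ICertView2
    $CVR_SEEK_EQ        = 1
    $CVR_SEEK_LE        = 2
    $CVR_SEEK_GE        = 8
    $CVR_SORT_NONE      = 0
    $DISPOSITION_ISSUED = 20   # 21 = revoked, 9 = pending, 31 = denied

    $view = New-Object -ComObject CertificateAuthority.View
    $view.OpenConnection($ConfigString)

    # Request only the columns we need; indexes are resolved by name from the schema ($false = schema columns)
    $columns = 'RequestID', 'CommonName', 'SerialNumber', 'CertificateTemplate', 'NotBefore', 'NotAfter'
    $view.SetResultColumnCount($columns.Count)
    foreach ($name in $columns) {
        $view.SetResultColumn($view.GetColumnIndex($false, $name))
    }

    # Server-side restrictions: issued certificates only, NotAfter between now and now + $Days
    $now = Get-Date
    $view.SetRestriction($view.GetColumnIndex($false, 'Request.Disposition'), $CVR_SEEK_EQ, $CVR_SORT_NONE, $DISPOSITION_ISSUED)
    $view.SetRestriction($view.GetColumnIndex($false, 'NotAfter'), $CVR_SEEK_GE, $CVR_SORT_NONE, $now)
    $view.SetRestriction($view.GetColumnIndex($false, 'NotAfter'), $CVR_SEEK_LE, $CVR_SORT_NONE, $now.AddDays($Days))

    $rows = $view.OpenView()
    try {
        # Next() returns the row index, or -1 when there are no more rows
        while ($rows.Next() -ne -1) {
            $record = [ordered]@{}
            $cols = $rows.EnumCertViewColumn()
            while ($cols.Next() -ne -1) {
                # Flag 1 = CV_OUT_BASE64HEADER: strings, dates and numbers come back as-is,
                # binary columns (if you add RawCertificate) come back PEM-encoded
                $record[$cols.GetName()] = $cols.GetValue(1)
            }
            [void][Runtime.InteropServices.Marshal]::ReleaseComObject($cols)
            [pscustomobject]$record
        }
    }
    finally {
        # Release the COM objects so the RPC connection to the CA is closed promptly
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($rows)
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($view)
    }
}

# Usage (hypothetical CA name):
# Get-ExpiringCACertificate -ConfigString 'ca01.contoso.com\Contoso Issuing CA' -Days 60 |
#     Sort-Object NotAfter |
#     Format-Table RequestID, CommonName, CertificateTemplate, NotAfter
```

Run this with an account that has the Read permission on the CA (members of the CA's Certificate Managers or Administrators roles qualify); the view is read-only, so it cannot modify or revoke anything. Because the output is ordinary objects, the same query feeds Export-Csv for reporting or a Where-Object filter for, say, a specific template.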

For convenience, I’ll use the abbreviation AD CS to denote Active Directory Certificate Services as a technology, and the abbreviation CA to denote an instance of the certificate services—a certification authority.

Existing tools

Windows provides two built-in tools for accessing your CA database:

Querying the CA database

Advanced administration of the CA database

Summary

About the author