EGr*_*EGr 9 powershell certificate group-policy certificate-authority powershell-v3.0
现在,我正在执行以下操作以从 CEP 服务器请求证书:
在此之后,我获得了 CEP 的证书;然而,这是手动完成的痛苦过程。有没有办法在 Server 2008(和 2012)中自动执行此操作?我能找到的所有相关信息都说明了如何安装 CEP 服务以使服务器成为注册策略服务器(与实际请求新证书或在客户端启用它无关)。是否可以自动执行此操作?
看起来这个过程在HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography下添加了很多数据。我可以手动添加这个(并欺骗 GUID/ServiceID)吗?
这是我在 Windows 2012 R2 及更高版本上使用的过程。所有 PowerShell 代码都是从提升的 PowerShell 提示符运行的。完全自动化留给用户作为练习。
确保您的证书服务器上有一个模板,并且在“主题”选项卡中选择了“在请求中提供”单选按钮。由于这不是 AD 计算机,因此证书服务器无法充分查询 Active Directory 的信息。
导出证书服务器上的受信任根证书颁发机构证书,然后将该证书文件复制到目标服务器
certutil --% -ca.cert <name of certificate file>
将该证书导入到目标服务器上的受信任根证书颁发机构
$PathToCertificate=<name of certificate file>
$RootCertificate=Get-PfxCertificate -FilePath $PathToCertificate
$AlreadyExists=Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object { $_.Thumbprint -eq $RootCertificate.Thumbprint }
if ($AlreadyExists -eq $null) { Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root" -FilePath $PathToCertificate }
else { Write-Warning "Root certificate already installed" }
确定 Active Directory 策略提供程序的 URL
# Get AD Configuration Context
$RootDSE=[System.DirectoryServices.DirectoryEntry]::new("LDAP://RootDSE")
$ConfigContext="CN=Enrollment Services,CN=Public Key Services,CN=Services,"+$RootDSE.configurationNamingContext
# Get name of Enterprise Root Certificate Autority server
$Server=Get-ADObject -SearchBase $ConfigContext -Filter "*"
if ($Server.Count -eq 1) { throw "No Enterprise Root Certificate Autority server exists" }
else { $Server=$Server[1].Name }
# Get Enrollment URL
$ConfigContext="CN=$Server,"+$ConfigContext
$EnrollmentURL=(Get-ADObject -SearchBase $ConfigContext -Filter "*" -Properties "msPKI-Enrollment-Servers" | Select-Object -ExpandProperty "msPKI-Enrollment-Servers").Split("`n") | Where-Object { $_ -like "http*" }
if ($EnrollmentURL -eq $null) { $EnrollmentURL="" }
# Get AD Enrollment Policy URL
$Server=$Server+$RootDSE.configurationNamingContext.Value.Replace("CN=Configuration","").Replace(",DC=",".")
$WMI=Get-WmiObject -ComputerName $Server -Namespace "root\WebAdministration" -Class Application | Where-Object { $_.Path -eq "/ADPolicyProvider_CEP_UsernamePassword" }
if ($WMI -ne $null) { $PolicyURL="https://"+$Server+$WMI.Path+"/service.svc/CEP" }
else { $PolicyURL="" }
Write-Output "Enrollment URL = $EnrollmentURL"
Write-Output "Policy URL = $PolicyURL"
将注册策略添加到目标服务器(这只适用于 Windows 2012 及更高版本。有关 GUI 说明,请参见下文)。确保在创建非域模板后添加策略,否则由于策略未刷新而不会显示。
$User="<your domain name>\<your domain user name>"
$Pass="<Your domain password>"
$SecPass=ConvertTo-SecureString -String $Pass -AsPlainText -Force
$Cred=[System.Management.Automation.PSCredential]::new($User,$SecPass)
Add-CertificateEnrollmentPolicyServer -Url $PolicyURL -context Machine -NoClobber -AutoEnrollmentEnabled -Credential $Cred
您现在应该能够使用所需的模板注册证书
$DNS="<FQDN of your server>"
$URL=Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Select-Object -ExpandProperty Url | Select-Object -ExpandProperty AbsoluteUri
$Enrollment=Get-Certificate -Url $URL -Template "<Template name (not display name)>" -SubjectName "CN=$DNS" -DnsName $DNS -Credential $Cred -CertStoreLocation cert:\LocalMachine\My
$Enrollment.Certificate.FriendlyName=$DNS
| 归档时间: |
|
| 查看次数: |
22406 次 |
| 最近记录: |