I can currently create multiple certificate templates using a PowerShell script and an XML file with some details; however, I cannot set the Compatibility for the CA or the Certificate Recipient, which remain at 2003/XP regardless.
Is it possible to update these config items using this current method?
The Powershell script I am using is this (yes, I know I've got it spelt Temaplate in places):
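Param($nameList, $configModel)
# Script entry: $configModel supplies the CA location and the AD domain used for
# the ACL principals. $nameList is accepted for caller compatibility but unused here.
$Domain = $configModel.UserDomain
# CA config string in the "<host>\<CA name>" form that ICertAdmin expects.
$CAConfigStr = "{0}\{1}" -f $configModel.CAServer.IP, $configModel.CAName
# The template definitions live in a .xml file next to this script with the same
# base name. ChangeExtension only touches the final extension, whereas the earlier
# .Replace(".ps1", ".xml") would also rewrite a ".ps1" occurring inside a directory name.
$TemplatesFile = [System.IO.Path]::ChangeExtension($MyInvocation.MyCommand.Path, ".xml")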
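function Main($CAConfigStr, $TemplatesFile)
{
    # Imports every template in $TemplatesFile into AD, publishes it on the CA
    # identified by $CAConfigStr and applies the per-template ACL profile.
    # Reads the script-scope $Domain variable. Throws if a committed template never
    # becomes visible in AD, or if any COM/AD call fails.
    # NOTE(review): the MMC "Compatibility" settings are not set anywhere in this
    # function; the template's schema version and flags are taken as-is from the XML
    # (see <policySchema> there) - presumably that is where they come from; verify.
    $ImportBytes = [System.IO.File]::ReadAllBytes($TemplatesFile)
    $CEP = New-Object -ComObject X509enrollment.CX509EnrollmentPolicyWebService
    $CEP.InitializeImport($ImportBytes)
    # Loop-invariant lookups hoisted out of the per-template loop.
    $ConfigContext = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
    $CertAdmin = New-Object -ComObject CertificateAuthority.Admin
    $CEP.GetTemplates() | ForEach-Object {
        $ADWritable = New-Object -ComObject X509Enrollment.CX509CertificateTemplateADWritable
        $ADWritable.Initialize($_)
        $TemaplateName = $ADWritable.Property(1)   # template common name
        $LDAPPath = "LDAP://CN=$TemaplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"
        if (![ADSI]::Exists($LDAPPath)) {
            # Commit flag 1 (as in the original script) saves the template to AD.
            $ADWritable.Commit(1, $null)
            # Wait for the new object to become visible, but give up instead of
            # spinning forever if replication or the commit went wrong.
            $Deadline = (Get-Date).AddMinutes(5)
            while (-not [ADSI]::Exists($LDAPPath)) {
                if ((Get-Date) -gt $Deadline) {
                    throw "Template '$TemaplateName' was committed but is still not visible at $LDAPPath"
                }
                Start-Sleep -Seconds 5
            }
        }
        # CR_PROP_TEMPLATES (29) read as a string (PROPTYPE_STRING = 4): newline-separated
        # "Name`nOID`n" pairs of the templates the CA issues. Only append the template if
        # it is not already published, so re-running the script does not add duplicates.
        $Templates = [string]$CertAdmin.GetCAProperty($CAConfigStr, 29, 0, 4, 0)
        $PublishedEntries = $Templates -split "`n"
        if ($PublishedEntries -notcontains $TemaplateName) {
            $Templates += $TemaplateName + "`n" + $ADWritable.Property(12).Value + "`n"
            $CertAdmin.SetCAProperty($CAConfigStr, 29, 0, 4, $Templates)
        }
        Assign-CertificateTemplatePermission $Domain $TemaplateName
    }
}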
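function Set-CertificateTemplateSecurity($TemaplateName, $User, $Permission)
{
    # Grants $User the rights named in the comma-separated $Permission string
    # (FullControl, Read, Write, Enroll, AutoEnroll) on the template's AD object.
    # Enroll and AutoEnroll are always granted as object-specific extended rights
    # (the two GUIDs below, taken from the original script). The previous version
    # granted a blanket "ExtendedRight" when both were requested, which is every
    # extended right on the object rather than just those two; it also used
    # -notmatch on an array, so "Read,Enroll,AutoEnroll" fell through and added
    # the Enroll ACE on top of the blanket grant.
    $EnrollRightGuid     = [GUID]"0e10c968-78fb-11d2-90d4-00c04f79dc55"
    $AutoEnrollRightGuid = [GUID]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"

    [string[]]$Permission = $Permission.Replace(' ', '').Split(',')
    [string[]]$Rights = @()
    if ($Permission -contains "FullControl") {
        $Rights += "GenericAll"
    }
    else {
        # These strings are joined and parsed as ActiveDirectoryRights flags below.
        if ($Permission -contains "Read")  { $Rights += "ReadProperty, GenericExecute" }
        if ($Permission -contains "Write") { $Rights += "WriteProperty, WriteDacl, WriteOwner" }
    }

    $ConfigContext = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
    $ADSI = [ADSI]"LDAP://CN=$TemaplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"
    $NTAccount = New-Object System.Security.Principal.NTAccount($User)
    $IdentityReference = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier])

    if ($Rights) {
        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference, ($Rights -join ','), "Allow")
        $ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
    }
    if ($Permission -contains "Enroll") {
        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference, "ExtendedRight", "Allow", $EnrollRightGuid)
        $ADSI.psbase.ObjectSecurity.AddAccessRule($ACE)
    }
    if ($Permission -contains "AutoEnroll") {
        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($IdentityReference, "ExtendedRight", "Allow", $AutoEnrollRightGuid)
        $ADSI.psbase.ObjectSecurity.AddAccessRule($ACE)
    }
    $ADSI.psbase.commitchanges()
}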
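function Assign-CertificateTemplatePermission($Domain, $TemaplateName)
{
    # Applies the ACL profile that matches $TemaplateName (wildcard, case-insensitive
    # switch). Every case now ends with `break` so exactly one profile applies, and a
    # template with no profile is reported instead of silently left without an ACL.
    # Principal lists shared by several profiles.
    $AdminsWithScep        = @("$Domain\Domain Admins", "$Domain\Administrator", "$Domain\Enterprise Admins", "$Domain\scepservice")
    $Admins                = @("$Domain\Domain Admins", "$Domain\Administrator", "$Domain\Enterprise Admins")
    $UsersComputersCaUser  = @("NT AUTHORITY\Authenticated Users", "$Domain\Domain Computers", "$Domain\causer")
    $UsersComputers        = @("NT AUTHORITY\Authenticated Users", "$Domain\Domain Computers")

    # Helper: apply one permission string to every principal in the list.
    function Grant-ToPrincipals($Principals, $Perm) {
        foreach ($Principal in $Principals) {
            Set-CertificateTemplateSecurity $TemaplateName $Principal $Perm
        }
    }

    switch -Wildcard ($TemaplateName)
    {
        "SAT*" {
            Grant-ToPrincipals $AdminsWithScep "FullControl"
            Grant-ToPrincipals $UsersComputersCaUser "Read,Enroll"
            break
        }
        "Client" {
            Grant-ToPrincipals $AdminsWithScep "FullControl"
            Grant-ToPrincipals $UsersComputers "Read,Enroll"
            break
        }
        "*V2" {
            Grant-ToPrincipals $AdminsWithScep "FullControl"
            Grant-ToPrincipals @("NT AUTHORITY\Authenticated Users") "Read,Enroll"
            break
        }
        "ThirdPartyVendors" {
            Grant-ToPrincipals $Admins "FullControl"
            Grant-ToPrincipals $UsersComputersCaUser "Read,Enroll"
            break
        }
        "EGMap" {
            Grant-ToPrincipals $Admins "FullControl"
            Grant-ToPrincipals $UsersComputers "Read,Enroll"
            Grant-ToPrincipals @("$Domain\scepservice") "Read,Enroll,AutoEnroll"
            break
        }
        "UIIntegration" {
            Grant-ToPrincipals @("$Domain\Domain Computers") "Enroll"
            break
        }
        default {
            Write-Warning "No permission profile is defined for template '$TemaplateName'; its ACL was left unchanged."
        }
    }
}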
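# Run the import and emit the result hashtable the caller expects. Previously the
# script always reported success because an exception thrown inside Main did not
# stop execution; now a terminating error is reported through ErrorMsg instead.
try {
    Main $CAConfigStr $TemplatesFile
    @{"IsSucceeded"="true";"ErrorMsg"=""}
}
catch {
    @{"IsSucceeded"="false";"ErrorMsg"=$_.Exception.Message}
}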
And an excerpt of the XML file I have is this:
<!-- Enrollment-policy response that the companion .ps1 reads as raw bytes and feeds
     to CX509EnrollmentPolicyWebService.InitializeImport; each <policy> below becomes
     one certificate template. Only an excerpt is shown here; the closing tags of
     <policies>, <response> and <GetPoliciesResponse> are not part of the paste. -->
<GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyID/>
<policyFriendlyName/>
<nextUpdateHours>8</nextUpdateHours>
<policiesNotChanged a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>5</policyOIDReference>
<cAs>
<cAReference>0</cAReference>
</cAs>
<attributes>
<commonName>CEPEncryptionV2</commonName>
<!-- NOTE(review): template schema version. A value of 2 is the Windows Server 2003-era
     template format; the MMC "Compatibility" values appear to be derived from this
     version together with the flag fields further down rather than stored separately,
     so they will read 2003/XP as long as this stays 2. The script copies the value
     verbatim - confirm against the certificate-template schema documentation. -->
<policySchema>2</policySchema>
<certificateValidity>
<validityPeriodSeconds>473040000</validityPeriodSeconds>
<renewalPeriodSeconds>220752000</renewalPeriodSeconds>
</certificateValidity>
<!-- These enroll/autoEnroll values describe the imported policy; the AD ACL on the
     template object is set separately by Set-CertificateTemplateSecurity in the script. -->
<permission>
<enroll>true</enroll>
<autoEnroll>true</autoEnroll>
</permission>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec>1</keySpec>
<keyUsageProperty a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<permissions a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<algorithmOIDReference a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<cryptoProviders>
<provider>Microsoft Enhanced RSA and AES Cryptographic Provider</provider>
</cryptoProviders>
</privateKeyAttributes>
<revision>
<majorRevision>100</majorRevision>
<minorRevision>2</minorRevision>
</revision>
<supersededPolicies a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<!-- Numeric flag bitmasks carried over unchanged by the import; decode them before
     editing, since the MMC compatibility/enrollment options presumably live here. -->
<privateKeyFlags>16</privateKeyFlags>
<subjectNameFlags>9</subjectNameFlags>
<enrollmentFlags>8</enrollmentFlags>
<generalFlags>131649</generalFlags>
<hashAlgorithmOIDReference a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<rARequirements a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<keyArchivalAttributes a:nil="true" xmlns:a="http://www.w3.org/2001/XMLSchema-instance"/>
<!-- Extension values are base64 DER blobs referenced by OID index. -->
<extensions>
<extension>
<oIDReference>7</oIDReference>
<critical>false</critical>
<value>MC0GJSsGAQQBgjcVCISYgHiBgJAMgYmLLOeTW4GirGZohtKkE4SgyncCAWQCAQM=</value>
</extension>
<extension>
<oIDReference>8</oIDReference>
<critical>false</critical>
<value>MAwGCisGAQQBgjcUAgE=</value>
</extension>
<extension>
<oIDReference>9</oIDReference>
<critical>true</critical>
<value>AwIFIA==</value>
</extension>
<extension>
<oIDReference>10</oIDReference>
<critical>false</critical>
<value>MA4wDAYKKwYBBAGCNxQCAQ==</value>
</extension>
</extensions>
</attributes>
</policy>
I'm DREADFUL at asking these questions, so I will invariably have missed something; please shout if you need more info.
Thanks a million in advance.
