PowerShell PKI Module Documentation
Add-AdCertificate
Synopsis
Adds certificate to a specified AD-based certificate PKI container.
Syntax
Add-AdCertificate [-AdContainer] <DsPkiCertContainer> [-Certificate] <X509Certificate2[]> [-CrossCA] [-Dispose] [<CommonParameters>]
Description
Adds certificate to a specified AD-based certificate PKI container.
Managing AD PKI containers requires Enterprise Admins permissions or permissions explicitly delegated on the Public Key Services container in Active Directory.
Parameters
-AdContainer <DsPkiCertContainer>
Specifies the AD-based PKI certificate container the certificate is added to. The input object is retrieved by calling the Get-AdPkiContainer cmdlet with the NTAuth, AIA, RootCA or KRA container type.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
-Certificate <X509Certificate2[]>
Specifies a collection of certificates to add to the AD certificate store.
If the input AD container is of the DsKraContainer type, each certificate is expected to be a key recovery agent (KRA) certificate and must be valid for the key recovery operation (OID=1.3.6.1.4.1.311.21.6). For all other container types, the certificate is expected to be a CA certificate.
Required? | True |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-CrossCA <SwitchParameter>
Specifies whether the certificate is published as a cross-certificate. This switch parameter is meaningful only when the input AD container is of the DsAiaContainer type. For other containers, this parameter is ignored.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Dispose <SwitchParameter>
Disposes the input AD container object. The AD container object holds an active reference to an LDAP object, and it is recommended to release the object when it is no longer needed to avoid memory leaks.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
Outputs
SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer
Notes
Examples
Example 1
PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\pki\root_cacert.crt"
PS C:\> Get-AdPkiContainer -ContainerType RootCA | Add-AdCertificate -Certificate $cert -Dispose
This example loads a certificate from a file, retrieves the RootCA (trusted root CAs) AD container and publishes the certificate to the RootCA container. After the operation completes, the input object (RootCA container) is disposed. After the next autoenrollment trigger, domain members will receive the new trusted root CA.
Example 2
PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\pki\cross.cer"
PS C:\> Get-AdPkiContainer -ContainerType AIA | Add-AdCertificate -Certificate $cert -CrossCA -Dispose
This example loads a certificate from a file, retrieves the AIA (intermediate CA) AD container and publishes the certificate to the AIA container as a cross-certificate. After the operation completes, the input object (AIA container) is disposed. After the next autoenrollment trigger, domain members will receive the new certificate in their Intermediate Certification Authorities local store.
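Example 3 (added here as an illustration; this is not code from the PSPKI module or its documentation)
Because a certificate published to the RootCA or NTAuth container becomes trusted by every domain member at the next autoenrollment trigger, it is worth checking the certificate against the container's expectations described under -Certificate before calling Add-AdCertificate, and logging what was published. The script below does that with the .NET X509Certificate2 extension types and the cmdlets on this page only; the file path is a placeholder, and it assumes the PSPKI module is imported and the caller has the permissions described above. Validation runs before the container is retrieved, so no LDAP reference is held if the certificate is rejected; the successful path releases the container with -Dispose.

```powershell
# Added example, not part of the PSPKI documentation.
# Validates a certificate for the target AD PKI container, then publishes it.
param(
    [Parameter(Mandatory=$true)][string]$CertPath,          # e.g. C:\pki\root_cacert.crt (placeholder)
    [Parameter(Mandatory=$true)]
    [ValidateSet('RootCA','AIA','NTAuth','KRA')][string]$ContainerType,
    [switch]$CrossCA                                         # only meaningful for the AIA container
)

# Key recovery agent EKU, as stated in the -Certificate parameter description.
$KraEkuOid = '1.3.6.1.4.1.311.21.6'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Locate the Basic Constraints and Enhanced Key Usage extensions (standard .NET types).
$bc  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -First 1

# Reject certificates outside their validity period regardless of container.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "'$($cert.Subject)' is outside its validity period; refusing to publish."
}

if ($ContainerType -eq 'KRA') {
    # KRA container: the certificate must carry the key recovery agent EKU.
    $hasKraEku = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $KraEkuOid) { $hasKraEku = $true }
        }
    }
    if (-not $hasKraEku) {
        throw "'$($cert.Subject)' lacks the KRA EKU ($KraEkuOid); refusing to publish to the KRA container."
    }
} else {
    # RootCA, AIA, NTAuth: the certificate must be a CA certificate (Basic Constraints CA=TRUE).
    if (-not ($bc -and $bc.CertificateAuthority)) {
        throw "'$($cert.Subject)' is not a CA certificate; refusing to publish to the $ContainerType container."
    }
}

# Record exactly what is being made trusted domain-wide; the thumbprint belongs in the change record.
Write-Verbose ("Publishing '{0}' (thumbprint {1}) to the {2} container" -f $cert.Subject, $cert.Thumbprint, $ContainerType)

# -CrossCA is ignored for non-AIA containers, so it can be passed through unconditionally.
# -Dispose releases the LDAP reference held by the container object once the call completes.
Get-AdPkiContainer -ContainerType $ContainerType |
    Add-AdCertificate -Certificate $cert -CrossCA:$CrossCA -Dispose
```

Run it as, for instance, `.\Publish-AdCertificate.ps1 -CertPath C:\pki\root_cacert.crt -ContainerType RootCA -Verbose` (script name and path are placeholders). The checks mirror the rules on this page rather than replace the server-side validation the module performs; their value is that a mistaken container type or a wrong file is refused locally, with the subject and thumbprint of what was published written to the verbose stream for the change log.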
Related links
Get-AdPkiContainer
Remove-AdCertificate
Add-AdCertificateRevocationList
Remove-AdCertificateRevocationList
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions