PowerShell PKI Module Documentation
Import-LostCertificate
Synopsis
Imports previously issued certificate to a Certification Authority (CA) database
Syntax
Import-LostCertificate -CertificationAuthority <CertificateAuthority> -Path <String> [<CommonParameters>]
Import-LostCertificate -CertificationAuthority <CertificateAuthority> -Certificate <X509Certificate2> [<CommonParameters>]
Import-LostCertificate -CertificationAuthority <CertificateAuthority> -RawData <Byte[]> [<CommonParameters>]
Description
Imports previously issued certificate to a Certification Authority (CA) database.
When a CA server fails and the most recent backup was taken some time before the failure, the CA may have issued certificates after that backup, so they are not on the backup tape. If such a certificate is not in the backup used to restore the certification authority but still exists as a file, it can be imported into the restored database by means of this command.
Note: the certificate being imported must have been previously issued by the certification authority specified in the -CertificationAuthority parameter. The restored certification authority validates the certificate's signature, and if the signature is not valid the command throws an error.
Note: you cannot import a certificate if it already exists in the database. Each certificate in the database must be unique; the database enforces uniqueness by checking the certificate's serial number.
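The two failure conditions above (wrong issuer, duplicate serial number) can be checked before calling the cmdlet so that a bulk import reports them per file instead of stopping on the first error. The following script is an added example and is not part of the PSPKI documentation or module; it assumes that the CertificateAuthority object returned by Get-CertificationAuthority exposes the CA's own certificate as a Certificate property, and that Get-IssuedRequest accepts a filter string of the form "SerialNumber -eq <hex>". Both of these are assumptions, as is the C:\LostCerts folder.

```powershell
# Added example (not PSPKI's own code). Pre-checks a .cer file against the
# restored CA before handing it to Import-LostCertificate.
# Assumptions: PSPKI module is installed; $ca.Certificate is the CA certificate;
# Get-IssuedRequest understands the filter "SerialNumber -eq <hex>".
Import-Module PSPKI

function Import-CertificateIfMissing {
    param(
        [Parameter(Mandatory)] $CertificationAuthority,
        [Parameter(Mandatory)][string] $Path
    )
    # Load the DER/Base64 certificate file without any private key.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    $result = [pscustomobject]@{
        Path         = $Path
        SerialNumber = $cert.SerialNumber
        RequestID    = $null
        Status       = $null
    }

    # Check 1: the issuer DN must be the restored CA's own subject DN.
    # (The CA still verifies the signature itself on import; this only avoids
    # sending certificates from other issuers to it.)
    if ($cert.Issuer -ne $CertificationAuthority.Certificate.Subject) {
        $result.Status = "Skipped: issued by '$($cert.Issuer)'"
        return $result
    }

    # Check 2: serial numbers are unique in the CA database, so look the
    # serial up first (assumed filter syntax) and skip an existing row.
    $existing = Get-IssuedRequest -CertificationAuthority $CertificationAuthority `
        -Filter "SerialNumber -eq $($cert.SerialNumber)"
    if ($existing) {
        $result.RequestID = $existing.RequestID
        $result.Status    = 'Already in database'
        return $result
    }

    # Import; the cmdlet returns the row number assigned in the database.
    try {
        $result.RequestID = $CertificationAuthority |
            Import-LostCertificate -Certificate $cert -ErrorAction Stop
        $result.Status = 'Imported'
    } catch {
        $result.Status = "Failed: $($_.Exception.Message)"
    }
    $result
}

# Usage: walk a folder of recovered .cer files (assumed path) and print a summary.
$ca = Get-CertificationAuthority -Name MyCA
Get-ChildItem C:\LostCerts\*.cer |
    ForEach-Object { Import-CertificateIfMissing -CertificationAuthority $ca -Path $_.FullName } |
    Format-Table Path, SerialNumber, RequestID, Status -AutoSize
```

The per-file Status column gives the operator an audit record of what was imported, what was already present, and what was rejected, which is what you want when reconciling a restored CA database against certificates recovered from several sources.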
Parameters
-CertificationAuthority <CertificateAuthority>
Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.
Required? | True |
Position? | named |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
-Path <String>
Specifies the path to a certificate file. This parameter accepts only certificates saved in DER or Base64 encoding without a private key (CER extension).
Required? | True |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-Certificate <X509Certificate2>
Specifies an existing X509Certificate2 object. This object can be retrieved by searching through the local store (Get-ChildItem cert:\CurrentUser\My) or obtained through other means as an X509Certificate2 object.
Required? | True |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-RawData <Byte[]>
Specifies a DER-encoded byte array of the target certificate. This byte array can be retrieved, for example, from the published certificates of an Active Directory user account, which are stored in the userCertificate attribute.
Required? | True |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
PKI.CertificateServices.CertificateAuthority
Outputs
The return value is the row number in the CA database that holds the imported certificate.
Notes
Examples
Example 1
PS C:\> Get-CertificationAuthority -Name MyCA | Import-LostCertificate -Path C:\lostcert.cer
Imports certificate from a file and adds it to a CA database.
Example 2
PS C:\> $IssuedWhen = (Get-Date).AddDays(-1)
C:\PS>$cert = Get-ChildItem cert:\CurrentUser\My | Where-Object {$_.NotBefore -gt $IssuedWhen}
C:\PS>$cert | Foreach-Object {Get-CertificationAuthority ca01.company.com | Import-LostCertificate -Certificate $_}
In this example the first line sets the date when the last backup was taken. The second line searches the current user's Personal certificate store and selects the certificates that were issued after that backup. The last command imports these certificates into the CA database using a Foreach-Object loop.
Example 3
PS C:\> Import-Module ActiveDirectory
C:\PS>$user = Get-ADUser vpodans -Properties "userCertificate"
C:\PS>Get-CertificationAuthority MyCA | Import-LostCertificate -RawData @(,$user.userCertificate[0])
In this example the first command imports the ActiveDirectory PowerShell module (available on domain controllers running Windows Server 2008 R2, or on Windows 7 with RSAT installed). The second command retrieves the specified user account (vpodans) with the userCertificate property populated. The last command imports the first published certificate into the CA database. Note the @(,...) wrapping, which passes the byte array as a single -RawData argument instead of unrolling it into individual bytes.
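Examples 2 and 3 each recover certificates from one source for one user. A real recovery usually has to sweep every account in the directory, where an account may hold several certificates in userCertificate, some from other issuers or older than the backup. The script below is an added example, not part of the PSPKI documentation; it combines the date filter of Example 2 with the userCertificate source of Example 3 across all users. It assumes the ActiveDirectory and PSPKI modules are available, that the CertificateAuthority object has a Certificate property holding the CA certificate, and the CA name ca01.company.com and log path are placeholders taken from or modelled on the examples above.

```powershell
# Added example (not PSPKI's own code): import every certificate published in
# AD userCertificate that this CA issued after the last backup.
# Assumptions: ActiveDirectory and PSPKI modules present; $ca.Certificate is
# the CA certificate; CA name and log path are placeholders.
Import-Module ActiveDirectory
Import-Module PSPKI

function Import-LostCertificatesFromAD {
    param(
        [Parameter(Mandatory)] $CertificationAuthority,
        [Parameter(Mandatory)][datetime] $BackupTaken,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    $issuerDn = $CertificationAuthority.Certificate.Subject

    # Only accounts that actually have a userCertificate value.
    Get-ADUser -LDAPFilter '(userCertificate=*)' -SearchBase $SearchBase -Properties userCertificate |
      ForEach-Object {
        $user = $_
        # userCertificate is multi-valued: one DER byte array per certificate.
        foreach ($raw in $user.userCertificate) {
            # (,$raw) keeps the byte[] as one constructor argument.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)

            # Skip certificates from other issuers or those already covered by the backup.
            if ($cert.Issuer -ne $issuerDn -or $cert.NotBefore -le $BackupTaken) { continue }

            $result = [pscustomobject]@{
                User         = $user.SamAccountName
                SerialNumber = $cert.SerialNumber
                NotBefore    = $cert.NotBefore
                RequestID    = $null
                Status       = $null
            }
            try {
                # Duplicate serial numbers are rejected by the CA; catch and record
                # that instead of aborting the whole sweep.
                $result.RequestID = $CertificationAuthority |
                    Import-LostCertificate -RawData @(,$raw) -ErrorAction Stop
                $result.Status = 'Imported'
            } catch {
                $result.Status = "Failed: $($_.Exception.Message)"
            }
            $result
        }
      }
}

# Usage (placeholder CA name and log path).
$ca = Get-CertificationAuthority ca01.company.com
$results = Import-LostCertificatesFromAD -CertificationAuthority $ca -BackupTaken (Get-Date).AddDays(-1)
$results | Export-Csv -Path C:\lostcert-import.csv -NoTypeInformation
$results | Format-Table -AutoSize
```

Filtering on NotBefore against the backup timestamp keeps the sweep to certificates that can actually be missing from the restored database, and the CSV gives the recovery a record that can be compared against the CA's issued-certificate view afterwards.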
Related links
Get-CertificationAuthority
Connect-CertificationAuthority
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions