Updating the certificates (userCertificate) on an Active Directory user profile

Date: 2019-03-27 10:45:54

Tags: powershell active-directory

I need to update a set of certificates stored in a user's AD account.

I have this:

$allProfileRawCerts = Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} -Property Certificates

which gives

Certificates      : {System.Security.Cryptography.X509Certificates.X509Certificate, System.Security.Cryptography.X509Certificates.X509Certificate, 
                    System.Security.Cryptography.X509Certificates.X509Certificate}
DistinguishedName : <>
Enabled           : True
GivenName         : <>
Name              : <>
ObjectClass       : user
ObjectGUID        : <>
SamAccountName    : <>
SID               : <>
Surname           : <>
UserPrincipalName : <>

I found Powershell Set-ADUser userCertificate parameter type error, which offers an "Add" operation:

$certUser.Usercertificate | ForEach-Object{
    Set-ADUser "ME" -certificate @{Add=[System.Security.Cryptography.X509Certificates.X509Certificate]$_}
}

But what I need is not add, it is update: remove some certificates based on a condition, then add the new one.

One approach (I think) would be to remove all certificates from the user's profile, build a new array and update, but I really don't like deleting valid data with a non-atomic operation.

Also, a problem (at least for me) is that I can't filter on the (basic) X509Certificate; I have to convert to X509Certificate2 first:

$allProfileSMIMECerts = $allProfileRawCerts.Certificates |
    foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email" }

What I need is

  1. Get the list of all certificates.
  2. Remove all for which $_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email" is true.
  3. Add the new certificate.

How can I do this in a nice way?

1 answer:

Answer 0 (score: 0)

Solved with the following code:

# Write-Log is the author's own logging helper; $Mail, $workdir, $ticket and
# $CACredential are defined earlier in the script.
try {
    # -ErrorAction Stop turns non-terminating cmdlet errors into exceptions so the catch block actually runs
    $allProfileRawCerts = (Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} -Property Certificates -ErrorAction Stop).Certificates
}
catch {
    Write-Log -ERROR "Can't contact Global AD directory, exiting..."
    exit 100
}

# Wrap each X509Certificate in an X509Certificate2 to read the EKU list, then map
# the matches back to the original objects through their native context handle
$handlesToRemove = ($allProfileRawCerts |
    foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email" }).Handle

$objectToRemove = $allProfileRawCerts | Where-Object Handle -in $handlesToRemove

# first add the new cert
Write-Log -INFO "Adding newly minted certificate to user's AD profile."
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate

try {
    $newCert.Import("$workdir\$ticket.cer")
}
catch {
    Write-Log -ERROR "Can't import new certificate from file, exiting..."
    Write-Log -ERROR "$($PSItem.ToString())"
    exit 103
}

try {
    # removal of the old certificates is handled one by one in the loop below
    Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} -ErrorAction Stop |
        Set-ADUser -Credential $CACredential -Certificates @{Add=$newCert} -ErrorAction Stop
}
catch {
    Write-Log -ERROR "Can't add the new certificate to user profile, exiting..."
    Write-Log -ERROR "$($PSItem.ToString())"
    exit 104
}
Write-Log -INFO "New certificate successfully added to user's AD profile."

# now remove old certs
foreach ( $object in $objectToRemove ) {
    Write-Log -INFO "Certificate with handle $($object.Handle) will be removed, saving to work directory."

    try {
        # Export-Certificate expects an X509Certificate2, so wrap the base object first
        $null = Export-Certificate -Type CERT -FilePath "$workdir\$($object.Handle).cer" -ErrorAction Stop `
            -Cert (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $object)
    }
    catch {
        Write-Log -FATAL "Can't save certificate to be deleted, exiting!"
        exit 101
    }

    try {
        Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} -ErrorAction Stop |
            Set-ADUser -Credential $CACredential -Certificates @{Remove=$object} -ErrorAction Stop
    }
    catch {
        Write-Log -ERROR "Problems contacting AD for certificate removal, exiting..."
        Write-Log -ERROR "$($PSItem.ToString())"
        exit 102
    }

    Write-Log -INFO "Certificate has been saved and removed from AD profile."
}

Any comments are welcome, as I'm still a Powershell n00b.
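The question's concern about non-atomic removal can be addressed with the Replace key of -Certificates, which writes the whole userCertificate attribute in a single LDAP modify instead of separate Add and Remove calls. The function below is an added example, not the asker's or answerer's code; it matches S/MIME certificates on the id-kp-emailProtection EKU OID rather than the locale-dependent FriendlyName, identifies certificates by thumbprint, backs up each dropped certificate, and supports -WhatIf. The function and parameter names and the $BackupDir location are assumptions.

```powershell
function Update-UserSmimeCertificate {
    # Added example: replace a user's S/MIME certificates in one LDAP modify.
    # Assumed parameters: mail address to look up, path to the new .cer file,
    # DC to talk to, directory for backups of removed certificates.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mail,
        [Parameter(Mandatory)][string]$NewCertPath,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$BackupDir,
        [pscredential]$Credential
    )
    $smimeOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
    $ekuExtOid = '2.5.29.37'          # id-ce-extKeyUsage
    $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

    $user = Get-ADUser -Server $Server -Filter { EmailAddress -eq $Mail } `
        -Properties Certificates -ErrorAction Stop
    if (-not $user) { throw "No AD user with EmailAddress '$Mail' on $Server" }

    $newCert = New-Object $certType $NewCertPath
    $keep = @()
    foreach ($raw in @($user.Certificates)) {
        # the base X509Certificate has no EKU view, so wrap it in an X509Certificate2
        $cert = New-Object $certType $raw
        $ekus = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }
        if ($ekus -contains $smimeOid -and $cert.Thumbprint -ne $newCert.Thumbprint) {
            # keep a copy of anything that is about to leave the directory
            $path = Join-Path $BackupDir "$($cert.Thumbprint).cer"
            [IO.File]::WriteAllBytes($path, $cert.RawData)
            Write-Verbose "Dropping S/MIME cert $($cert.Thumbprint), backed up to $path"
        } else {
            $keep += $cert
        }
    }
    # add the new certificate unless the attribute already holds it
    if ($keep.Thumbprint -notcontains $newCert.Thumbprint) { $keep += $newCert }

    $replacement = [System.Security.Cryptography.X509Certificates.X509Certificate[]]$keep
    $action = "Replace userCertificate with $($replacement.Count) entries"
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
        # one Set-ADUser call rewrites the whole attribute, so there is no window
        # in which the user has no valid S/MIME certificate
        $setArgs = @{ Identity = $user; Server = $Server; ErrorAction = 'Stop'
                      Certificates = @{ Replace = $replacement } }
        if ($Credential) { $setArgs.Credential = $Credential }
        Set-ADUser @setArgs
    }
}
```

Run it once with -WhatIf -Verbose to see which thumbprints would be dropped before committing the change.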