Tuesday, February 19, 2013

Powershell script to request and export Certificates with Private Key (PFX)

At last I have made up my mind to share my IT experience through my blog.

I started blogging 4 years back and then went idle for some time. Now it is time to start sharing my experience with the world... :)

Here you may find simple (maybe everyone knows them), self-opinionated (you may find them on other sources too) and sometimes complex solutions to the technical issues an IT engineer runs into.

All solutions and scripts you find here are ready to use, BUT RUN THEM AT YOUR OWN RISK!!!!

I WANT TO START WITH MY LATEST SCRIPT: using a PowerShell script to do an offline request and download a computer certificate together with its private key.

The situation: our organization decided to implement certificate-based authentication for a system used in-house. We had around 2000+ roaming laptop users who never connect to the intranet but still need the certificate installed. We had no option left but to create an offline request on their behalf and send the result across to them for installation.

Here is the solution I found to request computer certificates using a list of computer names in a text file (Comp.txt):
----------------------------- SCRIPT START HERE --------------------------------------------------
$import = "C:\Users\USER\Desktop\Comp.txt"   # one computer name per line
Get-Content $import | ForEach-Object {
    $comp  = $_
    $comp1 = "CN=" + $comp + ".DOMAIN.com"
    $d     = '"USTComputers"'
    # certreq INF file; the Subject value is quoted directly here, so no post-processing is needed.
    $b = @"
[NewRequest]
Subject="$comp1"
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
Exportable=TRUE
[RequestAttributes]
CertificateTemplate=$d
"@

    $path    = "C:\Users\USER\Desktop\" + $comp + ".inf"
    $path1   = "C:\Users\USER\Desktop\" + $comp + ".req"
    $path2   = "C:\Users\USER\Desktop\" + $comp + ".cer"
    $path3   = "C:\Users\USER\Desktop\" + $comp + ".log"
    $cername = "C:\Users\USER\Desktop\Cert" + $comp + ".cer"
    Set-Content $path $b -Force

    # Build the request (key pair lands in the machine store) and submit it to the CA, keeping the output as a log.
    certreq -new $path $path1
    certreq -submit -config "CASERVER\CANAME" $path1 $path2 | Out-File $path3

    # certreq -submit logs a line of the form   RequestId: "123"   ; pull the number out of it.
    $certid = (Get-Content $path3 | Select-String -Pattern 'RequestId: "' | Select-Object -First 1).Line
    $certid = $certid -replace 'RequestId: "' -replace '"'

    certreq -retrieve -f -config "CASERVER.DOMAIN.com\CANAME" $certid $cername

    # Install the issued certificate and bind it to the private key waiting in the machine store.
    certreq -accept $cername
}
----------------------------- SCRIPT END HERE --------------------------------------------------

This downloads all the required certificates into the requesting computer's store. Next we need to export these certificates with their private keys (in PFX format) and share them with the remote users:
----------------------------- SCRIPT START HERE --------------------------------------------------
# Inventory the machine store first (thumbprint + subject), then export each certificate to a PFX.
Get-ChildItem Cert:\LocalMachine\My | Select-Object Thumbprint, Subject | Export-Csv C:\temp\certificate.csv -NoTypeInformation
$import = Import-Csv "C:\temp\certificate.csv"
foreach ($line in $import)
{
    $thumb = $line.Thumbprint
    $sub   = $line.Subject
    # Turn "CN=host.domain.com" into "host" for the file name.
    $subj  = $sub -replace ".domain.com"
    $subje = $subj -replace "CN="
    $FilePath = "C:\temp\" + $subje + ".pfx"

    # "Password" is the placeholder PFX password that the recipient will be given.
    certutil -exportPFX -p "Password" my $thumb $FilePath
}
----------------------------- SCRIPT END HERE --------------------------------------------------

Copy and paste both scripts into Notepad, save them as 'Filename.ps1' and run them as needed. Make sure your execution policy allows running this script.
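As an added example (my own code, not from the original post), here is a variant of the export step that gives every PFX its own randomly generated password instead of one shared literal, and reads each file back to confirm it opens and really carries the private key. It assumes Export-PfxCertificate from the PKI module (Windows 8 / Server 2012 or later), the ".DOMAIN.com" subject suffix used in the request script, and C:\temp\pfx as a constructed output folder.

```powershell
# Added example, not from the original post. Assumptions: Export-PfxCertificate from the
# PKI module (Windows 8 / Server 2012 or later), the ".DOMAIN.com" subject suffix used in the
# request script, and C:\temp\pfx as a constructed output folder.
$DomainSuffix = '.DOMAIN.com'
$OutDir       = 'C:\temp\pfx'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function New-RandomPassword([int]$Length = 20) {
    # 64-character alphabet so that (byte % 64) is unbiased; bytes come from the OS CSPRNG.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Only the computer certificates requested above: CN=<host>.DOMAIN.com with a usable private key.
    if ($cert.Subject -notlike "CN=*$DomainSuffix" -or -not $cert.HasPrivateKey) { continue }
    $hostName = ($cert.Subject -replace '^CN=', '').Split('.')[0]
    $plain    = New-RandomPassword
    $secure   = ConvertTo-SecureString $plain -AsPlainText -Force
    $pfx      = Join-Path $OutDir "$hostName.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $secure -ChainOption EndEntityCertOnly | Out-Null

    # Read the file back with the same password: proves it opens and carries the matching key.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, $plain)
    [pscustomobject]@{
        Computer   = $hostName
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        PfxPath    = $pfx
        Password   = $plain
        KeyOk      = $check.HasPrivateKey -and ($check.Thumbprint -eq $cert.Thumbprint)
    }
    $check.Reset()
}

# The manifest holds the per-file passwords: keep it apart from the PFX files and hand the two over by different channels.
$results | Export-Csv (Join-Path $OutDir 'pfx-manifest.csv') -NoTypeInformation
$results | Format-Table Computer, Thumbprint, NotAfter, KeyOk -AutoSize
```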

1 comment:

Anonymous said...

Hmmm... nice script. I figure that anyone else using this would just have to replace each mention of DOMAIN.COM with their domain, for example: TEST.COM?