Creating/Duplicating a Certificate Template with PowerShell

I want to create a template using PowerShell, but I cannot seem to figure out how to set a Minimum Supported CA for the template. I was never able to figure out how to duplicate a template, just create a new one.

My code is as follows

$config = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext  # configuration naming context of the forest
$ADSI = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"  # templates container

$temp = $ADSI.Create("pKICertificateTemplate","CN=Web Server 2008-2")  # new template object
$temp.put("distinguishedName","CN=Web Server 2008-2,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config")

$temp.SetInfo()  # commit the new object to the directory

This works to create an actual template, but I want the template to be created using Windows Server 2008 Enterprise as the Minimum Supported CAs



Solution 1:[1]

In ADCS, a version 1 cert is Win2000, version 2 is 2003, and version 3 is 2008.

I don't have a lab to verify in, but I think you need to set the template schema to 3:

$temp.put("msPKI-Template-Schema-Version","3")
$temp.put("msPKI-Template-Minor-Revision","0")  # Not sure if you actually need this.

"Source..kinda"

Solution 2:[2]

As a workaround (not for every scenario), you can duplicate/set a certificate template manually once (on your CA) and export that template using ldifde (on your DC). E.g., you duplicated the Webserver template and called it Webserver Custom:

ldifde -m -d 'CN=WebserverCustom,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com' -f .\webservercustom.ldf

Later, in some kind of automation, you can import that template by issuing:

ldifde -i -f .\webservercustom.ldf
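
One way to see which attributes a scripted template is still missing, as an added example that is not part of either answer: a read-only comparison of the template created with ADSI against one duplicated in the Certificate Templates console. The two template names and the list of skipped per-object attributes are assumptions, and `[pscustomobject]` needs PowerShell 3.0 or later.

```powershell
# Added example: read-only diff of two certificate template objects in AD.
# Both names are assumptions taken from the question and Solution 2.
$scripted  = 'Web Server 2008-2'   # template created with ADSI
$reference = 'WebserverCustom'     # template duplicated in the console

$config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

# Attributes that differ between any two objects by design (assumed list).
$skip = 'cn','name','displayName','distinguishedName','objectGUID',
        'whenCreated','whenChanged','uSNCreated','uSNChanged',
        'nTSecurityDescriptor','dSCorePropagationData','msPKI-Cert-Template-OID'

function Get-TemplateAttributes([string]$Name) {
    $path = "LDAP://CN=$Name,$base"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template not found: $Name"
    }
    $props  = ([ADSI]$path).psbase.Properties
    $result = @{}
    foreach ($attr in $props.PropertyNames) {
        if ($skip -contains $attr) { continue }
        # Render byte arrays (e.g. pKIKeyUsage) as hex so they compare as text.
        $values = foreach ($v in $props[$attr]) {
            if ($v -is [byte[]]) { [BitConverter]::ToString($v) } else { "$v" }
        }
        $result[$attr] = (@($values) | Sort-Object) -join '; '
    }
    $result
}

$a = Get-TemplateAttributes $scripted
$b = Get-TemplateAttributes $reference

# Emit one row per attribute that is missing on one side or has a different value.
$names = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
foreach ($n in $names) {
    if ($a[$n] -ne $b[$n]) {
        [pscustomobject]@{ Attribute = $n; Scripted = $a[$n]; Reference = $b[$n] }
    }
}
```

If msPKI-Template-Schema-Version is absent or different on the scripted template, it shows up as a row here, together with any other attribute the console set and the script did not.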

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Frode F.
Solution 2 stackprotector