Export/Import ADCS Certificate Templates in Windows 2012

Hello,

Today a few words about importing and exporting certificate template data in Active Directory.
This data is stored in the Configuration partition of Active Directory and is therefore shared by the whole Active Directory forest.
But there are also situations when you would like to move templates between forests, for example from a pre-production environment to your production one.
It can be done in two different ways. The first is obvious but dirty, and can sometimes lead to serious problems with the moved items.
With the release of Windows 2008 R2 a new feature was introduced: Windows AD CS Web Enrollment Services.
It can be used for cross-forest CA publication with only an external forest AD trust enabled.
More details about those protocols can be found here.
On the mentioned site there are two great scripts written in PowerShell, which export and import certificate template data to and from XML files in MS-XCEP format.
However, those scripts have two bugs and one issue when running on Windows 2012:

  1. Running them as normal cmdlets on Windows 2012 produces an error. Instead, comment out the first function declaration and the cmdlet binding declaration. After this modification, you can use the scripts as normal, supplying additional input as required.
  2. In one place the export function tries to check whether one of the attributes is present. The line:

    $superseded = if ($temp.Settings.SupersededTemplates -eq 0) {

    should look as follows:

    $superseded = if ($temp.Settings.SupersededTemplates.Length -eq 0) {

    Just replace it, and the scripts will run very well on W2k12.

  3. The last thing is that those scripts depend on an external PowerShell module. As far as I know, it is possible to remove this dependency, but that will be the subject of the next post.

The dirty method mentioned earlier is the old ldifde command with the required flags for export:

ldifde -m -v -d cn=%Template1%,%LDAP% -f %Template1%.ldf

The most important part of this command is the -m switch, which results in "forest free" ldf output.
For import you should use the similar command:

ldifde -i -k -f %Template1%.ldf

And this should work from the beginning, starting with Windows 2000.
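The ldifde procedure above wrapped in PowerShell, as an added example that is not code from the original post: it exports each named template with -m, also exports the OID object the template references under CN=OID (a template whose msPKI-Cert-Template-OID has no matching object in the target forest is not resolvable there), and imports with -k, optionally rewriting the source Configuration DN with -c. Assumed: ldifde.exe is on the path, the account can read the Configuration partition, and $OutDir and the -c DN values are placeholders.

```powershell
# Added example (not from the original post). Assumes ldifde.exe is available
# and the account can read CN=Configuration; paths and DNs are placeholders.

function Export-TemplateLdif {
    param(
        [Parameter(Mandatory)][string[]]$TemplateName,
        [string]$OutDir = 'C:\TemplateExport'      # constructed path, not from the post
    )
    $configNC = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
    $pksBase  = "CN=Public Key Services,CN=Services,$configNC"
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    foreach ($name in $TemplateName) {
        $dn = "CN=$name,CN=Certificate Templates,$pksBase"
        # -m (SAM logic) drops system-owned attributes such as objectGUID so the
        # LDF can be re-imported elsewhere; -p base exports just this one object.
        & ldifde.exe -m -v -d $dn -p base -f (Join-Path $OutDir "$name.ldf")
        if ($LASTEXITCODE -ne 0) { throw "ldifde export failed for $dn" }

        # Locate the OID object carrying the template's msPKI-Cert-Template-OID.
        $oid = [string]([adsi]"LDAP://$dn").Properties['msPKI-Cert-Template-OID'].Value
        $oidRoot  = [adsi]"LDAP://CN=OID,$pksBase"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $oidRoot, "(msPKI-Cert-Template-OID=$oid)"
        $hit = $searcher.FindOne()
        if ($null -eq $hit) { Write-Warning "no OID object found for $name ($oid)"; continue }
        $oidDn = [string]$hit.Properties['distinguishedname'][0]
        & ldifde.exe -m -d $oidDn -p base -f (Join-Path $OutDir "$name-oid.ldf")
        if ($LASTEXITCODE -ne 0) { throw "ldifde export failed for $oidDn" }
    }
}

function Import-TemplateLdif {
    param(
        [Parameter(Mandatory)][string]$LdfPath,
        [string]$SourceConfigNC,   # source forest's CN=Configuration,DC=... (placeholder)
        [string]$TargetConfigNC    # defaults to this forest's configurationNamingContext
    )
    if (-not $TargetConfigNC) {
        $TargetConfigNC = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
    }
    $ldifArgs = @('-i', '-k', '-f', $LdfPath)   # -k: keep going on "already exists" errors
    # The LDF still names the source forest's Configuration DN; -c rewrites it on import.
    if ($SourceConfigNC) { $ldifArgs += @('-c', $SourceConfigNC, $TargetConfigNC) }
    & ldifde.exe @ldifArgs
    if ($LASTEXITCODE -ne 0) { throw "ldifde import failed for $LdfPath" }
}
```

Import the *-oid.ldf file before the template's own LDF so the OID object exists when the template is created.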

4 thoughts on "Export/Import ADCS Certificate Templates in Windows 2012"

  1. Pingback: Eksport/Import szablonów certyfikatów z AD w Windows 2012 – ISCG

  2. I am not able to get the certificate template export to work on WS19. I would actually like to export the name and key usage of all certificate templates.

    PS C:\Windows\system32> Export-CertificateTemplate
    cmdlet Export-CertificateTemplate at command pipeline position 1
    Supply values for the following parameters:
    Template[0]: Web_Server_Internal_SSL_ADLAB_SHA256
    Template[1]:
    Path:
    Export-CertificateTemplate : Cannot process argument transformation on parameter 'Template'. Cannot convert value "System.Collections.ArrayList" to type
    "PKI.CertificateTemplates.CertificateTemplate[]". Error: "Cannot convert value "Web_Server_Internal_SSL_ADLAB_SHA256" to type "PKI.CertificateTemplates.CertificateTemplate". Error: "There
    is no such object on the server.
    ""
    At line:1 char:1
    + Export-CertificateTemplate
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Export-CertificateTemplate], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Export-CertificateTemplate

    Please advise.
