Hello,
Today a few words about exporting and importing certificate template data from and into Active Directory.
This data is stored in the Configuration partition of Active Directory and is therefore common to the whole Active Directory forest.
But there are also situations when you would like to move templates between forests, for example from a pre-production environment to your production one.
It can be done in two different ways. The first is obvious but dirty, and it can sometimes lead to serious problems with the moved items: the raw export still carries the source forest's distinguished names and the template OID (msPKI-Cert-Template-OID) that was generated in the source forest's OID namespace.
But with Windows Server 2008 R2 a new feature was introduced: the AD CS Certificate Enrollment Web Services.
It can be used for cross-forest CA publication with only an external forest AD trust enabled.
More details about those protocols can be found here.
On the mentioned site there are two great PowerShell scripts that export and import certificate template data to and from XML files in MS-XCEP format.
However, those scripts have two bugs and one issue when run on Windows 2012:
- Using them as normal cmdlets on Windows 2012 produces an error. Instead, comment out the first function declaration and the cmdlet binding declaration. After this modification you can run the scripts as ordinary scripts, supplying the required input as parameters.
- In one place the export function tries to determine whether an attribute is present. The line:
$superseded = if ($temp.Settings.SupersededTemplates -eq 0) {
should look as follows (SupersededTemplates is a collection, so its length must be tested, not the collection itself):
$superseded = if ($temp.Settings.SupersededTemplates.Length -eq 0) {
Just replace it, and the scripts will run very well on W2k12.
- The last thing is that those scripts depend on an external PowerShell module. As far as I know, it is possible to remove this dependency, but that will be the subject of the next post.
The dirty method mentioned earlier is the old ldifde command with the required flags. For export:
ldifde -m -v -d cn=%Template1%,%LDAP% -f %Template1%.ldf
Here %Template1% is the template's cn (not its display name) and %LDAP% is the distinguished name of the Certificate Templates container in the Configuration partition (CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...).
The most important part of this command is the -m switch (SAM logic), which omits system-owned attributes such as objectGUID and objectSid and so produces a "forest free" LDF file that can be imported into a different forest.
For import you should use the similar command:
ldifde -i -k -f %Template1%.ldf
The -k switch makes the import continue past "object already exists" and constraint violation errors instead of aborting. Note that the dn: line in the file still names the source forest; if the forest names differ, add -c <source DN suffix> <target DN suffix> to rewrite it during import.
And this should work from the beginning, starting from the Windows 2000 version.
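The whole ldifde round trip described above, as an added PowerShell example that is not part of the original post: it exports one template from the source forest with -m, checks the file, imports it into the target forest while rewriting the DN suffix with -c, and then verifies the object exists. The forest names and the template cn are assumed placeholders; the rest is the standard ldifde syntax.

```powershell
# Added example (not from the original post). Forest names and the template cn are
# assumed placeholders; replace them with your own values.
$templateCN   = 'WebServerInternal'                     # assumed: the template's cn, not its display name
$sourceConfig = 'CN=Configuration,DC=preprod,DC=local'  # assumed source forest
$targetConfig = 'CN=Configuration,DC=corp,DC=local'     # assumed target forest
$container    = 'CN=Certificate Templates,CN=Public Key Services,CN=Services'
$ldf          = Join-Path $env:TEMP "$templateCN.ldf"

# --- Step 1: run on a host in the SOURCE forest ---
# -m (SAM logic) drops system-owned attributes such as objectGUID and objectSid,
# which is what makes the file importable into a different forest.
& ldifde -m -v -d "CN=$templateCN,$container,$sourceConfig" -f $ldf
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed with exit code $LASTEXITCODE" }

# Sanity checks on the export: exactly one object, and it still carries the
# template OID minted in the source forest (worth knowing before you import it).
$content = Get-Content -Path $ldf
if (@($content -match '^dn: ').Count -ne 1) { throw "expected exactly one object in $ldf" }
if (-not ($content -match '^msPKI-Cert-Template-OID:')) {
    Write-Warning "no msPKI-Cert-Template-OID attribute found in $ldf"
}

# --- Step 2: run on a host in the TARGET forest, after copying the .ldf over ---
# -c rewrites every occurrence of the source DN suffix to the target one, so the
# dn: line lands in the target forest's Certificate Templates container.
# -k keeps going past "object already exists" / constraint violation errors.
& ldifde -i -k -f $ldf -c $sourceConfig $targetConfig
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# Verify the template is now present in the target forest's Configuration partition.
$dn  = "CN=$templateCN,$container,$targetConfig"
$obj = [adsi]"LDAP://$dn"
if (-not $obj.distinguishedName) { throw "template $dn not found after import" }
Write-Output "Imported template: $($obj.distinguishedName)"
```

Both steps are shown in one script for readability; in practice step 1 runs in the source forest and step 2 in the target forest. After the import, review the template in the Certificate Templates console and re-publish it on the target CA, since the LDF only creates the directory object.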
I am not able to get the Certificate Template export to work on WS19. I would actually like to export the name and key usage of all certificate templates.
PS C:\Windows\system32> Export-CertificateTemplate
cmdlet Export-CertificateTemplate at command pipeline position 1
Supply values for the following parameters:
Template[0]: Web_Server_Internal_SSL_ADLAB_SHA256
Template[1]:
Path:
Export-CertificateTemplate : Cannot process argument transformation on parameter 'Template'. Cannot convert value "System.Collections.ArrayList" to type
"PKI.CertificateTemplates.CertificateTemplate[]". Error: "Cannot convert value "Web_Server_Internal_SSL_ADLAB_SHA256" to type "PKI.CertificateTemplates.CertificateTemplate". Error: "There
is no such object on the server.
""
At line:1 char:1
+ Export-CertificateTemplate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Export-CertificateTemplate], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Export-CertificateTemplate
Please advise
You are receiving this error because you are trying to pass only the name of the template, not the whole object.
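The fix the reply describes, as an added example that is not part of the original post or the reply: resolve the template to an object first and pass that to -Template. It assumes the cmdlets come from the PSPKI module (the post never names the module, only its PKI.CertificateTemplates types show up in the error), that Get-CertificateTemplate accepts -Name, and that a template with this name exists.

```powershell
# Added example (not from the original post). Assumes the PSPKI module provides
# Get-CertificateTemplate and Export-CertificateTemplate; the template name and
# output path are placeholders.
Import-Module PSPKI

$name = 'Web_Server_Internal_SSL_ADLAB_SHA256'   # assumed: the template's cn
$out  = Join-Path $env:TEMP "$name.xml"

# -Template expects PKI.CertificateTemplates.CertificateTemplate objects, so a bare
# string fails with the "Cannot convert value ... to type" error quoted above.
$template = Get-CertificateTemplate -Name $name
if (-not $template) { throw "template '$name' not found in this forest (try -DisplayName instead of -Name)" }

Export-CertificateTemplate -Template $template -Path $out
Write-Output "Exported $($template.Name) to $out"

# The same objects are what you list when you want an inventory of all templates.
Get-CertificateTemplate | Select-Object Name, DisplayName | Format-Table -AutoSize
```

If the lookup by -Name returns nothing, the value was probably the display name (with spaces) rather than the cn; the two differ for most custom templates.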