AD Powershell uses .NET class X509Certificate to represent a certificate. Let's see how you can manage the certificates for a user.

Update User Certificates

You can create a X509Certificate (or X509Certificate2) object using the certificate file.
PS C:\> $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test1.cer"
PS C:\> $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test2.cer"

Then assign the certificates to a user account while creating it.
PS C:\> $certs = $cert1,$cert2 #create certificate array
PS C:\> New-ADUser -Name TestUser1 -SamAccountName TestUser1 -Certificates $certs

Note: Parameter Certificates updates the LDAP attribute userCertificate.

You can also assign the certificates to an existing user account.
PS C:\> Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}


View User Certificates

You can fetch the certificates of an existing user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"

And then view the basic details of certificates as shown below:
PS C:\> $user1.Certificates | fl * -f

Handle  : 456139856
Issuer  : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator

X509Certificate2 can be used to view more details of certificates.
PS C:\> $user1.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | fl * -f

FriendlyName       :
IssuerName         : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter           : 2/24/2109 8:35:26 AM
NotBefore          : 3/20/2009 9:35:26 AM
HasPrivateKey      : False
PrivateKey         :
PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey
RawData            : {48, 130, 3, 139...}
SerialNumber       : …
SubjectName        : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint         : …
Version            : 3
Handle             : 456139856
Issuer             : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject            : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator


Also you can assign an existing user certificates to a new user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
PS C:\> New-ADUser -Name TestUser2 -SamAccountName TestUser2 -Certificates $user1.Certificates


Tips: Certificates are also applicable to Computer/ServiceAccount and can be managed as mentioned here.

Hope this will help.


Ashish Sharma [MSFT]
Developer – Active Directory Powershell Team