AD Powershell uses .NET class X509Certificate to represent a certificate. Let's see how you can manage the certificates for a user.
Update User Certificates
You can create an X509Certificate (or X509Certificate2) object from the certificate file.
PS C:\> $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test1.cer"
PS C:\> $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Test2.cer"
Then assign the certificates to a user account while creating it.
PS C:\> $certs = $cert1,$cert2 #create certificate array
PS C:\> New-ADUser -Name TestUser1 -SamAccountName TestUser1 -Certificates $certs
Note: The Certificates parameter writes the LDAP attribute userCertificate.
You can also assign the certificates to an existing user account.
PS C:\> Set-ADUser TestUser1 -Certificates @{Replace=$cert1,$cert2}
View User Certificates
You can fetch the certificates of an existing user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
And then view the basic details of the certificates as shown below:
PS C:\> $user1.Certificates | fl * -f
Handle  : 456139856
Issuer  : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
...
X509Certificate2 can be used to view more details of the certificates.
PS C:\> $user1.Certificates | foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} | fl * -f
...
FriendlyName       :
IssuerName         : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter           : 2/24/2109 8:35:26 AM
NotBefore          : 3/20/2009 9:35:26 AM
HasPrivateKey      : False
PrivateKey         :
PublicKey          : System.Security.Cryptography.X509Certificates.PublicKey
RawData            : {48, 130, 3, 139...}
SerialNumber       : …
SubjectName        : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint         : …
Version            : 3
Handle             : 456139856
Issuer             : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
Subject            : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
You can also assign an existing user's certificates to a new user.
PS C:\> $user1 = Get-ADUser TestUser1 -Properties "Certificates"
PS C:\> New-ADUser -Name TestUser2 -SamAccountName TestUser2 -Certificates $user1.Certificates
Tip: Certificates also apply to computer and service accounts, and they can be managed in the same way as described here.
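Putting the pieces above together, here is an added example (not part of the original post) that audits the userCertificate attribute of every enabled user, wrapping each stored X509Certificate in X509Certificate2 to read NotAfter and Thumbprint, and flags expired or soon-to-expire certificates. It assumes the ActiveDirectory module is loaded and the caller can read userCertificate; $warnDays and the optional -WhatIf cleanup at the end are choices made for this example.

```powershell
# Added example, not part of the original post: audit userCertificate on all enabled users
# and flag expired or soon-to-expire certificates.
# Assumes the ActiveDirectory module is available and the caller can read userCertificate;
# $warnDays is an arbitrary threshold chosen for this example.
Import-Module ActiveDirectory

$warnDays = 30
$now      = Get-Date

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties Certificates |
    Where-Object { $_.Certificates.Count -gt 0 } |
    ForEach-Object {
        $user = $_
        foreach ($raw in $user.Certificates) {
            # Wrap the stored X509Certificate in X509Certificate2 to get NotAfter, Thumbprint, etc.
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
            if ($c.NotAfter -lt $now)                        { $status = 'Expired' }
            elseif ($c.NotAfter -lt $now.AddDays($warnDays)) { $status = 'ExpiringSoon' }
            else                                             { $status = 'OK' }
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Subject        = $c.Subject
                Issuer         = $c.Issuer
                Thumbprint     = $c.Thumbprint
                NotAfter       = $c.NotAfter
                DaysLeft       = [int]($c.NotAfter - $now).TotalDays
                Status         = $status
            }
        }
    }

# Counts per status, then the certificates that need attention
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object NotAfter | Format-Table -AutoSize

# Optional cleanup: remove expired certificates from the user object.
# GetCertHashString() on the stored X509Certificate is the same SHA-1 hex as X509Certificate2.Thumbprint.
# -WhatIf only previews the change; drop it after reviewing the report.
foreach ($row in ($report | Where-Object { $_.Status -eq 'Expired' })) {
    $user  = Get-ADUser $row.SamAccountName -Properties Certificates
    $stale = $user.Certificates | Where-Object { $_.GetCertHashString() -eq $row.Thumbprint }
    if ($stale) {
        Set-ADUser $user -Certificates @{Remove=$stale} -WhatIf
    }
}
```

Unexpected issuers in the report are worth a second look, since anything written to userCertificate is trusted by whatever maps certificates to accounts.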
Hope this will help.
Cheers!
Ashish
--
Ashish Sharma [MSFT]
Developer – Active Directory Powershell Team