这是我在Windows 2012 R2和更高版本上使用的过程。所有PowerShell代码都是从提升的PowerShell提示符运行的。完全自动化留给用户练习。
先决条件
确保您的证书服务器上有一个模板,并且在“主题”选项卡中选中了“在请求中提供”单选按钮。因为这不是AD机器,所以证书服务器无法充分查询Active Directory中的信息。
导出根
在证书服务器上导出受信任的根证书颁发机构证书,然后将该证书文件复制到目标服务器
certutil --% -ca.cert <name of certificate file>
信任根
将该证书导入到目标服务器上的受信任的根证书颁发机构
$PathToCertificate=<name of certificate file>
$RootCertificate=Get-PfxCertificate -FilePath $PathToCertificate
$AlreadyExists=Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object { $_.Thumbprint -eq $RootCertificate.Thumbprint }
if ($AlreadyExists -eq $null) { Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root" -FilePath $PathToCertificate }
else { Write-Warning "Root certificate already installed" }
Active Directory策略提供者
确定Active Directory策略提供程序的URL
# Get AD Configuration Context
$RootDSE=[System.DirectoryServices.DirectoryEntry]::new("LDAP://RootDSE")
$ConfigContext="CN=Enrollment Services,CN=Public Key Services,CN=Services,"+$RootDSE.configurationNamingContext
# Get name of Enterprise Root Certificate Autority server
$Server=Get-ADObject -SearchBase $ConfigContext -Filter "*"
if ($Server.Count -eq 1) { throw "No Enterprise Root Certificate Autority server exists" }
else { $Server=$Server[1].Name }
# Get Enrollment URL
$ConfigContext="CN=$Server,"+$ConfigContext
$EnrollmentURL=(Get-ADObject -SearchBase $ConfigContext -Filter "*" -Properties "msPKI-Enrollment-Servers" | Select-Object -ExpandProperty "msPKI-Enrollment-Servers").Split("`n") | Where-Object { $_ -like "http*" }
if ($EnrollmentURL -eq $null) { $EnrollmentURL="" }
# Get AD Enrollment Policy URL
$Server=$Server+$RootDSE.configurationNamingContext.Value.Replace("CN=Configuration","").Replace(",DC=",".")
$WMI=Get-WmiObject -ComputerName $Server -Namespace "root\WebAdministration" -Class Application | Where-Object { $_.Path -eq "/ADPolicyProvider_CEP_UsernamePassword" }
if ($WMI -ne $null) { $PolicyURL="https://"+$Server+$WMI.Path+"/service.svc/CEP" }
else { $PolicyURL="" }
Write-Output "Enrollment URL = $EnrollmentURL"
Write-Output "Policy URL = $PolicyURL"
招生政策
将注册策略添加到目标服务器(仅适用于Windows 2012及更高版本。有关GUI的说明,请参见下文)。确保在创建非域模板之后添加了策略,否则将不会显示该策略,因为它不会刷新。
$User="<your domain name>\<your domain user name>"
$Pass="<Your domain password>"
$SecPass=ConvertTo-SecureString -String $Pass -AsPlainText -Force
$Cred=[System.Management.Automation.PSCredential]::new($User,$SecPass)
Add-CertificateEnrollmentPolicyServer -Url $PolicyURL -context Machine -NoClobber -AutoEnrollmentEnabled -Credential $Cred
取得证书
现在,您应该可以使用所需的模板注册证书
$DNS="<FQDN of your server>"
$URL=Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Select-Object -ExpandProperty Url | Select-Object -ExpandProperty AbsoluteUri
$Enrollment=Get-Certificate -Url $URL -Template "<Template name (not display name)>" -SubjectName "CN=$DNS" -DnsName $DNS -Credential $Cred -CertStoreLocation cert:\LocalMachine\My
$Enrollment.Certificate.FriendlyName=$DNS
Windows 2012 R2之前的注册策略
- 打开证书MMC
- 深入到个人证书存储
- 右键单击“证书”,然后选择“所有任务/高级操作/管理”
- 上下文菜单中的注册策略
- 点击“添加”按钮
- 粘贴注册政策的网址
- 选择用户名/密码作为身份验证类型
- 单击“验证服务器”按钮,然后输入您的域凭据,包括域
- 假设您已经能够成功验证,请单击“添加”按钮
- 选择注册策略,然后单击“属性”按钮
- 确保选中“启用自动注册和续订”框
- 我从未检查过“在注册过程中需要强力验证”,所以我不知道它的作用