How to find a list of certificate authorities in your domain using PowerShell
Intro
I needed a way to get the list of CAs in my domain so I could revamp my script that automatically requests a code signing cert, if your CA allows it.
Finding where AD lists known, trusted CAs
You'll need the Active Directory RSAT tools installed; specifically, the ActiveDirectory PowerShell module, which provides Get-ADObject and Get-ADRootDSE. Enterprise CAs register themselves as pKIEnrollmentService objects under the Enrollment Services container in the Configuration partition, which is forest-wide and readable by any authenticated user. Note that this container lists the CAs that clients can enroll against; the CA certificates the forest actually trusts live beside it in the Certification Authorities and NTAuthCertificates containers, and a standalone CA will not appear here at all.
# Read the Configuration naming context from RootDSE. The PKI containers live in the Configuration
# partition, which belongs to the forest rather than the current domain, so building the DN from the
# current domain's DN only works in the forest root domain and fails in child domains.
$ConfigNC=(Get-ADRootDSE).configurationNamingContext
# Construct the EnrollmentDN from the Configuration naming context
$EnrollmentDN="CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
# Force PowerShell to treat the result as an array - weird things can happen during processing later if there is one result when you expected several.
[array]$EnrollmentServices=Get-ADObject -SearchBase $EnrollmentDN -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName
# Write the enrollment services to the console (Name is the CA's common name, dNSHostName the server it runs on)
$EnrollmentServices
You can wrap this in a function if you want to use it in your scripts:
function Get-DomainEnrollmentServices {
# Read the Configuration naming context from RootDSE; it is forest-wide, so this works from any domain in the forest.
$ConfigNC=(Get-ADRootDSE).configurationNamingContext
# Construct the EnrollmentDN from the Configuration naming context
$EnrollmentDN="CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
# Force PowerShell to treat the result as an array - weird things can happen during processing later if there is one result when you expected several.
[array]$EnrollmentServices=Get-ADObject -SearchBase $EnrollmentDN -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName
$EnrollmentServices
}
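Once you have the enrollment service objects, the same container tells you most of what a script that wants a code signing cert needs to know: which templates each CA publishes, the CA's own certificate, and whether that certificate is in NTAuthCertificates. The following is an added example and not code from the original post; it assumes the ActiveDirectory RSAT module, PowerShell 5 or later (for the `::new()` syntax), and an account that can read the Configuration partition. The function names Get-DomainEnrollmentServiceDetail and ConvertTo-X509List are my own, and 'CodeSigning' is the cn of the built-in Code Signing template.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory RSAT module and
# PowerShell 5 or later. The function names below are mine, not from the post.
Import-Module ActiveDirectory

# The AD module returns a multi-valued binary attribute as a collection of byte[], but a lone
# value can arrive as a single byte[]. Normalise both shapes into X509Certificate2 objects.
function ConvertTo-X509List {
    param($Value)
    if ($null -eq $Value) { return }
    $Blobs = if ($Value -is [byte[]]) { ,$Value } else { $Value }
    foreach ($Blob in $Blobs) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$Blob)
    }
}

function Get-DomainEnrollmentServiceDetail {
    [CmdletBinding()]
    param(
        # Template to look for on each CA; 'CodeSigning' is the cn of the built-in template.
        [string]$TemplateName = 'CodeSigning'
    )

    # PKI containers live in the forest-wide Configuration partition, so read its DN from RootDSE
    # instead of deriving it from the current domain.
    $ConfigNC     = (Get-ADRootDSE).configurationNamingContext
    $PkiDN        = "CN=Public Key Services,CN=Services,$ConfigNC"
    $EnrollmentDN = "CN=Enrollment Services,$PkiDN"

    # NTAuthCertificates holds the CA certificates the forest trusts to issue logon certificates.
    # A CA missing from it can still issue code signing certs, but not smart card logon certs.
    $NtAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$PkiDN" -Properties cACertificate
    $NtAuthThumbprints = @(ConvertTo-X509List $NtAuth.cACertificate | ForEach-Object { $_.Thumbprint })

    [array]$Services = Get-ADObject -SearchBase $EnrollmentDN `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties cn, dNSHostName, certificateTemplates, cACertificate

    foreach ($Svc in $Services) {
        # pKIEnrollmentService carries the CA's current certificate; decode it to get the
        # subject, thumbprint and expiry without contacting the CA.
        $Cert      = @(ConvertTo-X509List $Svc.cACertificate) | Select-Object -First 1
        $Templates = @($Svc.certificateTemplates)
        [pscustomobject]@{
            CAName            = $Svc.cn
            Host              = $Svc.dNSHostName
            # "host\CA name" is the -config value certreq.exe expects.
            ConfigString      = "$($Svc.dNSHostName)\$($Svc.cn)"
            Subject           = $Cert.Subject
            Thumbprint        = $Cert.Thumbprint
            NotAfter          = $Cert.NotAfter
            InNTAuth          = [bool]($NtAuthThumbprints -contains $Cert.Thumbprint)
            PublishesTemplate = [bool]($Templates -contains $TemplateName)
            Templates         = $Templates
        }
    }
}

Get-DomainEnrollmentServiceDetail | Format-List
```

PublishesTemplate only tells you that the CA offers the template; whether your account can enroll for it is governed by the ACL on the template object under CN=Certificate Templates in the same Public Key Services container, so check that separately before assuming the request will succeed. The ConfigString value is what you pass to certreq.exe -config when submitting the request.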