Aaron

Hi! I’m Aaron. I keep things here that I want to remember or that I think you might find useful.

Finding Windows Enterprise Certificate Authorities Using PowerShell

How to find the list of Enterprise certificate authorities published in your Active Directory forest using PowerShell.

Intro

I needed a way to get the list of CAs present in my domain so I could revamp my script that automatically requests a code signing certificate, if your CA allows it.

Finding where AD lists known, trusted CAs

You’ll need the Active Directory RSAT tools installed: the ActiveDirectory PowerShell module provides Get-ADObject and Get-ADRootDSE. Enterprise CAs are registered as pKIEnrollmentService objects under the Enrollment Services container in the Configuration partition, which is forest-wide rather than per-domain.

# Read the DN of the Configuration partition from the RootDSE. The Enrollment Services container lives in the
# Configuration partition, which is forest-wide, so deriving it from the current domain's DN only works in the forest root domain.
$ConfigurationDN=(Get-ADRootDSE).configurationNamingContext
# Construct the EnrollmentDN from the Configuration DN
$EnrollmentDN="CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigurationDN"
# Force PowerShell to treat the result as an array - weird things can happen during processing later if there is one result when you expected several.
[array]$EnrollmentServices=Get-ADObject -SearchBase $EnrollmentDN -SearchScope OneLevel -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName
# Write the enrollment services to the console
$EnrollmentServices

You can wrap this in a function if you want to use it in your scripts:

function Get-DomainEnrollmentServices () {
    # Read the DN of the Configuration partition from the RootDSE. The Enrollment Services container lives in the
    # Configuration partition, which is forest-wide, so deriving it from the current domain's DN only works in the forest root domain.
    $ConfigurationDN=(Get-ADRootDSE).configurationNamingContext
    # Construct the EnrollmentDN from the Configuration DN
    $EnrollmentDN="CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigurationDN"
    # Force PowerShell to treat the result as an array - weird things can happen during processing later if there is one result when you expected several.
    [array]$EnrollmentServices=Get-ADObject -SearchBase $EnrollmentDN -SearchScope OneLevel -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName
    $EnrollmentServices
}
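Once you have the enrollment service objects, the same container holds more than the CA host names. As an added example (not code from the original post), the function below goes a step further than the post: for each Enterprise CA it decodes the certificate AD publishes in the cACertificate attribute, reports its subject, thumbprint and expiry, lists the templates the CA publishes, and checks whether that CA certificate is also present in the NTAuthCertificates store that Windows consults for smart-card and other certificate logons. It assumes the ActiveDirectory RSAT module, as the post does; the Get-EnterpriseCAInventory and ConvertTo-X509 names and the $WarnDays threshold are my own choices, not anything from the post.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# RSAT module (Get-ADObject, Get-ADRootDSE). Function names and the expiry
# threshold are assumptions of this example.
Import-Module ActiveDirectory

function ConvertTo-X509 {
    # Turn an octet-string AD attribute value into X509Certificate2 objects.
    # Depending on cmdlet version the value arrives as a single byte[] or as a
    # collection of byte[], so both shapes are handled.
    param($AttributeValue)
    if ($null -eq $AttributeValue) { return }
    if ($AttributeValue -is [byte[]]) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$AttributeValue)
        return
    }
    foreach ($blob in $AttributeValue) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
    }
}

function Get-EnterpriseCAInventory {
    [CmdletBinding()]
    param(
        # Flag CA certificates that expire within this many days (assumed threshold).
        [int]$WarnDays = 90
    )

    # The Configuration partition is forest-wide; read its DN from the RootDSE
    # rather than deriving it from the current domain's DN.
    $configDN = (Get-ADRootDSE).configurationNamingContext
    $enrollDN = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configDN"
    $ntAuthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configDN"

    # Thumbprints of every certificate trusted for NTAuth, for the cross-check below.
    $ntAuth = Get-ADObject -Identity $ntAuthDN -Properties cACertificate
    $ntAuthThumbs = @(ConvertTo-X509 $ntAuth.cACertificate | ForEach-Object { $_.Thumbprint })

    [array]$cas = Get-ADObject -SearchBase $enrollDN -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties cn, dNSHostName, cACertificate, certificateTemplates

    foreach ($ca in $cas) {
        foreach ($cert in @(ConvertTo-X509 $ca.cACertificate)) {
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            [pscustomobject]@{
                CAName     = $ca.cn
                Host       = $ca.dNSHostName
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                Expiring   = ($daysLeft -le $WarnDays)
                InNTAuth   = ($ntAuthThumbs -contains $cert.Thumbprint)
                Templates  = (@($ca.certificateTemplates) -join ', ')
            }
        }
    }
}

# Usage: a quick table for the console, or pipe to Export-Csv for an audit record.
Get-EnterpriseCAInventory | Format-Table CAName, Host, Subject, NotAfter, Expiring, InNTAuth -AutoSize
```

Two rows of this output are worth a second look in any review: a CA whose published certificate is close to expiry (enrollment and CRL publishing stop when it lapses), and a CA with InNTAuth set to False, which means certificates it issues will not be accepted for domain logon even though the CA is otherwise registered. The Templates column also gives you a quick view of what each CA is willing to issue, which is the list to compare against what you actually intend to publish.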