Here’s a script I mangled from Technet
https://social.technet.microsoft.com/Forums/windowsserver/en-US/347acc93-8352-4535-ab1a-23ebd49eea22/duplicate-certificate-template-edit-and-publish-it?forum=winserverpowershell
I’m having trouble on the last part where I call ‘Add-CATemplate’ If I run the script as is, the template get’s created, but will not publish. I have to got to the templates MMC and refresh for the add-template command to work.
Add-CATemplate : The "deploy-WebServer" template does not exist in the domain. At I:\scripts\WebServer-Template.ps1:79 char:1 + Add-CATemplate -Name 'deploy-WebServer' -force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (deploy-WebServer:String) [Add-CATemplate], InvalidTemplateException + FullyQualifiedErrorId : InvalidTemplate,Microsoft.CertificateServices.Administration.Commands.CA.AddCATemplateCommand
Is there a way to refresh the list powershell-magically?
$ConfigContext = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext $ADSI = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext" $NewTempl = $ADSI.Create("pKICertificateTemplate", "CN=deploy-WebServer") $NewTempl.put("distinguishedName","CN=deploy-WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext") # and put other atributes that you need $NewTempl.put("flags","131649") $NewTempl.put("displayName","deploy-WebServer") $NewTempl.put("revision","100") $NewTempl.put("pKIDefaultKeySpec","1") $NewTempl.SetInfo() $NewTempl.put("pKIMaxIssuingDepth","0") $NewTempl.put("pKICriticalExtensions","2.5.29.15") $NewTempl.put("pKIExtendedKeyUsage","1.3.6.1.5.5.7.3.1") $NewTempl.put("pKIDefaultCSPs","1,Microsoft RSA SChannel Cryptographic Provider") $NewTempl.put("msPKI-RA-Signature","0") $NewTempl.put("msPKI-Enrollment-Flag","8") $NewTempl.put("msPKI-Private-Key-Flag","16842768") $NewTempl.put("msPKI-Certificate-Name-Flag","1") $NewTempl.put("msPKI-Minimal-Key-Size","2048") $NewTempl.put("msPKI-Template-Schema-Version","2") $NewTempl.put("msPKI-Template-Minor-Revision","2") $NewTempl.put("msPKI-Cert-Template-OID","1.3.6.1.4.1.311.21.8.7183632.6046387.16009101.13536898.4471759.164.5869043.12046343") $NewTempl.put("msPKI-Certificate-Application-Policy","1.3.6.1.5.5.7.3.1") $NewTempl.SetInfo() $WATempl = $ADSI.psbase.children | where {$_.displayName -match "Subordinate Certification Authority"} #before $NewTempl.pKIExpirationPeriod = $WATempl.pKIExpirationPeriod $NewTempl.pKIOverlapPeriod = $WATempl.pKIOverlapPeriod $NewTempl.SetInfo() $WATempl2 = $ADSI.psbase.children | where {$_.displayName -match "Web Server"} $NewTempl.pKIKeyUsage = $WATempl2.pKIKeyUsage $NewTempl.SetInfo() $NewTempl | select * $acl = $NewTempl.psbase.ObjectSecurity $acl | select -ExpandProperty Access #Set new $AdObj = New-Object System.Security.Principal.NTAccount("Authenticated Users") $identity = $AdObj.Translate([System.Security.Principal.SecurityIdentifier]) $adRights = "ReadProperty, ExtendedRight, GenericExecute" $type = "Allow" $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type) $NewTempl.psbase.ObjectSecurity.SetAccessRule($ACE) $NewTempl.psbase.commitchanges() $AdObj = New-Object System.Security.Principal.NTAccount("deploy\Administrator") $identity = $AdObj.Translate([System.Security.Principal.SecurityIdentifier]) $adRights = "GenericAll" $type = "Allow" $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type) $NewTempl.psbase.ObjectSecurity.SetAccessRule($ACE) $NewTempl.psbase.commitchanges() sleep 5 Stop-Service CertSvc sleep 5 Start-Service CertSvc sleep 5 Get-CATemplate Add-CATemplate -Name 'deploy-WebServer' -force