Microsoft Windows (PowerShell)¶

1. In the TLS Protect Cloud toolbar, click Machines.
2. Click the checkbox next to the Microsoft Windows (PowerShell) machine that you want to provision a certificate to.
3. Click Provision a certificate. The Provision a certificate modal opens.

4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

   Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

5. From the CAPI Store drop down, select the certificate store you want the certificate installed in.

6. Enter a Friendly Name for this certificate in the Windows Certificate Store.

7. If you want the private key associated with this certificate to be able to be exported from the Windows certificate store, toggle the Allow private key to be exported option.

8. (Optional) To automatically invoke the PowerShell script function, enable the Installation Endpoint toggle in TLS Protect Cloud.

   Note

   Enabling Installation Endpoint allows you to execute your provided PowerShell script to consume the provisioned certificate to different Windows services. The PowerShell script is executed with the account configured on the TLS Protect Cloud Microsoft Windows (PowerShell) machine. This account is also used to install the certificate into the CAPI store.

   Note

   Ensure that the PowerShell script configured on the Microsoft Windows (PowerShell) machine is managed and written to execute your intended actions, not exhaust system resources, and sign with a trusted certificate on the target system. The script must contain a specific function that would be executed to consume (bind) the certificate from the CAPI store.

   Warning

   You are responsible for managing, writing, and securing your PowerShell script. To minimize exposure and prevent unauthorized access, use a dedicated user account with only the necessary permissions (least privilege) instead of an admin or shared account, as a compromised script with broad access increases security risks. Script signing ensures integrity after deployment but does not gaurantee the security of its source or development environment.

   Refer to the following PowerShell script example:

   <##################
   .NAME
       bind-certificate
   .DESCRIPTION
       consumes a certificate from the CAPI store, mainly used to bind the certificate to a Windows service
   .PARAMETER certificateStore
       The Windows Certificates store location where the certificate is stored
   .PARAMETER thumbprint
       A text string that represents the public key hash of the certificate
   .NOTES
       A successful script execution returns an exit code 0. If the script fails, it returns a non-zero exit code
       and TLS Protect Cloud would show the error message in the UI
   ##################>
   function bind-certificate( [string]$certificateStore, [string]$thumbprint )
   {
       return "Success"
   }
   

   1. In the Script Path box, enter the full path to the PowerShell script.

9. To create the certificate in TLS Protect Cloud without pushing it, set the Push upon saving slider to No.

   With the default Yes, saving pushes the certificate to the Windows certificate store. If the Installation Endpoint is configured (see previous step), it also pushes the certificate to the Microsoft Windows (PowerShell) script specified in the Script Path.

10. Click Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly. Learn more

    Are you requiring strict enforcement of Powershell script signing?

    Yes, strict enforcement of PowerShell script signing is required. You are responsible for managing, writing, and securing your PowerShell script to execute your intended actions.

    The Microsoft Windows (PowerShell) Server provisioning process is used over WinRM to install certificates on the Windows machine. TLS Protect Cloud PowerShell scripts are signed using Venafi's DigiCert CodeSigning certificate. Your custom PowerShell script must be signed by a Trusted Publisher. Ensure Venafi's CodeSigning certificate is included of the Trusted Publishers location on the machine's CAPI store. The script will not be executed and the certificate will fail to provision if the script is not signed, or if strict signing requirements are not enabled. Typically, this is managed and distributed via Group Policy by your Active Directory administrators.

    Warning

    TLS Protect Cloud ensures the ExecutionPolicy is set to AllSigned, before each execution. Modifications to your custom PowerShell scripts signing requirements will result in a provision failure.

    You can find the Venafi CodeSigning certificate in PEM format for your convenience:

    -----BEGIN CERTIFICATE-----
    MIIHdjCCBV6gAwIBAgIQDDwkVYKmVAV5QwSzZFlFxTANBgkqhkiG9w0BAQsFADBp
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
    OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
    IDIwMjEgQ0ExMB4XDTI0MDgyMTAwMDAwMFoXDTI1MDkxNjIzNTk1OVowfjELMAkG
    A1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5
    MRUwEwYDVQQKEwxWZW5hZmksIEluYy4xGTAXBgNVBAsTEEVuZ2luZWVyaW5nIFZh
    YVMxFTATBgNVBAMTDFZlbmFmaSwgSW5jLjCCAiIwDQYJKoZIhvcNAQEBBQADggIP
    ADCCAgoCggIBAOfGSJIknBGQ0nZ4KVe1qS/581DkYQcIyAePb1suokp7/YY6h2vg
    1OZwdlHHm8aZxb0b1Xq4Pj2h6zf3Egh9rGj/phoUuAaYi4fwxiS67Iy8R66J+kvf
    PxlahO1yF5B74/2AuMGOuea230WUb/C8cPDSqb2iNidqqy3z510+IuzG1EU0oZMT
    +WFMsqAvD7vuNkFRFaXMrZAwNsAKg898PjT4JH6X4NhZypnSV2gWqjNcF/avpr7H
    tbT87xRnzwgyQtKE4+z77hmHrZvyGB335AIrjouf8jHR86sWZWkw/G7b42HV1Uyb
    GUdZTWM6l3hNQV6i0eUNqPNz5rQXkZGyit5PPSJRxnAI0lec0gGGnIJlkc7WeTY8
    5+M0Pqd6RtomlOra7euGR4/w93H073E9EdhBL5mpjF7jkB/sWGgZgYiVeeFE9Ecc
    kSOBtwb+2HoZkg87OBQ6NzXxHyksX0MY9N6XKqQdbtIwTOSjZfils/S8YP/hhkWV
    MEFKIqjQEsL9jH30MpG9bEjCvhO9R4R5E5uQjmTqwQWg5uDQopkmSm0iC2WCWcv1
    dhvMb294vNhw578jEKowyNH5VNwNeuTCpdzMNfdHTY1loorltbIa1dEN1xOjm4ve
    a0JijE+1OvlbPBMWhcB8JnkjFdNYUc1swErV8MvZxv1zns9U8E594/bXAgMBAAGj
    ggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNVHQ4E
    FgQUMqZQnX+ejPhr/xdSp/xnOUTkyf0wPgYDVR0gBDcwNTAzBgZngQwBBAEwKTAn
    BggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1UdDwEB
    /wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOgUaBP
    hk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRDb2Rl
    U2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDovL2Ny
    bDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0
    MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsGAQUF
    BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0dHA6
    Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWdu
    aW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcN
    AQELBQADggIBALfd+IlW7Ucv0KtHZM6AYYIRAJGFqiyBq5l00SeGxhD7HY4LhNeO
    MOwxx7ZIYk7A/vPtMUHBtB6m162QM3RFZOdU6vnp/aKBKOzG4BUYM9oyh3d7w9y0
    vMgENlvl5ITlz7slvbZG9olQTwIS/tNQCdYu3UGgTpFcQma1Inrlma7+RHec0XWo
    DYFgm3Vxw+9zv71Hio0KGpwXfZGQtYxiGeU9ftfebHZ40uxRIvzIIQ3Na1HZTsWx
    2GziDljY+cMaU1bibC76RHIQ/exUO18xDnTd5gjc+Kdreo9iJWzQgEBB/X5IzjmC
    gD+zKpHd+4wGV4y2DyWXr9YzP045N6qtv4vftnr0EWH9UNErlPhqMpRUO3oEf49s
    fXmnBRhYeESbLnGm1+sy1HCRjKo3ExpLO/UButtg67bqq1cHei/ru7ijF8jxOYvm
    Nsgxis2bkWugnxIgfYjvjsLgiYFSbQVP19LtsuNeWp7alfSCfLazoPnk2lsByHNB
    Q5JjZjnmOET1AafDaKI2roay0U/RIFiYanA0bxZxM3lmsXGPbSOEWQUFArlltMAp
    HYuZMQswEfNXUkj/SaTDMj5YNDN4DCqIchV/C2pkRN8NzQRDUm/f1zkO4z11YENF
    OQ7vam82kVOEWSevAXeYGrS4/VR02CujvRnJr0mBduSmQJrz5JvacdUK
    -----END CERTIFICATE-----