Microsoft Windows (PowerShell)
Tip
Before proceeding, verify that the machine is already created in Certificate Manager - SaaS. Also, ensure that you’ve completed the prerequisite configuration steps for the Microsoft Windows (PowerShell) machine.
- Sign in to Certificate Manager - SaaS.
- Click Installations > Machines.
- Select the Microsoft Windows (PowerShell) machine to provision a certificate to.
- Click Provision a certificate.
- In Choose a certificate from the inventory, search for and select the certificate to provision, reviewing its Subject DN, Validity, and Fingerprint to confirm accuracy.
- In CAPI Store, select the certificate store in which to install the certificate.
- Enter a Friendly Name for the certificate.
- (Optional) To enable export of the certificate's private key, enable Allow private key to be exported.
- (Optional) To automatically invoke the PowerShell script, enable Installation Endpoint.
Note
Enabling Installation Endpoint lets Certificate Manager - SaaS run the PowerShell script you provide, so that the provisioned certificate can be consumed by different Windows services. The script runs under the account configured on the Certificate Manager - SaaS Microsoft Windows (PowerShell) machine. This account is also used to install the certificate into the CAPI store.
Note
Ensure that the PowerShell script configured on the Microsoft Windows (PowerShell) machine is managed, is written to execute your intended actions without exhausting system resources, and is signed with a certificate that is trusted on the target system. The script must contain a specific function that is executed to consume (bind) the certificate from the CAPI store.
Warning
You are responsible for managing, writing, and securing your PowerShell script. To minimize exposure and prevent unauthorized access, use a dedicated user account with only the necessary permissions (least privilege) instead of an admin or shared account, as a compromised script with broad access increases security risks. Script signing ensures integrity after deployment but does not guarantee the security of its source or development environment.
Refer to the following PowerShell script example:
```powershell
<##################
.NAME
    bind-certificate
.DESCRIPTION
    consumes a certificate from the CAPI store, mainly used to bind the certificate to a Windows service
.PARAMETER certificateStore
    The Windows Certificates store location where the certificate is stored
.PARAMETER thumbprint
    A text string that represents the public key hash of the certificate
.NOTES
    A successful script execution returns an exit code 0. If the script fails, it returns a non-zero exit code and Certificate Manager - SaaS would show the error message in the UI
##################>
function bind-certificate(
    [string]$certificateStore,
    [string]$thumbprint
) {
    return "Success"
}
```
- In the Script Path box, enter the full path to the PowerShell script.
Tip
If Installation Endpoint is enabled, the certificate is pushed to the script in this path when saved.
- (Optional) To create the certificate without pushing it to the Windows certificate store, set Push upon saving to No.
- Click Save.
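The `bind-certificate` skeleton in the Installation Endpoint step only returns "Success". The following added example (not vendor code) fills in the function for one service and validates its inputs before touching the system. It assumes that `$certificateStore` is a LocalMachine store name such as `My`, that the service being bound is the Remote Desktop listener `RDP-Tcp`, and that a terminating error is how the script signals failure.

```powershell
# Added example, not vendor code. Assumptions: $certificateStore is a
# LocalMachine store name such as "My"; the service being bound is the
# Remote Desktop listener "RDP-Tcp"; failure is signaled by a terminating error.
function bind-certificate(
    [string]$certificateStore,
    [string]$thumbprint
) {
    $ErrorActionPreference = 'Stop'

    # Accept only a 40-hex-digit SHA-1 thumbprint and a plain store name
    # before either value is used in a provider path or a CIM call.
    $thumbprint = ($thumbprint -replace '\s', '').ToUpperInvariant()
    if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Invalid thumbprint format" }
    if ($certificateStore -notmatch '^[A-Za-z]+$') { throw "Invalid store name" }

    # Throws if the certificate was not installed into this store.
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\$certificateStore\$thumbprint"

    # A certificate without its private key, or outside its validity
    # window, cannot be used by the listener for TLS.
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key" }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $thumbprint is not currently valid"
    }

    # Point the RDP listener at the certificate.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $listener) { throw "RDP-Tcp listener not found" }
    Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $thumbprint }

    # Read the setting back so a silent failure does not report success.
    $current = (Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
    if ($current -ne $thumbprint) { throw "Binding verification failed" }

    return "Success"
}
```

The account that runs this function needs read access to the certificate's private key and write access to the `Win32_TSGeneralSetting` instance, and nothing broader.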
Want to schedule your provisions?
Schedule your provisions daily, weekly, or monthly. Learn more