Microsoft Windows (PowerShell)

Tip

Before proceeding, verify that the machine is already created in Certificate Manager - SaaS. Also, ensure that you’ve completed the prerequisite configuration steps for the Microsoft Windows (PowerShell) machine.

  1. In the Certificate Manager - SaaS toolbar, click Machines.
  2. Click the checkbox next to the Microsoft Windows (PowerShell) machine that you want to provision a certificate to.
  3. Click Provision a certificate. The Provision a certificate modal opens.
  4. From the Choose a certificate from the inventory field, begin typing the certificate name you want to provision. Click the certificate when you see it listed.

    Verify that you've selected the correct certificate by reviewing the Subject DN, Validity, and Fingerprint.

  5. From the CAPI Store drop down, select the certificate store you want the certificate installed in.

  6. Enter a Friendly Name for this certificate in the Windows Certificate Store.
  7. If you want the private key associated with this certificate to be exportable from the Windows certificate store, toggle the Allow private key to be exported option.

  8. (Optional) To automatically invoke the PowerShell script function, enable the Installation Endpoint toggle in Certificate Manager - SaaS.

    Note

    Enabling Installation Endpoint lets Certificate Manager - SaaS execute the PowerShell script you provide so that different Windows services can consume the provisioned certificate. The PowerShell script is executed with the account configured on the Certificate Manager - SaaS Microsoft Windows (PowerShell) machine. This account is also used to install the certificate into the CAPI store.

    Note

    Ensure that the PowerShell script configured on the Microsoft Windows (PowerShell) machine is managed and written to execute your intended actions, does not exhaust system resources, and is signed with a certificate that is trusted on the target system. The script must contain a specific function that is executed to consume (bind) the certificate from the CAPI store.

    Warning

    You are responsible for managing, writing, and securing your PowerShell script. To minimize exposure and prevent unauthorized access, use a dedicated user account with only the necessary permissions (least privilege) instead of an admin or shared account, because a compromised script with broad access increases security risks. Script signing ensures integrity after deployment but does not guarantee the security of its source or development environment.

    Refer to the following PowerShell script example:

    <##################
    .NAME
        bind-certificate
    .DESCRIPTION
        consumes a certificate from the CAPI store, mainly used to bind the certificate to a Windows service
    .PARAMETER certificateStore
        The Windows Certificates store location where the certificate is stored
    .PARAMETER thumbprint
        A text string that represents the public key hash of the certificate
    .NOTES
        A successful script execution returns an exit code 0. If the script fails, it returns a non-zero exit code
        and Certificate Manager - SaaS would show the error message in the UI
    ##################>
    function bind-certificate( [string]$certificateStore, [string]$thumbprint )
    {
        return "Success"
    }
    

    1. In the Script Path box, enter the full path to the PowerShell script.
  9. To create the certificate in Certificate Manager - SaaS without pushing it, set the Push upon saving slider to No.

    With the default Yes, saving pushes the certificate to the Windows certificate store. If the Installation Endpoint is configured (see previous step), it also pushes the certificate to the Microsoft Windows (PowerShell) script specified in the Script Path.

  10. Click Save.
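
The sample `bind-certificate` function in step 8 only returns "Success". The following is an added example, not the vendor's script, of a function body that validates the certificate before binding it. It assumes the target is an IIS site (`$SiteName` is a hypothetical value), that `$certificateStore` names a LocalMachine store such as `My`, and that a terminating error is how failure reaches the caller.

```powershell
# Added example; the site name, store scope and error handling are assumptions.
function bind-certificate( [string]$certificateStore, [string]$thumbprint )
{
    $ErrorActionPreference = 'Stop'
    $SiteName = 'Default Web Site'   # hypothetical; set to the site you manage

    # Accept "My" or "Cert:\LocalMachine\My"; IIS expects the bare store name.
    $storeName = Split-Path -Path $certificateStore -Leaf

    # A thumbprint is 40 hex characters; reject anything else before it is
    # used to build a provider path.
    $thumbprint = ($thumbprint -replace '\s', '').ToUpperInvariant()
    if ($thumbprint -notmatch '^[0-9A-F]{40}$') {
        throw "Unexpected thumbprint format."
    }

    # Confirm the provisioned certificate is present and usable.
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\$storeName\$thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumbprint has no private key in store '$storeName'."
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $thumbprint is outside its validity period."
    }

    # Bind to every https binding of the site (WebAdministration ships with IIS).
    Import-Module WebAdministration
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($bindings.Count -eq 0) {
        throw "No https binding found on site '$SiteName'."
    }
    foreach ($b in $bindings) {
        $b.AddSslCertificate($thumbprint, $storeName)
    }

    return "Success"
}
```

The account that runs this needs rights to read the private key and change IIS bindings, and nothing more; the script must be re-signed after any edit.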

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly. Learn more

    Is strict enforcement of PowerShell script signing required?

    Yes, strict enforcement of PowerShell script signing is required. You are responsible for managing, writing, and securing your PowerShell script to execute your intended actions.

    The Microsoft Windows (PowerShell) Server provisioning process uses WinRM to install certificates on the Windows machine. Certificate Manager - SaaS PowerShell scripts are signed using Venafi's DigiCert CodeSigning certificate. Your custom PowerShell script must be signed by a Trusted Publisher. Ensure Venafi's CodeSigning certificate is included in the Trusted Publishers location on the machine's CAPI store. The script will not be executed and the certificate will fail to provision if the script is not signed, or if strict signing requirements are not enabled. Typically, this is managed and distributed via Group Policy by your Active Directory administrators.

    Warning

    Certificate Manager - SaaS ensures the ExecutionPolicy is set to AllSigned before each execution. Modifications to your custom PowerShell script's signing requirements will result in a provision failure.
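
The signing requirements above can be checked on the target machine before the first provision. This is an added example, not part of Certificate Manager - SaaS; the script path is a placeholder, and the function name defaults to the one used in the sample script on this page.

```powershell
# Added example: read-only pre-flight check, run locally on the target machine.
function Test-ProvisionScript {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,    # placeholder: your Script Path value
        [string]$FunctionName = 'bind-certificate'    # name from the page's sample script
    )
    $findings = @()

    # 1. Authenticode status must be Valid: file unmodified since signing and
    #    the signer's chain builds to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 2. The page requires the signer to be a Trusted Publisher on the machine.
    $signer = $sig.SignerCertificate
    if ($signer) {
        $tp = "Cert:\LocalMachine\TrustedPublisher\$($signer.Thumbprint)"
        if (-not (Test-Path -LiteralPath $tp)) {
            $findings += "Signer '$($signer.Subject)' is not in LocalMachine\TrustedPublisher"
        }
    }

    # 3. The script must parse cleanly and define the function to be executed.
    $tokens = $null; $errors = $null
    $full = (Resolve-Path -LiteralPath $ScriptPath).ProviderPath
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $full, [ref]$tokens, [ref]$errors)
    $fn = @($ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.FunctionDefinitionAst] -and
        $n.Name -eq $FunctionName }, $true))
    if ($errors.Count -gt 0) { $findings += "Script has $($errors.Count) parse error(s)" }
    if ($fn.Count -eq 0)     { $findings += "Function '$FunctionName' is not defined" }

    [pscustomobject]@{
        ScriptPath = $full
        Signer     = if ($signer) { $signer.Subject } else { $null }
        Ready      = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Placeholder path; replace with the value entered in Script Path.
Test-ProvisionScript -ScriptPath 'C:\Scripts\bind-certificate.ps1'
```
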

    You can find the Venafi CodeSigning certificate in PEM format for your convenience:
