Microsoft Windows (PowerShell)¶
Tip
Before you begin, verify that the machine is created in Certificate Manager - SaaS and that you completed the prerequisite configuration steps.
PowerShell script signing requirement
The PowerShell connector requires that you set the execution policy to AllSigned on the target machine. Only signed scripts can run.
If unsigned scripts prevent you from enabling AllSigned globally, set the execution policy to AllSigned for the service account only.
- Sign in to Certificate Manager - SaaS.
- Select Installations > Machines.
- Select the Microsoft Windows (PowerShell) machine that you want to provision a certificate to.
- Select Provision a certificate.
- In Choose a certificate from the inventory, search for and select the certificate to provision. Review its Subject DN, Validity, and Fingerprint to confirm accuracy.
- In CAPI Store, select the certificate store to install the certificate.
- Enter a Friendly Name for the certificate.
- Optional: To enable export of the certificate's private key, select Allow private key to be exported.
-
Optional: To automatically run the PowerShell script, select Installation Endpoint.
Note
When you enable Installation Endpoint, the PowerShell script runs to bind the provisioned certificate to Windows services. The script runs under the machine's configured service account, which also installs the certificate into the CAPI store.
Note
Your PowerShell script must include a
bind-certificatefunction that acceptscertificateStoreandthumbprintparameters. The function runs automatically when you provision a certificate.Script signing requirements
- Import the CyberArk code signing certificate to the Trusted Publishers certificate store.
- Import your code signing certificate to the Trusted Publishers certificate store.
- Sign your PowerShell script with both certificates.
- Set the execution policy to AllSigned for the service account.
CyberArk code signing certificate
Certificate Manager - SaaS uses PowerShell scripts over WinRM to provision certificates. These scripts are signed with a DigiCert code signing certificate issued to CyberArk Software Ltd. You must import this certificate into the Trusted Publishers certificate store in the machine's CAPI store.
Typically, your Active Directory administrators manage and distribute trusted publisher certificates through Group Policy.
The certificate is available in PEM format:
-----BEGIN CERTIFICATE----- MIIHeTCCBWGgAwIBAgIQD5K9ewtirvrfYeVIO+QHIDANBgkqhkiG9w0BAQsFADBp MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0 IDIwMjEgQ0ExMB4XDTI1MTAyMDAwMDAwMFoXDTI2MTAxOTIzNTk1OVowgYAxCzAJ BgNVBAYTAklMMRQwEgYDVQQHEwtQZXRhaCBUaWt2YTEfMB0GA1UEChMWQ3liZXJB cmsgU29mdHdhcmUgTHRkLjEZMBcGA1UECxMQRW5naW5lZXJpbmcgVmFhUzEfMB0G A1UEAxMWQ3liZXJBcmsgU29mdHdhcmUgTHRkLjCCAiIwDQYJKoZIhvcNAQEBBQAD ggIPADCCAgoCggIBAOIAHCC0hdOU4hMlqUKgg+WrOJ64nUVg1z14D2Tw2yOc0VUj 2mdJlQ2prpuPkk7eQ/n8HJdNEDtz9a0ZsoSe6pTBStajjcuQ90vHc5PkZgUFfqmA DUp5HYjzafy7WQg5sDElIuLl6dGkhaGTTVN7ppBTK5b39/OQcDap4+y65jgfrNxe 4kwcWb4+9iBEEgL6fM3l83/XKSxDlpSv9vgPUoKOIRImD2V11hSZ3dQcdigTOS5k qUiFYN1wJ9aJEmUldy9aV6QBs/BBxTO98RpItLcB5nelSz+3sLpEABuAZoxOz2fV EHdRG8BfIcfa+9xR440oyx9q55m92tjAdzIKHcje2ihEQ9ne4T7Ru8Wim/gyBCrm OoXN19B95WK9eh7Ry+UD+tlWaMVUaIKq34lXgKon4pazTvmOV6AoUToMsYNcbPj8 xcp1AnKnMnKSxsQDPE/ltQOGDkbJS3Pw27SMZn424FhLq/aUb0W+rIvzE+nBal8+ PTND2x2ioQ0IDpnXqPofZFb2Ug3vsFeoTgfeU5694/BzQijsI6vLbdgw+j/0T9YK iOleajjnyTOSxnKbMPksCShCM049+S5nrf58MRp04RIBXtOyvE5OZeDMiSQSDJs6 GDZv8ZuIXgd5xWEgbtPZa8LmcH5BggEETDGFQvAGXNFWS6qfKOWUA66RAM/BAgMB AAGjggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNV HQ4EFgQU9mdEHZSW9O1DrKY6HJ+xhh1sRAMwPgYDVR0gBDcwNTAzBgZngQwBBAEw KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1Ud DwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOg UaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRD b2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDov L2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdS U0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsG AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0 dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVT aWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZI hvcNAQELBQADggIBAJsLHgoTvlHafPU8cbyLtV6+yp6a+2Ddk6ZohJVIq1syn+d6 zr+4Bsd59Dmtdu4SVx7HGkminNhBslheXBUHy8tt/2VWKV1LJ314hziO/24Fpzmu msd7DzVRXSsh5Y9/xp3CWNH1327vhIEo7hawm1cE62vUW0ZHDEuF3kGzlVubGCTK OYZB+sBD2qMkADcHJ23/M6AYEp5Sxhyn+YcHejw9MArBde+hqI6L4e9AsNFuul+5 Il79suYtn9BHdpM5Y4Ftm3pVzE5BBbvptFwHz0rLzOPpCQVawohVnBRilNBfxUdY +30Kxvcygrom0HqsH1LEbwFHwG3IU7VqOjwWCoLxOPFPj99XQ/DVPG6bvpymFtiB twY40mAV4mZHbYGyKMtGLSoKnjmwm+QsORD+rEs+M6qNZdz2ywqdNOrKc8/WjUaq TTFsjd/40KAUTDveqp9KS3OAaiqyxvRKlaFUgW6IxWRf2BzUtFi1EeJ9I3jSRi93 XuFYnutB9ngiC6mXUh9cg1ogMH7ZzWFzWDIp+YAwIbnnj/8tof3EH0Cry3869Syi K6TOacAdQhB/oU+5z1KjnOjz/pkjOr7E05eO7+dioy5he54wH7bqHmYbJSrxrXcG 2p04bRPUimKrNqaJywzTXHABzs1AOKWiNcWK6prv0pU+Myi9Z90VWLLflPlz -----END CERTIFICATE-----Warning
You're responsible for securing your PowerShell script. Use a dedicated service account with the minimum required permissions. Don't use an admin or shared account. Script signing ensures integrity after deployment but doesn't guarantee source security.
Example
<################## .NAME bind-certificate .DESCRIPTION Consumes a certificate from the CAPI store to bind the certificate to a Windows service .PARAMETER certificateStore The Windows certificate store location where the certificate is stored .PARAMETER thumbprint The public key hash of the certificate .NOTES Successful script execution returns exit code 0. If the script fails, it returns a non-zero exit code, and Certificate Manager - SaaS displays the error message in the UI. ##################> function bind-certificate( [string]$certificateStore, [string]$thumbprint ) { return "Success" } -
In Script Path, enter the full path to the PowerShell script.
Tip
When you enable Installation Endpoint, the certificate is pushed to the script at this path when you save.
-
Optional: To create the certificate without pushing it to the Windows certificate store, set Push upon saving to No.
-
Select Save.
Want to schedule your provisions?
Schedule your provisions daily, weekly, or monthly. Learn more