Microsoft Windows (PowerShell)

Tip

Before you begin, verify that the machine is created in Certificate Manager - SaaS and that you completed the prerequisite configuration steps.

PowerShell script signing requirement

The PowerShell connector requires the AllSigned execution policy on the target machine, so only scripts that carry a valid Authenticode signature from a trusted publisher can run.

If other unsigned scripts on the machine prevent you from enabling AllSigned at the LocalMachine scope, set it to AllSigned at the CurrentUser scope for the service account only. That scope is stored in the account's own user profile, so it does not affect other users on the machine.

  1. Sign in to Certificate Manager - SaaS.
  2. Select Installations > Machines.
  3. Select the Microsoft Windows (PowerShell) machine that you want to provision a certificate to.
  4. Select Provision a certificate.
  5. In Choose a certificate from the inventory, search for and select the certificate to provision. Review its Subject DN, Validity, and Fingerprint to confirm accuracy.
  6. In CAPI Store, select the certificate store to install the certificate.
  7. Enter a Friendly Name for the certificate.
  8. Optional: To enable export of the certificate's private key, select Allow private key to be exported.
  9. Optional: To automatically run the PowerShell script, select Installation Endpoint.

    Note

    When you enable Installation Endpoint, the PowerShell script runs to bind the provisioned certificate to Windows services. The script runs under the machine's configured service account, which also installs the certificate into the CAPI store.

    Note

    Your PowerShell script must include a bind-certificate function that accepts certificateStore and thumbprint parameters. The function runs automatically when you provision a certificate.

    Script signing requirements

    1. Import the CyberArk code signing certificate to the Trusted Publishers certificate store.
    2. Import your code signing certificate to the Trusted Publishers certificate store.
    3. Sign your PowerShell script with both certificates.
    4. Set the execution policy to AllSigned for the service account.

    Both imports are required. Under AllSigned, a script whose signer is not in Trusted Publishers triggers an interactive "untrusted publisher" prompt, which cannot be answered in the non-interactive WinRM session the connector uses, so the script fails to run.

    CyberArk code signing certificate

    Certificate Manager - SaaS uses PowerShell scripts over WinRM to provision certificates. These scripts are signed with a DigiCert code signing certificate issued to CyberArk Software Ltd. You must import this certificate into the Trusted Publishers store of the machine (LocalMachine) CAPI store.

    Typically, your Active Directory administrators manage and distribute trusted publisher certificates through Group Policy.

    After you import it, confirm that the Subject and Issuer match the certificate shown here and note its NotAfter date: code signing certificates have a limited validity period, so plan to import the successor certificate before this one expires.

    The certificate is available in PEM format:

    -----BEGIN CERTIFICATE-----
    MIIHeTCCBWGgAwIBAgIQD5K9ewtirvrfYeVIO+QHIDANBgkqhkiG9w0BAQsFADBp
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
    OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
    IDIwMjEgQ0ExMB4XDTI1MTAyMDAwMDAwMFoXDTI2MTAxOTIzNTk1OVowgYAxCzAJ
    BgNVBAYTAklMMRQwEgYDVQQHEwtQZXRhaCBUaWt2YTEfMB0GA1UEChMWQ3liZXJB
    cmsgU29mdHdhcmUgTHRkLjEZMBcGA1UECxMQRW5naW5lZXJpbmcgVmFhUzEfMB0G
    A1UEAxMWQ3liZXJBcmsgU29mdHdhcmUgTHRkLjCCAiIwDQYJKoZIhvcNAQEBBQAD
    ggIPADCCAgoCggIBAOIAHCC0hdOU4hMlqUKgg+WrOJ64nUVg1z14D2Tw2yOc0VUj
    2mdJlQ2prpuPkk7eQ/n8HJdNEDtz9a0ZsoSe6pTBStajjcuQ90vHc5PkZgUFfqmA
    DUp5HYjzafy7WQg5sDElIuLl6dGkhaGTTVN7ppBTK5b39/OQcDap4+y65jgfrNxe
    4kwcWb4+9iBEEgL6fM3l83/XKSxDlpSv9vgPUoKOIRImD2V11hSZ3dQcdigTOS5k
    qUiFYN1wJ9aJEmUldy9aV6QBs/BBxTO98RpItLcB5nelSz+3sLpEABuAZoxOz2fV
    EHdRG8BfIcfa+9xR440oyx9q55m92tjAdzIKHcje2ihEQ9ne4T7Ru8Wim/gyBCrm
    OoXN19B95WK9eh7Ry+UD+tlWaMVUaIKq34lXgKon4pazTvmOV6AoUToMsYNcbPj8
    xcp1AnKnMnKSxsQDPE/ltQOGDkbJS3Pw27SMZn424FhLq/aUb0W+rIvzE+nBal8+
    PTND2x2ioQ0IDpnXqPofZFb2Ug3vsFeoTgfeU5694/BzQijsI6vLbdgw+j/0T9YK
    iOleajjnyTOSxnKbMPksCShCM049+S5nrf58MRp04RIBXtOyvE5OZeDMiSQSDJs6
    GDZv8ZuIXgd5xWEgbtPZa8LmcH5BggEETDGFQvAGXNFWS6qfKOWUA66RAM/BAgMB
    AAGjggIDMIIB/zAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNV
    HQ4EFgQU9mdEHZSW9O1DrKY6HJ+xhh1sRAMwPgYDVR0gBDcwNTAzBgZngQwBBAEw
    KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA4GA1Ud
    DwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzCBtQYDVR0fBIGtMIGqMFOg
    UaBPhk1odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRD
    b2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNybDBToFGgT4ZNaHR0cDov
    L2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdS
    U0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsG
    AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0
    dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVT
    aWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAkGA1UdEwQCMAAwDQYJKoZI
    hvcNAQELBQADggIBAJsLHgoTvlHafPU8cbyLtV6+yp6a+2Ddk6ZohJVIq1syn+d6
    zr+4Bsd59Dmtdu4SVx7HGkminNhBslheXBUHy8tt/2VWKV1LJ314hziO/24Fpzmu
    msd7DzVRXSsh5Y9/xp3CWNH1327vhIEo7hawm1cE62vUW0ZHDEuF3kGzlVubGCTK
    OYZB+sBD2qMkADcHJ23/M6AYEp5Sxhyn+YcHejw9MArBde+hqI6L4e9AsNFuul+5
    Il79suYtn9BHdpM5Y4Ftm3pVzE5BBbvptFwHz0rLzOPpCQVawohVnBRilNBfxUdY
    +30Kxvcygrom0HqsH1LEbwFHwG3IU7VqOjwWCoLxOPFPj99XQ/DVPG6bvpymFtiB
    twY40mAV4mZHbYGyKMtGLSoKnjmwm+QsORD+rEs+M6qNZdz2ywqdNOrKc8/WjUaq
    TTFsjd/40KAUTDveqp9KS3OAaiqyxvRKlaFUgW6IxWRf2BzUtFi1EeJ9I3jSRi93
    XuFYnutB9ngiC6mXUh9cg1ogMH7ZzWFzWDIp+YAwIbnnj/8tof3EH0Cry3869Syi
    K6TOacAdQhB/oU+5z1KjnOjz/pkjOr7E05eO7+dioy5he54wH7bqHmYbJSrxrXcG
    2p04bRPUimKrNqaJywzTXHABzs1AOKWiNcWK6prv0pU+Myi9Z90VWLLflPlz
    -----END CERTIFICATE-----
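    The four signing steps above, carried out end to end on a target machine, as an added example that is not part of the Certificate Manager - SaaS documentation. It assumes the PEM shown above has been saved as C:\Provisioning\cyberark-codesign.cer, that the public part of your own code signing certificate is at C:\Provisioning\my-codesign.cer with its private key in Cert:\CurrentUser\My of the user who signs, that the connector script is at C:\Provisioning\bind-certificate.ps1, and that the service account is CORP\svc-certmgr; all of these names and paths are assumptions. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example; not from the Certificate Manager - SaaS documentation.
# Prepares a target machine for the PowerShell connector: imports both publisher certificates,
# signs the script, sets the execution policy for the service account, and verifies that
# AllSigned will actually run the script.
# All paths and the account name below are assumptions; adjust them to your environment.
$cyberArkCer = 'C:\Provisioning\cyberark-codesign.cer'
$myCer       = 'C:\Provisioning\my-codesign.cer'
$scriptPath  = 'C:\Provisioning\bind-certificate.ps1'
$serviceAcct = 'CORP\svc-certmgr'
$trustedPub  = 'Cert:\LocalMachine\TrustedPublisher'

# Steps 1 and 2: import both publisher certificates into the machine-wide Trusted Publishers store.
# Import-Certificate reads PEM as well as DER .cer files and returns the stored X509Certificate2.
$cyberArk = Import-Certificate -FilePath $cyberArkCer -CertStoreLocation $trustedPub
$mine     = Import-Certificate -FilePath $myCer       -CertStoreLocation $trustedPub

# Anything in Trusted Publishers runs under AllSigned without a prompt, so pin the CyberArk
# certificate to the identity shown on this page and require a valid chain before keeping it.
if ($cyberArk.Subject -notlike '*O=CyberArk Software Ltd.*' -or
    $cyberArk.Issuer  -notlike '*DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1*') {
    Remove-Item -Path "$trustedPub\$($cyberArk.Thumbprint)"
    throw "Unexpected publisher certificate: $($cyberArk.Subject) issued by $($cyberArk.Issuer)"
}
# Verify() builds the chain and checks revocation against the CRL/OCSP URLs in the certificate,
# so this needs outbound access to DigiCert; it fails closed on an isolated machine.
if (-not $cyberArk.Verify()) { throw 'CyberArk code signing certificate does not chain to a trusted root' }
if ($cyberArk.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "CyberArk code signing certificate expires $($cyberArk.NotAfter); import its successor before then"
}

# Step 3: sign the script with your own certificate. SHA-256 is the hash to use for new signatures,
# and a timestamp keeps the signature valid after the signing certificate itself expires.
$signer = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Where-Object Thumbprint -eq $mine.Thumbprint
if (-not $signer -or -not $signer.HasPrivateKey) {
    throw 'Code signing certificate with private key not found in Cert:\CurrentUser\My'
}
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signer -HashAlgorithm SHA256 `
           -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Step 4: AllSigned for the service account only. The CurrentUser scope lives in that account's
# own registry hive, so the cmdlet has to run as the account; this prompts for its credential.
$cred = Get-Credential -UserName $serviceAcct -Message 'Connector service account'
Start-Process -FilePath powershell.exe -Credential $cred -LoadUserProfile -Wait -ArgumentList @(
    '-NoProfile', '-NonInteractive', '-Command',
    'Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force'
)

# Verify what AllSigned will see: the signature must be Valid and the signer must be in
# Trusted Publishers. Otherwise PowerShell refuses the script or tries to prompt for trust,
# and a prompt cannot be answered in the connector's non-interactive WinRM session.
$check   = Get-AuthenticodeSignature -FilePath $scriptPath
$trusted = Get-ChildItem -Path $trustedPub | Where-Object Thumbprint -eq $check.SignerCertificate.Thumbprint
if ($check.Status -ne 'Valid' -or -not $trusted) {
    throw "Script will not run under AllSigned: $($check.StatusMessage)"
}
# To confirm the effective policy, run Get-ExecutionPolicy -List as the service account;
# it lists every scope, and the CurrentUser entry should read AllSigned.
```

    Re-sign the script every time you change it: Authenticode hashes the whole file, so any edit after signing, including a changed line ending, turns the status from Valid to HashMismatch and AllSigned refuses to run it.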
    

    Warning

    You're responsible for securing your PowerShell script. Use a dedicated service account with the minimum required permissions. Don't use an admin or shared account. Script signing guarantees that the script has not been modified since it was signed; it doesn't make the script's logic safe, and it offers no protection if the signing key or the machine that edits the script is compromised.

    Example

    <#
    .SYNOPSIS
        bind-certificate
    .DESCRIPTION
        Consumes a certificate from the CAPI store to bind the certificate to a Windows service
    .PARAMETER certificateStore
        The Windows certificate store location where the certificate is stored
    .PARAMETER thumbprint
        The SHA-1 thumbprint of the certificate (the hash of the whole certificate, not of its public key)
    .NOTES
        Successful script execution returns exit code 0. If the script fails, it returns a non-zero exit code,
        and Certificate Manager - SaaS displays the error message in the UI.
    #>
    function bind-certificate( [string]$certificateStore, [string]$thumbprint )
    {
        # Locate the provisioned certificate in $certificateStore by $thumbprint and bind it to
        # the service here. On any failure, write the error and return a non-zero exit code.
        return "Success"
    }
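    A complete bind-certificate script, as an added example that is not the page's own script: it rebinds an HTTP.sys HTTPS listener (IIS, a WinRM HTTPS listener, or any service that listens through HTTP.sys) to the newly provisioned certificate, verifies the result, and restores the previous binding if the change fails. It assumes, because the page does not say, that certificateStore arrives as a Cert: drive path such as LocalMachine\My (the CAPI store chosen in step 6), that the listener is 0.0.0.0:443, and that the appid GUID is the one registered for your application; the helper names Get-BoundThumbprint and Fail are this example's own. The account that runs the connector needs the right to change HTTP.sys bindings on this machine.

```powershell
<#
Added example, not the page's own script. Binds the certificate that Certificate Manager - SaaS
just installed to an HTTP.sys HTTPS listener, with pre-checks, verification and rollback.
Assumed (not from the page): certificateStore is a Cert: path such as "LocalMachine\My",
the listener is 0.0.0.0:443, and the appid GUID belongs to your application.
#>
$listenerIpPort = '0.0.0.0:443'                             # assumed listener
$listenerAppId  = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'  # assumed application GUID

# Reads the thumbprint currently bound to the listener from netsh output; $null if nothing is bound
function Get-BoundThumbprint([string]$ipPort)
{
    $line = netsh http show sslcert "ipport=$ipPort" |
            Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value.ToUpperInvariant() }
    return $null
}

# Writes the message so Certificate Manager - SaaS can show it in the UI, then exits non-zero
# as the .NOTES on this page require for a failed run
function Fail([string]$message)
{
    Write-Error $message
    exit 1
}

function bind-certificate( [string]$certificateStore, [string]$thumbprint )
{
    # Thumbprints may be pasted with spaces or colons; the Cert: provider stores bare upper-case hex
    $thumbprint = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    # netsh wants the store name only ("MY", "WebHosting"), not the LocalMachine\ prefix
    $storeName  = Split-Path -Path $certificateStore -Leaf

    # Confirm the certificate the connector installed is really usable before touching the listener
    $cert = Get-ChildItem -Path "Cert:\$certificateStore" |
            Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
    if (-not $cert)                    { Fail "Certificate $thumbprint not found in $certificateStore" }
    if (-not $cert.HasPrivateKey)      { Fail "Certificate $thumbprint has no private key; a service cannot use it" }
    if ($cert.NotAfter -lt (Get-Date)) { Fail "Certificate $thumbprint expired on $($cert.NotAfter)" }

    $previous = Get-BoundThumbprint $listenerIpPort
    if ($previous -eq $thumbprint) { return "Success" }     # already bound; re-running is harmless

    # HTTP.sys allows one binding per ip:port: remove the old one, add the new one, restore on failure
    if ($previous) { netsh http delete sslcert "ipport=$listenerIpPort" | Out-Null }
    netsh http add sslcert "ipport=$listenerIpPort" "certhash=$thumbprint" "appid=$listenerAppId" "certstorename=$storeName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        if ($previous) {
            netsh http add sslcert "ipport=$listenerIpPort" "certhash=$previous" "appid=$listenerAppId" "certstorename=$storeName" | Out-Null
        }
        Fail "netsh could not bind $thumbprint to $listenerIpPort (exit code $LASTEXITCODE); previous binding restored"
    }

    # Trust what HTTP.sys reports, not just netsh's exit code
    if ((Get-BoundThumbprint $listenerIpPort) -ne $thumbprint) {
        Fail "Binding verification failed for $listenerIpPort"
    }
    return "Success"
}
```

    Because the connector installs the certificate into the CAPI store itself (see the note on Installation Endpoint above), the script never handles key material; it only needs the rights to read the certificate and change the listener binding, which is what keeps the service account's permissions minimal as the warning above asks.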
    

  10. In Script Path, enter the full path to the PowerShell script.

    Tip

    When you enable Installation Endpoint, saving triggers the connector to run the script at this path, passing the provisioned certificate's store and thumbprint to its bind-certificate function.

  11. Optional: To create the certificate without pushing it to the Windows certificate store, set Push upon saving to No.

  12. Select Save.

    Want to schedule your provisions?

    Schedule your provisions daily, weekly, or monthly. Learn more