【Question title】: Update certificates on Active Directory user profile (userCertificate)
【Posted】: 2019-08-17 21:49:00
【Question】:

I need to update the set of certificates stored in a user's AD account.

I have this:

$allProfileRawCerts = Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} -Property Certificates

which gives:

Certificates      : {System.Security.Cryptography.X509Certificates.X509Certificate, System.Security.Cryptography.X509Certificates.X509Certificate, 
                    System.Security.Cryptography.X509Certificates.X509Certificate}
DistinguishedName : <>
Enabled           : True
GivenName         : <>
Name              : <>
ObjectClass       : user
ObjectGUID        : <>
SamAccountName    : <>
SID               : <>
Surname           : <>
UserPrincipalName : <>

I found Powershell Set-ADUser userCertificate parameter type error, which provides an "Add" operation:

$certUser.Usercertificate | ForEach-Object{
    Set-ADUser "ME" -certificate @{Add=[System.Security.Cryptography.X509Certificates.X509Certificate]$_}
}

However, what I need is not an add but an update: remove some certificates based on a condition, then add the new one.

One way (I think) would be to delete all certificates from the user profile, build a new array and write it back, but I really do not like deleting valid data in a non-atomic operation.

Also, the problem (at least for me) is that I cannot filter on the (fairly basic) X509Certificate; I first have to convert to X509Certificate2:

$allProfileSMIMECerts = $allProfileRawCerts.Certificates |
    foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email" }

What I need is:

  1. Get the list of all certificates.
  2. Remove all of them for which $_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email" is true.
  3. Add the new certificate.

How can this be done in a clean way?

【Comments】:

  • Many items in AD and Exchange require emptying and repopulating in order to be updated. If the method you pulled does not, and does not update, then what you surmised is your option.

Tags: powershell active-directory


【Solution 1】:

Solved with the following code:

try {
    $allProfileRawCerts = (Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} -Property Certificates).Certificates
}
catch {
    Write-Log -ERROR "Can't contact Global AD directory, exiting..."
    exit 100
}

$handlesToRemove = ($allProfileRawCerts |
    foreach {New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_} |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -eq "Secure Email" }).Handle

$objectToRemove = $allProfileRawCerts | Where-Object Handle -in $handlesToRemove

# first add the new cert
Write-Log -INFO "Adding newly minted certificate to user's AD profile."
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate

try {
    $newCert.Import("$workdir\$ticket.cer")
}
catch {
    Write-Log -ERROR "Can't import new certificate from file, exiting..."
    Write-Log -ERROR "$($PSItem.ToString())"
    exit 103
}

try {
    # old certificates are removed one at a time in the loop below,
    # so this call only adds the new one
    Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} | 
        Set-ADUser -Credential $CACredential -Certificates @{Add=$newCert}
}
catch {
    Write-Log -ERROR "Can't add the new certificate to user profile, exiting..."
    Write-Log -ERROR "$($PSItem.ToString())"
    exit 104
}
Write-Log -INFO "New certificate successfully added to user's AD profile."

# now remove old certs
foreach ( $object in $objectToRemove ) { 
    Write-Log -INFO "Certificate with handle $($object.Handle) will be removed, saving to work directory."

    try {
        # Export-Certificate needs an X509Certificate2; the stored object is a plain X509Certificate
        $null = Export-Certificate -Type CERT -Cert ([System.Security.Cryptography.X509Certificates.X509Certificate2]$object) -FilePath "$workdir\$($object.Handle).cer"
    }
    catch {
        Write-Log -FATAL "Can't save certificate to be deleted, exiting!"
        exit 101
    }

    try {
        Get-ADUser -Server example.com -Filter {EmailAddress -eq $Mail} | 
            Set-ADUser -Credential $CACredential -Certificates @{Remove=$object}
    }
    catch {
        Write-Log -ERROR "Problems contacting AD for certificate removal, exiting..."
        Write-Log -ERROR "$($PSItem.ToString())"
        exit 102
    }

    Write-Log -INFO "Certificate has been saved and removed from AD profile."
}

All comments are welcome, as I am still a Powershell n00b.
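As an added example (not the poster's code), the same replace done with a single Set-ADUser call: Add and Remove go into one hashtable, so the directory receives one modify request and the user is never left without an S/MIME certificate between steps. It filters on the id-kp-emailProtection EKU OID instead of the localized "Secure Email" friendly name and matches certificates by Thumbprint rather than Handle. $Mail, $NewCertPath, $BackupDir and $CACredential are assumed parameters of this script.

```powershell
# Added example, not the poster's code. Parameters are assumptions for this script.
param(
    [Parameter(Mandatory)] [string] $Mail,          # EmailAddress of the AD user
    [Parameter(Mandatory)] [string] $NewCertPath,   # .cer file of the new S/MIME certificate
    [string] $BackupDir = $PWD,                     # where removed certificates are saved
    [pscredential] $CACredential                    # account allowed to write userCertificate
)

$X509 = 'System.Security.Cryptography.X509Certificates'
# id-kp-emailProtection: compare the OID, not the localized "Secure Email" friendly name
$SmimeEkuOid = '1.3.6.1.5.5.7.3.4'

$user = Get-ADUser -Server example.com -Filter "EmailAddress -eq '$Mail'" -Properties Certificates
if (-not $user) { throw "No AD user with EmailAddress '$Mail'" }

$newCert = New-Object "$X509.X509Certificate2" $NewCertPath

# The attribute holds plain X509Certificate objects; wrap them to get EKU and Thumbprint
$current  = @($user.Certificates | ForEach-Object { New-Object "$X509.X509Certificate2" $_ })
$toRemove = @($current | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $SmimeEkuOid -and
    $_.Thumbprint -ne $newCert.Thumbprint
})

$change = @{}
# Adding a value that already exists makes the modify fail, so only add when it is missing
if ($current.Thumbprint -notcontains $newCert.Thumbprint) { $change['Add'] = $newCert }
if ($toRemove.Count -gt 0) {
    # Keep a copy of every certificate that is about to leave the directory
    foreach ($c in $toRemove) {
        $null = Export-Certificate -Type CERT -Cert $c -FilePath (Join-Path $BackupDir "$($c.Thumbprint).cer")
    }
    $change['Remove'] = $toRemove
}

if ($change.Count -eq 0) { Write-Verbose 'userCertificate is already up to date'; return }

# One hashtable with both keys, one Set-ADUser call, one directory modify request
$setParams = @{ Identity = $user; Server = 'example.com'; Certificates = $change }
if ($CACredential) { $setParams['Credential'] = $CACredential }
Set-ADUser @setParams
```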

【Discussion】:
