KB10113 - PS: Export ADDS User Certificate

Function

These two one-liners export a user's certificate from the userCertificate attribute in AD DS to a file on the local disk. They do almost no error handling, but they work.

To use them, paste one line into a PowerShell window running under an account that can read the directory. The "script" then prompts for the mail address of the user whose certificate you want and for the folder the certificate should be stored in.

It then queries AD DS for an object with that mail address and writes the certificate to a file named <mailaddress>.cer (the '@' sign is replaced with '_'). Caveat: userCertificate is a multi-valued attribute. If the user has more than one certificate stored (an old and a renewed one, for example), every value is appended to the same .cer file, and most tools will only read the first certificate in it.

The second line additionally asks for credentials and for a domain controller to connect to. Use it when you have to query a DC in another domain. Appending ':3268' to the server name sends the query to the Global Catalog port instead of the domain's own LDAP port; a GC only returns attributes that are replicated to it, so if the query finds the object but no certificate, query a DC of the user's own domain without the port suffix.

Requirements

Tested on Win7, WinSrv2008R2, WinSrv2012R2 and Win10.

You will need the Active Directory PowerShell module (part of RSAT on clients, a server feature on Windows Server) installed. The one-liners use Add-Content -Encoding Byte, which exists in Windows PowerShell only; PowerShell 7 removed that value and uses -AsByteStream instead.


Script code:

#Search in current Active Directory (one line; paste into a Windows PowerShell window)
#Note: every value of the multi-valued userCertificate attribute is appended to the same .cer file
Write-Host -ForegroundColor Green "AD User Certificate exporter..."; $mail = Read-Host "Please enter the SMTP address you are looking for"; $mailsearchstring = "mail -eq '{0}'" -f $mail; $path = Read-Host "Enter the pathname where the certificate should be stored"; $filename = Join-Path -Path $path -ChildPath (($mail.Replace("@", "_")) + ".cer"); if (Test-Path -Path $filename) { Remove-Item $filename -Force }; Get-ADObject -Filter $mailsearchstring -Properties userCertificate | Select-Object -ExpandProperty userCertificate | ForEach-Object { Add-Content -Value $_ -Encoding Byte -Path $filename }

#Search in remote Active Directory with specified credentials (one line; append ':3268' to the server name for a Global Catalog search)
Write-Host -ForegroundColor Green "AD User Certificate exporter..."; $cred = Get-Credential; $addsserver = Read-Host "Enter the domain controller name (append ':3268' for a GC search)"; $mail = Read-Host "Please enter the SMTP address you are looking for"; $mailsearchstring = "mail -eq '{0}'" -f $mail; $path = Read-Host "Enter the pathname where the certificate should be stored"; $filename = Join-Path -Path $path -ChildPath (($mail.Replace("@", "_")) + ".cer"); if (Test-Path -Path $filename) { Remove-Item $filename -Force }; Get-ADObject -Filter $mailsearchstring -Properties userCertificate -Credential $cred -Server $addsserver | Select-Object -ExpandProperty userCertificate | ForEach-Object { Add-Content -Value $_ -Encoding Byte -Path $filename }
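As an added example that is not part of the original KB article, the following function does the same job as the two one-liners above (local query, or remote/GC query via -Server and -Credential) but with the checks they skip: it escapes the address before building the LDAP filter, parses each userCertificate value as an X.509 certificate instead of dumping raw bytes, writes one DER file per certificate rather than appending all values to a single .cer, skips expired certificates unless asked otherwise, warns when the certificate's e-mail does not match the requested address, and writes the file with [System.IO.File]::WriteAllBytes so it runs unchanged on Windows PowerShell and PowerShell 7. The function name, parameter names and file-naming scheme (address plus thumbprint) are this example's own; it assumes the Active Directory module and Windows PowerShell 3.0 or later.

```powershell
# Added example, not the KB article's own code. Assumes the ActiveDirectory module
# and Windows PowerShell 3.0+; names and the file-naming scheme are this example's choice.
function Export-AdUserCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Mail,
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $Server,                                     # e.g. 'dc01.example.com' or 'gc01.example.com:3268' (hypothetical names)
        [System.Management.Automation.PSCredential] $Credential,
        [switch] $IncludeExpired
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Escape RFC 4515 metacharacters so a crafted address cannot change the filter.
    # Backslash must be escaped first, otherwise the other escapes get re-escaped.
    $escaped = $Mail -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $query = @{ LDAPFilter = "(mail=$escaped)"; Properties = 'userCertificate', 'mail' }
    if ($Server)     { $query.Server = $Server }
    if ($Credential) { $query.Credential = $Credential }

    $objects = @(Get-ADObject @query)
    if ($objects.Count -eq 0) { throw "No object with mail '$Mail' found." }
    if ($objects.Count -gt 1) { Write-Warning "$($objects.Count) objects match '$Mail'; exporting certificates from all of them." }

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    foreach ($obj in $objects) {
        # userCertificate is multi-valued; an empty collection means nothing is published
        # (or, on a GC query, the attribute was not replicated to the Global Catalog).
        if (-not $obj.userCertificate -or $obj.userCertificate.Count -eq 0) {
            Write-Warning "$($obj.DistinguishedName) has no userCertificate value."
            continue
        }
        foreach ($raw in $obj.userCertificate) {
            # Parse rather than blindly dump: malformed values are reported, not written.
            try {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            } catch {
                Write-Warning "Skipping an unparsable value on $($obj.DistinguishedName): $_"
                continue
            }
            if (-not $IncludeExpired -and $cert.NotAfter -lt (Get-Date)) {
                Write-Verbose "Skipping expired certificate $($cert.Thumbprint) (NotAfter $($cert.NotAfter))"
                continue
            }
            # Sanity check: the certificate's e-mail (SAN or Subject) should be the address we searched for.
            $certMail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
            if ($certMail -and $certMail -ne $Mail) {
                Write-Warning "Certificate $($cert.Thumbprint) names '$certMail', not '$Mail'."
            }
            # One DER file per certificate, named <address with '@' replaced>_<thumbprint>.cer.
            $file = Join-Path -Path $Path -ChildPath ("{0}_{1}.cer" -f ($Mail -replace '@', '_'), $cert.Thumbprint)
            [System.IO.File]::WriteAllBytes($file, $cert.RawData)
            [pscustomobject]@{
                Mail       = $Mail
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                File       = $file
            }
        }
    }
}

# Usage (hypothetical address, path and server names):
# Export-AdUserCertificate -Mail 'alice@example.com' -Path 'C:\certs'
# Export-AdUserCertificate -Mail 'alice@example.com' -Path 'C:\certs' -Server 'gc01.example.com:3268' -Credential (Get-Credential) -Verbose
```

The function returns one object per exported certificate (subject, expiry, thumbprint, file), so the result can be piped to Format-Table or Export-Csv to document what was pulled from the directory; run with -Verbose to see which expired certificates were skipped.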