Prerequisites: PowerShell version 5 and SSL WinRM

Use this module when there is no local certificate server in the same domain, or when there is no AD DS trust with the domain that hosts the certificate server used for certificate auto-enrollment. The module has to be run in the same domain where the certificate server is present. Import the PKIMgmt module on any member server.

Please note that the PKIMgmt module will not work without PowerShell version 5. The .inf, .req and .cer files are copied over SSL WinRM, and that feature is available in PowerShell version 5 and onwards. Adjust the global variables as per your environment. You can also use WinRM instead of SSL WinRM (you need to remove the -UseSSL switch from the module). Security is completely taken care of within this module. Port 445 is not used; only communication on ports 5985 and 5986 is required.

Note: Change the CA server name and template name according to your environment.

We will get similar output if the renewal is successful.


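You need to change the global variables below as per your environment, and you need to download the Zip file to get the complete code.

# $Global:passpass is not defined on this page; it is assumed to be set elsewhere in the complete module
$Global:securepass = ConvertTo-SecureString -AsPlainText $Global:passpass -Force
# Account for the remote session, entered in UPN format
$Global:Username = Read-Host -Prompt "Input UserID as UPN Format"
$Global:mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Global:Username,$Global:securepass
# Target server for the certificate operation
$Global:Hostname = Read-Host -Prompt 'Input Server FQDN'
# Location of the module script on the server where it is imported
$Global:PSLocation = "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PKIMgmt\PKIMgmt.ps1"
# Remote session over SSL WinRM (TCP 5986); remove -UseSSL to use plain WinRM (TCP 5985)
$Global:SecureWinRMSession = New-PSSession -ComputerName $Global:Hostname -Credential $Global:mycred -UseSSL
# CA server name: change for your environment
$Global:PKIServer = "\ContosoIssuingCA"
# Certificate template name: change for your environment
$Global:Tmpl3 = "KerberosAuthentication"

Seven cmdlets are present in the module.
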
PS C:\Output> gcm -Module PKIMgmt 
CommandType     Name                                               Version    Source 
-----------     ----                                               -------    ------ 
Function        Export-CertificateStore                            0.0        PKIMgmt 
Function        Get-Pax                                            0.0        PKIMgmt 
Function        Get-RDPSslBind                                     0.0        PKIMgmt 
Function        Import-CertificateStore                            0.0        PKIMgmt 
Function        Recover-Certificate                                0.0        PKIMgmt 
Function        Set-DCCert-Tmpl3                                   0.0        PKIMgmt 
Function        Test-SslWinRM-DCs                                  0.0        PKIMgmt 

Description:
1) Export-CertificateStore: Exports the entire C:\Local machine\My store to C:\Output in SST format.
2) Import-CertificateStore: Imports the entire C:\Local machine\My store from C:\Output\SST.
3) Get-Pax: Supporting function for credential management and the SSL WinRM session (you don't need to run it manually).
4) Get-RDPSslBind: Checks the RDP SSL bind status.
5) Set-DCCert-Tmpl3: Offline certificate renewal.
6) Test-SslWinRM-DCs: Checks the SSL WinRM status of bulk servers.
7) Recover-Certificate: Retrieves a certificate from the CA using the Request ID that you will get from C:\Cert.log.

SST : Microsoft serialized certificate store
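
The .inf / .req / .cer round trip over SSL WinRM described at the top of this page, written out as an added example (it is not the PKIMgmt module's own code). The target FQDN, the CA config string, the renew.* and submit.log file names, and the use of C:\Output on both machines are placeholders or assumptions; Get-Credential is used here so that no plaintext password is held in a variable.

```powershell
# Added example, not PKIMgmt code. Placeholders and assumed names are marked.
$Target   = 'dc01.example.test'       # constructed placeholder FQDN
$CAConfig = '<CAHost>\<CAName>'       # placeholder: CA config string for your environment
$Template = 'KerberosAuthentication'  # template name used on this page
$Dir      = 'C:\Output'               # assumed to exist on both machines

$cred = Get-Credential                # prompt; no plaintext password held in a variable
$s = New-PSSession -ComputerName $Target -Credential $cred -UseSSL   # TCP 5986
try {
    # 1. On the target: write the .inf, create the key pair and .req (private key stays there)
    Invoke-Command -Session $s -ArgumentList $Target, $Dir -ScriptBlock {
        param($Fqdn, $Dir)
        Remove-Item "$Dir\renew.inf", "$Dir\renew.req" -ErrorAction SilentlyContinue
        $inf = '[Version]', 'Signature = "$Windows NT$"', '[NewRequest]',
               "Subject = `"CN=$Fqdn`"", 'KeyLength = 2048', 'MachineKeySet = TRUE',
               'Exportable = FALSE', 'RequestType = PKCS10'
        Set-Content -Path "$Dir\renew.inf" -Value $inf -Encoding Ascii
        certreq.exe -new -q "$Dir\renew.inf" "$Dir\renew.req" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $LASTEXITCODE" }
    }
    # 2. Pull the request through the WinRM session (PowerShell 5+, no SMB / port 445)
    Copy-Item -FromSession $s -Path "$Dir\renew.req" -Destination "$Dir\renew.req" -Force

    # 3. Locally, in the CA's domain: submit the request and save the issued certificate
    Remove-Item "$Dir\renew.cer" -ErrorAction SilentlyContinue
    certreq.exe -submit -q -config $CAConfig -attrib "CertificateTemplate:$Template" `
        "$Dir\renew.req" "$Dir\renew.cer" | Tee-Object -FilePath "$Dir\submit.log"
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path "$Dir\renew.cer")) {
        throw "No certificate issued; see the request ID and status in $Dir\submit.log"
    }
    # 4. Push the issued certificate back through the same session
    Copy-Item -ToSession $s -Path "$Dir\renew.cer" -Destination "$Dir\renew.cer" -Force

    # 5. On the target: install the certificate against the pending private key
    Invoke-Command -Session $s -ArgumentList $Dir -ScriptBlock {
        param($Dir)
        certreq.exe -accept "$Dir\renew.cer" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $LASTEXITCODE" }
    }
}
finally {
    Remove-PSSession $s               # always close the remote session
}
```

Only the request and the issued certificate cross the wire; the private key is generated on the target and marked non-exportable.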

Biswajit Biswas a.k.a bshwjt
Infrastructure Engineer – Active Directory, Microsoft PKI, ADFS
Windows PowerShell
MSDN Script Gallery | Microsoft Community Contributor

Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.