Active Directory Publish Certificate #81

Open
jeffotterpohl opened this issue Mar 27, 2019 · 2 comments
Labels
help wanted The issue is up for grabs for anyone in the community. resource proposal The issue is proposing a new resource in the resource module.

Comments

@jeffotterpohl

ISSUE TITLE:
PublishCert: Add the ability to publish Certificates to the CA or SubCA Containers

ISSUE DESCRIPTION (this template):
Add the ability to publish certificates to Active Directory (AD) RootCA or SubCA containers.

Description

This resource can be used to publish certificates to Active Directory (AD). This uses the thumbprint of the specified certificate to compare items currently in Active Directory to ensure the same certificate is not published multiple times in Active Directory.

Proposed properties

[String] CertificateFullPath (Key): Specifies the full path of the certificate to be published.
[String] Ensure (Write): Ensures that the certificate is Present or Absent. Default setting is Present
[String] PublishLocation (Write): Specifies the Certificate Authority location where to publish the certificate. Required parameters are RootCA or SubCA.
[String] Thumbprint (Read): Specifies the thumbprint associated to the certificate being added or removed.

Special considerations or limitations

Currently this only publishes certificates to the RootCA and SubCA (CN=Certification Authorities and CN=AIA containers). All certificates published to the Certification Authorities container are also published to the AIA container. On the Absent setting the certificate can only be removed from one container at a time, even if the certificate is in both areas.

@PlagueHO PlagueHO added the resource proposal The issue is proposing a new resource in the resource module. label Mar 28, 2019
@PlagueHO
Member

This looks like a great addition. Thanks @jeffotterpohl

I wonder if we can come up with a name for the resource that is clearer around the purpose: e.g. AdcsPublishCertificateInActiveDirectory?

Is the path of the certificate expected to be a file path or a path in one of the local machine stores (using a user store is probably not a good idea)?

What cmdlets are you using to do the publishing? Or are you using [adsi]? Or certutil? Certutil should be able to publish to other containers (not just RootCA and SubCA).

Also, how would you publish or remove the same certificate from multiple containers if the CertificateFullPath is the same? It seems the key would prevent this? I'm wondering if it wouldn't make sense for both CertificateFullPath and PublishLocation to be keys.

Minor nitpick: the PublishLocation parameter name isn't clear that this is a container - it might be clearer if this was named something like "Container" or "PublishContainer"?

@jeffotterpohl
Author

Thanks for the review.

  1. I see what you are saying with the name; yeah, we could change it to contain ActiveDirectory.

  2. CertificateFullPath is a file path to the certificate that is to be imported to Active Directory.

  3. Certutil is being used to publish the object. In the Test-TargetResource we are using the .NET Searcher method to find the object (ResourceHelper function) in Active Directory. Right now I can't remember the exact issue I had with publishing to other Active Directory containers, but I know it had to do with the Searcher method.

  4. Agreed, adding the additional key value would allow the same CertificateFullPath and PublishLocation to remove the certificate from both Active Directory locations.

  5. I see your point on the name; it would be no problem changing it to PublishContainer.
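
An added PowerShell sketch of the two mechanisms discussed in the proposal and the reply above (a thumbprint comparison against the AD container via a .NET DirectorySearcher, and publishing with certutil only when the certificate is missing). This is illustrative code, not the resource's own; it assumes the standard CN=Public Key Services layout under the Configuration partition, a domain-joined host with read access to that partition, and the function names Get-PkiContainerPath, Test-CertificatePublished and Publish-CertificateToActiveDirectory are hypothetical.

```powershell
Set-StrictMode -Version Latest

function Get-PkiContainerPath {
    param ([Parameter(Mandatory)][ValidateSet('RootCA','SubCA')][string] $PublishContainer)
    # Forest Configuration naming context, e.g. CN=Configuration,DC=contoso,DC=com
    $rootDse  = [adsi] 'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext
    # RootCA objects live under Certification Authorities; SubCA objects under AIA
    $cn = if ($PublishContainer -eq 'RootCA') { 'Certification Authorities' } else { 'AIA' }
    return "LDAP://CN=$cn,CN=Public Key Services,CN=Services,$configNC"
}

function Test-CertificatePublished {
    param (
        [Parameter(Mandatory)][string] $CertificateFullPath,
        [Parameter(Mandatory)][ValidateSet('RootCA','SubCA')][string] $PublishContainer
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificateFullPath
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi] (Get-PkiContainerPath -PublishContainer $PublishContainer)
    $searcher.Filter      = '(objectClass=certificationAuthority)'
    $searcher.SearchScope = 'OneLevel'
    [void] $searcher.PropertiesToLoad.Add('cACertificate')
    foreach ($result in $searcher.FindAll()) {
        # cACertificate is multi-valued: one DER blob per published certificate
        foreach ($der in $result.Properties['cacertificate']) {
            $published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]] $der)
            # Compare by thumbprint so the same certificate is never published twice
            if ($published.Thumbprint -eq $cert.Thumbprint) { return $true }
        }
    }
    return $false
}

function Publish-CertificateToActiveDirectory {
    param (
        [Parameter(Mandatory)][string] $CertificateFullPath,
        [Parameter(Mandatory)][ValidateSet('RootCA','SubCA')][string] $PublishContainer
    )
    if (Test-CertificatePublished @PSBoundParameters) {
        Write-Verbose "Certificate already present in the $PublishContainer container; nothing to do."
        return
    }
    # certutil -dspublish -f <file> RootCA|SubCA is the publishing step named in the thread
    & certutil.exe -dspublish -f $CertificateFullPath $PublishContainer
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
}
```

Note that RootCA publishing writes to both the Certification Authorities and AIA containers, so a Test for RootCA that only inspects the first container will still report Present after a removal from AIA alone.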

@PlagueHO PlagueHO added the help wanted The issue is up for grabs for anyone in the community. label Jul 4, 2019
@SteveL-MSFT SteveL-MSFT removed this from Backlog in powershell/dscresources Nov 27, 2019