Beginning with version 5, PowerShell supports the IETF standard Cryptographic Message Syntax (CMS) to encrypt data or log entries. It requires a certificate that has been issued specifically for this purpose. If you want to request the certificate from a Windows CA, you must first set up a template for it.

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Microsoft's documentation, for example for Protect-CmsMessage, always describes the procedure of issuing a self-signed certificate for document encryption with certreq.exe. You put the request data into an .inf file according to the following pattern:

To request the certificate, use the command:

The certificate is automatically copied to the local certificate store of the logged-on user. If needed, you can export it and transfer it via GPO to the computers on which you want to encrypt data.
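The self-signed route described above, as an added example that is not part of the original article: a PowerShell script writes a request .inf following the pattern in the Protect-CmsMessage documentation (2048-bit exchange key, Document Encryption EKU 1.3.6.1.4.1.311.80.1, key and data encipherment), issues the certificate with certreq.exe, locates it in the Current User store by its EKU rather than by subject alone, and round-trips a log entry through Protect-CmsMessage and Unprotect-CmsMessage. The subject name, file names, validity period and working directory are assumptions; substitute your own.

```powershell
# Added example, not the article's or Microsoft's code. Requires PowerShell 5+ and certreq.exe.
$ErrorActionPreference = 'Stop'
$Subject = 'CN=cms-demo@example.com'          # assumption: choose your own subject
$WorkDir = Join-Path $env:TEMP 'cms-demo'      # assumption: scratch directory
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'DocumentEncryption.inf'
$CerPath = Join-Path $WorkDir 'DocumentEncryption.cer'

# Request file. Single-quoted here-string so "$Windows NT$" is not interpolated;
# the subject placeholder is substituted afterwards. Validity of 5 years is an assumption.
$inf = @'
[Version]
Signature = "$Windows NT$"

[Strings]
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

[NewRequest]
Subject = "__SUBJECT__"
MachineKeySet = false
KeyLength = 2048
KeySpec = AT_KEYEXCHANGE
HashAlgorithm = Sha256
Exportable = true
RequestType = Cert
KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ValidityPeriod = "Years"
ValidityPeriodUnits = "5"

[Extensions]
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"
'@ -replace '__SUBJECT__', $Subject
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# RequestType = Cert makes certreq create a self-signed certificate directly
# and place it in the current user's Personal store.
& certreq.exe -new $InfPath $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

# Select by the Document Encryption EKU so an unrelated certificate with the
# same CN is not picked up; take the newest if several exist.
$cert = Get-ChildItem Cert:\CurrentUser\My -DocumentEncryptionCert |
        Where-Object Subject -eq $Subject |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No document-encryption certificate found for $Subject" }
"Using $($cert.Subject), thumbprint $($cert.Thumbprint)"

# Round trip: -To accepts the certificate object (a thumbprint or .cer path also works);
# Unprotect-CmsMessage finds the matching private key in the store automatically.
$plain = 'constructed sample log entry: service account password rotated'
$cms   = Protect-CmsMessage -To $cert -Content $plain
Set-Content -Path (Join-Path $WorkDir 'entry.cms') -Value $cms
$back  = Unprotect-CmsMessage -Content $cms
if ($back -ne $plain) { throw 'CMS round trip failed' }
'CMS round trip OK'
```

The .cer file written by certreq contains only the public certificate, which is what you distribute to machines that should encrypt; the private key stays in the requesting user's store unless you deliberately export it as a PFX.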

Creating a template for enterprise CA

If you prefer a certificate issued by an internal Windows CA instead of a self-signed certificate, the required template is missing by default. If you want to create one, you can follow the settings of the above .inf file.

First, open the Certificate Templates Console, certtmpl.msc, and duplicate a suitable existing template. In our example, we will use the template User.

Duplicate an existing template as a basis for the new template for document encryption


Then assign the name for the new template under the General tab and determine the template's period of validity.

Change the purpose of the certificate template to Encryption.


Next, change the purpose on the Request Handling tab to Encryption. Here, you can also allow the private key to be exported if certificates for document encryption are needed on several computers to decrypt documents.

As with the .inf file shown above, the key length should be at least 2048 bits; the corresponding setting is found on the Cryptography tab.

Configure the necessary settings on the Extensions tab. Here, we edit the Application Policies and remove all existing entries. Instead, we add Document Encryption.

By default, the key usage of the new template is key encipherment, corresponding to CERT_KEY_ENCIPHERMENT_KEY_USAGE in the .inf file, which is sufficient for the task described here. If you also want CERT_DATA_ENCIPHERMENT_KEY_USAGE, edit the Key Usage entry and select the Allow encryption of user data option in the next dialog box.

Enable encryption of user data when using keys


Finally, use the Security tab to make sure all users who will request a certificate based on this template have the Enroll permission.

Requesting a certificate

Now you can request your certificate using certmgr.msc. If you can't find your new template in the list or it has a status of Unavailable in the extended view, then try this troubleshooting tip.

Under Details, enter the subject name in the format specified in the template. Under Private key > Key options, make sure the key is exportable if you require it.

Request a certificate based on the new template


After you click Enroll, the new certificate should appear in the store of the Current User.
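A scripted counterpart to the certmgr.msc request above, as an added example that is not part of the original article: the PKI module's Get-Certificate cmdlet enrolls from the enterprise CA by template name, and a check function then confirms that the issued certificate carries what the template was configured with (Document Encryption EKU, key encipherment and optionally data encipherment, at least a 2048-bit key, a usable and, where required, exportable private key). The template name 'DocumentEncryption' and the requirement that data encipherment be present are assumptions; adjust them to your template.

```powershell
# Added example, not the article's code. Requires the PKI module (Windows 8 / Server 2012 or later)
# and a domain-joined client that can reach the enterprise CA.
$ErrorActionPreference = 'Stop'
$TemplateName      = 'DocumentEncryption'   # assumption: the name given on the General tab
$RequireDataEnciph = $false                 # assumption: set $true if you enabled "Allow encryption of user data"
$RequireExportable = $true                  # assumption: set $false if the key must stay non-exportable

$result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\CurrentUser\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment status is '$($result.Status)'; check the Enroll permission and that the CA publishes the template"
}
$cert = $result.Certificate

function Test-DocumentEncryptionCert {
    # Reads the X.509 extensions and returns one object with the properties a reviewer wants to see.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $docEncOid = '1.3.6.1.4.1.311.80.1'
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    [pscustomobject]@{
        Thumbprint        = $Cert.Thumbprint
        Subject           = $Cert.Subject
        HasDocumentEncEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $docEncOid))
        KeyEncipherment   = [bool]($ku -and (($ku.KeyUsages -band $flags::KeyEncipherment) -ne 0))
        DataEncipherment  = [bool]($ku -and (($ku.KeyUsages -band $flags::DataEncipherment) -ne 0))
        KeyLengthBits     = if ($rsa) { $rsa.KeySize } else { 0 }
        HasPrivateKey     = $Cert.HasPrivateKey
    }
}

$check = Test-DocumentEncryptionCert -Cert $cert
$check | Format-List

$problems = @()
if (-not $check.HasDocumentEncEku) { $problems += 'Application Policies lack Document Encryption' }
if (-not $check.KeyEncipherment)   { $problems += 'Key Usage lacks key encipherment' }
if ($RequireDataEnciph -and -not $check.DataEncipherment) { $problems += 'Key Usage lacks data encipherment' }
if ($check.KeyLengthBits -lt 2048) { $problems += "Key length $($check.KeyLengthBits) is below 2048 bits" }
if (-not $check.HasPrivateKey)     { $problems += 'No private key in the store; Unprotect-CmsMessage will fail' }

if ($RequireExportable) {
    # Exporting to PFX throws when the key was issued as non-exportable; the file is removed again.
    $pfx = Join-Path $env:TEMP ("probe-{0}.pfx" -f $cert.Thumbprint)
    $pwd = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
    try     { Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pwd | Out-Null }
    catch   { $problems += 'Private key is not exportable; enable it on Request Handling or in Key options' }
    finally { Remove-Item -Path $pfx -ErrorAction SilentlyContinue }
}

if ($problems) { throw ("Certificate does not match the template requirements:`n - " + ($problems -join "`n - ")) }
"Certificate $($check.Thumbprint) matches the template requirements"
```

A status of Pending instead of Issued usually means the template requires CA manager approval; the request can be completed later with Get-Certificate -Request on the pending object once it has been approved.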


© 4sysops 2006 - 2019
