
PKI Export .cer-files


Description

This automation playbook exports Entra ID user certificates from the Certificate Authority database to a centralized backup location. The playbook queries the CA database with certutil -view and -restrict filters and exports only certificates whose Common Name contains an '@' symbol (email-format names). It extracts the Subject Alternative Name (SAN) extension to build descriptive filenames and tracks state in a lastid.key file so that subsequent runs process only certificates with a Request ID higher than the last one exported, which makes it suitable for scheduled execution.

Credentials

  • sys_srvaapwin_pki (PKI service account credentials for CA access)

Target Hosts

  • srvaapwinpr01.gentgrp.gent.be (execution host with CA access)

Input Variables

| Variable | Description | Default Value |
|---|---|---|
| backup_folder_path | Network path where the exported .cer files are written | |
| ca_server | Certificate Authority server name (host name or FQDN) | SRVCAISSUE02 |
| ca_name | Certificate Authority name | D09-Issuing-CA2 |
| organizational_unit | Request Organization Unit value used to filter certificate requests | |
| common_name_filter | Substring the Common Name must contain for a certificate to be exported (the playbook uses '@' to select email-format names) | |
| certificate_template | Certificate template OID used to filter certificates | |

Output (Ansible facts)

| Variable | Description |
|---|---|
| pki_creds | PKI service account credentials retrieved from Passwordstate |
| pwsh_output | PowerShell script execution results, including export statistics |

Process Flow

  1. Retrieve PKI Credentials: Gets service account credentials from Passwordstate for CA access
  2. Initialize Export Environment: Creates the output directory and determines the CA configuration (ca_server\ca_name)
  3. Incremental Processing: Checks for a lastid.key file to determine the last processed Request ID
  4. Database Query: Uses certutil -view with -restrict filters for:
     • Request Disposition = 20 (Issued)
     • Certificate Template = specified OID
     • Request Organization Unit = EntraID
     • Request ID > last processed ID (incremental mode only)
  5. Certificate Filtering: Keeps only certificates with '@' in the Common Name (email format)
  6. SAN Extraction: Reads the Subject Alternative Name extension to get the DNS names (computer identifiers)
  7. Certificate Export: Exports each certificate with a descriptive filename that includes the SAN data
  8. State Management: Updates lastid.key with the highest processed Request ID
  9. Cleanup: Removes temporary files and reports export statistics
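The following PowerShell script is an added example of the query, filter, SAN-extraction, export and state-update steps described above; it is not the playbook's own script. The CA name, the Request Organization Unit value and disposition 20 come from this page; the backup path, the template OID, the filename pattern (RequestID_CommonName_DNSnames.cer) and the parameter names are assumptions. It must run on a host that has certutil and Read access to the CA.

```powershell
# Added example, not the playbook's own script: incremental export of issued
# certificates whose Common Name contains '@', with SAN DNS names in the file
# name and a lastid.key high-water mark. CA config, OU value and disposition
# follow the page; backup path, template OID and file-name pattern are assumed.
param(
    [string]$CaConfig           = 'SRVCAISSUE02\D09-Issuing-CA2',            # ca_server\ca_name
    [string]$BackupFolder       = '\\backup-host\pki-export',                # assumed UNC path
    [string]$OrganizationalUnit = 'EntraID',
    [string]$TemplateOid        = '1.3.6.1.4.1.311.21.8.0.0.0.0.0.0.0.0',    # placeholder OID
    [string]$CommonNameFilter   = '@'
)

$invalid   = '[\\/:*?"<>|]'                     # characters not allowed in file names
$stateFile = Join-Path $BackupFolder 'lastid.key'
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

# Incremental mode: only rows with a RequestID above the last exported one.
# A missing state file means first run (full export).
$lastId = 0
if (Test-Path $stateFile) { $lastId = [int](Get-Content -Path $stateFile -TotalCount 1) }

# Disposition 20 = Issued. Request.OrgUnit is the "Request Organization Unit"
# column. The restriction is evaluated by the CA, so only matching rows are
# returned; CSV columns are addressed by position, not by header text.
$restrict = "Disposition=20,CertificateTemplate=$TemplateOid," +
            "Request.OrgUnit=$OrganizationalUnit,RequestID>$lastId"
$csv = certutil -config $CaConfig -view -restrict $restrict -out 'RequestID,CommonName' csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit code $LASTEXITCODE): $($csv -join ' ')" }

$rows = @($csv | Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestID, CommonName |
          Where-Object { $_.RequestID -match '^\d+$' -and $_.CommonName -like "*$CommonNameFilter*" } |
          Sort-Object { [int]$_.RequestID })

$exported = 0; $maxId = $lastId; $stopped = $false
foreach ($row in $rows) {
    $id = [int]$row.RequestID
    # RawCertificate is returned as a text dump that contains a PEM block.
    $dump = certutil -config $CaConfig -view -restrict "RequestID=$id" -out RawCertificate
    $m = [regex]::Match(($dump -join "`n"),
         '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----')
    if ($LASTEXITCODE -ne 0 -or -not $m.Success) {
        # Stop rather than skip: lastid.key must not advance past an unexported
        # RequestID, otherwise the next incremental run would silently miss it.
        Write-Warning "RequestID ${id}: export failed, stopping before updating lastid.key"
        $stopped = $true; break
    }
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    # SAN extension (OID 2.5.29.17). Format($false) renders it as text, e.g.
    # "DNS Name=host.example, Other Name:Principal Name=user@example".
    $san      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\r\n]+)') |
                      ForEach-Object { $_.Groups[1].Value.Trim() })
    }

    # Assumed file-name pattern: <RequestID>_<CommonName>_<DNS names>.cer
    $cnPart  = $row.CommonName -replace $invalid, '_'
    $sanPart = if ($dnsNames.Count) { ($dnsNames -join '+') -replace $invalid, '_' } else { 'nosan' }
    $file    = Join-Path $BackupFolder ('{0}_{1}_{2}.cer' -f $id, $cnPart, $sanPart)

    # Export('Cert') writes the DER-encoded public certificate only; nothing
    # retrieved from the CA database here contains a private key.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($file, $bytes)
    $exported++
    if ($id -gt $maxId) { $maxId = $id }
}

# Persist the high-water mark of what was actually written to disk.
if ($maxId -gt $lastId) { Set-Content -Path $stateFile -Value $maxId }

# Statistics for the pwsh_output fact.
[pscustomobject]@{
    LastIdBefore = $lastId
    Found        = $rows.Count
    Exported     = $exported
    LastIdAfter  = $maxId
    Stopped      = $stopped
}
```

The script stops at the first failed export instead of skipping it, so lastid.key only ever advances to a Request ID that has actually been written; a skipped-and-advanced ID would otherwise be excluded by the RequestID > lastId restriction on every later run.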

Certificate Filename Format

Incremental Export Logic

  • First Run: Exports all matching certificates and saves the highest Request ID to lastid.key
  • Subsequent Runs: Only processes certificates with a Request ID greater than the last saved ID
  • Performance: Reduces processing time for scheduled runs, since the CA only returns rows above the saved ID
  • State File: lastid.key is the only record of what has been exported; if it is deleted the next run is a full export again, and if it is set too high, certificates are silently skipped, so protect it like the exported files themselves

Security Features

  • Credential Management: The PKI service account password is retrieved from Passwordstate at run time and is not stored in the playbook or inventory
  • Service Account Execution: The export runs under the PKI service account, which needs Read permission on the CA (to query the database) and write access to the backup share; it does not need CA management rights
  • Exported Content: The .cer files contain only the public certificate; the CA database export does not include private keys
  • Network Storage: Exports directly to a secured network backup location; access to that share should be limited to the service account and the consumers of the backup
  • Audit Trail: Maintains processing logs and the lastid.key state file

Monitoring & Troubleshooting

The playbook provides comprehensive output including:

  • Number of certificates found and processed
  • SAN extraction results for each certificate
  • Export success/failure status
  • Incremental processing statistics
  • File system feedback

Scheduling Considerations

This playbook is optimized for scheduled execution:

  • Daily: Recommended for regular certificate backup
  • Hourly: Possible thanks to incremental processing
  • State Persistence: lastid.key ensures no duplicate processing
  • Error Recovery: Graceful handling of temporary failures

Dependencies

  • Windows PowerShell: Target host must support PowerShell execution
  • CertUtil: Certificate Services utilities must be available
  • Network Access: Connectivity to CA server and backup storage location
  • Passwordstate: Integration for secure credential management

Performance Metrics

  • Initial Run: Processes all historical certificates (may take several minutes)
  • Incremental Runs: Typically processes only new certificates (seconds to minutes)
  • Memory Efficiency: Processes certificates individually to minimize memory usage
  • Network Optimization: Direct export to network storage reduces transfer overhead