# AlternativeNameType: subject-alternative-name entry kinds, keyed by the native constant name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa374830.aspx
# (4 and 6 have no entry in this table.)
$AlternativeNameType = @{
    XCN_CERT_ALT_NAME_UNKNOWN              = 0
    XCN_CERT_ALT_NAME_OTHER_NAME           = 1
    XCN_CERT_ALT_NAME_RFC822_NAME          = 2
    XCN_CERT_ALT_NAME_DNS_NAME             = 3
    XCN_CERT_ALT_NAME_DIRECTORY_NAME       = 5
    XCN_CERT_ALT_NAME_URL                  = 7
    XCN_CERT_ALT_NAME_IP_ADDRESS           = 8
    XCN_CERT_ALT_NAME_REGISTERED_ID        = 9
    XCN_CERT_ALT_NAME_GUID                 = 10
    XCN_CERT_ALT_NAME_USER_PRINCIPLE_NAME  = 11
}
# AlgorithmType: BCrypt algorithm interface identifiers, keyed by the native constant name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa374827.aspx
# Listed in ascending value order; the table is a plain hashtable, so key order carries no meaning.
$AlgorithmType = @{
    XCN_BCRYPT_UNKNOWN_INTERFACE               = 0
    XCN_BCRYPT_CIPHER_INTERFACE                = 0x1
    XCN_BCRYPT_HASH_INTERFACE                  = 0x2
    XCN_BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE = 0x3
    XCN_BCRYPT_SECRET_AGREEMENT_INTERFACE      = 0x4
    XCN_BCRYPT_SIGNATURE_INTERFACE             = 0x5
    XCN_BCRYPT_RNG_INTERFACE                   = 0x6
}
# EncodingType: string encoding formats, keyed by the native constant name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936.aspx
# NOTE: Windows PowerShell reads a 32-bit hex literal as a signed [int], so 0x80000000 evaluates
# to -2147483648. The bit pattern is unchanged, which is what matters when the value is OR'ed
# with a format value or handed to the COM API.
$EncodingType = @{
    # format values
    XCN_CRYPT_STRING_BASE64HEADER         = 0
    XCN_CRYPT_STRING_BASE64               = 0x1
    XCN_CRYPT_STRING_BINARY               = 0x2
    XCN_CRYPT_STRING_BASE64REQUESTHEADER  = 0x3
    XCN_CRYPT_STRING_HEX                  = 0x4
    XCN_CRYPT_STRING_HEXASCII             = 0x5
    XCN_CRYPT_STRING_BASE64_ANY           = 0x6
    XCN_CRYPT_STRING_ANY                  = 0x7
    XCN_CRYPT_STRING_HEX_ANY              = 0x8
    XCN_CRYPT_STRING_BASE64X509CRLHEADER  = 0x9
    XCN_CRYPT_STRING_HEXADDR              = 0xa
    XCN_CRYPT_STRING_HEXASCIIADDR         = 0xb
    XCN_CRYPT_STRING_HEXRAW               = 0xc
    # modifier bits
    XCN_CRYPT_STRING_NOCRLF               = 0x40000000
    XCN_CRYPT_STRING_NOCR                 = 0x80000000
}
# EnrollmentCAProperty: property identifiers of a certification authority, keyed by name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/ee338606.aspx
$EnrollmentCAProperty = @{
    CAPropCommonName         = 1
    CAPropDistinguishedName  = 2
    CAPropSanitizedName      = 3
    CAPropSanitizedShortName = 4
    CAPropDNSName            = 5
    CAPropCertificateTypes   = 6
    CAPropCertificate        = 7
    CAPropDescription        = 8
    CAPropWebServers         = 9
    CAPropSiteName           = 10
    CAPropSecurity           = 11
    CAPropRenewalOnly        = 12
}
# EnrollmentEnrollStatus: enrollment outcome bit values, keyed by name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa374960.aspx
$EnrollmentEnrollStatus = @{
    Enrolled                           = 0x00000001
    EnrollPended                       = 0x00000002
    EnrollUIDeferredEnrollmentRequired = 0x00000004
    EnrollError                        = 0x00000010
    EnrollUnknown                      = 0x00000020
    EnrollSkipped                      = 0x00000040
    EnrollDenied                       = 0x00000100
}
# EnrollmentTemplateProperty: property identifiers of a certificate template, keyed by name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/ee338609.aspx
$EnrollmentTemplateProperty = @{
    TemplatePropCommonName            = 1
    TemplatePropFriendlyName          = 2
    TemplatePropEKUs                  = 3
    TemplatePropCryptoProviders       = 4
    TemplatePropMajorRevision         = 5
    TemplatePropDescription           = 6
    TemplatePropKeySpec               = 7
    TemplatePropSchemaVersion         = 8
    TemplatePropMinorRevision         = 9
    TemplatePropRASignatureCount      = 10
    TemplatePropMinimumKeySize        = 11
    TemplatePropOID                   = 12
    TemplatePropSupersede             = 13
    TemplatePropRACertificatePolicies = 14
    TemplatePropRAEKUs                = 15
    TemplatePropCertificatePolicies   = 16
    TemplatePropV1ApplicationPolicy   = 17
    TemplatePropAsymmetricAlgorithm   = 18
    TemplatePropKeySecurityDescriptor = 19
    TemplatePropSymmetricAlgorithm    = 20
    TemplatePropSymmetricKeyLength    = 21
    TemplatePropHashAlgorithm         = 22
    TemplatePropEnrollmentFlags       = 23
    TemplatePropSubjectNameFlags      = 24
    TemplatePropPrivateKeyFlags       = 25
    TemplatePropGeneralFlags          = 26
    TemplatePropSecurityDescriptor    = 27
    TemplatePropExtensions            = 28
    TemplatePropValidityPeriod        = 29
    TemplatePropRenewalPeriod         = 30
}
# KeyIdentifierHashAlgorithm: hash used to derive the subject key identifier, keyed by name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379061.aspx
$KeyIdentifierHashAlgorithm = @{
    SKIHashDefault  = 0
    SKIHashSha1     = 1
    SKIHashCapiSha1 = 2
    SKIHashSha256   = 3
}
# ObjectIdGroupId: OID group identifiers plus the search/mask bits that share the enumeration.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379070.aspx
# NOTE: 0x80000000 and 0xffff0000 are read by Windows PowerShell as signed [int] values
# (-2147483648 and -65536); the bit patterns match the native constants.
$ObjectIdGroupId = @{
    # group identifiers
    XCN_CRYPT_ANY_GROUP_ID              = 0
    XCN_CRYPT_HASH_ALG_OID_GROUP_ID     = 1
    XCN_CRYPT_ENCRYPT_ALG_OID_GROUP_ID  = 2
    XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID   = 3
    XCN_CRYPT_SIGN_ALG_OID_GROUP_ID     = 4
    XCN_CRYPT_RDN_ATTR_OID_GROUP_ID     = 5
    XCN_CRYPT_EXT_OR_ATTR_OID_GROUP_ID  = 6
    XCN_CRYPT_ENHKEY_USAGE_OID_GROUP_ID = 7
    XCN_CRYPT_POLICY_OID_GROUP_ID       = 8
    XCN_CRYPT_TEMPLATE_OID_GROUP_ID     = 9
    # range markers
    XCN_CRYPT_FIRST_ALG_OID_GROUP_ID    = 1
    XCN_CRYPT_LAST_ALG_OID_GROUP_ID     = 4
    XCN_CRYPT_LAST_OID_GROUP_ID         = 9
    # flag and mask bits
    XCN_CRYPT_OID_DISABLE_SEARCH_DS_FLAG = 0x80000000
    XCN_CRYPT_KEY_LENGTH_MASK            = 0xffff0000
}
# X500NameFlags: distinguished-name string formats and the modifier bits that may be OR'ed in.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379394.aspx
$X500NameFlags = @{
    # string format (low bits)
    XCN_CERT_NAME_STR_NONE                      = 0
    XCN_CERT_SIMPLE_NAME_STR                    = 1
    XCN_CERT_OID_NAME_STR                       = 2
    XCN_CERT_X500_NAME_STR                      = 3
    XCN_CERT_XML_NAME_STR                       = 4
    # separator / quoting modifiers
    XCN_CERT_NAME_STR_SEMICOLON_FLAG            = 0x40000000
    XCN_CERT_NAME_STR_NO_PLUS_FLAG              = 0x20000000
    XCN_CERT_NAME_STR_NO_QUOTING_FLAG           = 0x10000000
    XCN_CERT_NAME_STR_CRLF_FLAG                 = 0x8000000
    XCN_CERT_NAME_STR_COMMA_FLAG                = 0x4000000
    XCN_CERT_NAME_STR_REVERSE_FLAG              = 0x2000000
    XCN_CERT_NAME_STR_FORWARD_FLAG              = 0x1000000
    # character-encoding modifiers
    XCN_CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG     = 0x10000
    XCN_CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG   = 0x20000
    XCN_CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG  = 0x40000
    XCN_CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG   = 0x80000
    XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG = 0x100000
}
# X509CertificateEnrollmentContext: whether enrollment targets the user, the machine, or the
# machine forced by an administrator. Values per
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa379399.aspx
$X509CertificateEnrollmentContext = @{
    ContextUser                     = 0x1
    ContextMachine                  = 0x2
    ContextAdministratorForceMachine = 0x3
}
# X509EnrollmentPolicyLoadOption: how LoadPolicy obtains enrollment policy (cache vs. reload).
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/ee351760.aspx
$X509EnrollmentPolicyLoadOption = @{
    LoadOptionDefault              = 0
    LoadOptionCacheOnly            = 1
    LoadOptionReload               = 2
    LoadOptionRegisterForADChanges = 4
}
# X509KeyUsageFlags: bits of the X.509 Key Usage extension, keyed by the native constant name.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379410.aspx
# OFFLINE_CRL_SIGN and CRL_SIGN deliberately share the value 0x2, as in the native header.
# DECIPHER_ONLY lives in the second byte (0x80 -shl 8 == 0x8000).
$X509KeyUsageFlags = @{
    XCN_CERT_NO_KEY_USAGE                = 0
    XCN_CERT_ENCIPHER_ONLY_KEY_USAGE     = 0x1
    XCN_CERT_OFFLINE_CRL_SIGN_KEY_USAGE  = 0x2
    XCN_CERT_CRL_SIGN_KEY_USAGE          = 0x2
    XCN_CERT_KEY_CERT_SIGN_KEY_USAGE     = 0x4
    XCN_CERT_KEY_AGREEMENT_KEY_USAGE     = 0x8
    XCN_CERT_DATA_ENCIPHERMENT_KEY_USAGE = 0x10
    XCN_CERT_KEY_ENCIPHERMENT_KEY_USAGE  = 0x20
    XCN_CERT_NON_REPUDIATION_KEY_USAGE   = 0x40
    XCN_CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80
    XCN_CERT_DECIPHER_ONLY_KEY_USAGE     = ( 0x80 -shl 8 )
}
# X509PrivateKeyExportFlags: export policy bits applied to a private key at creation.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379412.aspx
# XCN_NCRYPT_ALLOW_EXPORT_NONE is the most restrictive choice; the *_PLAINTEXT_* bits permit the
# key material to leave the provider unencrypted and are only appropriate when export is required.
$X509PrivateKeyExportFlags = @{
    XCN_NCRYPT_ALLOW_EXPORT_NONE              = 0
    XCN_NCRYPT_ALLOW_EXPORT_FLAG              = 0x1
    XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG    = 0x2
    XCN_NCRYPT_ALLOW_ARCHIVING_FLAG           = 0x4
    XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG = 0x8
}
# X509PrivateKeyUsageFlags: operations a private key may be used for.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379417.aspx
$X509PrivateKeyUsageFlags = @{
    XCN_NCRYPT_ALLOW_USAGES_NONE       = 0
    XCN_NCRYPT_ALLOW_DECRYPT_FLAG      = 0x1
    XCN_NCRYPT_ALLOW_SIGNING_FLAG      = 0x2
    XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG = 0x4
    XCN_NCRYPT_ALLOW_ALL_USAGES        = 0xffffff
}
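# X509ExtensionEnhancedKeyUsage: well-known Enhanced Key Usage OIDs, keyed by the native
# szOID_* / XCN_OID_* constant name. Values per
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa378132.aspx
# Fix: XCN_OID_NT5_CRYPTO is "1.3.6.1.4.1.311.10.3.6" (Windows System Component Verification);
# the original table repeated the OEM_WHQL_CRYPTO value "...10.3.7" for it, so any EKU extension
# built from that key would have asserted the wrong purpose.
$X509ExtensionEnhancedKeyUsage = @{
    XCN_OID_ANY_APPLICATION_POLICY     = "1.3.6.1.4.1.311.10.12.1"
    XCN_OID_AUTO_ENROLL_CTL_USAGE      = "1.3.6.1.4.1.311.20.1"
    XCN_OID_DRM                        = "1.3.6.1.4.1.311.10.5.1"
    XCN_OID_DS_EMAIL_REPLICATION       = "1.3.6.1.4.1.311.21.19"
    XCN_OID_EFS_RECOVERY               = "1.3.6.1.4.1.311.10.3.4.1"
    XCN_OID_EMBEDDED_NT_CRYPTO         = "1.3.6.1.4.1.311.10.3.8"
    XCN_OID_ENROLLMENT_AGENT           = "1.3.6.1.4.1.311.20.2.1"
    XCN_OID_IPSEC_KP_IKE_INTERMEDIATE  = "1.3.6.1.5.5.8.2.2"
    XCN_OID_KP_CA_EXCHANGE             = "1.3.6.1.4.1.311.21.5"
    XCN_OID_KP_CTL_USAGE_SIGNING       = "1.3.6.1.4.1.311.10.3.1"
    XCN_OID_KP_DOCUMENT_SIGNING        = "1.3.6.1.4.1.311.10.3.12"
    XCN_OID_KP_EFS                     = "1.3.6.1.4.1.311.10.3.4"
    XCN_OID_KP_KEY_RECOVERY            = "1.3.6.1.4.1.311.10.3.11"
    XCN_OID_KP_KEY_RECOVERY_AGENT      = "1.3.6.1.4.1.311.21.6"
    XCN_OID_KP_LIFETIME_SIGNING        = "1.3.6.1.4.1.311.10.3.13"
    XCN_OID_KP_QUALIFIED_SUBORDINATION = "1.3.6.1.4.1.311.10.3.10"
    XCN_OID_KP_SMARTCARD_LOGON         = "1.3.6.1.4.1.311.20.2.2"
    XCN_OID_KP_TIME_STAMP_SIGNING      = "1.3.6.1.4.1.311.10.3.2"
    XCN_OID_LICENSE_SERVER             = "1.3.6.1.4.1.311.10.6.2"
    XCN_OID_LICENSES                   = "1.3.6.1.4.1.311.10.6.1"
    XCN_OID_NT5_CRYPTO                 = "1.3.6.1.4.1.311.10.3.6"
    XCN_OID_OEM_WHQL_CRYPTO            = "1.3.6.1.4.1.311.10.3.7"
    XCN_OID_PKIX_KP_CLIENT_AUTH        = "1.3.6.1.5.5.7.3.2"
    XCN_OID_PKIX_KP_CODE_SIGNING       = "1.3.6.1.5.5.7.3.3"
    XCN_OID_PKIX_KP_EMAIL_PROTECTION   = "1.3.6.1.5.5.7.3.4"
    XCN_OID_PKIX_KP_IPSEC_END_SYSTEM   = "1.3.6.1.5.5.7.3.5"
    XCN_OID_PKIX_KP_IPSEC_TUNNEL       = "1.3.6.1.5.5.7.3.6"
    XCN_OID_PKIX_KP_IPSEC_USER         = "1.3.6.1.5.5.7.3.7"
    XCN_OID_PKIX_KP_OCSP_SIGNING       = "1.3.6.1.5.5.7.3.9"
    XCN_OID_PKIX_KP_SERVER_AUTH        = "1.3.6.1.5.5.7.3.1"
    XCN_OID_PKIX_KP_TIMESTAMP_SIGNING  = "1.3.6.1.5.5.7.3.8"
    XCN_OID_ROOT_LIST_SIGNER           = "1.3.6.1.4.1.311.10.3.9"
    XCN_OID_WHQL_CRYPTO                = "1.3.6.1.4.1.311.10.3.5"
}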
# X509KeySpec: legacy CAPI key specification (exchange vs. signature key).
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379409.aspx
$X509KeySpec = @{
    XCN_AT_NONE        = 0
    XCN_AT_KEYEXCHANGE = 1
    XCN_AT_SIGNATURE   = 2
}
# InstallResponseRestrictionFlags: which checks may be relaxed when installing an issued
# certificate (response). Values per
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa376782.aspx
# AllowNone keeps every check; the AllowUntrusted* bits accept a response whose certificate or
# root is not trusted and should be used only when that is an explicit, reviewed decision.
$InstallResponseRestrictionFlags = @{
    AllowNone                  = 0x00000000
    AllowNoOutstandingRequest  = 0x00000001
    AllowUntrustedCertificate  = 0x00000002
    AllowUntrustedRoot         = 0x00000004
}
# ObjectIdPublicKeyFlags: public-key algorithm search flags.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa379071.aspx
# NOTE: 0x80000000 is read by Windows PowerShell as the signed [int] -2147483648; the bit
# pattern matches the native constant.
$ObjectIdPublicKeyFlags = @{
    XCN_CRYPT_OID_INFO_PUBKEY_ANY              = 0
    XCN_CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG = 0x40000000
    XCN_CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG    = 0x80000000
}
# AlgorithmFlags: modifier bits for an algorithm object.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/aa374813.aspx
$AlgorithmFlags = @{
    AlgorithmFlagsNone = 0x00000000
    AlgorithmFlagsWrap = 0x00000001
}
# X509EnrollmentAuthFlags: authentication methods accepted by an enrollment policy/web service.
# Values per https://msdn.microsoft.com/en-us/library/windows/desktop/ee373782.aspx
$X509EnrollmentAuthFlags = @{
    X509AuthNone        = 0
    X509AuthAnonymous   = 1
    X509AuthKerberos    = 2
    X509AuthUsername    = 4
    X509AuthCertificate = 8
}
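function New-DistinguishedName {
    <#
    .SYNOPSIS
    Creates and encodes an X509Enrollment.CX500DistinguishedName COM object from a DN string.
    .PARAMETER Subject
    The distinguished-name text to encode, e.g. (illustrative) "CN=Example".
    For a list of valid RDN keys: https://msdn.microsoft.com/en-us/library/aa377051.aspx
    .PARAMETER NameFlags
    X500NameFlags value that controls how Subject is parsed and encoded (see $X500NameFlags).
    Defaults to XCN_CERT_NAME_STR_NONE.
    .OUTPUTS
    The encoded CX500DistinguishedName COM object.
    .NOTES
    Any COM error raised by Encode (for example an unparseable Subject) propagates to the
    caller; nothing is caught here.
    #>
    param(
        [Parameter(Position=0,Mandatory=$true, ValueFromPipeline=$true)][ValidateNotNullOrEmpty()][String]$Subject,
        # Typed [Long] to match the other flag parameters in this file; the original [String]
        # type stringified the numeric default before it reached Encode().
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$NameFlags = $X500NameFlags.XCN_CERT_NAME_STR_NONE
    )
    process {
        $DN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
        $DN.Encode($Subject, $NameFlags)
        return $DN
    }
}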
function New-PrivateKey {
    <#
    .SYNOPSIS
    Builds an X509Enrollment.CX509PrivateKey COM object configured from the given parameters.
    The key is not generated here; the object is returned ready for use in a request.
    .PARAMETER ProviderName
    CSP/KSP name. Defaults to "Microsoft RSA SChannel Cryptographic Provider".
    .PARAMETER KeySize
    Key length in bits. Defaults to 4096.
    .PARAMETER ExportPolicy
    X509PrivateKeyExportFlags value. The default, XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG,
    leaves the key exportable in plaintext; callers that never need to export the key
    should pass $X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE instead.
    .PARAMETER KeySpec
    X509KeySpec value. Defaults to XCN_AT_KEYEXCHANGE.
    .PARAMETER KeyUsage
    X509PrivateKeyUsageFlags value. Defaults to XCN_NCRYPT_ALLOW_ALL_USAGES.
    .PARAMETER MachineContext
    $true (default) sets the key's MachineContext property, i.e. the machine rather than the
    current user's context.
    .OUTPUTS
    The configured CX509PrivateKey COM object.
    #>
    param (
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][String]$ProviderName = "Microsoft RSA SChannel Cryptographic Provider",
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$KeySize = 4096,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$ExportPolicy = $X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$KeySpec = $X509KeySpec.XCN_AT_KEYEXCHANGE,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$KeyUsage = $X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][bool]$MachineContext = $true
    )
    process {
        # Enumerate the providers present on this machine; the collection is attached to the key below.
        $CspList = New-Object -ComObject X509Enrollment.CCspInformations
        $CspList.AddAvailableCsps()

        # Property assignments are kept in the original order: the COM object may validate
        # later properties against earlier ones.
        $PrivateKey = New-Object -ComObject X509Enrollment.CX509PrivateKey
        $PrivateKey.ProviderName    = $ProviderName
        $PrivateKey.KeySpec         = $KeySpec
        $PrivateKey.KeyUsage        = $KeyUsage
        $PrivateKey.Length          = $KeySize
        $PrivateKey.MachineContext  = $MachineContext
        $PrivateKey.ExportPolicy    = $ExportPolicy
        $PrivateKey.CspInformations = $CspList
        $PrivateKey
    }
}
function Get-AvailableCsps {
    <#
    .SYNOPSIS
    Returns an X509Enrollment.CCspInformations COM collection populated with the providers
    available on this machine (via AddAvailableCsps).
    .OUTPUTS
    The populated CCspInformations COM object.
    #>
    process {
        $Csps = New-Object -ComObject X509Enrollment.CCspInformations
        $Csps.AddAvailableCsps()
        $Csps
    }
}
function New-ExtensionEnhancedKeyUsage {
    <#
    .SYNOPSIS
    Builds an encoded Enhanced Key Usage extension from a set of CObjectId COM objects.
    .PARAMETER Objects
    The object identifiers to include (for example the output of New-ObjectId). Each element is
    passed to CObjectIds.Add unchanged, so it must be accepted by that method.
    .OUTPUTS
    The initialized X509Enrollment.CX509ExtensionEnhancedKeyUsage COM object.
    #>
    param (
        [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][System.Object[]]$Objects
    )
    process {
        $OidCollection = New-Object -ComObject X509Enrollment.CObjectIds
        $Objects | ForEach-Object { $OidCollection.Add($_) }

        $EkuExtension = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
        $EkuExtension.InitializeEncode($OidCollection)
        $EkuExtension
    }
}
function Get-ExtensionEnhancedKeyUsageOids {
    <#
    .SYNOPSIS
    Returns the $X509ExtensionEnhancedKeyUsage lookup table (constant name -> EKU OID string).
    .OUTPUTS
    The hashtable itself, not a copy; callers that modify it change the shared table.
    #>
    process {
        $X509ExtensionEnhancedKeyUsage
    }
}
function New-ObjectId {
    <#
    .SYNOPSIS
    Creates an X509Enrollment.CObjectId COM object initialized from a dotted OID string.
    .PARAMETER OID
    The object identifier in dotted-decimal form, e.g. a value from $X509ExtensionEnhancedKeyUsage.
    Accepts pipeline input.
    .OUTPUTS
    The initialized CObjectId COM object.
    #>
    param (
        [Parameter(Position=0,Mandatory=$true,ValueFromPipeline=$true)][ValidateNotNullOrEmpty()][String]$OID
    )
    process {
        $Oid = New-Object -ComObject X509Enrollment.CObjectId
        $Oid.InitializeFromValue($OID)
        $Oid
    }
}
function New-ExtensionKeyUsage {
    <#
    .SYNOPSIS
    Builds an encoded Key Usage extension from one or more X509KeyUsageFlags values.
    .PARAMETER Usage
    Flag values (see $X509KeyUsageFlags); they are OR'ed together into a single mask.
    .OUTPUTS
    The initialized X509Enrollment.CX509ExtensionKeyUsage COM object.
    #>
    param (
        [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][System.Object[]]$Usage
    )
    process {
        # Fold the individual flags into one bitmask.
        $Mask = 0
        $Usage | ForEach-Object { $Mask = $Mask -bor $_ }

        $KeyUsageExtension = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
        $KeyUsageExtension.InitializeEncode($Mask)
        $KeyUsageExtension
    }
}
function Get-ExtensionKeyUsageFlags {
    <#
    .SYNOPSIS
    Returns the $X509KeyUsageFlags lookup table (constant name -> Key Usage bit).
    .OUTPUTS
    The hashtable itself, not a copy.
    #>
    process {
        $X509KeyUsageFlags
    }
}
function New-CertificateRequestCertificate {
    <#
    .SYNOPSIS
    Creates an uninitialized X509Enrollment.CX509CertificateRequestCertificate COM object
    (the self-signed-certificate request type).
    .OUTPUTS
    The new COM object; the caller is responsible for initializing it.
    #>
    process {
        New-Object -ComObject X509Enrollment.CX509CertificateRequestCertificate
    }
}
function New-CertEnrollment {
    <#
    .SYNOPSIS
    Creates an uninitialized X509Enrollment.CX509Enrollment COM object.
    .OUTPUTS
    The new COM object; the caller is responsible for initializing it.
    #>
    process {
        New-Object -ComObject X509Enrollment.CX509Enrollment
    }
}
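function New-EnrollmentPolicyWebService {
    <#
    .SYNOPSIS
    Creates an X509Enrollment.CX509EnrollmentPolicyWebService COM object, initializes it against a
    policy server, sets credentials and loads policy.
    .PARAMETER PolicyServerUrl
    URL of the certificate enrollment policy web service.
    .PARAMETER PolicyServerId
    Policy server identifier; defaults to "" (empty).
    .PARAMETER Authentication
    X509EnrollmentAuthFlags value used for both Initialize and SetCredential. Defaults to Kerberos.
    .PARAMETER AllowUntrusted
    Passed to Initialize as its allowUntrusted argument. Keep $false (the default) unless the
    policy server is trusted out of band; per the linked Initialize documentation this controls
    whether an untrusted policy server is accepted — confirm against the COM docs before enabling.
    .PARAMETER Context
    X509CertificateEnrollmentContext value. Defaults to ContextMachine.
    .PARAMETER Username
    Username for SetCredential; defaults to "" (unused with Kerberos).
    .PARAMETER Password
    Password for SetCredential; defaults to "". It is handed to the COM method as a plain string,
    so it is not protected in memory — prefer Kerberos or certificate authentication where possible.
    .PARAMETER LoadOption
    X509EnrollmentPolicyLoadOption value passed to LoadPolicy. Defaults to LoadOptionDefault.
    .OUTPUTS
    The initialized CX509EnrollmentPolicyWebService COM object with policy loaded.
    .NOTES
    Fixes relative to the original: LoadPolicy now honours -LoadOption (it previously always used
    LoadOptionDefault); -LoadOption is typed [Long] like the other flag parameters; and the
    ValidateNotNullOrEmpty attributes were removed from -PolicyServerId, -Username and -Password,
    whose documented default is the empty string they would have rejected.
    #>
    param (
        [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][String]$PolicyServerUrl,
        [Parameter(Mandatory=$false)][String]$PolicyServerId = "",
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$Authentication = $X509EnrollmentAuthFlags.X509AuthKerberos,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][bool]$AllowUntrusted = $false,
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$Context = $X509CertificateEnrollmentContext.ContextMachine,
        [Parameter(Mandatory=$false)][String]$Username = "",
        [Parameter(Mandatory=$false)][String]$Password = "",
        [Parameter(Mandatory=$false)][ValidateNotNullOrEmpty()][Long]$LoadOption = $X509EnrollmentPolicyLoadOption.LoadOptionDefault
    )
    process {
        #https://msdn.microsoft.com/en-us/library/windows/desktop/ee351692.aspx
        # No UI is involved, so no parent window handle is supplied.
        $ParentWindowHandle = 0
        $EnrollmentPolicyWebService = New-Object -ComObject x509Enrollment.CX509EnrollmentPolicyWebService
        $EnrollmentPolicyWebService.Initialize($PolicyServerUrl,$PolicyServerId,$Authentication,$AllowUntrusted,$Context)
        $EnrollmentPolicyWebService.SetCredential($ParentWindowHandle, $Authentication, $Username, $Password)
        $EnrollmentPolicyWebService.LoadPolicy($LoadOption)
        return $EnrollmentPolicyWebService
    }
}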
function New-CertificateRequestPkcs10 {
    <#
    .SYNOPSIS
    Creates an uninitialized X509Enrollment.CX509CertificateRequestPkcs10 COM object.
    .OUTPUTS
    The new COM object; the caller is responsible for initializing it.
    #>
    process {
        New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    }
}
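function New-Enrollment {
    <#
    .SYNOPSIS
    Creates an uninitialized X509Enrollment.CX509Enrollment COM object.
    .DESCRIPTION
    Identical to New-CertEnrollment, which it now delegates to so the two names cannot drift;
    kept because existing callers use this name.
    .OUTPUTS
    The new COM object; the caller is responsible for initializing it.
    #>
    process {
        return New-CertEnrollment
    }
}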
function New-CARequest {
    <#
    .SYNOPSIS
    Creates a CertificateAuthority.Request COM object (the certificate-request interface used to
    talk to a CA).
    .OUTPUTS
    The new COM object.
    #>
    process {
        New-Object -ComObject CertificateAuthority.Request
    }
}
function Get-CertEnrollmentContexts {
    <#
    .SYNOPSIS
    Returns the $X509CertificateEnrollmentContext lookup table (name -> context value).
    .OUTPUTS
    The hashtable itself, not a copy.
    #>
    process {
        $X509CertificateEnrollmentContext
    }
}
function Get-EncodingTypes {
    <#
    .SYNOPSIS
    Returns the $EncodingType lookup table (constant name -> encoding value).
    .OUTPUTS
    The hashtable itself, not a copy.
    #>
    process {
        $EncodingType
    }
}