xcertificateimport
When using the interactive Windows Certificates snap-in, a 3rd very important cert target store type can be selected:
One can select "my user account", "computer account" and "service account" as target for certificates.
xCertificateImport currently seems to only support 2 target store types:
Location: 'LocalMachine' or 'CurrentUser'
As an admin it would be very cool to be able to use xCertificateImport to also manage service-related certificates, as there are otherwise no PowerShell means to do so and the GUI cert tool is a PITA, as it's not scriptable. And there are Microsoft's own services out there that need such certificates. For example, Microsoft AD LDS uses certificates stored in the service accounts section for SSL/TLS certificates, e.g. in:
[HKLM\SOFTWARE\Microsoft\Cryptography\Services\ADAMinst1\SystemCertificates\My\Certificates]
There seems to be no means to use xCertificateImport to manage that path
(Referring to https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx#CERTSYSTEMSTORESERVICES)
(the old-fashioned state-based PowerShell Cert commands seem to have the same deficits, but why not do it right in this command - that would probably need a 3rd parameter Location="service" and a further Servicename="...." parameter)
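
An added example, not part of the original post and not xCertificate code: a read-only inventory of the service store path quoted above, useful for checking which TLS certificates a service such as AD LDS holds and whether any have expired. It assumes each certificate subkey is named by thumbprint and carries a `Blob` value that `X509Certificate2` can decode as a serialized certificate; the parameter names are hypothetical.

```powershell
# Added example: list certificates in a service account's certificate store.
# Read-only; run elevated on the host that runs the service.
param(
    [string]$ServiceName = 'ADAMinst1',  # service name taken from the post
    [string]$StoreName   = 'My'          # store name taken from the post
)

$root = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\$ServiceName" +
        "\SystemCertificates\$StoreName\Certificates"

if (-not (Test-Path -LiteralPath $root)) {
    Write-Warning "No service certificate store found at $root"
    return
}

Get-ChildItem -LiteralPath $root | ForEach-Object {
    $thumbprint = $_.PSChildName   # assumption: subkey name is the thumbprint
    $blob = (Get-ItemProperty -LiteralPath $_.PSPath -Name Blob `
                -ErrorAction SilentlyContinue).Blob
    $cert = $null
    if ($blob) {
        try {
            # Assumption: Blob is a serialized certificate element that the
            # byte[] constructor can decode on Windows.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        } catch {
            Write-Verbose "Could not decode Blob for $thumbprint"
        }
    }

    # One row per certificate; undecodable entries are still reported.
    [pscustomobject]@{
        Service    = $ServiceName
        Store      = $StoreName
        Thumbprint = $thumbprint
        Subject    = if ($cert) { $cert.Subject }  else { '<not decoded>' }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}
```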

1 comment
Moving to the Certificate section of this UserVoice - while the PowerShell team does own the xCertificate module, this comment: https://github.com/PowerShell/xCertificate/issues/32 gives some additional context. The ask is more around exposing the Right Set of PKI cmdlets that can then be manipulated by a DSC resource to do the right thing.