Trying to automate pulling the DC certificate to import into a Java keystore for LDAPS auth in a web app. The kicker is I want to do this with only built-in Windows tools. Trolled around and found some pieces, but it doesn't work. Here is what I have for now:
# Placeholders for the DC address and LDAPS port (not defined in the original post)
$DC1IP = '192.0.2.10'   # assumption: the DC to pull the certificate from
$Port  = 636            # LDAPS
$TcpSocket = New-Object Net.Sockets.TcpClient($DC1IP,$Port)
$tcpstream = $TcpSocket.GetStream()
# Validation callback that accepts any certificate. That is fine for *retrieving* the
# server's certificate, but never reuse it to bypass validation on a real LDAPS/TLS connection.
$Callback = {param($sender,$cert,$chain,$errors) return $true}
$SSLStream = New-Object -TypeName System.Net.Security.SSLStream -ArgumentList @($tcpstream, $True, $Callback)
$SSLStream.AuthenticateAsClient($DC1IP)   # the original passed $IPAddress, which is never set
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SSLStream.RemoteCertificate)
$SSLStream.Dispose()
$TcpSocket.Close()
# Build the PEM text as one string: header, base64 of the DER bytes (76-char lines), footer.
# As posted, the three pieces were separate statements, so only the header landed in the variable.
$PublicCertInPemFormatPrep = "-----BEGIN CERTIFICATE-----`n" +
    [System.Convert]::ToBase64String($Certificate.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
    "`n-----END CERTIFICATE-----"
$DC1Cert = $PublicCertInPemFormatPrep -split "`n"
# Windows PowerShell's Out-File defaults to UTF-16LE with a BOM, which is why keytool
# rejects this file even though the text looks right (see EDIT below)
$DC1cert | out-file c:\temp\DC1.cer
Trying to import that with keytool gives the error that it is in PEM format and it needs to be X.509. It looks identical to the export I get when manually exporting from the DC itself in base64 X.509 though.
I guess I could install openssl on the servers that will need this. Would prefer not to though.
EDIT:
I got it. I checked out the certificate in a hex editor and it didn't match the cert I exported from the DC. After playing around with the exporting I found I needed to encode it as OEM:
# OEM (like ASCII) writes a single-byte file with no BOM; the default Out-File encoding
# in Windows PowerShell is UTF-16LE with a BOM, which keytool does not parse as PEM
$DC1cert | out-file c:\temp\DC1.cer -Encoding oem
That fixed it.
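The same retrieval done in a way that sidesteps the text-encoding problem entirely, and that tells you what you are about to trust before it lands in the keystore. This is an added example, not the original poster's script; the DC name dc1.example.com, the C:\temp paths, the keystore path and the alias are assumptions. It writes the DER bytes directly (no text encoding is involved, so Out-File's default cannot corrupt it) and a plain-ASCII PEM beside it, records the TLS validation verdict instead of silently accepting the certificate, and also exports the issuing root from the rebuilt chain, which is usually the better thing to put in a Java truststore because it survives the DC's certificate renewal.

```powershell
# Added example (not from the original post). Assumed: dc1.example.com, C:\temp, alias dc1-root,
# keystore C:\temp\ldaps.jks with the default password.
function Get-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # use the DC FQDN so hostname validation means something
        [int] $Port = 636
    )
    # The callback has to return $true or the handshake aborts before the certificate can be read,
    # so record the verdict instead of enforcing it. A hashtable is a reference type, so the
    # closure's write is visible to the caller.
    $verdict  = @{ PolicyErrors = $null }
    $callback = { param($sender, $cert, $chain, $errors)
                  $verdict.PolicyErrors = $errors; return $true }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $client.Close() }

    # Rebuild the chain locally to locate the issuing root. If no issuer can be found the
    # chain contains only the leaf, and Root will equal Leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($leaf)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $status = ($chain.ChainStatus | ForEach-Object Status) -join ','
    if (-not $status) { $status = 'NoError' }

    [pscustomobject]@{
        Leaf         = $leaf
        Root         = $root
        PolicyErrors = $verdict.PolicyErrors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        ChainStatus  = $status
    }
}

function Export-CertForKeytool {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $Path
    )
    # DER: raw bytes, no text encoding involved, so Out-File's UTF-16 default never comes into play
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)

    # PEM: keytool reads this too, but only as plain single-byte text with no BOM
    $b64 = [System.Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    [System.IO.File]::WriteAllText("$Path.pem", $pem, [System.Text.Encoding]::ASCII)
}

$result = Get-LdapsCertificate -ComputerName 'dc1.example.com'   # assumed DC name
"Leaf : {0}  thumbprint {1}  expires {2}" -f $result.Leaf.Subject, $result.Leaf.Thumbprint, $result.Leaf.NotAfter
"Root : {0}  thumbprint {1}" -f $result.Root.Subject, $result.Root.Thumbprint
"TLS validation verdict: {0} (chain: {1})" -f $result.PolicyErrors, $result.ChainStatus

# Do not put a certificate you could not validate into a truststore; that is how a spoofed DC gets trusted
if ($result.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    throw "Refusing to trust a certificate that failed validation: $($result.PolicyErrors)"
}
Export-CertForKeytool -Certificate $result.Root -Path 'C:\temp\DC1-root.cer'
Export-CertForKeytool -Certificate $result.Leaf -Path 'C:\temp\DC1.cer'

# keytool accepts either the DER file or the .pem written above (assumed keystore path and password)
& keytool -importcert -noprompt -trustcacerts -alias dc1-root -file 'C:\temp\DC1-root.cer' `
    -keystore 'C:\temp\ldaps.jks' -storepass changeit
```

Run it from a machine that already trusts the enterprise CA (a domain-joined host) so the verdict is meaningful; on a machine without that root the validation check will refuse, which is the right outcome rather than something to work around. keytool needs to be on the PATH or called by its full path under the JDK's bin directory.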
Posted 1 year ago to r/PowerShell: reddit.com/r/PowerShell/...