pspki Wiki Rss Feed

Updated Wiki: Home

Camelot — Thu, 31 Jan 2013 17:13:19 GMT

Project Description
This module is intended to simplify certain PKI management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management you should consider to use Quest AD PKI cmdlets.

Module Requirements

Windows PowerShell 2.0

This module can run on any of the specified operating system:

Windows Server 2003/2003 R2/2008*/2008 R2/2012
Windows XP**/Vista***/7***

* — Server Core installation is not supported.
** — with installed AdminPack
*** — with installed RSAT (Remote System Administration Tools)

Certification Authority requirements
This module supports Enterprise or Standalone Certification Authority servers that are running one the following operating system:

Windows Server 2003/2003 R2/2008 (including Server Core)/2008 R2 (including Server Core)/2012 (including Server Core)

Command list:
Full command list for the latest release:

Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService (Alias: Add-CEP)
Add-CertificateEnrollmentService (Alias: Add-CES)
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CATemplate
Get-CertificateRevocationList (Alias: Get-CRL)
Get-CertificateRevocationListFlag (Alias: Get-CRLFlag)
Get-CertificateTemplate
Get-CertificateTemplateAcl
Get-CertificateTrustList (Alias: Get-CTL)
Get-CertificateValidityPeriod
Get-CertificationAuthority (Alias: Get-CA)
Get-CryptographicServiceProvider (Alias: Get-Csp)
Get-CryptographicServiceProviderCNG (Alias: Get-CspCNG)
Get-CRLDistributionPoint (Alias: Get-CDP)
Get-CRLValidityPeriod
Get-EnrollmentServiceUri
Get-ErrorMessage
Get-ExtensionList
Get-FailedRequest
Get-InterfaceFlag
Get-IssuedRequest
Get-KeyRecoveryAgentFlag (Alias: Get-KRAFlag)
Get-ObjectIdentifier
Get-ObjectIdentifierEx
Get-PendingRequest
Get-PolicyModuleFlag
Get-RevokedRequest
Import-LostCertificate
Install-CertificationAuthority (Alias: Install-CA)
Publish-CRL
Receive-Certificate
Register-ObjectIdentifier
Remove-AuthorityInformationAccess (Alias: Remove-AIA)
Remove-CAKRACertificate
Remove-CATemplate
Remove-CertificateEnrollmentPolicyService (Alias: Remove-CEP)
Remove-CertificateEnrollmentService (Alias: Remove-CES)
Remove-CertificateTemplate
Remove-CertificateTemplateAcl
Remove-CRLDistributionPoint (Alias: Remove-CDP)
Remove-ExtensionList
Remove-Request
Restart-CertificationAuthority
Restore-CertificateRevocationListFlagDefault (Alias: Restore-CRLFlagDefault)
Restore-InterfaceFlagDefault
Restore-KeyRecoveryAgentFlagDefault (Alias: Restore-KRAFlagDefault)
Restore-PolicyModuleFlagDefault
Revoke-Certificate
Set-AuthorityInformationAccess (Alias: Set-AIA)
Set-CAKRACertificate
Set-CATemplate
Set-CertificateTemplateAcl
Set-CertificateValidityPeriod
Set-CRLDistributionPoint (Alias: Set-CDP)
Set-CRLValidityPeriod
Set-ExtensionList
Show-Certificate
Show-CertificateRevocationList (Alias: Show-CRL)
Show-CertificateTrustList (Alias: Show-CTL)
Start-CertificationAuthority
Stop-CertificationAuthority
Submit-CertificateRequest
Test-WebServerSSL
Uninstall-CertificationAuthority (Alias: Uninstall-CA)
Unregister-ObjectIdentifier

The following technologies and products were used to design this module:

Updated Wiki: Submit-CertificateRequest

Camelot — Thu, 31 Jan 2013 17:09:41 GMT

NAME

Submit-CertificateRequest

SYNOPSIS

Submits certificate request to a Certification Authority.

SYNTAX

Submit-CertificateRequest [-Path <FileInfo[]>] [<CommonParameters>]

Submit-CertificateRequest -CA <CertificateAuthority> [<CommonParameters>]

Submit-CertificateRequest [-Attribute <String[]>] [<CommonParameters>]

DESCRIPTION

Submits certificate request to a Certification Authority. The commands returns an object that indicates the status of the submission. If the certificate is issued immediately, issued certificate is included in the returned object.

PARAMETERS

-Path <FileInfo[]>

Specifies the path to a request file.

Required?	true
Position?	0
Default value
Accept pipeline input?	true (ByValue)
Accept wildcard characters?	false

-CA <CertificateAuthority>

Specifies a Certification Authority object to which the request is submitted. CA object can be retrieved by running either Get-CertificationAuthority or Connect-CertificationAuthority commands.

Required?	true
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Attribute <String[]>

Specifies optional attributes which are passed along with the request and are used by Certification Authority to construct the certificate. The following syntax is used:

where <AttributeName> is an attribute name and <AttributeValue> is the value of the attribute. This command accepts multiple attributes.

For example, Enterprise CAs require certificate template information in the request, however, not all applications adds this information to the request (for example, Internet Information Service console, Exchange Management Console, non-Microsoft tools and other). In this case you can pass certificate template as attribute:

CertificateTemplate:WebServer

where 'CertificateTemplate' is attribute name and 'WebServer' is attribute value (in a given example it is certificate template common name).

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".

INPUTS

IO.FileInfo[]

OUTPUTS

None.

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

PS C:\> $CA = Get-CA ca01.company.com
PS C:\> Submit-CertificateRequest -Path c:\request.req -CA $CA

In this example, a request contained in the 'c:\request.req' file is submitted to a CA server hosted on 'ca01.company.com' server.

-------------- Example 2 --------------

PS C:\> $CA = Get-CA ca01.company.com
PS C:\> Submit-CertificateRequest -Path c:\iis_ssl.req -CA $CA -Attribute "CertificateTemplate:WebServer"

In this example, a request contained in the 'c:\iis_ssl.req' file is submitted to a CA server hosted on 'ca01.company.com' server. The request is supposed to by issued based on a 'WebServer' certificate template.

Updated Wiki: Receive-Certificate

Camelot — Thu, 31 Jan 2013 17:06:58 GMT

NAME

Receive-Certificate

SYNOPSIS

Receives already issued certificate from a Certification Authority database.

SYNTAX

Receive-Certificate [-RequestRow <Object>] [<CommonParameters>]

Receive-Certificate [[-Path] <DirectoryInfo>] [<CommonParameters>]

Receive-Certificate [-Force <SwitchParameter>] [<CommonParameters>]

DESCRIPTION

Receives already issued certificate from a Certification Authority database. This command can be used to retrieve an issued pending certificate request after it's approval.

Although, the command saves received certificates in the specified folder, the command returns corresponding X509Certificate2 objects, so you can use these certificates for custom tasks.

PARAMETERS

-RequestRow <Object>

Specifies a RequestRow object. This object can be retrieved by using either Get-IssuedRequest or Get-RevokedRequest. The request object already contains information about target CA server and request ID in the CA database.

Note: this command retrieves only issued certificates, therefore you should not use Get-PendingRequest or Get-FailedRequest commands.

Required?	true
Position?	0
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-Path <DirectoryInfo>

Specifies the path to a directory where to store the issued certificate. This parameter accepts only directory paths. If the directory doesn't exist, the command attempts to create it.

Files names are generated in the following form: RequestID_<RequestID>.cer

where '<RequestID>' is the request ID in the CA database.

Note: you should avoid RequestRow piping from different CA servers, because 2 CA servers may have matching RequestID values. Instead, use this command against each CA server separately.

Required?	false
Position?	1
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Force <SwitchParameter>

Specifies whether to overwrite existing file or not.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateServices.DB.RequestRow

OUTPUTS

System.Security.Cryptography.X509Certificates.X509Certificate2

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

PS C:\> Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer", "CommonName -eq www.company.com" | Receive-Certificate -Path C:\certs -Force

In this example, the commands retrieve all issued certificates based on 'WebServer' template and issued to 'www.company.com' name and save them in 'C:\certs' folder.

Updated Wiki: Get-CertificateTrustList

Camelot — Thu, 31 Jan 2013 17:04:27 GMT

NAME

Get-CertificateTrustList

SYNOPSIS

Retrieves Certificate Trust List (CTL) object from a file or a DER-encoded byte array.

SYNTAX

Get-CertificateTrustList [-Path <String>] [<CommonParameters>]

Get-CertificateTrustList [-RawCTL <Byte[]>] [<CommonParameters>]

DESCRIPTION

Retrieves Certificate Trust List (CTL) object from a file or a DER-encoded byte array.

A CTL is a predefined list of items signed by a trusted entity. A CTL is a list of hashes of certificates or a list of file names. All the items in the list are authenticated and approved by a trusted signing entity. The primary use of CTLs is to verify signed Messages, using the CTL as a source of trusted root certificates.

PARAMETERS

-Path <String>

Specifies the path to a file.

Required?	true
Position?	0
Default value
Accept pipeline input?	true (ByValue)
Accept wildcard characters?	false

-RawCTL <Byte[]>

Specifies a pointer to a DER-encoded CTL byte array.

Required?	true
Position?	0
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

System.String; System.Byte[]

OUTPUTS

System.Security.Cryptography.X509Certificates.X509CTL

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

PS C:\> Get-CertificateTrustList -Path C:\authroot.stl

In this example, the CTL object is constructed from a CTL file. CTLs usually have .stl extension.

-------------- Example 2 --------------

PS C:\> $Raw = [IO.FILE]::ReadAllBytes("C:\authroot.stl") Get-CertificateTrustList -RawCTL $Raw

CTL object is constructed from a byte array.

RELATED LINKS

Show-CertificateTrustList

Updated Wiki: Home

Camelot — Sat, 28 Jul 2012 09:56:42 GMT

Project Description
This module is intended to simplify certain PKI management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management you should consider to use Quest AD PKI cmdlets.

Module Requirements

Windows PowerShell 2.0

This module can run on any of the specified operating system:

Windows Server 2003/2003 R2/2008*/2008 R2/2012
Windows XP**/Vista***/7***

Windows Server 2003/2003 R2/2008 (including Server Core)/2008 R2 (including Server Core)/2012 (including Server Core)

Command list:
Full command list for the latest release:

Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService (Alias: Add-CEP)
Add-CertificateEnrollmentService (Alias: Add-CES)
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CATemplate
Get-CertificateRevocationList (Alias: Get-CRL)
Get-CertificateRevocationListFlag (Alias: Get-CRLFlag)
Get-CertificateTemplate
Get-CertificateTemplateAcl
Get-CertificateValidityPeriod
Get-CertificationAuthority (Alias: Get-CA)
Get-CRLDistributionPoint (Alias: Get-CDP)
Get-CRLValidityPeriod
Get-CryptographicServiceProvider (Alias: Get-Csp)
Get-CryptographicServiceProviderCNG (Alias: Get-CspCNG)
Get-EnrollmentServiceUri
Get-ErrorMessage
Get-ExtensionList
Get-FailedRequest
Get-InterfaceFlag
Get-IssuedRequest
Get-KeyRecoveryAgentFlag (Alias: Get-KRAFlag)
Get-ObjectIdentifier (Alias: Oid)
Get-ObjectIdentifierEx (Alias: Oid2)
Get-PendingRequest
Get-PolicyModuleFlag
Get-RevokedRequest
Import-LostCertificate
Install-CertificationAuthority (Alias: Install-CA)
Publish-CRL
Register-ObjectIdentifier
Remove-AuthorityInformationAccess (Alias: Remove-AIA)
Remove-CAKRACertificate
Remove-CATemplate
Remove-CertificateEnrollmentPolicyService (Alias: Remove-CEP)
Remove-CertificateEnrollmentService
Remove-CertificateTemplate
Remove-CertificateTemplateAcl
Remove-CRLDistributionPoint (Alias: Remove-CDP)
Remove-ExtensionList
Remove-Request
Restart-CertificationAuthority
Restore-CertificateRevocationListFlagDefault (Alias: Restore-CRLFlagDefault)
Restore-InterfaceFlagDefault
Restore-KeyRecoveryAgentFlagDefault (Alias: Restore-KRAFlagDefault)
Restore-PolicyModuleFlagDefault
Revoke-Certificate
Set-AuthorityInformationAccess (Alias: Set-AIA)
Set-CAKRACertificate
Set-CATemplate
Set-CertificateTemplateAcl
Set-CertificateValidityPeriod
Set-CRLDistributionPoint (Alias: Set-CDP)
Set-CRLValidityPeriod
Set-ExtensionList
Show-Certificate
Show-CertificateRevocationList (Alias: Show-CRL)
Start-CertificationAuthority
Stop-CertificationAuthority
Test-WebServerSSL
Uninstall-CertificationAuthority (Alias: Uninstall-CA)
Unregister-ObjectIdentifier

The following technologies and products were used to design this module:

Updated Wiki: Get-CASchema

Camelot — Sat, 28 Jul 2012 09:36:56 GMT

NAME

Get-CASchema

SYNOPSIS

Retrieves Certification Authority database schema.

SYNTAX

Get-CASchema [-CA] <CertificateAuthority> [[-Table] <TableList>] [<CommonParameters>]

DESCRIPTION

Retrieves Certification Authority database schema depending on selected table. Default table is 'Request' table.

PARAMETERS

-CA <CertificateAuthority>

Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-Table <TableList>

Specifies a table to be processed. Possible values can be 'Reqest', 'Attribute', 'Extension' or 'CRL'.

By default 'Request' table is used.

Required?	false
Position?	2
Default value	Request
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.CertificateAuthority

OUTPUTS

PKI.CertificateAuthority.DB.Schema

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -Name MyCA* | Get-CASchema

Returns database schema for Certification Authority objects which name starts with "MyCA".

-------------- Example 2 --------------

C:\PS>Get-CertificationAuthority | Get-CASchema

Returns database schema for all Enterprise Certification Authority objects in the current forest.

Updated Wiki: Home

Camelot — Sat, 28 Jul 2012 09:00:22 GMT

Project Description
This module is intended to simplify certain PKI management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management you should consider to use Quest AD PKI cmdlets.

Module Requirements

Windows PowerShell 2.0

This module can run on any of the specified operating system:

Windows Server 2003/2003 R2/2008*/2008 R2/2012
Windows XP**/Vista***/7***

* — Server Core installation is not supported.
** — with installed AdminPack
*** — with installed RSAT (Remote System Administration Tools)

Certification Authority requirements
This module supports Enterprise Certification Authority servers that are running one the following operating system:

Windows Server 2003/2003 R2/2008 (including Server Core)/2008 R2 (including Server Core)/2012 (including Server Core)

Command list:
Full command list for the latest release:

Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateEnrollmentPolicyService (Alias: Add-CEP)
Add-CertificateEnrollmentService (Alias: Add-CES)
Add-CertificateTemplateAcl
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-ADKRACertificate
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CASchema
Get-CATemplate
Get-CertificateRevocationList (Alias: Get-CRL)
Get-CertificateRevocationListFlag (Alias: Get-CRLFlag)
Get-CertificateTemplate
Get-CertificateTemplateAcl
Get-CertificateValidityPeriod
Get-CertificationAuthority (Alias: Get-CA)
Get-CRLDistributionPoint (Alias: Get-CDP)
Get-CRLValidityPeriod
Get-CryptographicServiceProvider (Alias: Get-Csp)
Get-CryptographicServiceProviderCNG (Alias: Get-CspCNG)
Get-EnrollmentServiceUri
Get-ErrorMessage
Get-ExtensionList
Get-FailedRequest
Get-InterfaceFlag
Get-IssuedRequest
Get-KeyRecoveryAgentFlag (Alias: Get-KRAFlag)
Get-ObjectIdentifier (Alias: Oid)
Get-ObjectIdentifierEx (Alias: Oid2)
Get-PendingRequest
Get-PolicyModuleFlag
Get-RevokedRequest
Import-LostCertificate
Install-CertificationAuthority (Alias: Install-CA)
Publish-CRL
Register-ObjectIdentifier
Remove-AuthorityInformationAccess (Alias: Remove-AIA)
Remove-CAKRACertificate
Remove-CATemplate
Remove-CertificateEnrollmentPolicyService (Alias: Remove-CEP)
Remove-CertificateEnrollmentService
Remove-CertificateTemplate
Remove-CertificateTemplateAcl
Remove-CRLDistributionPoint (Alias: Remove-CDP)
Remove-ExtensionList
Remove-Request
Restart-CertificationAuthority
Restore-CertificateRevocationListFlagDefault (Alias: Restore-CRLFlagDefault)
Restore-InterfaceFlagDefault
Restore-KeyRecoveryAgentFlagDefault (Alias: Restore-KRAFlagDefault)
Restore-PolicyModuleFlagDefault
Revoke-Certificate
Set-AuthorityInformationAccess (Alias: Set-AIA)
Set-CAKRACertificate
Set-CATemplate
Set-CertificateTemplateAcl
Set-CertificateValidityPeriod
Set-CRLDistributionPoint (Alias: Set-CDP)
Set-CRLValidityPeriod
Set-ExtensionList
Show-Certificate
Show-CertificateRevocationList (Alias: Show-CRL)
Start-CertificationAuthority
Stop-CertificationAuthority
Test-WebServerSSL
Uninstall-CertificationAuthority (Alias: Uninstall-CA)
Unregister-ObjectIdentifier

The following technologies and products were used to design this module:

Updated Wiki: Restore-InterfaceFlagDefault

Camelot — Fri, 27 Jul 2012 08:35:21 GMT

NAME

Restore-InterfaceFlagDefault

SYNOPSIS

Restores Active Directory Certification Authority (AD CS) management and enrollment interface default flags.

SYNTAX

Restore-InterfaceFlagDefault [-InputObject] <InterfaceFlag> [-RestartCA] [<CommonParameters>]

DESCRIPTION

Restores Active Directory Certification Authority (AD CS) management and enrollment default flags and discards any previous interface flag modifications. This command is helpful in the case of incorrect configuration or you want to stay "default".

By default only these flags are enabled: LockICertRequest - default. NoRemoteICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for remote callers.

PARAMETERS

-InputObject <InterfaceFlag>

Specifies existing InterfaceFlag object. This object can be retrieved by running Get-InterfaceFlag command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-RestartCA <>

Restarts CA service on the specified CA server to immediately apply changes.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.Flags.InterfaceFlag

OUTPUTS

PKI.CertificateAuthority.Flags.InterfaceFlag

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -name "company-CA01" | Get-InterFaceFlag | Restore-InterfaceFlagDefault -RestartCA

This command restores default management and enrollment interface restrictions for 'company-CA01' CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.

Updated Wiki: Set-CRLDistributionPoint

Camelot — Fri, 27 Jul 2012 08:34:58 GMT

NAME

Set-CRLDistributionPoint

SYNOPSIS

Set new CRL distribution points (CDP) for Certification Authority.

SYNTAX

Set-CRLDistributionPoint [-InputObject] <CRLDistributionPoint> [-RestartCA] [<CommonParameters>]

DESCRIPTION

Set new CRL distribution points (CDP) for Certification Authority. This command will write new CDP URIs to Certification Authority (CA) configuration.

PARAMETERS

-InputObject <CRLDistributionPoint>

Specifies an existing CDP object to rewrite. This object can be retrieved by running either Add-CRLDistributionPoint or Remove-CRLDistributionPoint command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-RestartCA <>

Restarts CA service on the specified CA server to immediately apply changes.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.CRLDistributionPoint

OUTPUTS

PKI.CertificateAuthority.CRLDistributionPoint

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority RootCA | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "6:http://crl.domain.com/%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA

This example will add new CDP URI to certificate CDP for 'RootCA' CA server. Also this will add new URI in Freshest CRL in CRL CDP to locate corresponding Delta CRL. After command completion CA services will be restarted to immediately apply changes.

-------------- Example 2 --------------

C:\PS>Get-CertificationAuthority | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "65:\\ServerName\crlfile%9.crl", "65:C:\CertData\%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA

This example will add new paths for Base and Delta CRL file publication for all CAs in the current forest. This will not add any new URIs in certificate CDP extension, but instructs CA to publish physical CRL files to specified locations. After command completion CA services will be restarted to immediately apply changes.

-------------- Example 3 --------------

C:\PS>Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*c:\windows*" | Set-CrlDistributionPoint -RestartCA

This example will remove all CDP URIs that contains "c:\windows" pattern. After command completion certificate services will be restarted to immediately apply changes.

-------------- Example 4 --------------

C:\PS>Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*ldap://*" | Set-CrlDistributionPoint -RestartCA

This example will remove all URIs that are used for CRL file publication and/or retrieval from Active Directory. After command completion certificate services will be restarted to immediately apply changes.

Updated Wiki: Remove-CRLDistributionPoint

Camelot — Fri, 27 Jul 2012 08:34:30 GMT

NAME

Remove-CRLDistributionPoint

SYNOPSIS

Removes existing CRL distribution points (CDP) from Certification Authority.

SYNTAX

Remove-CRLDistributionPoint [-InputObject] <CRLDistributionPoint> [[-URI] <String[]>] [<CommonParameters>]

DESCRIPTION

Removes existing CRL distribution points (CDP) from Certification Authority. This command doesn't change actual settings, but just prepares CDP URIs to pass to Set-CRLDistributionPoint command (see examples).

PARAMETERS

-InputObject <CRLDistributionPoint>

Specifies the CDP object to remove from CRL distribution points. This object can be retrieved by running Get-CRLDistributionPoint command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-URI <String[]>

Specifies exact or partial pattern for URI to remove. This parameter accepts wildcards: * and ?.

* - is used as multiple character wildcard
? - is used as single character wildcard

Note: be careful with this command. If you remove existing and working URLs certificate revocation checking may fail.

Required?	false
Position?	2
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.CRLDistributionPoint

OUTPUTS

PKI.CertificateAuthority.CRLDistributionPoint

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*c:\windows*" | Set-CrlDistributionPoint -RestartCA

This example will remove all CDP URIs that contains "c:\windows" pattern. After command completion certificate services will be restarted to immediately apply changes.

-------------- Example 2 --------------

C:\PS>Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*ldap://*" | Set-CrlDistributionPoint -RestartCA

Updated Wiki: Get-CRLDistributionPoint

Camelot — Fri, 27 Jul 2012 08:34:06 GMT

NAME

Get-CRLDistributionPoint

SYNOPSIS

Retrieves specified Certification Authority Certificate Distribution Points (CDP) URLs

SYNTAX

Get-CRLDistributionPoint [-CA] <CertificateAuthority> [<CommonParameters>]

DESCRIPTION

Retrieves specified Certification Authority Certificate Distribution Points (CDP) URLs.

CDP extension is used by certificate chaining engine (CCE) to determine particular certificate revocation status. CDP extension consist of two parts:

- physical path that is used by Certification Authority (CA) to publish CRL files. These paths are not published in the certificate CDP extension.
- URL (URI) that is used by CA to publish in issued certificates for CRL retrieval.

PARAMETERS

-CA <CertificateAuthority>

Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue)
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.CertificateAuthority

OUTPUTS

PKI.CertificateAuthority.CRLDistributionPoint

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -Name RootCA | Get-CrlDistributionPoint

Retrieves CRL distribution points from 'RootCA' Certification Authority.

-------------- Example 2 --------------

C:\PS>Get-CertificationAuthority | Get-CrlDistributionPoint

Retrieves CDP info from all Certification Authorities in the current forest.

-------------- Example 3 --------------

C:\PS>Get-CertificationAuthority RootCA | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "6:http://crl.domain.com/%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA

-------------- Example 4 --------------

C:\PS>Get-CertificationAuthority | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "65:\\ServerName\crlfile%9.crl", "65:C:\CertData\%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA

-------------- Example 5 --------------

C:\PS>Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*c:\windows*" | Set-CrlDistributionPoint -RestartCA

This example will remove all CDP URIs that contains "c:\windows" pattern. After command completion certificate services will be restarted to immediately apply changes.

-------------- Example 6 --------------

C:\PS>Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*ldap://*" | Set-CrlDistributionPoint -RestartCA

Updated Wiki: Set-CertificateTemplateAcl

Camelot — Fri, 27 Jul 2012 08:33:21 GMT

[This command is not available in non-domain environments]

NAME

Set-CertificateTemplateAcl

SYNOPSIS

Changes the security descriptor of a certificate template.

SYNTAX

Set-CertificateTemplateAcl [-InputObject] <SecurityDescriptor> [<CommonParameters>]

DESCRIPTION

The Set-CertificateTemplateAcl cmdlet writes the security descriptor of a specified certificate template to the actual certificate template object, to match the values in a security descriptor that you supply.

Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.

PARAMETERS

-InputObject <SecurityDescriptor>

Specifies an ACL object of certificate template. This object can be retrieved by running Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.Security.SecurityDescriptor

OUTPUTS

PKI.Security.SecurityDescriptor

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll

This commands adds 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.

-------------- Example 2 --------------

C:\PS>Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl

This commands removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).

Updated Wiki: Remove-CertificateTemplateAcl

Camelot — Fri, 27 Jul 2012 08:33:08 GMT

[This command is not available in non-domain environments]

NAME

Remove-CertificateTemplateAcl

SYNOPSIS

Removes an entity (user, computer, or security group) from the certificate template ACL.

SYNTAX

Remove-CertificateTemplateAcl [-InputObject] <SecurityDescriptor> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]

DESCRIPTION

Removes an entity (user, computer, or security group) from the certificate template ACL.

This command only prepares new certificate template ACL object. In order to write it to the actual object use this command's result to Set-CertificateTemplateAcl cmdlet (see Examples section).

Note: in order to edit certificate template ACL, you must be granted for Enterprise Admins permissions or delegated permissions on 'Certificate Templates' Active Directory container.

PARAMETERS

-InputObject <SecurityDescriptor>

Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-User <NTAccount[]>

Specifies an account (user, computer or security group) to remove from the certificate template ACL.

Required?	false
Position?	2
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-AccessType <AccessControlType>

Specifies the AccessType to remove. The value can be either Allow or Deny. All Access Control Entries (ACE) with specified AccessType will be removed from ACL.

Required?	false
Position?	3
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.Security.SecurityDescriptor

OUTPUTS

PKI.Security.SecurityDescriptor

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl

This command removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).

Updated Wiki: Uninstall-CertificationAuthority

Camelot — Fri, 27 Jul 2012 08:32:25 GMT

[This command is available only in Windows Server 2008 and Windows Server 2008 R2]

NAME

Uninstall-CertificationAuthority

SYNOPSIS

Uninstalls Active Directory Certificate Services role from the local computer.

SYNTAX

Uninstall-CertificationAuthority [-AutoRestart] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

Uninstalls Active Directory Certificate Services role from the local computer. The command supports Windows Server 2008 R2 Server Core installations.

PARAMETERS

-AutoRestart

Automatically restarts computer to complete CA role removal. Otherwise you will have to restart the server manually.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Force

By default, the commands prompts you whether you want to remove CA role. Use ?Force switch to suppress all prompts.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Confirm

Prompts you for confirmation before executing the command.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

None.

OUTPUTS

None.

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Uninstall-CertificationAuthority -AutoRestart -Force

The command will uninstall CA role, suppresses all prompts and automatically restarts the server upon completion.

RELATED LINKS

Install-CertificationAuthority

Updated Wiki: Install-CertificationAuthority

Camelot — Fri, 27 Jul 2012 08:32:09 GMT

[This command is available only in Windows Server 2008 and Windows Server 2008 R2]

NAME

Install-CertificationAuthority

SYNOPSIS

Installs Active Directory Certificate Services role on local computer.

SYNTAX

Install-CertificationAuthority [-CAName <String>] [-CADNSuffix <String>] [-CAType <String>] [-ParentCA <String>] [-CSP <String>] [-KeyLength <Int32>] [-HashAlgorithm <String>] [-ValidForYears <Int32>] [-RequestFileName <String>] [-DBDirectory <String>] [-LogDirectory <String>] [-OverwriteExisting] [-AllowCSPInteraction] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

Install-CertificationAuthority -CACertFile <FileInfo> -Password <SecureString> [-DBDirectory <String>] [-LogDirectory <String>] [-OverwriteExisting] [-AllowCSPInteraction] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

Install-CertificationAuthority -Thumbprint <String> [-DBDirectory <String>] [-LogDirectory <String>] [-OverwriteExisting] [-AllowCSPInteraction] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

Installs Active Directory Certificate Services (AD CS) role on local computer. A user can choose different options, such Certification Authority (CA) type, key pair parameters, CA certificate validity and so on. The command supports Windows Server 2008 R2 Server Core installations.

PARAMETERS

-CAName <String>

Specifies a custom CA certificate name/subject (what you see in the certificate display UI). If not passed, a '-CA' form is used for workgroup CAs and '-' form is used for domain CAs. The parameter supports Unicode names.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-CADNSuffix <String>

Specifies a DN suffix to specify some additional information. For example, company name, country, city, etc. DN suffix is empty for workgroup CAs and includes current domain distinguished name (for example, DC=domain,DC=com). The parameter accepts suffixes in a X500 form, for example: OU=Information Systems, O=Sysadmins LV, C=LV.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-CAType <String>

Specifies CA type: Standalone Root, Standalone Subordinate, Enterprise Root, Enterprise Subordinate.

If not passed, for non-domain environments or if you don't have Enterprise Admins rights, Standalone Root is used. If you have Enterprise Admins rights and your forest already has installed CAs, Enterprise Subordinate is used. If no Enterprise CAs installedin the forest, Enterprise Root is used.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-ParentCA <String>

This parameter allows you to specify parent CA location only if you install Enterprise Subordinate CA. For other CA types, the parameter is ignored. Parent CA information must be passed in the following form: CAComputerName\CASanitizedName. Sanitized name is a sanitized form of CA name (subject). Mostly sanitized name is the same as CA name (unless you use Unicode and/or special characters, that are disallowed in X500). If the parameter is not specified, a certificate request will be generated on the root of system drive. If selected CA type is Standalone Subordinate, the parameter is ignored. Request will be saved in a file.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-CSP <String>

Specifies custom cryptographic service provider. By default 'RSA#Microsoft Software Key Storage Provider' is used (in most cases you will use default CSP). You need to explicitly specify custom CSP only when you setup completely CNG authority (CSPs with ECDSA prefix) or you use HSM. Each HSM uses it's own custom CSP. You must install HSM middleware before CA installation.

The full list of supportable and available "by default" CSPs for Windows Server 2008+ is: Microsoft Base Cryptographic Provider v1.0 Microsoft Base DSS Cryptographic Provider Microsoft Base Smart Card Crypto Provider Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Strong Cryptographic Provider RSA#Microsoft Software Key Storage Provider DSA#Microsoft Software Key Storage Provider ECDSA_P256#Microsoft Software Key Storage Provider ECDSA_P384#Microsoft Software Key Storage Provider ECDSA_P521#Microsoft Software Key Storage Provider RSA#Microsoft Smart Card Key Storage Provider ECDSA_P256#Microsoft Smart Card Key Storage Provider ECDSA_P384#Microsoft Smart Card Key Storage Provider ECDSA_P521#Microsoft Smart Card Key Storage Provider

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-KeyLength <Int32>

This parameter specifies the key length. If not specified, a 2048-bit key will be generated. There is a little trick: if you look to a CSP list (above), you will see that key length is specified for each ECDSA* provider. I've developed a script logic in that way,so the script ignores this parameter if one of ECDSA* CSP is explicitly chosen and uses key length that is supported by the CSP.Therefore you will not receive an error if you select 'ECDSA_P256#Microsoft Smart Card Key Storage Provider' CSP with 2048 key length.256-bit key will be selected automatically.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-HashAlgorithm <String>

This parameter specifies hash algorithm that will be used for CA certificate/request hashing. Note that this is important for root CA installations. Subordinate CA certificates are hashed and signed by the parent CA with it's own settings. By default 'SHA1' isused (though this parameter is applicable for all CA installation types).

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-ValidForYears <Int32>

Specifies the validity for root CA installations. By default root CA certificates are valid for 5 years. You can increase this value to 10, 20, 50, whatever you need. For any subordinate CA types this parameter is silently ignored. This is because subordinate CAvalidity is determined by the parent CA. This parameter accepts integer values, assuming that the value is specified in years.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-RequestFileName <String>

If you setup any sort of subordinate (not root) CAs you can specify custom path to a request file. By default request file is generated on the root of system drive.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-DBDirectory <String>

Specifies the path to a folder to store CA database. If not specified, the default path: %windir%\System32\CertLog folder is used. If you need to specify custom path (for example, shared storage for CA clusters), you need to specify the next parameter too. The path must be valid.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-LogDirectory <String>

Specifies the path to a folderto store CA database log files. By default %windir%\System32\CertLog folder is used. If you use custom path for either database or log folders, you must explicitly specify both paths.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-OverwriteExisting

Specifies, whether to overwrite any existing database files in the specified directories.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-AllowCSPInteraction

Specifies, whether the cryptographic service provider (CSP) is allowed to interact with the desktop. This parameter should be used only if you use custom hardware-based CSP (HSM or smart card CSP). In other cases you don't need to allow CSP interactions.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Force

By default, the script explicitly prompts you whether you want to install Certification Authority with selected values. If you want to implement silent (quiet) installations ? specify this parameter to suppress any prompts during role installation

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-WhatIf

Describes what would happen if you executed the command without actually executing the command.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Confirm

Prompts you for confirmation before executing the command.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-CACertFile <FileInfo>

Specifies the path to a PFX file with CA certificate. Relative paths are allowed. Setup API performs additional checks for the certificate. Therefore you must ensure if: this is CA certificate (but not EFS encryption ;)), CA certificate is trusted (for non-root certificates)and chains to trusted CA and CA certificate revocation checking can be performed. Otherwise you will unable to setup CA with that CA certificate.

Required?	true
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Password <SecureString>

Specifies the password to open PFX file. The parameter supports only securestrings! You can't type a password as a simple text. This is made for security reasons. There are few ways to pass a password in a securestring form: $Password = Read-Host -a

or ConvertTo-SecureString <plaintext> -a -f You can enclose last command in parentheses and pass directly as a parameter value.

Required?	true
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-Thumbprint <String>

Specifies a thumbprint of the certificate to use. The certificate must be installed in Local Machine\Personal store and must be trusted (for non-root certificates) and must not be revoked (the issuer revocation information must be available).

Required?	true
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

None.

OUTPUTS

None.

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------------------- EXAMPLE 1 --------------------------

PS>Install-CertificationAuthority -CAName "My Root CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
-CAType "Standalone Root" -ValidForYears 10

In this scenario you setup new Standalone Root CA with "CN=My Root CA, OU=Information Systems, O=Sysadmins LV, C=LV" subject, that will be valid for 10 years. The CA will use default paths to CA database and log files and certificate will use 'RSA#Microsoft Software Key Storage Provider' CSP with 2048-bit key and SHA1 hashing algorithm.

-------------------------- EXAMPLE 2 --------------------------

PS>Install-CertificationAuthority -CAName "My Root CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
-CAType "Standalone Root" -ValidForYears 20 -CSP "ECDSA_P256#Microsoft Smart Card Key Storage Provider" `
-HashAlgorithm SHA512

This example is similar to previous, with the exception that this CA will be completely CNG/SHA2 root. CA certificate will use CNG (not RSA) keys and hashing algorithm will be SHA512.

-------------------------- EXAMPLE 3 --------------------------

PS>Install-CertificationAuthority -CAName "Clustered CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
-CAType "Enterprise Subordinate" -KeyLength 4096 -DBDirectory "S:\CertDB" -LogDirectory "S:\CertLog" `
-RequestFileName "S:\Clustered CA.req"

This example assumes that you setup CA cluster first node (but not necessary). CA database will be stored on a shared storage (attached with S: drive letter). CA certificate will use default 'RSA#Microsoft Software Key Storage Provider' with 4096-bit key and default SHA1 hashing algorithm. CA certificate validity will be determined by the parent CA. In addition, CA certificate request will be stored on the shared storage.

-------------------------- EXAMPLE 4 --------------------------

PS>$Password = Read-Host -AsSecureString
PS> Install-CertificationAuthority -CACertFile .\ClusteredCA.pfx -Password $Password `
-DBDirectory "S:\CertDB" -LogDirectory "S:\CertLog" -OverwriteExisting

This is two-line example. Say, you have successfully installed CA cluster first node and have exported CA certificate to a PFX, and moved it to the second node (to the current directory). At first you will be prompted for a password. Since you type password to a securestring prompt, no characters will be displayed. After that you will specify relative path to a PFX file and specify shared storage to store CA database and log files. You overwrite database files that wascreated during first node installation. Actually this command installs CA cluster second node.

-------------------------- EXAMPLE 5 --------------------------

PS>Install-CertificationAuthority -CAName "Company Enterprise CA-2" -CADNSuffix "O=Company, E=companypki@company.com" `
-CAType "Enterprise Subordinate" -ParentCA "ca01.company.com\Company Enterprise CA-1"

From best-practices perspective this is not a very good example, because it assumes at least 2 tiers of Enterprise CAs. However, it is still common. In a given example, Enterprise Subordinate CA will be installed and certificate request will be sent directly to existing Enterprise CA — 'Company Enterprise CA-1' that is hosted on 'ca01.company.com'. Note that existing CA must be online and must issue 'Subordinate Certification Authority' template.

RELATED LINKS

Uninstall-CertificationAuthority

Updated Wiki: Get-CertificateRevocationList

Camelot — Fri, 27 Jul 2012 08:30:29 GMT

NAME

Get-CertificateRevocationList

SYNOPSIS

Retrieves CRL object from a file or a DER-encoded byte array.

SYNTAX

Get-CertificateRevocationList [-Path] <String> [<CommonParameters>]

Get-CertificateRevocationList [-RawCRL] <Byte[]> [<CommonParameters>]

DESCRIPTION

Retrieves CRL object from a file or a DER-encoded byte array.

PARAMETERS

-Path <String>

Specifies the path to a file.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue)
Accept wildcard characters?	false

-RawCRL <Byte[]>

Specifies a pointer to a DER-encoded CRL byte array.

Required?	true
Position?	1
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

System.String; System.Byte[]

OUTPUTS

System.Security.Cryptography.X509Certificates.X509CRL2

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CRL C:\Custom.crl

Returns X509CRL2 object from a specified file.

-------------- Example 2 --------------

C:\PS>$Raw = [IO.FILE]::ReadAllBytes("C:\Custom.crl")
C:\PS>Get-CRL -RawCRL $Raw

Returns X509CRL2 object from a DER-encoded byte array.

RELATED LINKS

Show-CertificateRevocationList

Updated Wiki: Get-InterfaceFlag

Camelot — Fri, 27 Jul 2012 08:30:11 GMT

NAME

Get-InterfaceFlag

SYNOPSIS

Retrieves Active Directory Certificate Services (AD CS) management and request interface flags.

SYNTAX

Get-InterfaceFlag [-CA] <CertificateAuthority> [<CommonParameters>]

DESCRIPTION

Retrieves Active Directory Certificate Services (AD CS) management and request interface flags.

Management interface is implemented in ICertAdmin and request interface is implemented in ICertRequest. By using this (and related commands, such Enable-InterfaceFlag and Disable-InterfaceFlag) you can limit these interface usage. For example you can prevent AD CS remote management with ICertAdmin interface and allow AD CS management only locally.

PARAMETERS

-CA <CertificateAuthority>

Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.CertificateAuthority

OUTPUTS

PKI.CertificateAuthority.Flags.InterfaceFlag

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -name "company-CA1" | Get-InterfaceFlag

Returns 'company-CA1' CA server management and enrollment interface settings.

-------------- Example 2 --------------

C:\PS>Get-CertificationAuthority | Get-InterfaceFlag

Returns management and enrollment interface settings for all Enterprise CA servers in the current Active Directory forest.

-------------- Example 3 --------------

C:\PS>Get-CertificationAuthority -name "company-CA01" | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoLocalIcertRequest" -RestartCA

This example removes local enrollment restriction for "company-CA01" CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.

-------------- Example 4 --------------

C:\PS>Get-CertificationAuthority | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoRemoteICertAdminBackup" -RestartCA

This example removes remote backup restrictions for all Enterprise CAs in the current Active Directory forest. After the configuration is changed, the command will restart certificate services to immediately apply changes.

-------------- Example 5 --------------

C:\PS>Get-CertificationAuthority -name "company-CA01" | Get-InterfaceFlag | Enable-InterfaceFlag -Flag "NoRemoteIcertAdmin", "NoRemoteICertAdminBackup" -RestartCA

This example restricts "company-CA01" CA server remote management and remote backup operations. After the configuration is changed, the command will restart certificate services to immediately apply changes.

-------------- Example 6 --------------

C:\PS>Get-CertificationAuthority | Get-InterfaceFlag | Enable-InterfaceFlag -Flag "EnableAdminAsAuditor" -RestartCA

This example grants CA Administrators CA Auditor role for all Enterprise CAs in the current forest. After the configuration is changed, the command will restart certificate services to immediately apply changes.

Updated Wiki: Disable-KeyRecoveryAgentFlag

Camelot — Fri, 27 Jul 2012 08:29:28 GMT

[This command is not available in non-domain environments]

NAME

Disable-KeyRecoveryAgentFlag

SYNOPSIS

Disables key recovery agent settings (flag) for specified CA server.

SYNTAX

Disable-KeyRecoveryAgentFlag [-InputObject] <KRAFlag> [-Flag] <KRAFlagEnum[]> [-RestartCA] [<CommonParameters>]

DESCRIPTION

Disables Key Recovery Agent (KRA) settings (flag) for specified CA server. By default no KRA flags are enabled.

PARAMETERS

-InputObject <KRAFlag>

Specifies the KRA object to process. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-Flag <KRAFlagEnum[]>

Specifies the flag to disable. The following flag (of flags) can be used:

EnableForeign - enables key archival for certificates issued by other (or 3rd party) CA.
SaveBadRequestKey - enforces key archival even if the submitted public and private key pair cannot be verified.
EnableArchiveAll - enforces key archival for all incoming certificate requests. Do not use this flag unless all certificate requests support key archival.
DisableUseDefaultProvider - disables default cryptographic service provider (CSP) usage for public and private key pair verification.

Required?	true
Position?	2
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

-RestartCA <>

Restarts CertSvc service on the specified CA server to immediately apply changes.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.Flags.KRAFlag

OUTPUTS

PKI.CertificateAuthority.Flags.KRAFlag

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -Name "company-CA01" | Get-KeyRecoveryAgentFlag | Disable-KeyRecoveryAgentFlad -Flag "EnableForeign"

This command disables key archival for keys that were issued (signed) by other (or 3rd party) CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.

Updated Wiki: Restore-KeyRecoveryAgentFlagDefault

Camelot — Fri, 27 Jul 2012 08:28:09 GMT

[This command is not available in non-domain environments]

NAME

Restore-KeyRecoveryAgentFlagDefault

SYNOPSIS

Restores Active Directory Certification Authority (AD CS) key recovery agent default flags.

SYNTAX

Restore-KeyRecoveryAgentFlagDefault [-InputObject] <KRAFlag> [-RestartCA] [<CommonParameters>]

DESCRIPTION

Restores Active Directory Certification Authority (AD CS) key recovery agent default flags and discards any previous KRA flag modifications. This command is helpful in the case of incorrect configuration or you want to stay "default".

By default no flags are enabled.

PARAMETERS

-InputObject <KRAFlag>

Specifies existing KRAFlag object. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

-RestartCA <>

Restarts CA service on the specified CA server to immediately apply changes.

Required?	false
Position?	named
Default value
Accept pipeline input?	false
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.Flags.KRAFlag

OUTPUTS

PKI.CertificateAuthority.Flags.KRAFlag

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority ca01.company.com | Get-KRAFlag | Restore-KRAFlag -RestartCA

The command restores default KRA flag configuration for CA server running on 'ca01.company.com' computer. After the configuration is changed, the command will restart certificate services to immediately apply changes.

Updated Wiki: Get-KeyRecoveryAgentFlag

Camelot — Fri, 27 Jul 2012 08:27:41 GMT

[This command is not available in non-domain environments]

NAME

Get-KeyRecoveryAgentFlag

SYNOPSIS

Retrieves Active Directory Certificate Services (AD CS) key recovery agent (KRA) settings.

SYNTAX

Get-KeyRecoveryAgentFlag [-CA] <CertificateAuthority> [<CommonParameters>]

DESCRIPTION

Retrieves Active Directory Certificate Services (AD CS) key recovery agent (KRA) settings. Use this command in conjunction with Enable-KeyRecoveryAgentFlag and Disable-KeyRecoveryAgentFlag cmdlets to configure KRA settings.

By default no KRA flags are defined.

PARAMETERS

-CA <CertificateAuthority>

Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.

Required?	true
Position?	1
Default value
Accept pipeline input?	true (ByValue, ByPropertyName)
Accept wildcard characters?	false

<CommonParameters>

INPUTS

PKI.CertificateAuthority.CertificateAuthority

OUTPUTS

PKI.CertificateAuthority.Flags.KRAFlag

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

C:\PS>Get-CertificationAuthority -name "company-CA01" | Get-KeyRecoveryAgentFlag

The command retrieves KRA settings for 'company-CA01' CA server.

-------------- Example 2 --------------

C:\PS>Get-CertificationAuthority | Get-KeyRecoveryAgentFlag

The command retrieves KRA settings for all Enterprise CAs in the current Active Directory forest.

-------------- Example 3 --------------

C:\PS>Get-CertificationAuthority -Name "company-CA01" | Get-KeyRecoveryAgentFlag | Disable-KeyRecoveryAgentFlad -Flag "EnableForeign"

-------------- Example 4 --------------

C:\PS>Get-CertificationAuthority | Get-KeyRecoveryAgentFlag | Enable-KeyRecoveryAgentFlad -Flag "EnableForeign"

This example allows the CA to archive public and private key pair that were issued (signed) by other (or 3rd party) CA. After the configuration is changed, the command will restart certificate services to immediately apply changes.