Server/PSPKI.Help.xml
<?xml version="1.0" encoding="utf-8"?><helpItems schema="maml">
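The -URI parameter of Add-AuthorityInformationAccess, documented in the help entry that follows, takes Flags:RelativeURI strings and attaches several rules to them: flag values 1, 2 and 32, HTTP-only OCSP locations, the %4 variable, and no more than two CRT locations. The lint below is an added example, not part of PSPKI or of the original help file; the function name Test-AiaUriSpec, its output properties and the sample input are assumptions made for illustration, and it checks only the strings it is given, not URIs already configured on the CA.

```powershell
# Added example; Test-AiaUriSpec and its output properties are hypothetical names,
# not part of PSPKI. Every rule below is taken from the -URI help text.
function Test-AiaUriSpec {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Spec
    )

    $knownFlags = 1 -bor 2 -bor 32   # the three publishing flags the help lists
    $crtCount   = 0                  # CRT locations seen so far in this list only

    foreach ($s in $Spec) {
        $issues = @()
        $flags  = 0
        $uri    = $null

        if ($s -match '^(\d{1,3}):(.+)$') {
            $flags = [int]$Matches[1]
            $uri   = $Matches[2]

            # Reject zero and any bit outside 1, 2, 32.
            if ($flags -eq 0 -or ($flags -band (-bnot $knownFlags)) -ne 0) {
                $issues += 'flags must be a combination of 1, 2 and 32'
            }
            if ($flags -band 1) {
                $issues += 'flag 1 is deprecated and valid only with the default local path'
            }
            # The help states that OCSP locations support only HTTP.
            if (($flags -band 32) -and $uri -notmatch '^http://') {
                $issues += 'OCSP locations support only the HTTP protocol'
            }
            if ($flags -band 2) {
                $crtCount++
                # Retrieval formats listed in the help: http://, ldap:///, ldap://hostname
                if ($uri -notmatch '^(http|ldap)://') {
                    $issues += 'retrieval URI must be http://, ldap:/// or ldap://hostname'
                }
                if ($uri -notmatch '%4') {
                    $issues += 'no %4 variable, so the URI will not follow CA certificate renewals'
                }
                if ($uri -match '^ldap:///' -and $uri -notmatch 'DC=') {
                    $issues += 'ldap:/// form must contain the forest root DC= components'
                }
                if ($crtCount -gt 2) {
                    $issues += 'more than two CRT locations are not recommended'
                }
            }
        }
        else {
            $issues += 'not in Flags:RelativeURI format'
        }

        [pscustomobject]@{
            Spec   = $s
            Flags  = $flags
            Uri    = $uri
            Issues = $issues -join '; '
        }
    }
}

# Constructed sample input: host names as used in this help topic, the UNC path is made up.
$sample = @(
    '2:http://eu.company.com/MyCA%4.crt'
    '2:http://na.company.com/MyCA.crt'
    '32:ldap:///CN=OCSP,DC=company,DC=com'
    '2:\\fileserver\pki\MyCA%4.crt'
    '64:http://eu.company.com/MyCA%4.crt'
)
Test-AiaUriSpec -Spec $sample | Format-List
```

Entries with an empty Issues value can be passed to Add-AuthorityInformationAccess as they are.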
<command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-AuthorityInformationAccess</command:name> <maml:description> <maml:para>Adds new Certification Authority Authority Information Access (AIA) paths.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>AuthorityInformationAccess</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds new Certification Authority Authority Information Access (AIA) paths. This command doesn't change actual settings, but just prepares AIA URIs.</maml:para> <maml:para>The Authority Information Access (AIA) extension specifies the location of the issuer's resources, such as the CRT file and/or Online Certificate Status Protocol (OCSP) URIs, in the AIA extension of issued certificates.</maml:para> <maml:para>When you define CRT file URIs, the certificate chaining engine can use them to retrieve a particular certificate's issuer certificate. If a URI is missing or broken, certificate verification may fail and the certificate would be rejected. This command doesn't support physical CRT file publishing options; as a result, you need to manually copy the file to the target locations. The original CRT file is placed in the %windir%\system32\certsvc\certenroll folder. You may specify multiple URIs for redundancy. URIs are checked in the same order as they are placed in the certificate's AIA extension until the issuer's certificate is retrieved. The most accessible URI should be placed first. This command adds new URIs below existing URIs. It is recommended to specify no more than two CRT location URIs. 
This is because if the first two URIs fail, the client will fail chain building due to a timeout and the certificate would be rejected.</maml:para> <maml:para>An OCSP URI can be used by clients to determine certificate revocation status. Unlike CRLs, OCSP consumes very little network traffic (about 2kb for request and response). Currently only the HTTP protocol is supported by OCSP locations. In Windows Vista and newer systems OCSP has higher priority than the CRLDistributionPoints extension. Thus OCSP URIs are processed first. OCSP URIs have their own precedence rules: they are checked in the same order as they are placed in the certificate's AIA extension until revocation status is determined. It doesn't matter whether OCSP URIs are placed before or after CRT file location URIs, because they are grouped under different access methods. Here is an example:</maml:para> <maml:para>[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://eu.company.com/ocsp
          URL=http://na.company.com/ocsp
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://eu.company.com/MyCA.crt
          URL=http://na.company.com/MyCA.crt</maml:para> <maml:para>In the given example, even if CRT file URIs are placed after OCSP URIs, the certificate chaining engine will use the Certification Authority Issuer URIs first during chain building. The first URI, http://eu.company.com/MyCA.crt, will be used. If it fails, http://na.company.com/MyCA.crt will be used.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-AuthorityInformationAccess</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the AuthorityInformationAccess object to which new CRT distribution points are added. 
This object can be retrieved by running the Get-AuthorityInformationAccess command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">AuthorityInformationAccess[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies new CRT file publishing points for the specified CA server. Must be passed in the following format: <Flags>:<RelativeURI>, where <Flags> is a combination of publishing flags. The following values are possible for <Flags>:
1 - Publish CRTs to this location. This flag is deprecated and can be used only with the default local path.
2 - Include in the AIA extension of issued certificates.
32 - Include in the Online Certificate Status Protocol (OCSP) extension.</maml:para> <maml:para>Within <RelativeURI> you can use the following variables:</maml:para> <maml:para>%1 - the CA's computer DNS name
%2 - the CA's computer NetBIOS name
%3 - CA's logical name
%4 - CA's certificates name
%6 - the LDAP path of the forest's configuration naming context for the forest
%7 - CA's 'sanitized' name. This is the same as CA name but with the following characters removed: \/:\*?"<>|
%11 - indicates that CA certificate is certificate object in AD CS</maml:para> <maml:para>With a Windows CA you should include the %4 variable within the URI. This is important when you renew the CA's certificate. After CA certificate renewal, the CA server will maintain both certificates, previous and renewed. To differentiate them, the CA server will include the certificate index in parentheses. 
For example, suppose you have specified the following URI:
2:http://eu.company.com/MyCA%4.crt
In this example, a CA server with the initial CA certificate will publish the following URI in the AIA extension of issued certificates:
http://eu.company.com/MyCA.crt
Once the CA certificate is renewed, the CA server will generate a new CRT file with the corresponding index, and the following URI will be published in newly issued certificates:
http://eu.company.com/MyCA(1).crt
Subsequent CA certificate renewals will update the URI accordingly.</maml:para> <maml:para>This allows clients to build correct certificate chains for previously and newly issued certificates. Also, you don't need to change the CRT file location after CA certificate renewal, because the CA server will automatically place the correct CA certificate file name.</maml:para> <maml:para>Note: Windows PKI supports the following URI formats.
For CA certificate publishing:
ldap:///<DirectoryAccessProtocolPath>
UNC or absolute physical paths are no longer supported.</maml:para> <maml:para>For CA certificate retrieval:
http://<DomainURL>/<VirtualDirectoryAndFilePath>.crt
ldap:///<DirectoryAccessProtocolPath>
ldap://<hostname>/<path>?<query></maml:para> <maml:para>Note: the ldap:///<DirectoryAccessProtocolPath> URI type assumes Active Directory usage and must contain the forest root domain's domain component (DC=...) within the LDAP path. This may cause big retrieval delays. Since Active Directory may contain many domain controllers and the content specified in the LDAP URI is automatically replicated between all domain controllers in the current forest, CryptoAPI may simplify content retrieval from Active Directory by contacting the domain controller nearest to the client rather than the forest root domain. The nearest domain controller is stored in the $env:LogonServer system variable (or %LogonServer% in CMD syntax). 
</maml:para> <maml:para>Windows PKI also supports another form of LDAP URI, with a host name: ldap://<hostname>/path?query</maml:para> <maml:para>In this case the client will not contact a domain controller, but the specified host directly. Unlike the ldap:/// URI form, ldap://<hostname> may use a 3rd party LDAP-compatible directory. Automatic content (CA certificate or certificate revocation list) publishing to such directories is not supported. You will have to manually publish CA certificates to these directories by using external means.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the AuthorityInformationAccess object to which new CRT distribution points are added. This object can be retrieved by running the Get-AuthorityInformationAccess command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">AuthorityInformationAccess[]</command:parameterValue> <dev:type> <maml:name>AuthorityInformationAccess[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies new CRT file publishing points for the specified CA server. Must be passed in the following format: <Flags>:<RelativeURI>, where <Flags> is a combination of publishing flags. The following values are possible for <Flags>:
1 - Publish CRTs to this location. This flag is deprecated and can be used only with the default local path.
2 - Include in the AIA extension of issued certificates. 
32 - Include in the Online Certificate Status Protocol (OCSP) extension.</maml:para> <maml:para>Within <RelativeURI> you can use the following variables:</maml:para> <maml:para>%1 - the CA's computer DNS name
%2 - the CA's computer NetBIOS name
%3 - CA's logical name
%4 - CA's certificates name
%6 - the LDAP path of the forest's configuration naming context for the forest
%7 - CA's 'sanitized' name. This is the same as CA name but with the following characters removed: \/:\*?"<>|
%11 - indicates that CA certificate is certificate object in AD CS</maml:para> <maml:para>With a Windows CA you should include the %4 variable within the URI. This is important when you renew the CA's certificate. After CA certificate renewal, the CA server will maintain both certificates, previous and renewed. To differentiate them, the CA server will include the certificate index in parentheses. For example, suppose you have specified the following URI:
2:http://eu.company.com/MyCA%4.crt
In this example, a CA server with the initial CA certificate will publish the following URI in the AIA extension of issued certificates:
http://eu.company.com/MyCA.crt
Once the CA certificate is renewed, the CA server will generate a new CRT file with the corresponding index, and the following URI will be published in newly issued certificates:
http://eu.company.com/MyCA(1).crt
Subsequent CA certificate renewals will update the URI accordingly.</maml:para> <maml:para>This allows clients to build correct certificate chains for previously and newly issued certificates. Also, you don't need to change the CRT file location after CA certificate renewal, because the CA server will automatically place the correct CA certificate file name.</maml:para> <maml:para>Note: Windows PKI supports the following URI formats. 
For CA certificate publishing:
ldap:///<DirectoryAccessProtocolPath>
UNC or absolute physical paths are no longer supported.</maml:para> <maml:para>For CA certificate retrieval:
http://<DomainURL>/<VirtualDirectoryAndFilePath>.crt
ldap:///<DirectoryAccessProtocolPath>
ldap://<hostname>/<path>?<query></maml:para> <maml:para>Note: the ldap:///<DirectoryAccessProtocolPath> URI type assumes Active Directory usage and must contain the forest root domain's domain component (DC=...) within the LDAP path. This may cause big retrieval delays. Since Active Directory may contain many domain controllers and the content specified in the LDAP URI is automatically replicated between all domain controllers in the current forest, CryptoAPI may simplify content retrieval from Active Directory by contacting the domain controller nearest to the client rather than the forest root domain. The nearest domain controller is stored in the $env:LogonServer system variable (or %LogonServer% in CMD syntax). </maml:para> <maml:para>Windows PKI also supports another form of LDAP URI, with a host name: ldap://<hostname>/path?query</maml:para> <maml:para>In this case the client will not contact a domain controller, but the specified host directly. Unlike the ldap:/// URI form, ldap://<hostname> may use a 3rd party LDAP-compatible directory. Automatic content (CA certificate or certificate revocation list) publishing to such directories is not supported. 
You will have to manually publish CA certificates to these directories by using external means.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AIA | Add-AuthorityInformationAccess -URI "2:http://eu.company.com/MyCA%4.crt" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will retrieve AIA extension configuration from 'MyCA' CA server and adds new URI that will be published in all issued certificates. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name RootCA | Get-AuthorityInformationAccess | Add-AuthorityInformationAccess -URI "32:http://na.company.com/OCSP" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will retrieve AIA extension configuration from 'RootCA' CA server and adds new URI that will be published in all issued certificates as OCSP location. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-AuthorityInformationAccess.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> 
<maml:linkText>Remove-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CAAccessControlEntry</command:name> <maml:description> <maml:para>Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>CAAccessControlEntry</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).</maml:para> <maml:para>This command performs ACL object change. Use Set-CASecurityDescriptor to write modified ACL to CA configuration.</maml:para> <maml:para>Note: CA security descriptor supports only one ACE per user. Therefore, if added user account already has explicit permissions on CA server, new ACE will not be added.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CAAccessControlEntry</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the current access control list (ACL) object to modify. 
This object can be retrieved by running either the Get-CASecurityDescriptor or the Remove-CAAccessControlEntry command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CASecurityDescriptor[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>AccessControlEntry</maml:name> <maml:description> <maml:para>Specifies the new access control entry object to add.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificationAuthorityAccessRule[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the current access control list (ACL) object to modify. 
This object can be retrieved by running either the Get-CASecurityDescriptor or the Remove-CAAccessControlEntry command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CASecurityDescriptor[]</command:parameterValue> <dev:type> <maml:name>CASecurityDescriptor[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>AccessControlEntry</maml:name> <maml:description> <maml:para>Specifies the new access control entry object to add.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificationAuthorityAccessRule[]</command:parameterValue> <dev:type> <maml:name>CertificationAuthorityAccessRule[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> 
<command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = @(New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow")
PS C:\> $ACE += New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>The first two lines create new access control entries:
-- the first creates an ACE for John Wayne and grants him CA manager permissions.
-- the second creates an ACE for John Smith and grants him certificate manager permissions.
The third line retrieves the current ACL from the CA server, adds the new access control entries and writes them to the CA configuration. After command completion, CA services will be restarted to immediately apply changes.</maml:para> <maml:para>Note that if the ACL already contains an entry for the user account to be added, the new ACE will not be added. 
Instead, use techniques described in Example 2.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example demonstrates how to change permissions explicitly granted to a user. In this example, the first line creates a new access control entry for John Smith. 
Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CAAccessControlEntry.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASecurityDescriptor</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CAAccessControlEntry</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CASecurityDescriptor</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CAKRACertificate</command:name> <maml:description> <maml:para>Adds new Key Recovery Agent (KRA) certificate to a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>CAKRACertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds new Key 
Recovery Agent (KRA) certificate to a specified Certification Authority (CA). This command doesn't change actual settings, but just prepares the KRA object. To change KRAs on the CA, use this command in conjunction with the Set-CAKRACertificate command.</maml:para> <maml:para>A Key Recovery Agent certificate is used to encrypt a user certificate's private key and store it in the CA database in an encrypted form. If the user cannot access his or her certificate private key, it can be recovered by a key recovery agent (if the Key Archival procedure was performed for that particular certificate).</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CAKRACertificate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running the Get-CAKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRA[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Specifies one or more X509Certificate2 objects that represent key recovery agent certificate(s). To retrieve a list of enterprise key recovery agent certificates, use the Get-ADKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">X509Certificate2[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. 
This object can be retrieved by running Get-CAKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRA[]</command:parameterValue> <dev:type> <maml:name>KRA[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Specifies one or more X509Certificate2 objects that represent key recovery agent certificate(s). To retrieve a list of enterprise key recovery agent certificates use Get-ADKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">X509Certificate2[]</command:parameterValue> <dev:type> <maml:name>X509Certificate2[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.KRA[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.KRA[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $KRACerts = Get-ADKRACertificate -Subject "CN=Key Recovery*"
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $KRACerts | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>The first command retrieves from Active Directory all KRA certificates where the subject field starts with 'CN=Key Recovery' (in DN format). The second command retrieves the KRA certificates currently assigned to the 'MyCA' CA server and adds the new certificates obtained in the first command. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Certs = Get-ADKRACertificate -ShowUI -Multipick
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $Certs | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>In this example, the first command displays a certificate selection UI where you can select available KRA certificates. The second command adds the certificates selected in the previous command to the currently assigned certificates and writes the new certificate list back to the CA server. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CAKRACertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-ADKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CATemplate</command:name> <maml:description> <maml:para>Adds certificate templates to a list of templates to issue to a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>CATemplate</command:noun> 
<dev:version /> </command:details> <maml:description> <maml:para>Adds certificate templates to a list of templates to issue by a specified Certification Authority (CA).</maml:para> <maml:para>This command just prepares a new template list to be added to CA server. In order to write the new list to CA server use Set-CATemplate command (see examples).</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object with assigned templates. This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>DisplayName</maml:name> <maml:description> <maml:para>Specifies template (or templates) display names to assign to a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Add-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object with assigned templates. 
This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies template (or templates) common names to assign to a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Add-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object with assigned templates. This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies template (or templates) object to assign to a specified CA server. 
Template object can be retrieved by running Get-CertificateTemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateTemplate[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object with assigned templates. This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> <dev:type> <maml:name>CATemplate[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>DisplayName</maml:name> <maml:description> <maml:para>Specifies template (or templates) display names to assign to a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies template (or templates) common names to assign to a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" 
pipelineInput="false" position="named"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies template (or templates) object to assign to a specified CA server. Template object can be retrieved by running Get-CertificateTemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateTemplate[]</command:parameterValue> <dev:type> <maml:name>CertificateTemplate[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CATemplate[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CATemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CATemplate[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CATemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company CA01" | Get-CATemplate | Add-CATemplate -Name "SmartCardV2","OfflineComputer" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will add 'SmartCardV2' and 
'OfflineComputer' templates (must be created by using Certificate Templates MMC snap-in by duplicating existing templates) and assigns them to a 'Company CA01' certification authority.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CATemplate | Add-CATemplate -DisplayName "Computer V2", "CA Exchange" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will add templates with display names: 'Computer V2' (must be created by using Certificate Templates MMC snap-in by duplicating existing templates) and 'CA Exchange' and assigns them to all Enterprise CAs in the forest.</maml:para> <maml:para>This example is useful to provide template redundancy, so clients are able to enroll for a certificate even if one CA server is down (offline).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Template = Get-CertificateTemplate -Name WebServer
C:\PS>Get-CertificationAuthority ca01.company.com | Get-CATemplate | Add-CATemplate -Template $Template | Set-CATemplate</dev:code> <dev:remarks> <maml:para>In this example the first command retrieves template object by running Get-CertificateTemplate command. 
The second command adds this template to the CA server running on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CATemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CertificateEnrollmentPolicyService</command:name> <maml:description> <maml:para>Installs Certificate Enrollment Policy Service (CEP) instance on a local computer.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>CertificateEnrollmentPolicyService</command:noun> <dev:version /> 
</command:details> <maml:description> <maml:para>Installs Certificate Enrollment Policy Service (CEP) instance on a local computer and configures IIS web application. This command supports only Windows Server 2008 R2 and newer operating systems.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CertificateEnrollmentPolicyService</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Authentication</maml:name> <maml:description> <maml:para>Specifies authentication type for communication. Possible values are: Kerberos, UsrPwd or Certificate. Kerberos is used by default.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Thumbprint</maml:name> <maml:description> <maml:para>Specifies SSL certificate thumbprint. If this parameter is omitted, the command will try to enroll for a new SSL certificate from an Enterprise CA. The command will attempt to enroll for a certificate based on either the 'Computer' (if the local computer is a member server) or the 'Domain Controller' (if the local computer is a domain controller) certificate template.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Authentication</maml:name> <maml:description> <maml:para>Specifies authentication type for communication. Possible values are: Kerberos, UsrPwd or Certificate. 
Kerberos is used by default.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>Kerberos</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Thumbprint</maml:name> <maml:description> <maml:para>Specifies SSL certificate thumbprint. If this parameter is omitted, the command will try to enroll for a new SSL certificate from an Enterprise CA. The command will attempt to enroll for a certificate based on either the 'Computer' (if the local computer is a member server) or the 'Domain Controller' (if the local computer is a domain controller) certificate template.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> 
<command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Add-CertificateEnrollmentPolicyService</dev:code> <dev:remarks> <maml:para>Running the command without parameters will install the Certificate Enrollment Policy Service instance with the default Kerberos authentication. If no valid SSL certificate is found, a new one will be requested and assigned to the CEP service.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Add-CertificateEnrollmentPolicyService -Authentication Certificate -Thumbprint "D485FFFD6C2CBC161667087B3209CCD765A32544"</dev:code> <dev:remarks> <maml:para>In this example the CEP server will be configured to use Certificate authentication. In addition, the IIS Default Web Site will be configured to use the SSL certificate with thumbprint 'D485FFFD6C2CBC161667087B3209CCD765A32544'. 
The certificate must be stored in LocalMachine store and have a private key.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CertificateEnrollmentPolicyService.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateEnrollmentService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateEnrollmentService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateEnrollmentPolicyService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CertificateEnrollmentService</command:name> <maml:description> <maml:para>Installs Certificate Enrollment Service (CES) instance on a local computer.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>CertificateEnrollmentService</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Installs Certificate Enrollment Service (CES) instance and configures it to work with specified certification authority. 
This command supports only Windows Server 2008 R2 and newer operating systems.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CertificateEnrollmentService</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>CAConfig</maml:name> <maml:description> <maml:para>Specifies certification authority configuration string in: CAComputerName\CASanitizedName format. CAComputerName may be either DNS or NetBIOS name. If this parameter is omitted, CA selection UI will be displayed during instance installation.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Authentication</maml:name> <maml:description> <maml:para>Specifies authentication type for communication. Possible values are: Kerberos, UsrPwd or Certificate. Kerberos is used by default.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>User</maml:name> <maml:description> <maml:para>Sets CES AppPool account name. 
If this parameter is omitted, ApplicationPoolIdentity account will be used.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>Password</maml:name> <maml:description> <maml:para /> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RenewalOnly</maml:name> <maml:description> <maml:para>Sets CES service mode to Renewal Only. In that case CES will process certificate renewal requests only. No new certificate requests will be accepted.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>CAConfig</maml:name> <maml:description> <maml:para>Specifies certification authority configuration string in: CAComputerName\CASanitizedName format. CAComputerName may be either DNS or NetBIOS name. If this parameter is omitted, CA selection UI will be displayed during instance installation. 
</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Authentication</maml:name> <maml:description> <maml:para>Specifies authentication type for communication. Possible values are: Kerberos, UsrPwd or Certificate. Kerberos is used by default.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>Kerberos</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>User</maml:name> <maml:description> <maml:para>Sets CES AppPool account name. If this parameter is omitted, ApplicationPoolIdentity account will be used.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RenewalOnly</maml:name> <maml:description> <maml:para>Sets CES service mode to Renewal Only. In that case CES will process certificate renewal requests only. 
No new certificate requests will be accepted.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>Password</maml:name> <maml:description> <maml:para /> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Add-CertificateEnrollmentService</dev:code> <dev:remarks> <maml:para>Running command without parameters will cause CA 
selection UI appearance. You will need to select CA server for CES server. In addition, default Kerberos authentication will be used.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Password = Read-Host -AsSecureString -Prompt "Password for CustomUser"
C:\PS>Add-CertificateEnrollmentService -CAConfig CA1\Contoso-CA -Authentication Certificate -User CustomUser -Password $Password</dev:code> <dev:remarks> <maml:para>The first command prompts for the CustomUser account password and stores it as a SecureString, which is the type the Password parameter accepts. The second command configures the CES server to work with the CA named Contoso-CA that is hosted on the computer named CA1. The CES server will use client certificate authentication, and the IIS AppPool will be configured to run under the CustomUser account.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CertificateEnrollmentService.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateEnrollmentPolicyService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateEnrollmentService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateEnrollmentPolicyService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command 
xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CertificateTemplateAcl</command:name> <maml:description> <maml:para>Adds an entity (user, computer, or security group) to the certificate template ACL.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>CertificateTemplateAcl</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds an entity (user, computer, or security group) to the certificate template ACL.</maml:para> <maml:para>This command only prepares a new certificate template ACL object. To write it to the actual object in Active Directory, pipe this command's result to the Set-CertificateTemplateAcl cmdlet (see the Examples section).</maml:para> <maml:para>Note: in order to edit a certificate template ACL, you must be granted Enterprise Admins permissions or delegated permissions on the 'Certificate Templates' Active Directory container.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CertificateTemplateAcl</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an ACL object of certificate template. 
This object can be retrieved by running Get-CertificateTemplateAcl command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">SecurityDescriptor2[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>User</maml:name> <maml:description> <maml:para>Specifies a user, computer or a group to add to ACL. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">NTAccount[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>AccessType</maml:name> <maml:description> <maml:para>Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. Instead, you should remove an account from the ACL or grant only required permissions.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AccessControlType</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3"> <maml:name>AccessMask</maml:name> <maml:description> <maml:para>Specifies a set of permissions to assign. 
The following values can be used: 'FullControl', 'Read', 'Write', 'Enroll', 'Autoenroll'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">TemplateRight[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">SecurityDescriptor2[]</command:parameterValue> <dev:type> <maml:name>SecurityDescriptor2[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>User</maml:name> <maml:description> <maml:para>Specifies a user, computer or a group to add to ACL. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">NTAccount[]</command:parameterValue> <dev:type> <maml:name>NTAccount[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>AccessType</maml:name> <maml:description> <maml:para>Specifies access type. Access type can be either: Allow or Deny. Try to avoid Deny access type usage. 
Instead, you should remove an account from the ACL or grant only required permissions.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AccessControlType</command:parameterValue> <dev:type> <maml:name>AccessControlType</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3"> <maml:name>AccessMask</maml:name> <maml:description> <maml:para>Specifies a set of permissions to assign. The following values can be used: 'FullControl', 'Read', 'Write', 'Enroll', 'Autoenroll'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">TemplateRight[]</command:parameterValue> <dev:type> <maml:name>TemplateRight[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.Security.SecurityDescriptor[]</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.SecurityDescriptor[]</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> 
Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl</dev:code> <dev:remarks> <maml:para>This command adds the 'WebServerGroup' security group to the ACL of the 'WebServer' certificate template and grants it Read and Enroll permissions. The new ACL is then written to the actual object.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CertificateTemplateAcl.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-CRLDistributionPoint</command:name> <maml:description> <maml:para>Adds new CRL distribution points (CDP) to a specified Certification Authority.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright>
<command:verb>Add</command:verb> <command:noun>CRLDistributionPoint</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds new CRL distribution points (CDP) to a specified Certification Authority. This command does not change the actual settings; it only prepares the CDP URIs.</maml:para> <maml:para>The CDP extension consists of two URI types:</maml:para> <maml:para>-- URIs for physical CRL file publishing. These URIs do not appear in the certificate CDP extension. -- URIs for publishing in the appropriate certificate/CRL extensions.</maml:para> <maml:para>Published URIs are used by the certificate chaining engine during certificate revocation status checking. URIs are checked in the same order as they are placed in the certificate's CDP extension until a CRL is retrieved. The most accessible URI should be placed first. This command adds new URIs below existing URIs. It is recommended to specify no more than two CRL location URIs (for Base CRLs). This is because if the first two URIs fail, the client will fail revocation checking due to a timeout and the certificate might be rejected. Here is an example:</maml:para> <maml:para>[1]CRL Distribution Point Distribution Point Name: Full Name: URL=http://eu.company.com/MyCA.crl URL=http://na.company.com/MyCA.crl</maml:para> <maml:para>In this example http://eu.company.com/MyCA.crl is processed first. If this URI fails, http://na.company.com/MyCA.crl will be used. If both URIs fail, the client application should report a 'Revocation offline' error.</maml:para> <maml:para>Note: If the certificate's AIA extension contains OCSP URIs and the client application supports OCSP, OCSP is used first. Otherwise the CDP extension is used. If all OCSP locations fail, the CDP extension is used. In certain cases applications that support OCSP (for example CryptoAPI) may elect to ignore OCSP and use the CDP extension instead.
Thus it is very important to maintain correct and up-to-date URIs in the CDP extension.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-CRLDistributionPoint</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CRLDistributionPoint object to which new CRL distribution points are added. This object can be retrieved by running the Get-CRLDistributionPoint command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLDistributionPoint[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies new CRL file publishing distribution points for a particular CA. Must be passed in the following format: &lt;Flags&gt;:&lt;RelativeURI&gt;, where &lt;Flags&gt; is a combination of publishing flags. The following values are possible for &lt;Flags&gt;:</maml:para> <maml:para>1 - Publish CRLs to this location. 2 - Include in all issued certificates. 4 - Include in CRLs. Clients use this to find delta CRL locations. 8 - Include in the CDP extension of CRLs. 64 - Publish delta CRLs to this location. Specifies where to publish in AD DS when publishing to LDAP URLs. 128 - Include in the IDP extension of issued CRLs.</maml:para> <maml:para>Within &lt;RelativeURI&gt; you can use the following variables:</maml:para> <maml:para>%1 - the CA's computer DNS name. %2 - the CA's computer NetBIOS name. %3 - CA's logical name. %6 - the LDAP path of the forest's configuration naming context for the forest. %7 - CA's 'sanitized' name. This is the same as the CA name but with special characters encoded, such as: \/:\*?"&lt;&gt;|. %8 - the CRL's renewal extension. %9 - indicates whether Delta CRLs are supported by this CA.
%10 - indicates that the object is a CDP object in AD CS.</maml:para> <maml:para>With a Windows CA you should include the %8 variable in the URI. This matters when you renew the CA's certificate with a new key pair. After CA certificate renewal the CA server maintains both CRLs, signed by the previous and by the renewed CA certificate. To tell them apart, the CA server includes the certificate index in parentheses. For example, suppose you have specified the following URI: 6:http://eu.company.com/MyCA%8.crl In this example a CA server with the initial CA certificate will publish the following URI in the CDP extension of issued certificates: http://eu.company.com/MyCA.crl Once the CA certificate is renewed with a new key pair, the CA server will generate new CRL files with the corresponding index, and the following URI will be published in newly issued certificates: http://eu.company.com/MyCA(1).crl Subsequent CA certificate renewals with a new key pair will update the URI accordingly.</maml:para> <maml:para>Note: Windows PKI supports the following URI formats. For CRL publishing: &lt;DriveLetter&gt;:\&lt;FilePath&gt;.crl file://\&lt;RemoteServerName&gt;\&lt;ShareName&gt;\&lt;FilePath&gt;.crl \&lt;RemoteServerName&gt;\&lt;ShareName&gt;\&lt;FilePath&gt;.crl ldap:///&lt;DirectoryAccessProtocolPath&gt;</maml:para> <maml:para>For CRL retrieval: http://&lt;DomainURL&gt;/&lt;VirtualDirectoryAndFilePath&gt;.crl ldap:///&lt;DirectoryAccessProtocolPath&gt; ldap://&lt;hostname&gt;/&lt;path&gt;?&lt;query&gt;</maml:para> <maml:para>Note: The ldap:///&lt;DirectoryAccessProtocolPath&gt; URI type assumes Active Directory usage and must contain the forest root domain's domain component (DC=...) within the LDAP path. This may cause long retrieval delays. Because Active Directory may contain many domain controllers and the content specified in the LDAP URI is automatically replicated between all domain controllers in the current forest, CryptoAPI may simplify content retrieval by contacting the domain controller nearest to the client instead of the forest root domain.
The nearest domain controller is stored in the $env:LogonServer environment variable (or %LogonServer% in CMD syntax).</maml:para> <maml:para>Windows PKI also supports another form of LDAP URI that includes a host name: ldap://&lt;hostname&gt;/path?query</maml:para> <maml:para>In this case the client will not contact a domain controller, but the specified host directly. Unlike the ldap:/// URI form, ldap://&lt;hostname&gt; may use a 3rd party LDAP-compatible directory. Automatic content (CA certificate or certificate revocation list) publishing to such directories is not supported. You will have to manually publish CA certificates to these directories by using external means.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CRLDistributionPoint object to which new CRL distribution points are added. This object can be retrieved by running the Get-CRLDistributionPoint command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLDistributionPoint[]</command:parameterValue> <dev:type> <maml:name>CRLDistributionPoint[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies new CRL file publishing distribution points for a particular CA. Must be passed in the following format: &lt;Flags&gt;:&lt;RelativeURI&gt;, where &lt;Flags&gt; is a combination of publishing flags. The following values are possible for &lt;Flags&gt;:</maml:para> <maml:para>1 - Publish CRLs to this location. 2 - Include in all issued certificates.
4 - Include in CRLs. Clients use this to find delta CRL locations. 8 - Include in the CDP extension of CRLs. 64 - Publish delta CRLs to this location. Specifies where to publish in AD DS when publishing to LDAP URLs. 128 - Include in the IDP extension of issued CRLs.</maml:para> <maml:para>Within &lt;RelativeURI&gt; you can use the following variables:</maml:para> <maml:para>%1 - the CA's computer DNS name. %2 - the CA's computer NetBIOS name. %3 - CA's logical name. %6 - the LDAP path of the forest's configuration naming context for the forest. %7 - CA's 'sanitized' name. This is the same as the CA name but with special characters encoded, such as: \/:\*?"&lt;&gt;|. %8 - the CRL's renewal extension. %9 - indicates whether Delta CRLs are supported by this CA. %10 - indicates that the object is a CDP object in AD CS.</maml:para> <maml:para>With a Windows CA you should include the %8 variable in the URI. This matters when you renew the CA's certificate with a new key pair. After CA certificate renewal the CA server maintains both CRLs, signed by the previous and by the renewed CA certificate. To tell them apart, the CA server includes the certificate index in parentheses. For example, suppose you have specified the following URI: 6:http://eu.company.com/MyCA%8.crl In this example a CA server with the initial CA certificate will publish the following URI in the CDP extension of issued certificates: http://eu.company.com/MyCA.crl Once the CA certificate is renewed with a new key pair, the CA server will generate new CRL files with the corresponding index, and the following URI will be published in newly issued certificates: http://eu.company.com/MyCA(1).crl Subsequent CA certificate renewals with a new key pair will update the URI accordingly.</maml:para> <maml:para>Note: Windows PKI supports the following URI formats.
For CRL publishing: &lt;DriveLetter&gt;:\&lt;FilePath&gt;.crl file://\&lt;RemoteServerName&gt;\&lt;ShareName&gt;\&lt;FilePath&gt;.crl \&lt;RemoteServerName&gt;\&lt;ShareName&gt;\&lt;FilePath&gt;.crl ldap:///&lt;DirectoryAccessProtocolPath&gt;</maml:para> <maml:para>For CRL retrieval: http://&lt;DomainURL&gt;/&lt;VirtualDirectoryAndFilePath&gt;.crl ldap:///&lt;DirectoryAccessProtocolPath&gt; ldap://&lt;hostname&gt;/&lt;path&gt;?&lt;query&gt;</maml:para> <maml:para>Note: The ldap:///&lt;DirectoryAccessProtocolPath&gt; URI type assumes Active Directory usage and must contain the forest root domain's domain component (DC=...) within the LDAP path. This may cause long retrieval delays. Because Active Directory may contain many domain controllers and the content specified in the LDAP URI is automatically replicated between all domain controllers in the current forest, CryptoAPI may simplify content retrieval by contacting the domain controller nearest to the client instead of the forest root domain. The nearest domain controller is stored in the $env:LogonServer environment variable (or %LogonServer% in CMD syntax).</maml:para> <maml:para>Windows PKI also supports another form of LDAP URI that includes a host name: ldap://&lt;hostname&gt;/path?query</maml:para> <maml:para>In this case the client will not contact a domain controller, but the specified host directly. Unlike the ldap:/// URI form, ldap://&lt;hostname&gt; may use a 3rd party LDAP-compatible directory. Automatic content (CA certificate or certificate revocation list) publishing to such directories is not supported.
You will have to manually publish CA certificates to these directories by using external means.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority RootCA | Get-CrlDistributionPoint | Add-CrlDistributionPoint -URI "6:http://crl.domain.com/%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example adds a new CDP URI to the certificate CDP extension for the 'RootCA' CA server. It also adds the new URI to the Freshest CRL extension in CRLs, which is used to locate the corresponding Delta CRL.
After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CrlDistributionPoint | Add-CrlDistributionPoint -URI "65:\\ServerName\crlfile%9.crl", "65:C:\CertData\%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This adds new paths for Base and Delta CRL file publication for all CAs in the current forest. This example does not add any new URIs to the certificate CDP extension; it only instructs the CA to publish physical CRL files to the specified locations.
After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-CRLDistributionPoint.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Add-ExtensionList</command:name> <maml:description> <maml:para>Adds certificate enabled/disabled extension lists.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Add</command:verb> <command:noun>ExtensionList</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds certificate enabled/disabled extension lists. 
Extensions are separated into three categories:</maml:para> <maml:para>EnabledExtensionList - contains extensions that the CA server will publish in each issued certificate upon request. OfflineExtensionList - contains the list of allowed extensions that the CA server will publish in issued certificates when an offline request is used. DisabledExtensionList - contains extensions that will not be published in the certificate even if the extension is specified in the request.</maml:para> <maml:para>For more details see the corresponding parameter descriptions.</maml:para> <maml:para>Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Add-ExtensionList</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the ExtensionList object with configured extensions. This object can be retrieved by running the Get-ExtensionList command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">ExtensionList[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>EnabledExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions that are added to the issued certificate upon request. This list is processed by a policy module each time a request is resolved (that is, results in an issued certificate). Use this property with care and do not enable security-critical extensions such as Subject Alternative Names (SAN).
The CA server performs additional extension processing by using the 'OfflineExtension' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2"> <maml:name>OfflineExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions that are added to the issued certificate for an offline request. An 'offline' request is a request that includes subject information, so the CA server does not use Active Directory to build the certificate's subject. For example, requests based on the default 'WebServer' certificate template are considered 'offline', because the template is configured to build the subject from the submitted request. If the certificate template is configured to build the subject from Active Directory, the OfflineExtensionList property has no effect, and any extensions in the request are written to the CA database but are not included in the issued certificate.</maml:para> <maml:para>For Standalone CAs, all requests are treated as 'offline'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3"> <maml:name>DisabledExtension</maml:name> <maml:description> <maml:para>Specifies one or more extension friendly names or extension OIDs to prevent from being published in certificates.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description>
<maml:para>Specifies the ExtensionList object with configured extensions. This object can be retrieved by running the Get-ExtensionList command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">ExtensionList[]</command:parameterValue> <dev:type> <maml:name>ExtensionList[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>EnabledExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions that are added to the issued certificate upon request. This list is processed by a policy module each time a request is resolved (that is, results in an issued certificate). Use this property with care and do not enable security-critical extensions such as Subject Alternative Names (SAN). The CA server performs additional extension processing by using the 'OfflineExtension' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> <dev:type> <maml:name>Oid[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2"> <maml:name>OfflineExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions that are added to the issued certificate for an offline request. An 'offline' request is a request that includes subject information, so the CA server does not use Active Directory to build the certificate's subject. For example, requests based on the default 'WebServer' certificate template are considered 'offline', because the template is configured to build the subject from the submitted request.
If the certificate template is configured to build the subject from Active Directory, the OfflineExtensionList property has no effect, and any extensions in the request are written to the CA database but are not included in the issued certificate.</maml:para> <maml:para>For Standalone CAs, all requests are treated as 'offline'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> <dev:type> <maml:name>Oid[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3"> <maml:name>DisabledExtension</maml:name> <maml:description> <maml:para>Specifies one or more extension friendly names or extension OIDs to prevent from being published in certificates.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> <dev:type> <maml:name>Oid[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors>
<maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -DisabledExtension "Certificate Template Name" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>This example will add the 'Certificate Template Name' extension to the restricted extension list. As a result, the CA server will not publish this extension in issued certificates. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -EnabledExtension "Certificate Policies" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>Adds the 'Certificate Policies' extension to the list of extensions that are allowed to be published in issued certificates.
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Add-ExtensionList.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Approve-CertificateRequest</command:name> <maml:description> <maml:para>Approves certificate for a certificate request that is placed in 'Pending Requests' node on the CA server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Approve</command:verb> <command:noun>CertificateRequest</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Issues certificate for a certificate request 
that is placed in 'Pending Requests' node on the CA server. This is equivalent to manually issuing a certificate request from Certification Authority MMC snap-in.</maml:para> <maml:para>Note: for this command to succeed, the certificate request must be pending.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Approve-CertificateRequest</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the pending request object. Pending request object can be retrieved by running Get-PendingRequest command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the pending request object. 
Pending request object can be retrieved by running Get-PendingRequest command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority CompanyCA1 | Get-PendingRequest -ID 10,14 | Approve-CertificateRequest</dev:code> <dev:remarks> <maml:para>This command will attempt to approve certificate requests with ID 10 and 14 and issue certificates.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> 
<command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Approve-CertificateRequest.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Deny-CertificateRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Connect-CertificationAuthority</command:name> <maml:description> <maml:para>Connects to a specified Certification Authority server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Connect</command:verb> <command:noun>CertificationAuthority</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Connects to a specified Certification Authority server. 
The command supports connection to a single Standalone or Enterprise CA server.</maml:para> <maml:para>This command is similar to Get-CertificationAuthority and its result can be piped to any command that accepts the Get-CertificationAuthority command's output.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Connect-CertificationAuthority</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>ComputerName</maml:name> <maml:description> <maml:para>Specifies the fully qualified domain name (FQDN) or short name (NetBIOS) of the computer that hosts the Certification Authority role.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>ComputerName</maml:name> <maml:description> <maml:para>Specifies the fully qualified domain name (FQDN) or short name (NetBIOS) of the computer that hosts the Certification Authority role.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>. 
(local computer)</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Connect-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Attempts to connect to a CA server that is installed on a local computer.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Connect-CertificationAuthority -ComputerName ca01.company.com</dev:code> <dev:remarks> <maml:para>Attempts to connect to a CA server that is installed on a 'ca01.company.com' computer.</maml:para> <maml:para /> 
<maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Connect-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Deny-CertificateRequest</command:name> <maml:description> <maml:para>Denies a certificate for a certificate request that is placed in 'Pending Requests' node on the CA server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Deny</command:verb> <command:noun>CertificateRequest</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Denies certificate request that is placed in 'Pending Requests' node on the CA server. This is equivalent to manually denying the certificate request from Certification Authority MMC snap-in.</maml:para> <maml:para>Note: for this command to succeed, the certificate request must be pending.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Deny-CertificateRequest</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the particular request object. 
Request object can be retrieved by running Get-PendingRequest command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the particular request object. Request object can be retrieved by running Get-PendingRequest command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority CompanyCA1 | Get-PendingRequest -Filter "CertificateTemplate -eq WebServerV2" | Deny-CertificateRequest</dev:code> <dev:remarks> <maml:para>This command will attempt to deny certificate requests that are requested to use WebServerV2 certificate template.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Deny-CertificateRequest.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Approve-CertificateRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Disable-CertificateRevocationListFlag</command:name> <maml:description> 
<maml:para>Disables certificate revocation list settings (flag) for specified CA server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Disable</command:verb> <command:noun>CertificateRevocationListFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Disables certificate revocation list settings (flag) for a specified CA server. These flags affect only the CA server where they are defined.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Disable-CertificateRevocationListFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CRLFlag object to process. This object can be retrieved by running Get-CertificateRevocationListFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to disable. The following flag (or flags) can be used:</maml:para> <maml:para>DeltaUseOldestUnexpiredBase - the CA server will use oldest unexpired Base CRL for certificate revocation checking. Otherwise, the most recent Base CRL is used. DeleteExpiredCRLs - deletes CRLs signed by the expired CA keys. CRLNumberCritical - the CA server will mark CRL Number extension as critical. If a target application doesn't recognize this extension, a CRL will be rejected. RevCheckIgnoreOffline - the CA server will ignore certificate revocation checking failures (not recommended). IgnoreInvalidPolicies - the CA server will ignore invalid Certificate Policies extension in requests. 
RebuildModifiedSubjectOnly - when a CA server is configured to use the unmodified subject that is supplied in the certificate request, the policy module should not make any changes to the subject that is in the certificate request. SaveFailedCerts - N/A IgnoreUnknownCMCAttributes - the CA server ignores unknown CMC attributes in the request. IgnoreCrossCertTrustError - the CA server ignores trust errors for cross-certificates during certificate chain building. PublishExpiredCertCRLs - the CA will publish expired revoked certificates in CRLs. EnforceEnrollmentAgent - the CA enforces enrollment agent restrictions. DisableRDNReorder - the CA server will not re-order relative distinguished name (RDN) in the certificate request. DisableRootCrossCerts - instructs Root CA server to not generate root cross-certificates after Root CA renewal with new key pair. LogfullResponse - the CA will dump request response to console. UseXCHGCertTemplate - instructs CA server to use CA Exchange template instead of using automatically generated short-lived certificates for key archival. UseCrossCertTemplate - instructs Root CA server to use Cross Certification Authority template during Root CA renewal with new key pair, instead of using automatically generated cross-certificates. AllowRequestAttributeSubject - the CA server will accept certificate subject submitted as a part of request attributes. DisableChainVerification - the CA server will not try to build chain for a certificate. RevCheckIgnoreNoRevCheck - the CA server ignores empty CRL Distribution Points (CDP) extension for non-root certificates. PreserveExpiredCerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is not timely valid. PreserveRevokedCACerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is revoked. 
BuildRootCACRLEntriesBasedOnKey - N/A</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CRLFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CRLFlag object to process. This object can be retrieved by running Get-CertificateRevocationListFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLFlag[]</command:parameterValue> <dev:type> <maml:name>CRLFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to disable. The following flag (or flags) can be used:</maml:para> <maml:para>DeltaUseOldestUnexpiredBase - the CA server will use oldest unexpired Base CRL for certificate revocation checking. Otherwise, the most recent Base CRL is used. DeleteExpiredCRLs - deletes CRLs signed by the expired CA keys. CRLNumberCritical - the CA server will mark CRL Number extension as critical. If a target application doesn't recognize this extension, a CRL will be rejected. 
RevCheckIgnoreOffline - the CA server will ignore certificate revocation checking failures (not recommended). IgnoreInvalidPolicies - the CA server will ignore invalid Certificate Policies extension in requests. RebuildModifiedSubjectOnly - when a CA server is configured to use the unmodified subject that is supplied in the certificate request, the policy module should not make any changes to the subject that is in the certificate request. SaveFailedCerts - N/A IgnoreUnknownCMCAttributes - the CA server ignores unknown CMC attributes in the request. IgnoreCrossCertTrustError - the CA server ignores trust errors for cross-certificates during certificate chain building. PublishExpiredCertCRLs - the CA will publish expired revoked certificates in CRLs. EnforceEnrollmentAgent - the CA enforces enrollment agent restrictions. DisableRDNReorder - the CA server will not re-order relative distinguished name (RDN) in the certificate request. DisableRootCrossCerts - instructs Root CA server to not generate root cross-certificates after Root CA renewal with new key pair. LogfullResponse - the CA will dump request response to console. UseXCHGCertTemplate - instructs CA server to use CA Exchange template instead of using automatically generated short-lived certificates for key archival. UseCrossCertTemplate - instructs Root CA server to use Cross Certification Authority template during Root CA renewal with new key pair, instead of using automatically generated cross-certificates. AllowRequestAttributeSubject - the CA server will accept certificate subject submitted as a part of request attributes. DisableChainVerification - the CA server will not try to build chain for a certificate. RevCheckIgnoreNoRevCheck - the CA server ignores empty CRL Distribution Points (CDP) extension for non-root certificates. PreserveExpiredCerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is not timely valid. 
PreserveRevokedCACerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is revoked. BuildRootCACRLEntriesBasedOnKey - N/A</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CRLFlagEnum</command:parameterValue> <dev:type> <maml:name>CRLFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> 
<command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-CRLFlag | Disable-CRLFlag "RevCheckIgnoreOffline", "RevCheckIgnoreNoRevCheck" -RestartCA</dev:code> <dev:remarks> <maml:para>The command will instruct CA server to fail if certificate revocation status cannot be determined (aka "RevocationOffline") and/or non-root certificate has empty CDP extension (or CDP extension is not present). After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Disable-CertificateRevocationListFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-CertificateRevocationListFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" 
xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Disable-InterfaceFlag</command:name> <maml:description> <maml:para>Disables Active Directory Certificate Services (AD CS) management or request interface settings.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Disable</command:verb> <command:noun>InterfaceFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Disables Active Directory Certificate Services (AD CS) management or request interface settings.</maml:para> <maml:para>Management interface is implemented in ICertAdmin and request interface is implemented in ICertRequest. By using this, you can limit the usage of these interfaces. For example, you can prevent AD CS remote management with the ICertAdmin interface and allow AD CS management only locally.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Disable-InterfaceFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the InterfaceFlag object to process. This object can be retrieved by running Get-InterfaceFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">InterfaceFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag (or multiple flags) to disable. The following flags can be used:</maml:para> <maml:para>LockICertRequest - the behavior for this flag is not defined and it should not be used. 
NoRemoteICertRequest - the CA will not issue any certificates or hold pending any requests for remote users. NoLocalICertRequest - the CA will not issue any certificates or hold pending any requests for local users. NoRPCICertRequest - the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface. NoRemoteICertAdmin - no access to Certificate Services Remote Administration Protocol methods for remote callers. NoLocalICertAdmin - no access to Certificate Services Remote Administration Protocol methods for local callers. NoRemoteICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for remote callers. NoLocalICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for local callers. NoSnapshotBackup - the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface. EnforceEncryptICertRequest - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate-request operations. EnforceEncryptICertAdmin - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface). EnableExitKeyRetrieval - enables an exit algorithm to retrieve the Encrypted private-Key Blob. 
EnableAdminAsAuditor - only CA administrators can update the CA audit filter settings.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">InterfaceFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the InterfaceFlag object to process. This object can be retrieved by running Get-InterfaceFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">InterfaceFlag[]</command:parameterValue> <dev:type> <maml:name>InterfaceFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag (or multiple flags) to disable. The following flags can be used:</maml:para> <maml:para>LockICertRequest - the behavior for this flag is not defined and it should not be used. NoRemoteICertRequest - the CA will not issue any certificates or hold pending any requests for remote users. NoLocalICertRequest - the CA will not issue any certificates or hold pending any requests for local users. 
NoRPCICertRequest - the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface. NoRemoteICertAdmin - no access to Certificate Services Remote Administration Protocol methods for remote callers. NoLocalICertAdmin - no access to Certificate Services Remote Administration Protocol methods for local callers. NoRemoteICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for remote callers. NoLocalICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for local callers. NoSnapshotBackup - the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface. EnforceEncryptICertRequest - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate-request operations. EnforceEncryptICertAdmin - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface). EnableExitKeyRetrieval - enables an exit algorithm to retrieve the Encrypted private-Key Blob. 
EnableAdminAsAuditor - only CA administrators can update the CA audit filter settings.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">InterfaceFlagEnum</command:parameterValue> <dev:type> <maml:name>InterfaceFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.InterfaceFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_InterfaceFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.InterfaceFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_InterfaceFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -name "company-CA01" | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoLocalIcertRequest" -RestartCA</dev:code> <dev:remarks> <maml:para>This example removes local enrollment restriction for "company-CA01" CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoRemoteICertAdminBackup" -RestartCA</dev:code> <dev:remarks> <maml:para>This example removes remote backup restrictions for all Enterprise CAs in the current Active Directory forest. 
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Disable-InterfaceFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-InterfaceFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-InterfaceFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-InterfaceFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Disable-KeyRecoveryAgentFlag</command:name> <maml:description> <maml:para>Disables key recovery agent settings (flag) for specified CA server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Disable</command:verb> <command:noun>KeyRecoveryAgentFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Disables Key Recovery Agent (KRA) settings (flag) for specified 
CA server. By default no KRA flags are enabled.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Disable-KeyRecoveryAgentFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRAFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to disable. The following flag (or flags) can be used:</maml:para> <maml:para>EnableForeign - enables key archival for certificates issued by other (or 3rd party) CA. SaveBadRequestKey - enforces key archival even if the submitted public and private key pair cannot be verified. EnableArchiveAll - enforces key archival for all incoming certificate requests. Do not use this flag unless all certificate requests support key archival. 
DisableUseDefaultProvider - disables default cryptographic service provider (CSP) usage for public and private key pair verification.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KRAFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRAFlag[]</command:parameterValue> <dev:type> <maml:name>KRAFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to disable. The following flag (or flags) can be used:</maml:para> <maml:para>EnableForeign - enables key archival for certificates issued by other (or 3rd party) CA. SaveBadRequestKey - enforces key archival even if the submitted public and private key pair cannot be verified. EnableArchiveAll - enforces key archival for all incoming certificate requests. Do not use this flag unless all certificate requests support key archival. 
DisableUseDefaultProvider - disables default cryptographic service provider (CSP) usage for public and private key pair verification.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KRAFlagEnum</command:parameterValue> <dev:type> <maml:name>KRAFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-KeyRecoveryAgentFlag | Disable-KeyRecoveryAgentFlag -Flag "EnableForeign" -RestartCA</dev:code> <dev:remarks> <maml:para>This command disables key archival for keys that were issued (signed) by other (or 3rd party) CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Disable-KeyRecoveryAgentFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-KeyRecoveryAgentFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet 
Help Editor--> <command:details> <command:name>Disable-PolicyModuleFlag</command:name> <maml:description> <maml:para>Disables policy module flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Disable</command:verb> <command:noun>PolicyModuleFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Disables policy module flags. These flags are processed by the policy module during certificate request processing.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Disable-PolicyModuleFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the object that contains existing EditFlags object to process. The object can be retrieved by running Get-PolicyModuleFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">EditFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies flag to disable for processing by CA policy module. This parameter accepts the following value or values:</maml:para> <maml:para>EnableRequestExtensions -- Enables 'Enabled Request Extensions' list processing. RequestExtensionList -- Instructs CA server to process RequestExtensionList property. DisableExtensionList -- Enables 'Disabled Request Extensions' list processing. If the flag is enabled and certificate request contains one or more extensions from this list, extensions will be discarded. AddOldKeyUsage -- N/A AddOldCertType -- N/A AttributeEndDate -- Allows to specify certificate's validity end date. 
While certificate's validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determine this value by ValidityPeriod and ValidityPeriodUnits settings only. This flag allows to override ValidityPeriod and ValidityPeriodUnits settings to set certificate's validity. BasicConstraintsCritical -- Marks Basic Constraints extension as critical. BasicConstraintsCA -- Enables Basic Constraints extension for CA certificates. EnableAKIKeyID -- Enables KeyID (issuer's public key hash) value to appear in Authority Key Identifier (AKI) extension. AttributeCA -- N/A IgnoreRequestGroup -- N/A EnableAKIIssuerName -- Enables issuer name value to appear in Authority Key Identifier (AKI) extension. EnableAKIIssuerSerial -- Enables issuer certificate's serial number to appear in Authority Key Identifier (AKI) extension. EnableAKICritical -- Marks Authority Key Identifier (AKI) extension as critical. ServerUpgraded -- N/A AttributeEKU -- Enables Enhanced Key Usages (EKU) extensions passing as unauthenticated request attribute (rather than including EKU extension as authenticated extension in the request). EnableDefaultSMIME -- N/A EmailOptional -- N/A AttributeSubjectAlternativeName -- Enables Subject Alternative Name (SAN) extensions passing as unauthenticated request attribute (rather than including SAN extension as authenticated extension in the request). Note: Do not enable this flag on Enterprise CAs. Instead, include SAN extension directly in the request. EnableLDAPReferrals -- Allows Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default as unintended template enumeration and enrollment may occur in some scenarios. This flag is necessary only for Cross-Forest Enrollment scenarios. 
EnableChaseClientDC -- N/A AuditCertTemplateLoad -- Enables template list load from Active Directory audit. DisableOldOSCNUPN -- N/A DisableLDAPPackageList -- N/A EnableUPNMap -- N/A EnableOCSPRevNoCheck -- Enables id-pkix-ocsp-nocheck extension in the request. EnableRenewOnBehalfOf -- Enables certificate renewal on behalf of other user or computer.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PolicyModuleFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the object that contains existing EditFlags object to process. The object can be retrieved by running Get-PolicyModuleFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">EditFlag[]</command:parameterValue> <dev:type> <maml:name>EditFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies flag to disable for processing by CA policy module. This parameter accepts the following value or values:</maml:para> <maml:para>EnableRequestExtensions -- Enables 'Enabled Request Extensions' list processing. 
RequestExtensionList -- Instructs CA server to process RequestExtensionList property. DisableExtensionList -- Enables 'Disabled Request Extensions' list processing. If the flag is enabled and certificate request contains one or more extensions from this list, extensions will be discarded. AddOldKeyUsage -- N/A AddOldCertType -- N/A AttributeEndDate -- Allows to specify certificate's validity end date. While certificate's validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determine this value by ValidityPeriod and ValidityPeriodUnits settings only. This flag allows to override ValidityPeriod and ValidityPeriodUnits settings to set certificate's validity. BasicConstraintsCritical -- Marks Basic Constraints extension as critical. BasicConstraintsCA -- Enables Basic Constraints extension for CA certificates. EnableAKIKeyID -- Enables KeyID (issuer's public key hash) value to appear in Authority Key Identifier (AKI) extension. AttributeCA -- N/A IgnoreRequestGroup -- N/A EnableAKIIssuerName -- Enables issuer name value to appear in Authority Key Identifier (AKI) extension. EnableAKIIssuerSerial -- Enables issuer certificate's serial number to appear in Authority Key Identifier (AKI) extension. EnableAKICritical -- Marks Authority Key Identifier (AKI) extension as critical. ServerUpgraded -- N/A AttributeEKU -- Enables Enhanced Key Usages (EKU) extensions passing as unauthenticated request attribute (rather than including EKU extension as authenticated extension in the request). EnableDefaultSMIME -- N/A EmailOptional -- N/A AttributeSubjectAlternativeName -- Enables Subject Alternative Name (SAN) extensions passing as unauthenticated request attribute (rather than including SAN extension as authenticated extension in the request). Note: Do not enable this flag on Enterprise CAs. Instead, include SAN extension directly in the request. 
EnableLDAPReferrals -- Allows Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default as unintended template enumeration and enrollment may occur in some scenarios. This flag is necessary only for Cross-Forest Enrollment scenarios. EnableChaseClientDC -- N/A AuditCertTemplateLoad -- Enables template list load from Active Directory audit. DisableOldOSCNUPN -- N/A DisableLDAPPackageList -- N/A EnableUPNMap -- N/A EnableOCSPRevNoCheck -- Enables id-pkix-ocsp-nocheck extension in the request. EnableRenewOnBehalfOf -- Enables certificate renewal on behalf of other user or computer.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PolicyModuleFlagEnum</command:parameterValue> <dev:type> <maml:name>PolicyModuleFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> 
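<!--
Added example, not part of the PSPKI help or the author's code: a review pass over policy module flags that reports the ones the Flag description above says take certificate content from unauthenticated request attributes or are off by default, so they can be considered for Disable-PolicyModuleFlag. The function name Get-PolicyModuleFlagFinding is hypothetical; the ComputerName and EditFlags property names and the sample objects are assumptions standing in for Get-PolicyModuleFlag output.

```powershell
# Flags to review, with the reason taken from the Flag description above.
$ReviewFlags = [ordered]@{
    AttributeSubjectAlternativeName = 'SAN accepted as unauthenticated request attribute'
    AttributeEKU                    = 'EKU accepted as unauthenticated request attribute'
    AttributeEndDate                = 'Request can set the validity end date'
    EnableLDAPReferrals             = 'Referral chasing; needed only for cross-forest enrollment'
}

function Get-PolicyModuleFlagFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    process {
        # A flags enum (or the sample string) renders as "FlagA, FlagB".
        # Assumption: the enabled flags are exposed in an EditFlags property.
        $enabled = @("$($InputObject.EditFlags)" -split '\s*,\s*' | Where-Object { $_ })
        foreach ($name in $ReviewFlags.Keys) {
            if ($enabled -contains $name) {
                [pscustomobject]@{
                    ComputerName = $InputObject.ComputerName
                    Flag         = $name
                    Reason       = $ReviewFlags[$name]
                }
            }
        }
    }
}

# Constructed sample input (not real CA data).
$sample = @(
    [pscustomobject]@{
        ComputerName = 'ca01.company.com'
        EditFlags    = 'RequestExtensionList, DisableExtensionList, BasicConstraintsCritical, EnableAKIKeyID'
    }
    [pscustomobject]@{
        ComputerName = 'ca02.company.com'
        EditFlags    = 'RequestExtensionList, AttributeSubjectAlternativeName, AttributeEndDate'
    }
)

# ca01 yields no findings; ca02 yields two (SAN attribute, end date).
$findings = @($sample | Get-PolicyModuleFlagFinding)
$findings | Format-Table -AutoSize

# Against live CAs (requires PSPKI and read access to the CA configuration):
# Get-CertificationAuthority | Get-PolicyModuleFlag | Get-PolicyModuleFlagFinding
```

The function only reads and reports; a reported flag is cleared with the documented pipeline, for example Disable-PolicyModuleFlag AttributeSubjectAlternativeName with the RestartCA switch.
-->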
</command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA</dev:code> <dev:remarks> <maml:para>Disables 'Subject Alternative Name' attribute in a submitted certificate request and restarts certificate services. In order to issue a certificate with SAN extension, it must be a part of certificate request extensions. 
After command completion Company-CA CA server will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>Disables 'OCSP No Revocation Checking' extension and disables Disabled Certificate Extension list processing. This will prevent the CA from issuing OCSP Response Signing certificates, and any previously disabled extension (see Add-ExtensionList) will be populated in the issued certificates. 
After command completion Company-CA CA server will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Disable-PolicyModuleFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-PolicyModuleFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Enable-CertificateRevocationListFlag</command:name> <maml:description> <maml:para>Enables certificate revocation list settings (flag) for specified CA server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Enable</command:verb> <command:noun>CertificateRevocationListFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Enables certificate revocation list settings 
(flag) for specified CA server. These flags affect only the CA server where they are defined.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Enable-CertificateRevocationListFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CRLFlag object to process. This object can be retrieved by running Get-CertificateRevocationListFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to enable. The following flag (or flags) can be used:</maml:para> <maml:para>DeltaUseOldestUnexpiredBase - the CA server will use oldest unexpired Base CRL for certificate revocation checking. Otherwise, the most recent Base CRL is used. DeleteExpiredCRLs - deletes CRLs signed by the expired CA keys. CRLNumberCritical - the CA server will mark CRL Number extension as critical. If a target application doesn't recognize this extension, a CRL will be rejected. RevCheckIgnoreOffline - the CA server will ignore certificate revocation checking failures (not recommended). IgnoreInvalidPolicies - the CA server will ignore invalid Certificate Policies extension in requests. RebuildModifiedSubjectOnly - when a CA server is configured to use the unmodified subject that is supplied in the certificate request, the policy module should not make any changes to the subject that is in the certificate request. SaveFailedCerts - N/A IgnoreUnknownCMCAttributes - the CA server ignores unknown CMC attributes in the request. 
IgnoreCrossCertTrustError - the CA server ignores trust errors for cross-certificates during certificate chain building. PublishExpiredCertCRLs - the CA will publish expired revoked certificates in CRLs. EnforceEnrollmentAgent - the CA enforces enrollment agent restrictions. DisableRDNReorder - the CA server will not re-order relative distinguished name (RDN) in the certificate request. DisableRootCrossCerts - instruct Root CA server to not generate root cross-certificates after Root CA renewal with new key pair. LogfullResponse - the CA will dump request response to console. UseXCHGCertTemplate - instructs CA server to use CA Exchange template instead of using automatically generated short-lived certificates for key archival. UseCrossCertTemplate - instruct Root CA server to use Cross Certification Authority template during Root CA renewal with new key pair, instead of using automatically generated cross-certificates. AllowRequestAttributeSubject - the CA server will accept certificate subject submitted as a part of request attributes. DisableChainVerification - the CA server will not try to build chain for a certificate. RevCheckIgnoreNoRevCheck - the CA server ignores empty CRL Distribution Points (CDP) extension for non-root certificates. PreserveExpiredCerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is not timely valid. PreserveRevokedCACerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is revoked. 
BuildRootCACRLEntriesBasedOnKey - N/A</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CRLFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CRLFlag object to process. This object can be retrieved by running Get-CertificateRevocationListFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLFlag[]</command:parameterValue> <dev:type> <maml:name>CRLFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to enable. The following flag (or flags) can be used:</maml:para> <maml:para>DeltaUseOldestUnexpiredBase - the CA server will use oldest unexpired Base CRL for certificate revocation checking. Otherwise, the most recent Base CRL is used. DeleteExpiredCRLs - deletes CRLs signed by the expired CA keys. CRLNumberCritical - the CA server will mark CRL Number extension as critical. If a target application doesn't recognize this extension, a CRL will be rejected. 
RevCheckIgnoreOffline - the CA server will ignore certificate revocation checking failures (not recommended). IgnoreInvalidPolicies - the CA server will ignore invalid Certificate Policies extension in requests. RebuildModifiedSubjectOnly - when a CA server is configured to use the unmodified subject that is supplied in the certificate request, the policy module should not make any changes to the subject that is in the certificate request. SaveFailedCerts - N/A IgnoreUnknownCMCAttributes - the CA server ignores unknown CMC attributes in the request. IgnoreCrossCertTrustError - the CA server ignores trust errors for cross-certificates during certificate chain building. PublishExpiredCertCRLs - the CA will publish expired revoked certificates in CRLs. EnforceEnrollmentAgent - the CA enforces enrollment agent restrictions. DisableRDNReorder - the CA server will not re-order relative distinguished name (RDN) in the certificate request. DisableRootCrossCerts - instruct Root CA server to not generate root cross-certificates after Root CA renewal with new key pair. LogfullResponse - the CA will dump request response to console. UseXCHGCertTemplate - instructs CA server to use CA Exchange template instead of using automatically generated short-lived certificates for key archival. UseCrossCertTemplate - instruct Root CA server to use Cross Certification Authority template during Root CA renewal with new key pair, instead of using automatically generated cross-certificates. AllowRequestAttributeSubject - the CA server will accept certificate subject submitted as a part of request attributes. DisableChainVerification - the CA server will not try to build chain for a certificate. RevCheckIgnoreNoRevCheck - the CA server ignores empty CRL Distribution Points (CDP) extension for non-root certificates. PreserveExpiredCerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is not timely valid. 
PreserveRevokedCACerts - the CA server will preserve CA certificate in database and certificate store even if the certificate is revoked. BuildRootCACRLEntriesBasedOnKey - N/A</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CRLFlagEnum</command:parameterValue> <dev:type> <maml:name>CRLFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> 
<command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-CRLFlag | Enable-CRLFlag "UseXCHGCertTemplate" -RestartCA</dev:code> <dev:remarks> <maml:para>The command will instruct CA 'company-CA01' CA server to use CA Exchange template to issue CA Exchange certificate for key archival. Note that CA Exchange template must be added to CA template issuance list. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Enable-CertificateRevocationListFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-CertificateRevocationListFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" 
xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Enable-InterfaceFlag</command:name> <maml:description> <maml:para>Enables Active Directory Certificate Services (AD CS) management or request interface settings.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Enable</command:verb> <command:noun>InterfaceFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Enables Active Directory Certificate Services (AD CS) management or request interface flags.</maml:para> <maml:para>The management interface is implemented in ICertAdmin and the request interface is implemented in ICertRequest. With this command you can limit how these interfaces are used. For example, you can prevent remote AD CS management through the ICertAdmin interface and allow AD CS management only locally.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Enable-InterfaceFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the InterfaceFlag object to process. This object can be retrieved by running Get-InterfaceFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">InterfaceFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag (or multiple flags) to enable. The following flags can be used:</maml:para> <maml:para>LockICertRequest - the behavior for this flag is not defined and it should not be used.
NoRemoteICertRequest - the CA will not issue any certificates or hold pending any requests for remote users. NoLocalICertRequest - the CA will not issue any certificates or hold pending any requests for local users. NoRPCICertRequest - the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface. NoRemoteICertAdmin - no access to Certificate Services Remote Administration Protocol methods for remote callers. NoLocalICertAdmin - no access to Certificate Services Remote Administration Protocol methods for local callers. NoRemoteICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for remote callers. NoLocalICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for local callers. NoSnapshotBackup - the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface. EnforceEncryptICertRequest - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate-request operations. EnforceEncryptICertAdmin - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface). EnableExitKeyRetrieval - enables an exit algorithm to retrieve the Encrypted private-Key Blob.
EnableAdminAsAuditor - only CA administrators can update the CA audit filter settings.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">InterfaceFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the InterfaceFlag object to process. This object can be retrieved by running Get-InterfaceFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">InterfaceFlag[]</command:parameterValue> <dev:type> <maml:name>InterfaceFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag (or multiple flags) to enable. The following flags can be used:</maml:para> <maml:para>LockICertRequest - the behavior for this flag is not defined and it should not be used. NoRemoteICertRequest - the CA will not issue any certificates or hold pending any requests for remote users. NoLocalICertRequest - the CA will not issue any certificates or hold pending any requests for local users. 
NoRPCICertRequest - the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface. NoRemoteICertAdmin - no access to Certificate Services Remote Administration Protocol methods for remote callers. NoLocalICertAdmin - no access to Certificate Services Remote Administration Protocol methods for local callers. NoRemoteICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for remote callers. NoLocalICertAdminBackup - the CA restricts access to the backup-related methods of this protocol for local callers. NoSnapshotBackup - the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface. EnforceEncryptICertRequest - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate-request operations. EnforceEncryptICertAdmin - RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface). EnableExitKeyRetrieval - enables an exit algorithm to retrieve the Encrypted private-Key Blob.
EnableAdminAsAuditor - only CA administrators can update the CA audit filter settings.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">InterfaceFlagEnum</command:parameterValue> <dev:type> <maml:name>InterfaceFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.InterfaceFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_InterfaceFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.InterfaceFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_InterfaceFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-InterfaceFlag | Enable-InterfaceFlag -Flag "NoRemoteICertAdmin", "NoRemoteICertAdminBackup" -RestartCA</dev:code> <dev:remarks> <maml:para>This example restricts remote management and remote backup operations on the 'company-CA01' CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Enable-InterfaceFlag -Flag "EnableAdminAsAuditor" -RestartCA</dev:code> <dev:remarks> <maml:para>This example grants CA Administrators the CA Auditor role for all Enterprise CAs in the current forest.
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Enable-InterfaceFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-InterfaceFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-InterfaceFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-InterfaceFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Enable-KeyRecoveryAgentFlag</command:name> <maml:description> <maml:para>Enables key recovery agent settings (flag) for specified CA server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Enable</command:verb> <command:noun>KeyRecoveryAgentFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Enables Key Recovery Agent (KRA) settings (flag) for specified CA 
server.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Enable-KeyRecoveryAgentFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRAFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to enable. The following flag (or flags) can be used:</maml:para> <maml:para>EnableForeign - enables key archival for certificates issued by another (or 3rd party) CA. SaveBadRequestKey - enforces key archival even if the submitted public and private key pair cannot be verified. EnableArchiveAll - enforces key archival for all incoming certificate requests. Do not use this flag unless all certificate requests support key archival.
DisableUseDefaultProvider - disables default cryptographic service provider (CSP) usage for public and private key pair verification.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KRAFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRAFlag[]</command:parameterValue> <dev:type> <maml:name>KRAFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the flag to enable. The following flag (or flags) can be used:</maml:para> <maml:para>EnableForeign - enables key archival for certificates issued by another (or 3rd party) CA. SaveBadRequestKey - enforces key archival even if the submitted public and private key pair cannot be verified. EnableArchiveAll - enforces key archival for all incoming certificate requests. Do not use this flag unless all certificate requests support key archival.
DisableUseDefaultProvider - disables default cryptographic service provider (CSP) usage for public and private key pair verification.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">KRAFlagEnum</command:parameterValue> <dev:type> <maml:name>KRAFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-KeyRecoveryAgentFlag | Enable-KeyRecoveryAgentFlag -Flag "EnableForeign" -RestartCA</dev:code> <dev:remarks> <maml:para>This example allows the CA to archive public and private key pairs for certificates that were issued (signed) by another (or 3rd party) CA. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Enable-KeyRecoveryAgentFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-KeyRecoveryAgentFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help
Editor--> <command:details> <command:name>Enable-PolicyModuleFlag</command:name> <maml:description> <maml:para>Enables policy module flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Enable</command:verb> <command:noun>PolicyModuleFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Enables policy module flags. These flags are processed by the policy module during certificate request processing.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Enable-PolicyModuleFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the EditFlags object to process. The object can be retrieved by running Get-PolicyModuleFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">EditFlag[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the new flag to enable for processing by the CA policy module. This parameter accepts the following value or values:</maml:para> <maml:para>EnableRequestExtensions -- Enables 'Enabled Request Extensions' list processing. RequestExtensionList -- Instructs CA server to process RequestExtensionList property. DisableExtensionList -- Enables 'Disabled Request Extensions' list processing. If the flag is enabled and certificate request contains one or more extensions from this list, these extensions will be discarded. AddOldKeyUsage -- N/A AddOldCertType -- N/A AttributeEndDate -- Allows the certificate's validity end date to be specified.
While certificate's validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determine this value by ValidityPeriod and ValidityPeriodUnits settings only. This flag allows overriding the ValidityPeriod and ValidityPeriodUnits settings to set certificate's validity. BasicConstraintsCritical -- Marks Basic Constraints extension as critical. BasicConstraintsCA -- Enables Basic Constraints extension for CA certificates. EnableAKIKeyID -- Enables KeyID (issuer's public key hash) value to appear in Authority Key Identifier (AKI) extension. AttributeCA -- N/A IgnoreRequestGroup -- N/A EnableAKIIssuerName -- Enables issuer name value to appear in Authority Key Identifier (AKI) extension. EnableAKIIssuerSerial -- Enables issuer certificate's serial number to appear in Authority Key Identifier (AKI) extension. EnableAKICritical -- Marks Authority Key Identifier (AKI) extension as critical. ServerUpgraded -- N/A AttributeEKU -- Enables passing the Enhanced Key Usages (EKU) extension as an unauthenticated request attribute (rather than including the EKU extension as an authenticated extension in the request). EnableDefaultSMIME -- N/A EmailOptional -- N/A AttributeSubjectAlternativeName -- Enables passing the Subject Alternative Name (SAN) extension as an unauthenticated request attribute (rather than including the SAN extension as an authenticated extension in the request). Note: Do not enable this flag on Enterprise CAs. Instead, include the SAN extension directly in the request. EnableLDAPReferrals -- Allows Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default as unintended template enumeration and enrollment may occur in some scenarios. This flag is necessary only for Cross-Forest Enrollment scenarios.
EnableChaseClientDC -- N/A AuditCertTemplateLoad -- Enables auditing of template list loading from Active Directory. DisableOldOSCNUPN -- N/A DisableLDAPPackageList -- N/A EnableUPNMap -- N/A EnableOCSPRevNoCheck -- Enables id-pkix-ocsp-nocheck extension in the request. EnableRenewOnBehalfOf -- Enables certificate renewal on behalf of another user or computer.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PolicyModuleFlagEnum</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the EditFlags object to process. The object can be retrieved by running Get-PolicyModuleFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">EditFlag[]</command:parameterValue> <dev:type> <maml:name>EditFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Flag</maml:name> <maml:description> <maml:para>Specifies the new flag to enable for processing by the CA policy module. This parameter accepts the following value or values:</maml:para> <maml:para>EnableRequestExtensions -- Enables 'Enabled Request Extensions' list processing.
RequestExtensionList -- Instructs CA server to process RequestExtensionList property. DisableExtensionList -- Enables 'Disabled Request Extensions' list processing. If the flag is enabled and certificate request contains one or more extensions from this list, these extensions will be discarded. AddOldKeyUsage -- N/A AddOldCertType -- N/A AttributeEndDate -- Allows the certificate's validity end date to be specified. While certificate's validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determine this value by ValidityPeriod and ValidityPeriodUnits settings only. This flag allows overriding the ValidityPeriod and ValidityPeriodUnits settings to set certificate's validity. BasicConstraintsCritical -- Marks Basic Constraints extension as critical. BasicConstraintsCA -- Enables Basic Constraints extension for CA certificates. EnableAKIKeyID -- Enables KeyID (issuer's public key hash) value to appear in Authority Key Identifier (AKI) extension. AttributeCA -- N/A IgnoreRequestGroup -- N/A EnableAKIIssuerName -- Enables issuer name value to appear in Authority Key Identifier (AKI) extension. EnableAKIIssuerSerial -- Enables issuer certificate's serial number to appear in Authority Key Identifier (AKI) extension. EnableAKICritical -- Marks Authority Key Identifier (AKI) extension as critical. ServerUpgraded -- N/A AttributeEKU -- Enables passing the Enhanced Key Usages (EKU) extension as an unauthenticated request attribute (rather than including the EKU extension as an authenticated extension in the request). EnableDefaultSMIME -- N/A EmailOptional -- N/A AttributeSubjectAlternativeName -- Enables passing the Subject Alternative Name (SAN) extension as an unauthenticated request attribute (rather than including the SAN extension as an authenticated extension in the request). Note: Do not enable this flag on Enterprise CAs. Instead, include the SAN extension directly in the request.
EnableLDAPReferrals -- Allows Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default as unintended template enumeration and enrollment may occur in some scenarios. This flag is necessary only for Cross-Forest Enrollment scenarios. EnableChaseClientDC -- N/A AuditCertTemplateLoad -- Enables auditing of template list loading from Active Directory. DisableOldOSCNUPN -- N/A DisableLDAPPackageList -- N/A EnableUPNMap -- N/A EnableOCSPRevNoCheck -- Enables id-pkix-ocsp-nocheck extension in the request. EnableRenewOnBehalfOf -- Enables certificate renewal on behalf of another user or computer.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">PolicyModuleFlagEnum</command:parameterValue> <dev:type> <maml:name>PolicyModuleFlagEnum</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CertSvc service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType>
</command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA</dev:code> <dev:remarks> <maml:para>Enables the 'Subject Alternative Name' attribute in submitted certificate requests.
After command completion 'Company-CA' CA server will be restarted to immediately apply changes.</maml:para> <maml:para>Note: do not enable SAN attribute on Enterprise CAs if it is possible to include SAN as extension.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>Enables the 'OCSP No Revocation Checking' extension and enables 'Disabled Request Extensions' list processing. This will allow the CA to issue an OCSP Response Signing certificate and will instruct the CA server to process the disabled extension list (see Add-ExtensionList); extensions in this list will not be populated in issued certificates.
After command completion 'Company-CA' CA server will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Enable-PolicyModuleFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-PolicyModuleFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-ADKRACertificate</command:name> <maml:description> <maml:para>Retrieves all published to Active Directory Key Recovery Agents (KRA) certificates.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ADKRACertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves all published to Active Directory Key Recovery Agents 
(KRA) certificates. This command must be used to retrieve key recovery agent certificates for Add-CAKRACertificate command purposes.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-ADKRACertificate</maml:name> <command:parameter required="false" variableLength="false" globbing="true" pipelineInput="false" position="0"> <maml:name>Subject</maml:name> <maml:description> <maml:para>Specifies a filter for Subject field (distinguished name format). This parameter works in conjunction with other parameters.</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? -- for single wildcard character matching * -- for multiple wildcard character matching</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="true" pipelineInput="false" position="1"> <maml:name>Issuer</maml:name> <maml:description> <maml:para>Specifies a filter for Issuer field (distinguished name format). This parameter works in conjunction with other parameters.</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? -- for single wildcard character matching * -- for multiple wildcard character matching</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ValidOnly</maml:name> <maml:description> <maml:para>Specifies whether to return only valid certificates. 
A valid KRA certificate must conform to the following requirements:</maml:para> <maml:para>-- time valid -- has valid certificate chain up to any trusted root -- is not revoked -- valid for 'Key Recovery Agent' application policy (enhanced key usage)</maml:para> <maml:para>This parameter works in conjunction with other parameters.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ShowUI</maml:name> <maml:description> <maml:para>Displays a certificate pickup UI window. By using this window you can select one or more KRA certificates to use.</maml:para> <maml:para>This parameter works in conjunction with other parameters.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="true" pipelineInput="false" position="0"> <maml:name>Subject</maml:name> <maml:description> <maml:para>Specifies a filter for Subject field (distinguished name format). This parameter works in conjunction with other parameters.</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? 
-- for single wildcard character matching * -- for multiple wildcard character matching</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="true" pipelineInput="false" position="1"> <maml:name>Issuer</maml:name> <maml:description> <maml:para>Specifies a filter for Issuer field (distinguished name format). This parameter works in conjunction with other parameters.</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? -- for single wildcard character matching * -- for multiple wildcard character matching</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ValidOnly</maml:name> <maml:description> <maml:para>Specifies whether to return only valid certificates. 
A valid KRA certificate must conform to the following requirements:</maml:para> <maml:para>-- time valid -- has valid certificate chain up to any trusted root -- is not revoked -- valid for 'Key Recovery Agent' application policy (enhanced key usage)</maml:para> <maml:para>This parameter works in conjunction with other parameters.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ShowUI</maml:name> <maml:description> <maml:para>Displays a certificate pickup UI window. By using this window you can select one or more KRA certificates to use.</maml:para> <maml:para>This parameter works in conjunction with other parameters.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Security.Cryptography.X509Certificates.X509Certificate2[]</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans 
Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-ADKRACertificate</dev:code> <dev:remarks> <maml:para>Returns all published to Active Directory KRA certificates without performing any certificate checking.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-ADKRACertificate -Issuer "*MyCA*" -ValidOnly</dev:code> <dev:remarks> <maml:para>Returns all valid KRA certificates issued by a CA server which name (including DN suffixes) contains "MyCA" string.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-ADKRACertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> 
<maml:linkText>Set-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-AuthorityInformationAccess</command:name> <maml:description> <maml:para>Retrieves specified Certification Authority Authority Information Access (AIA) info.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>AuthorityInformationAccess</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves specified Certification Authority Authority Information Access (AIA) info.</maml:para> <maml:para>The AIA extension is used by the certificate chaining engine (CCE) for certificate chain building and (if applicable) for certificate revocation checking by using the OCSP protocol. The AIA extension may consist of three parts:</maml:para> <maml:para>- physical path that is used by the Certification Authority (CA) to publish CRT files (no longer supported by Windows CA). - URI (URIs) that the CA publishes in issued certificates for CRT file retrieval. These URIs are published in the issued certificate's Authority Information Access extension as the Certification Authority Issuer access method. 
- URI (URIs) that is used by clients to determine certificate revocation status by using Online Certificate Status Protocol.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-AuthorityInformationAccess</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AIA | Add-AuthorityInformationAccess -URI "2:http://eu.company.com/MyCA%4.crt" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will retrieve AIA extension configuration from 'MyCA' CA server and adds new URI that will be published in all issued certificates. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name RootCA | Get-AuthorityInformationAccess | Add-AuthorityInformationAccess -URI "32:http://na.company.com/OCSP" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will retrieve AIA extension configuration from 'RootCA' CA server and adds new URI that will be published in all issued certificates as OCSP location. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AuthorityInformationAccess | Remove-AuthorityInformationAccess -URI "*c:\windows*" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all AIA URIs that contains 'c:\windows' pattern. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AuthorityInformationAccess | Remove-AuthorityInformationAccess -URI "*ldap://*" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all URIs that are used for CRT file publication and/or retrieval from Active Directory. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-AuthorityInformationAccess.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> 
<maml:linkText>Set-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CACryptographyConfig</command:name> <maml:description> <maml:para>Retrieves cryptography configuration on a specified Certification Authority server.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CACryptographyConfig</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves cryptography configuration on a specified Certification Authority (CA) server. This command retrieves provider and algorithm names that are used by a CA when signing certificates and certificate revocation lists (CRLs).</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CACryptographyConfig</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CACryptography</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CACryptography.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CACryptography</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CACryptography.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves existing CA cryptography configuration and changes hashing algorithm to 'SHA256'. 
After the certificate service is restarted, all newly issued certificates and CRLs will be signed by using the 'SHA256' hashing algorithm.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CACryptographyConfig.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CACryptographyConfig</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CAExchangeCertificate</command:name> <maml:description> <maml:para>Retrieves CA Exchange certificate from specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CAExchangeCertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves CA Exchange certificate from specified Certification Authority (CA).</maml:para> <maml:para>The CA Exchange certificate is used by the key archival process. The client application retrieves this certificate from the enrollment server and uses it to encrypt the client private key. 
Encrypted key is sent to CA by using enrollment transport. Also PKIView.msc MMC snap-in relies on CA Exchange certificate to locate OCSP URLs in the AIA extensions.</maml:para> <maml:para>In Windows Server 2003, CA Exchange certificate was used to retrieve all URLs configured by CA for AIA and CDP extensions.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CAExchangeCertificate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>Specifies output encoding format. This parameter supports Binary and Base64 encodings.</maml:para> <maml:para>Binary encoding is a certificate DER-encoded byte array. Base64 is a textually encoded DER-encoded byte array. Is commonly used for copy/pasting from console window. 
If '-X509' parameter is specified, this parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509EncodingType</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>X509</maml:name> <maml:description> <maml:para>This parameter returns CA Exchange certificate as an X509Certificate2 object.</maml:para> <maml:para>If this parameter is True, 'Encoding' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Encoding</maml:name> <maml:description> <maml:para>Specifies output encoding format. This parameter supports Binary and Base64 encodings.</maml:para> <maml:para>Binary encoding is a certificate DER-encoded byte array. Base64 is a textually encoded DER-encoded byte array. Is commonly used for copy/pasting from console window. 
If '-X509' parameter is specified, this parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509EncodingType</command:parameterValue> <dev:type> <maml:name>X509EncodingType</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>Base64</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>X509</maml:name> <maml:description> <maml:para>This parameter returns CA Exchange certificate as an X509Certificate2 object.</maml:para> <maml:para>If this parameter is True, 'Encoding' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.String</maml:name> <maml:uri>http://msdn.microsoft.com/en-us/library/system.string.aspx</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>Certificate encoded in a Base64 string</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> <maml:name> System.Byte[]</maml:name> <maml:uri> http://msdn.microsoft.com/en-us/library/system.byte.aspx</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para> Pure binary copy of the certificate</maml:para> </maml:description> </command:returnValue> <command:returnValue> <dev:type> 
<maml:name> System.Security.Cryptography.X509Certificates.X509Certificate2</maml:name> <maml:uri> http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para> An X509Certificate2 object</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAExchangeCertificate</dev:code> <dev:remarks> <maml:para>Returns the most recent CA Exchange certificate in a Base64 encoding.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Get-CAExchangeCertificate -Encoding Binary</dev:code> <dev:remarks> <maml:para>Returns the most recent CA Exchange certificate in a DER-encoded byte array form.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> 
<maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAExchangeCertificate -X509</dev:code> <dev:remarks> <maml:para>Returns the most recent CA Exchange certificate as an X509Certificate2 object.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CAExchangeCertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CAKRACertificate</command:name> <maml:description> <maml:para>Retrieves assigned to a specified Certification Authority (CA) Key Recovery Agent certificates.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CAKRACertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves assigned to a specified Certification Authority (CA) Key Recovery Agent certificates.</maml:para> <maml:para>Key Recovery Agent 
certificate is used to encrypt a user's certificate private key and store it in the CA database. If the user cannot access his or her certificate private key, a Key Recovery Agent can recover it, provided that key archival was performed for that certificate.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CAKRACertificate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.KRA</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $KRACerts = Get-ADKRACertificate -Subject "CN=Key Recovery*"
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $KRACerts | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>The first command retrieves from Active Directory all KRA certificates whose subject field starts with 'CN=Key Recovery' (in DN format). 
The second command retrieves the KRA certificates currently assigned to the MyCA CA server and adds the new certificates obtained by the first command. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Certs = Get-ADKRACertificate -ShowUI -Multipick
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Add-CAKRACertificate $Certs | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>In this example, the first command displays a certificate selection UI where you can select available KRA certificates. The second command adds the certificates selected in the previous command to the currently assigned certificates and writes the new certificate list back to the CA server. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Remove-CAKRACertificate -Thumbprint "70144a763e3a662756898c3160297c8cbcd244dc" | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove key recovery agent certificate with thumbprint '70144a763e3a662756898c3160297c8cbcd244dc' from 'MyCA' CA server. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Remove-CAKRACertificate -InvalidOnly | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove invalid KRA certificates from all CA servers in the current forest. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CAKRACertificate | Remove-CAKRACertificate -ShowUI | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves the currently assigned KRA certificates, displays a certificate selection UI where you can select certificates to remove, and writes the new KRA certificate list back to the Company-CA CA server. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CAKRACertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-ADKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> 
<maml:navigationLink> <maml:linkText>Remove-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CASchema</command:name> <maml:description> <maml:para>Retrieves Certification Authority database schema.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CASchema</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves the Certification Authority database schema for the selected table. The default table is 'Request'.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CASchema</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Table</maml:name> <maml:description> <maml:para>Specifies the Certification Authority database table whose schema is retrieved. 
The default table is 'Request'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AdcsDbViewTableName</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Table</maml:name> <maml:description> <maml:para>Specifies the Certification Authority database table whose schema is retrieved. 
The default table is 'Request'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AdcsDbViewTableName</command:parameterValue> <dev:type> <maml:name>AdcsDbViewTableName</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>Request</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbColumnSchema</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbColumnSchema.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA* | Get-CASchema</dev:code> <dev:remarks> <maml:para>Returns database schema for Certification Authority objects whose name starts with "MyCA".</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> 
<command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CASchema</dev:code> <dev:remarks> <maml:para>Returns database schema for all Enterprise Certification Authority objects in the current forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CASchema.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CASecurityDescriptor</command:name> <maml:description> <maml:para>Gets Certification Authority's Access Control List (ACL).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CASecurityDescriptor</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Gets Certification Authority's Access Control List (ACL). 
This ACL controls the access level to the specified CA server.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CASecurityDescriptor</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> 
<maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor</dev:code> <dev:remarks> <maml:para>Retrieves the current Access Control List from the CA server installed on "ca01.company.com".</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = @(New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow")
PS C:\> $ACE += New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>First two lines create new access control entries: -- first creates ACE for John Wayne and grants him CA manager permissions. 
-- second creates ACE for John Smith and grants him certificate manager permissions. Third line retrieves current ACL from CA server, adds new access control entries and writes them to CA configuration. After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para>Note that if ACL already contains entry for user account to be added, new ACE will not be added. Instead, use techniques described in Example 4.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith","JohnWayne" | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves current access control list from CA server installed on "ca01.company.com", removes all permissions explicitly granted to John Smith and John Wayne and writes modified ACL to CA configuration. 
After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example demonstrates how to change permissions explicitly granted to a user. In this example, the first line creates a new access control entry for John Smith. 
Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CASecurityDescriptor.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAAccessControlEntry</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CAAccessControlEntry</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CASecurityDescriptor</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CATemplate</command:name> <maml:description> <maml:para>Retrieves certificate templates that are assigned to a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CATemplate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves certificate 
templates that are assigned to a specified Certification Authority (CA). CA server can issue certificates only based on assigned templates.</maml:para> <maml:para>Use this command to add and/or remove certificate templates on the specified certification authority.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CATemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CATemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company CA01" | Get-CATemplate | Add-CATemplate -Name "SmartCardV2","OfflineComputer" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will add 'SmartCardV2' and 'OfflineComputer' templates (must be created by using Certificate Templates MMC snap-in by duplicating existing templates) and assigns them to a 'Company CA01' certification 
authority.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CATemplate | Add-CATemplate -DisplayName "Computer V2", "CA Exchange" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will add templates with display names: 'Computer V2' (must be created by using Certificate Templates MMC snap-in by duplicating existing templates) and CA Exchange and assigns them to all Enterprise CAs in the forest.</maml:para> <maml:para>This example is useful to provide template redundancy, so clients are able to enroll for a certificate even if one CA server is down.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Template = Get-CertificateTemplate -Name WebServer
PS C:\> Get-CertificationAuthority ca01.company.com | Get-CATemplate | Add-CATemplate -Template $Template | Set-CATemplate</dev:code> <dev:remarks> <maml:para>In this example the first command retrieves template object by running Get-CertificateTemplate command. 
The second line adds this template to the CA server running on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company CA01" | Get-CATemplate | Remove-CATemplate -Name "Machine","WebServer" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will remove 'Machine' and 'WebServer' templates from 'Company CA01' CA server. The CA server will be unable to issue any certificates based on the specified templates.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CATemplate | Remove-CATemplate -DisplayName "Domain Controller" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will remove Domain Controller template from all Enterprise CAs in the forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 6 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> 
</maml:introduction> <dev:code>PS C:\> $Template = Get-CertificateTemplate -DisplayName "Key Recovery Agent"
PS C:\> Get-CertificationAuthority ca01.company.com | Get-CATemplate | Remove-CATemplate -Template $Template | Set-CATemplate</dev:code> <dev:remarks> <maml:para>In this example, the first command retrieves the 'Key Recovery Agent' template object. The second line removes the specified template from the CA server running on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CATemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> 
<command:name>Get-CertificateRevocationListFlag</command:name> <maml:description> <maml:para>Retrieves Active Directory Certificate Services (AD CS) certificate revocation list (CRL) settings.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CertificateRevocationListFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves Active Directory Certificate Services (AD CS) certificate revocation list (CRL) settings. These flags affect only the CA server where they are defined.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CertificateRevocationListFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -name "company-CA1" | Get-CertificateRevocationListFlag</dev:code> <dev:remarks> <maml:para>The command retrieves CRL flags for 'company-CA1' CA server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> 
</command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CertificateRevocationListFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-CertificateRevocationListFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CertificateTemplate</command:name> <maml:description> <maml:para>Retrieves registered certificate templates from Active Directory.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CertificateTemplate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves registered certificate templates from Active Directory.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CertificateTemplate</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Name</maml:name> 
<maml:description> <maml:para>Specifies common name of a template to retrieve. You can specify multiple template names by separating them with comma character (,).</maml:para> <maml:para>Note: this parameter doesn't accept wildcards</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-CertificateTemplate</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>DisplayName</maml:name> <maml:description> <maml:para>Specifies display name of a template to get. You can specify multiple display names by separating them with comma character (,).</maml:para> <maml:para>Note: this parameter doesn't accept wildcards</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-CertificateTemplate</maml:name> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>OID</maml:name> <maml:description> <maml:para>Specifies object identifier (OID) of a template to get. You can specify multiple template OIDs by separating them with comma character (,).</maml:para> <maml:para>Note: this parameter doesn't accept wildcards</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies common name of a template to retrieve. 
You can specify multiple template names by separating them with comma character (,).</maml:para> <maml:para>Note: this parameter doesn't accept wildcards</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>DisplayName</maml:name> <maml:description> <maml:para>Specifies display name of a template to get. You can specify multiple display names by separating them with comma character (,).</maml:para> <maml:para>Note: this parameter doesn't accept wildcards</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>*</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>OID</maml:name> <maml:description> <maml:para>Specifies object identifier (OID) of a template to get. 
You can specify multiple template OIDs by separating them with comma character (,).</maml:para> <maml:para>Note: this parameter doesn't accept wildcards</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateTemplates.CertificateTemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateTemplates_CertificateTemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate</dev:code> <dev:remarks> <maml:para>Retrieves all registered certificate templates from Active Directory.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -DisplayName Computer</dev:code> <dev:remarks> <maml:para>Retrieves only certificate template with display name 'Computer'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -Name WebServer, CrossCA</dev:code> <dev:remarks> <maml:para>Retrieves certificate templates with common names 'WebServer' (Web Server) and 'CrossCA' (Cross Certification Authority).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -OID 1.3.6.1.4.1.311.21.8.149510.7314491.15746959.9320746.3700693.37.1.14</dev:code> <dev:remarks> <maml:para>Retrieves certificate template that has assigned OID = 1.3.6.1.4.1.311.21.8.149510.7314491.15746959.9320746.3700693.37.1.14 (default Machine/Computer template).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> 
<maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CertificateTemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CertificateTemplateAcl</command:name> <maml:description> <maml:para>Gets the security descriptor for a certificate template.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CertificateTemplateAcl</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>The Get-CertificateTemplateAcl command gets objects that represent the security descriptor of a certificate template. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CertificateTemplateAcl</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies the CertificateTemplate object. 
This object can be retrieved by running Get-CertificateTemplate cmdlet.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateTemplate[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies the CertificateTemplate object. This object can be retrieved by running Get-CertificateTemplate cmdlet.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateTemplate[]</command:parameterValue> <dev:type> <maml:name>CertificateTemplate[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateTemplates.CertificateTemplate</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.SecurityDescriptor</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -Name WebServer | 
Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl</dev:code> <dev:remarks> <maml:para>This example adds 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. After that, a new ACL is written to the actual object.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl</dev:code> <dev:remarks> <maml:para>This example removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. 
After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CertificateTemplateAcl.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CertificateValidityPeriod</command:name> <maml:description> <maml:para>Retrieves the maximum validity period value for issued certificates.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CertificateValidityPeriod</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves the maximum validity period for issued certificates. This setting is not absolute, though. 
The actual certificate validity period is the lesser value of the following: for Standalone CA: - estimated CA certificate validity period - ValidityPeriod parameter value.</maml:para> <maml:para>for Enterprise CA: - estimated CA certificate validity period - certificate template validity period value - ValidityPeriod parameter value.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CertificateValidityPeriod</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CertValidityPeriod</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertValiditySetting.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CertificateValidityPeriod</dev:code> <dev:remarks> <maml:para>Returns validity period settings for 'Company-CA' CA server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> 
</command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CertificateValidityPeriod</dev:code> <dev:remarks> <maml:para>Returns validity period settings for all Enterprise CA servers.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CertificateValidityPeriod | Set-CertificateValidityPeriod "10 years" -RestartCA</dev:code> <dev:remarks> <maml:para>Sets the issued certificate validity period to '10 years'. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CertificateValidityPeriod | Set-CertificateValidityPeriod "5 years" -RestartCA</dev:code> <dev:remarks> <maml:para>Sets the issued certificate validity period to '5 years' for all Enterprise CAs in the current forest and restarts CA service. 
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CertificateValidityPeriod.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CertificateValidityPeriod</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CertificationAuthority</command:name> <maml:description> <maml:para>Retrieves all Enterprise Certification Authorities from the current Active Directory forest.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CertificationAuthority</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves all Enterprise Certification Authorities from the current Active Directory forest.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CertificationAuthority</maml:name> <command:parameter required="false" variableLength="false" 
globbing="false" pipelineInput="false" position="0"> <maml:name>ComputerName</maml:name> <maml:description> <maml:para>Specifies Certification Authority computer name. (default)</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? - for single wildcard character matching * - for multiple wildcard character matching</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-CertificationAuthority</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority display name.</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? - for single wildcard character matching * - for multiple wildcard character matching.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>ComputerName</maml:name> <maml:description> <maml:para>Specifies Certification Authority computer name. (default)</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? 
- for single wildcard character matching * - for multiple wildcard character matching</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>*</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority display name.</maml:para> <maml:para>This parameter accepts the following wildcard characters: ? - for single wildcard character matching * - for multiple wildcard character matching.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>*</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Returns all Enterprise Certification Authority objects in the current forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "RootCa"</dev:code> <dev:remarks> <maml:para>Returns the specified Certification Authority object.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01*"</dev:code> <dev:remarks> <maml:para>Retrieves all Enterprise Certification Authorities whose server name starts with 'ca01'. Wildcards are useful when your infrastructure uses a complex naming convention. 
You can put wildcards at any point in the string.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CRLDistributionPoint</command:name> <maml:description> <maml:para>Retrieves specified Certification Authority Certificate Distribution Points (CDP) URLs</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CRLDistributionPoint</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves specified Certification Authority Certificate Distribution Points (CDP) URLs.</maml:para> <maml:para>The CDP extension is used by the certificate chaining engine (CCE) to determine a particular certificate's revocation status. The CDP extension consists of two parts:</maml:para> <maml:para>- physical path that is used by Certification Authority (CA) to publish CRL files. These paths are not published in the certificate CDP extension. 
- URL (URI) that is used by CA to publish in issued certificates for CRL retrieval.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CRLDistributionPoint</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> 
<maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name RootCA | Get-CrlDistributionPoint</dev:code> <dev:remarks> <maml:para>Retrieves CRL distribution points from 'RootCA' Certification Authority.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CrlDistributionPoint</dev:code> <dev:remarks> <maml:para>Retrieves CDP info from all Certification Authorities in the current forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority RootCA | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI 
"6:http://crl.domain.com/%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will add new CDP URI to certificate CDP for 'RootCA' CA server. Also this will add new URI in Freshest CRL in CRL CDP to locate corresponding Delta CRL. After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "65:\\ServerName\crlfile%9.crl", "65:C:\CertData\%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will add new paths for Base and Delta CRL file publication for all CAs in the current forest. This will not add any new URIs in certificate CDP extension, but instructs CA to publish physical CRL files to specified locations. 
After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*c:\windows*" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all CDP URIs that contains "c:\windows" pattern. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 6 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*ldap://*" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all URIs that are used for CRL file publication and/or retrieval from Active Directory. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CRLDistributionPoint.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-CRLValidityPeriod</command:name> <maml:description> <maml:para>Retrieves CRL validity period.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>CRLValidityPeriod</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves CRL validity period and overlap settings. 
Overlap settings allow the CRL validity period to be extended for a certain time when you experience large (several hours) AD/DFS replication delays.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-CRLValidityPeriod</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CRLValidityPeriod</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLValiditySetting.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company-CA" | Get-CRLValidityPeriod</dev:code> <dev:remarks> <maml:para>Returns CRL validity period settings for 'Company-CA' CA server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> 
</command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CRLValidityPeriod</dev:code> <dev:remarks> <maml:para>Returns CRL validity period settings for all Enterprise CA servers.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CRLValidityPeriod | Set-CRLValidityPeriod -BaseCRL "22 weeks" -BaseCRLOverlap "2 days" -RestartCA</dev:code> <dev:remarks> <maml:para>Sets Base CRL publishing period as 22 weeks and overlap delay as 2 days. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CRLValidityPeriod | Set-CRLValidityPeriod -DeltaCRL "0 days" -RestartCA</dev:code> <dev:remarks> <maml:para>Disables Delta CRL publishing for all Certification Authorities in current forest. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-CRLValidityPeriod.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CRLValidityPeriod</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-AdcsDatabaseRow</command:name> <maml:description> <maml:para>Gets CA database row from a specified table.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>DatabaseRow</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Gets CA database row from a specified table.</maml:para> <maml:para>This command is a generic function to access any CA database row. This command allows to access all CA database tables. 
Although this command can access any database row, for the 'Request' table the predefined Get-RevokedRequest, Get-IssuedRequest, Get-PendingRequest and Get-FailedRequest commands are recommended over this command. Use this command to access non-Request tables.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-AdcsDatabaseRow</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Table</maml:name> <maml:description> <maml:para>Specifies the CA database view table to query. The following view tables are supported:</maml:para> <maml:para>-Request - queries entire request table. -Revoked - queries revoked certificates table. -Issued - queries issued certificates table. -Pending - queries pending request table. -Failed - queries failed and denied request table. -Extension - queries extensions table associated with issued certificates. -Attribute - queries attributes table associated with issued certificates. 
-CRL - queries certificate revocation list (CRL) table.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AdcsDbViewTableName</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2"> <maml:name>RowID</maml:name> <maml:description> <maml:para>Specifies the database row ID or IDs to retrieve.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. 
List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="6"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. A query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. 
-gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, the CA server performs a binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If the column value is longer than the qualifier string, a wildcard is virtually added to the query qualifier value. For example, if the column value is "a large string" and the qualifier value is "a large", then the column value is greater than the qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by the 'domain\username' user account. See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2"> <maml:name>RowID</maml:name> <maml:description> <maml:para>Specifies the database row ID or IDs to retrieve.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. 
However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="6"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. A query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. 
See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, the CA server performs a binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If the column value is longer than the qualifier string, a wildcard is virtually added to the query qualifier value. For example, if the column value is "a large string" and the qualifier value is "a large", then the column value is greater than the qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by the 'domain\username' user account. See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Table</maml:name> <maml:description> <maml:para>Specifies the CA database view table to query. The following view tables are supported:</maml:para> <maml:para>-Request - queries entire request table. -Revoked - queries revoked certificates table. -Issued - queries issued certificates table. 
-Pending - queries pending request table. -Failed - queries failed and denied request table. -Extension - queries extensions table associated with issued certificates. -Attribute - queries attributes table associated with issued certificates. -CRL - queries certificate revocation list (CRL) table.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AdcsDbViewTableName</command:parameterValue> <dev:type> <maml:name>AdcsDbViewTableName</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>1</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. 
When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>Get-CA -Name "*company ca*" | Get-AdcsDatabaseRow -Table CRL -Filter "CRLNextUpdate -gt $(Get-Date)"</dev:code> <dev:remarks> <maml:para>This command returns all non-expired Base and Delta CRLs from CA database.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> 
<command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>Get-CA ca01.company.com | Get-AdcsDatabaseRow -Table Extension -RowID 87</dev:code> <dev:remarks> <maml:para>Retrieves certificate extensions associated with RequestID = 87.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>Get-CA ca01.company.com | Get-AdcsDatabaseRow -Table Attribute -RowID 87</dev:code> <dev:remarks> <maml:para>Retrieves certificate request attributes associated with RequestID = 87.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-DatabaseRow.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> 
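The Filter, Property, Page and PageSize parameters of Get-AdcsDatabaseRow combined in one audit query, as an added example that is not part of the PSPKI help. The function name, CA host name and account name are placeholders; 'NotAfter', 'CommonName' and 'CertificateTemplate' are assumed to be listed by Get-CASchema on the target CA, and page numbering is assumed to start at 1.

```powershell
# Added example (not from the PSPKI help): list certificates that are still
# valid and were requested by one account, reading the Issued table one page
# at a time so that a large CA database is never returned in a single call.
Import-Module PSPKI

function Get-ValidCertsByRequester {
    param(
        [Parameter(Mandatory)] [string] $CaHost,     # placeholder, e.g. "ca01.company.com"
        [Parameter(Mandatory)] [string] $Requester,  # exact value; wildcards are not supported in filters
        [int] $PageSize = 500
    )

    # Paging below only makes sense against one CA, so take the first match.
    $ca = Get-CertificationAuthority $CaHost | Select-Object -First 1
    if (-not $ca) { throw "Certification Authority '$CaHost' was not found." }

    # Multiple filters are combined with logical AND: a row must match both.
    # The date qualifier follows the same pattern as the CRLNextUpdate example.
    $filters = @(
        "Request.RequesterName -eq $Requester",
        "NotAfter -gt $(Get-Date)"
    )

    $page = 1   # assumption: the first page is page 1
    do {
        # Request only the columns the review needs instead of '*',
        # because retrieving all properties may affect CA performance.
        $rows = @($ca | Get-AdcsDatabaseRow -Table Issued -Filter $filters `
                    -Property CommonName, CertificateTemplate, NotAfter `
                    -Page $page -PageSize $PageSize)
        $rows       # emit this page to the pipeline
        $page++
    } while ($rows.Count -eq $PageSize)   # a short or empty page ends the scan
}

# Placeholder values taken from the examples in this help file.
Get-ValidCertsByRequester -CaHost "ca01.company.com" -Requester "domain\username"
```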
</command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-ExtensionList</command:name> <maml:description> <maml:para>Retrieves certificate enabled/disabled extension lists.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>ExtensionList</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves certificate enabled/disabled extension lists. Extensions are separated into 3 categories:</maml:para> <maml:para>EnabledExtensionList - contains extensions that the CA server will publish in each issued certificate upon request.</maml:para> <maml:para>OfflineExtensionList - contains the list of allowed extensions that the CA server will publish in issued certificates when an offline request is used.</maml:para> <maml:para>DisabledExtensionList - contains extensions that will not be published in a certificate even if the extension is specified in the request.</maml:para> <maml:para>Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-ExtensionList</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> 
<command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList</dev:code> <dev:remarks> <maml:para>Returns ExtensionList object for specified CA server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-ExtensionList</dev:code> <dev:remarks> <maml:para>Returns ExtensionList object for all CAs in the forest with separate object per CA.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -DisabledExtension "Certificate Template Name" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>This command will add the 'Certificate Template Name' extension to the restricted extension list. As a result, the CA server will not publish this extension in issued certificates. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Remove-ExtensionList -OfflineExtension "Subject Alternative Name" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>This will remove the 'Subject Alternative Name' extension from the allowed extensions in request. As a result, the CA server will ignore this extension in certificate requests.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-ExtensionList.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> 
</maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-FailedRequest</command:name> <maml:description> <maml:para>Retrieves failed certificate requests from Certification Authority (CA) database.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>FailedRequest</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves failed certificate requests from Certification Authority (CA) database. Failed requests are requests that were either manually denied by CA Administrator or CA Manager, or denied by policy module due to some error in submitted request.</maml:para> <maml:para>Since CA server may contain many failed certificate requests, you may specify various filters by using 'RequestID' or 'Filter' parameters.</maml:para> <maml:para>Note: certain output object properties may have dots, for example: $object.Request.RawRequest. In order to access property value, it must be enclosed in double quotes: $object."Request.RawRequest".</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-FailedRequest</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. 
When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to those that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. The query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. 
-le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: Request.RequesterName -eq domain\username. This filter returns requests that were requested by the 'domain\username' user account. See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. 
This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). 
Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to those that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. The query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. 
-ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: Request.RequesterName -eq domain\username. This filter returns requests that were requested by the 'domain\username' user account. See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. 
This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>1</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. 
When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>You can pipe this object to Remove-AdcsDatabaseRow to delete specified objects from CA database.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA" | Get-FailedRequest</dev:code> <dev:remarks> <maml:para>Retrieves all failed certificate requests from "company-CA" certification authority.</maml:para> <maml:para /> <maml:para /> 
<maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA" | Get-FailedRequest -RequestID 5,80,105 -Property "Request.RawRequest"</dev:code> <dev:remarks> <maml:para>Retrieves failed requests with RequestID equal to 5, 80 and 105. This command also adds the "Request.RawRequest" property for further examination of the request contents.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-FailedRequest -Filter "CertificateTemplate -eq WebServer", "Request.SubmittedWhen -gt $((Get-Date).AddHours(-1))" -Property "*"</dev:code> <dev:remarks> <maml:para>In this example, the command will return all failed requests from all enterprise certification authorities that were submitted within the last hour and are based on a "WebServer" certificate template. This example is useful when a user reports unsuccessful attempts to enroll for a certificate. 
Returned objects can be used to determine the exact reason why the request failed.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-FailedRequest.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASchema</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-IssuedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-RevokedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-InterfaceFlag</command:name> <maml:description> <maml:para>Retrieves Active Directory Certificate Services (AD CS) management and request interface flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> 
<command:verb>Get</command:verb> <command:noun>InterfaceFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves Active Directory Certificate Services (AD CS) management and request interface flags.</maml:para> <maml:para>The management interface is implemented in ICertAdmin and the request interface is implemented in ICertRequest. By using this command (and related commands, such as Enable-InterfaceFlag and Disable-InterfaceFlag) you can limit the usage of these interfaces. For example, you can prevent AD CS remote management with the ICertAdmin interface and allow AD CS management only locally.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-InterfaceFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.InterfaceFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_InterfaceFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -name "company-CA1" | Get-InterfaceFlag</dev:code> <dev:remarks> <maml:para>Returns 'company-CA1' CA server management and enrollment interface settings.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> 
</command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-InterfaceFlag</dev:code> <dev:remarks> <maml:para>Returns management and enrollment interface settings for all Enterprise CA servers in the current Active Directory forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -name "company-CA01" | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoLocalIcertRequest" -RestartCA</dev:code> <dev:remarks> <maml:para>This example removes local enrollment restriction for "company-CA01" CA server. 
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoRemoteICertAdminBackup" -RestartCA</dev:code> <dev:remarks> <maml:para>This example removes remote backup restrictions for all Enterprise CAs in the current Active Directory forest. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -name "company-CA01" | Get-InterfaceFlag | Enable-InterfaceFlag -Flag "NoRemoteIcertAdmin", "NoRemoteICertAdminBackup" -RestartCA</dev:code> <dev:remarks> <maml:para>This example restricts "company-CA01" CA server remote management and remote backup operations. 
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 6 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Enable-InterfaceFlag -Flag "EnableAdminAsAuditor" -RestartCA</dev:code> <dev:remarks> <maml:para>This example grants CA Administrators CA Auditor role for all Enterprise CAs in the current forest. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-InterfaceFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-InterfaceFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-InterfaceFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-InterfaceFlagDefault</maml:linkText> <maml:uri></maml:uri> 
</maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-IssuedRequest</command:name> <maml:description> <maml:para>Retrieves issued certificate requests from Certification Authority (CA) database.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>IssuedRequest</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves issued certificate requests from Certification Authority (CA) database. Issued certificate requests contain only valid and unrevoked issued certificates.</maml:para> <maml:para>Since CA server may contain many issued certificates, you may specify various filters by using 'RequestID' or 'Filter' parameters.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-IssuedRequest</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. 
You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. 
However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. Query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. 
See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by the 'domain\username' user account. See the examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. 
However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. Query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. 
See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by the 'domain\username' user account. See the examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. 
This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>1</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>You can pipe this object to Remove-AdcsDatabaseRow to delete specified objects from CA database.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> 
<command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer", "CommonName -eq www.company.com"</dev:code> <dev:remarks> <maml:para>Retrieves only requests issued based on 'WebServer' template and which are issued to 'www.company.com' subject.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -RequestID 4,65,107 -Property "CertificateTemplate", "RawCertificate"</dev:code> <dev:remarks> <maml:para>Retrieves issued requests with RequestID equal to 4, 65 and 107. Also this command will add 'CertificateTemplate' and 'RawCertificate' properties. 
'RawCertificate' contains issued certificate raw content and you can save it to a .cer file.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-IssuedRequest -Property "Request.RawRequest" -Filter "UPN -eq someone@company.com"</dev:code> <dev:remarks> <maml:para>Retrieves issued requests that contain 'someone@company.com' in the Subject Alternative Names (SAN) extension. Also this command will add 'Request.RawRequest' property.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Get-IssuedRequest -Filter "NotAfter -ge $(Get-Date)", "NotAfter -le $((Get-Date).AddMonths(2))"</dev:code> <dev:remarks> <maml:para>This command will retrieve certificates from the CA server hosted on 'ca01.company.com' that will expire in the next two months.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> 
<maml:uri>https://www.sysadmins.lv/projects/pspki/Get-IssuedRequest.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASchema</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-RevokedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-FailedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Revoke-Certificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-KeyRecoveryAgentFlag</command:name> <maml:description> <maml:para>Retrieves Active Directory Certificate Services (AD CS) key recovery agent (KRA) settings.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>KeyRecoveryAgentFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves Active Directory Certificate Services (AD CS) key recovery agent (KRA) settings. 
Use this command in conjunction with Enable-KeyRecoveryAgentFlag and Disable-KeyRecoveryAgentFlag cmdlets to configure KRA settings.</maml:para> <maml:para>By default no KRA flags are defined.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-KeyRecoveryAgentFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -name "company-CA01" | Get-KeyRecoveryAgentFlag</dev:code> <dev:remarks> <maml:para>The command retrieves KRA settings for 'company-CA01' CA server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> 
</command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-KeyRecoveryAgentFlag</dev:code> <dev:remarks> <maml:para>The command retrieves KRA settings for all Enterprise CAs in the current Active Directory forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-KeyRecoveryAgentFlag | Disable-KeyRecoveryAgentFlag -Flag "EnableForeign"</dev:code> <dev:remarks> <maml:para>This command disables key archival for keys that were issued (signed) by other (or 3rd party) CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-KeyRecoveryAgentFlag | Enable-KeyRecoveryAgentFlag -Flag "EnableForeign"</dev:code> <dev:remarks> <maml:para>This example allows the CA to archive public and private key pairs that were issued (signed) by other (or 3rd party) CA. 
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-KeyRecoveryAgentFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-KeyRecoveryAgentFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-PendingRequest</command:name> <maml:description> <maml:para>Retrieves pending certificate requests from Certification Authority (CA) database.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>PendingRequest</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves pending certificate requests 
from Certification Authority (CA) database. Pending requests are requests that require manual CA Administrator or CA Manager approval. You must use this command in order to approve or deny a pending request with Approve-PendingRequest or Deny-PendingRequest.</maml:para> <maml:para>Since a CA server may contain many pending certificate requests, you may specify various filters by using 'RequestID' or 'Filter' parameters.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-PendingRequest</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. 
This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. 
Query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less or equal to) - the value in the &lt;value&gt; field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the &lt;value&gt; field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. 
In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by the 'domain\username' user account. See the examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. 
You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that matches query filter rule. Query filter rule consist of three components: <RequestProperty>, <comparison operator> and <value>. Query filter is composed in the following format: "<RequestProperty> <comparison operator> <value>" where: <RequestProperty> - is a certificate request property name. To retrieve valid property list run Get-CASchema command. 
<comparison operator> - specifies the logical operator of the data-query qualifier for the column. <value> - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the <value> field equals to a value stored in the certificate request property. -le (less or equal to) - the value in the <value> field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the <value> field is less then a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater or equal to) - the value in the <value> field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the <value> field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. In other words, "AA" > "A" and "A" < "AA".</maml:para> <maml:para>An example of the filter: Request.RequesterName -eq domain\username this filter returnes requests that were requested by 'domain\username' user account. 
See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>1</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. 
When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>You can pipe this object to Remove-AdcsDatabaseRow to delete specified objects from CA database.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-PendingRequest</dev:code> <dev:remarks> <maml:para>Retrieves all pending certificate requests from the 'MyCA' Certification Authority.</maml:para> <maml:para /> <maml:para /> 
<maml:para></maml:para> 
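<maml:para>Added example, not part of the PSPKI help itself: a paged review pass over pending requests that exports each 'Request.RawRequest' value to a file for inspection before anything is approved or denied. The review folder, page size and request IDs are constructed, and reading added columns as properties named after the column (for example 'Request.RawRequest') and treating the value as text are assumptions.</maml:para>

```powershell
# Added example. Assumes the PSPKI module is installed and the caller is
# allowed to read and resolve pending requests on the CA named 'MyCA'.
Import-Module PSPKI

$ca        = Get-CertificationAuthority -Name MyCA
$reviewDir = 'C:\PendingReview'   # hypothetical folder for exported requests
$pageSize  = 50                   # constructed value; bounds each database read
$page      = 1
$summary   = [System.Collections.Generic.List[object]]::new()

New-Item -ItemType Directory -Path $reviewDir -Force | Out-Null

do {
    # -Page and -PageSize keep every query bounded instead of pulling the
    # whole pending table at once; -Property adds the two extra columns.
    $query = @{
        Page     = $page
        PageSize = $pageSize
        Property = 'CertificateTemplate', 'Request.RawRequest'
    }
    $rows = @($ca | Get-PendingRequest @query)

    foreach ($row in $rows) {
        # Assumption: extra columns are exposed as properties named after
        # the column, and the raw request is returned as text.
        $file = Join-Path $reviewDir ('{0}.req' -f $row.RequestID)
        Set-Content -Path $file -Value $row.'Request.RawRequest' -Encoding Ascii

        $summary.Add([pscustomobject]@{
            RequestID = $row.RequestID
            Template  = $row.CertificateTemplate
            File      = $file
        })
    }
    $page++
} while ($rows.Count -eq $pageSize)   # a short or empty page means the last page

$summary | Format-Table -AutoSize

# Inspect an exported request (subject, SAN, key usage) before deciding.
# 101 and 102 are constructed request IDs.
certutil -dump (Join-Path $reviewDir '101.req')

# Resolve by explicit ID after review; with -RequestID any -Filter is ignored.
$ca | Get-PendingRequest -RequestID 101 | Approve-CertificateRequest
$ca | Get-PendingRequest -RequestID 102 | Deny-CertificateRequest
```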
</dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-PendingRequest -Property "CertificateTemplate", "Request.RawRequest"</dev:code> <dev:remarks> <maml:para>Retrieves all pending certificate requests from 'MyCA' CA server. Also this command adds 'CertificateTemplate' and 'Request.RawRequest' properties. 'Request.RawRequest' property contains original request that was submitted. You can save this property's value to a file for detailed request inspection.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-PendingRequest -Filter "Request.CommonName -eq www.company.com" | Approve-CertificateRequest</dev:code> <dev:remarks> <maml:para>The command retrieves all pending requests from MyCA which were submitted for 'www.company.com' subject name and pipes them to Approve-CertificateRequest command to issue the certificate (complete certificate request). 
Additionally you can pipe the object to Deny-CertificateRequest command if you decided to not issue the certificate for the request.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-PendingRequest.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASchema</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-IssuedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-RevokedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-FailedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Approve-CertificateRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Deny-CertificateRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet 
Help Editor--> <command:details> <command:name>Get-PolicyModuleFlag</command:name> <maml:description> <maml:para>Retrieves default policy module flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>PolicyModuleFlag</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves default Policy Module flags. These flags are processed by policy module during certificate request processing.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-PolicyModuleFlag</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag</dev:code> <dev:remarks> <maml:para>Returns policy module enabled flags for specified CA server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> 
</command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-PolicyModuleFlag</dev:code> <dev:remarks> <maml:para>Returns policy module enabled flags for all CAs in the forest with separate object per CA.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA</dev:code> <dev:remarks> <maml:para>Disables 'Subject Alternative Name' attribute in a submitted certificate request and restarts certificate services. In order to issue a certificate with SAN extension, it must be a part of certificate request extensions. 
After command completion, the 'Company-CA' CA server will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>Disables 'OCSP No Revocation Checking' extension and disables Disabled Certificate Extension list processing. This will prevent the CA from issuing OCSP Response Signing certificates, and any previously disabled extension (see Add-ExtensionList) will be populated in the issued certificates. After command completion, the 'Company-CA' CA server will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA</dev:code> <dev:remarks> <maml:para>Enables 'Subject Alternative Name' attribute in a submitted certificate request. 
After command completion, the 'Company-CA' CA server will be restarted to immediately apply changes.</maml:para> <maml:para>Note: do not enable SAN attribute on Enterprise CAs if it is possible to include SAN as extension.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 6 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>Enables 'OCSP No Revocation Checking' extension and enables Disabled Certificate Extension list processing. This will allow the CA to issue OCSP Response Signing certificates and will instruct the CA server to process the disabled extension list (see Add-ExtensionList), so extensions in this list will not be populated in issued certificates. 
After command completion 'Company-CA' CA server will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-PolicyModuleFlag.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restore-PolicyModuleFlagDefault</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-RevokedRequest</command:name> <maml:description> <maml:para>Retrieves revoked certificate requests from Certification Authority (CA) database.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>RevokedRequest</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Retrieves revoked certificate requests from Certification Authority (CA) 
database.</maml:para> <maml:para>Since a CA server may contain many revoked certificates, you may specify various filters by using 'RequestID' or 'Filter' parameters.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-RevokedRequest</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. 
This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. 
Query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. &lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less than or equal to) - the value in the &lt;value&gt; field is less than or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater than or equal to) - the value in the &lt;value&gt; field is greater than or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If the column value is longer than the qualifier string, a wildcard is virtually added to the query qualifier value. For example, if the column value is "a large string" and the qualifier value is "a large", then the column value is greater than the qualifier value. 
In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by 'domain\username' user account. See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>RequestID</maml:name> <maml:description> <maml:para>Use this parameter if you know desired request ID or IDs. 
You may specify more than one ID and command will return only failed requests with matching IDs.</maml:para> <maml:para>If this parameter is used, 'Filter' parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Int32[]</command:parameterValue> <dev:type> <maml:name>Int32[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="4"> <maml:name>Property</maml:name> <maml:description> <maml:para>By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CASchema command.</maml:para> <maml:para>In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="5"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the query filter to restrict output objects to ones that match the query filter rule. A query filter rule consists of three components: &lt;RequestProperty&gt;, &lt;comparison operator&gt; and &lt;value&gt;. Query filter is composed in the following format: "&lt;RequestProperty&gt; &lt;comparison operator&gt; &lt;value&gt;" where: &lt;RequestProperty&gt; - is a certificate request property name. To retrieve valid property list run Get-CASchema command. 
&lt;comparison operator&gt; - specifies the logical operator of the data-query qualifier for the column. &lt;value&gt; - specifies the data query qualifier applied to the certificate request property.</maml:para> <maml:para>Possible operators are: -eq (equal to) - the value in the &lt;value&gt; field is equal to a value stored in the certificate request property. -le (less than or equal to) - the value in the &lt;value&gt; field is less than or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -lt (less than) - the value in the &lt;value&gt; field is less than a value stored in the certificate request property. See below about operator behavior with string qualifiers. -ge (greater than or equal to) - the value in the &lt;value&gt; field is greater than or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers. -gt (greater than) - the value in the &lt;value&gt; field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.</maml:para> <maml:para>There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC". If the column value is longer than the qualifier string, a wildcard is virtually added to the query qualifier value. For example, if the column value is "a large string" and the qualifier value is "a large", then the column value is greater than the qualifier value. In other words, "AA" &gt; "A" and "A" &lt; "AA".</maml:para> <maml:para>An example of the filter: "Request.RequesterName -eq domain\username". This filter returns requests that were requested by 'domain\username' user account. 
See examples section for more filter examples.</maml:para> <maml:para>You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.</maml:para> <maml:para>Note: wildcard characters are not supported.</maml:para> <maml:para>Note: if 'RequestID' parameter is specified, all filters are ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>Page</maml:name> <maml:description> <maml:para>Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>1</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>PageSize</maml:name> <maml:description> <maml:para>Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. 
When not specified, no limits are set and CA will return all rows associated with the query.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>You can pipe this object to Remove-AdcsDatabaseRow to delete specified objects from CA database.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA" | Get-RevokedRequest</dev:code> <dev:remarks> <maml:para>Retrieves all revoked certificate requests from MyCA certification Authority.</maml:para> <maml:para /> <maml:para /> 
<maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "company-CA" | Get-RevokedRequest -Property "CertificateTemplate", "RawCertificate" -Filter "RequestID -ge 100","Request.RequesterName -eq domain\administrator"</dev:code> <dev:remarks> <maml:para>Retrieves revoked requests with RequestID greater than or equal to 100 that were submitted by the 'Domain\Administrator' user account. This command also adds the CertificateTemplate and RawCertificate properties to the output.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01" | Get-RevokedRequest -Filter "NotAfter -lt $(Get-Date)" | Remove-Request</dev:code> <dev:remarks> <maml:para>The command retrieves all expired revoked certificates from the CA hosted on the 'ca01' server and pipes them to Remove-Request. This example can be useful when your CA's database is very large and you want to reduce its size by removing already expired revoked certificates. 
However you must be careful and do not remove revoked signing certificates (which were used to sign data).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-RevokedRequest.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASchema</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-IssuedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-FailedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Import-LostCertificate</command:name> <maml:description> <maml:para>Imports previously issued certificate to a Certification Authority (CA) database</maml:para> </maml:description> <maml:copyright> <maml:para /> 
</maml:copyright> <command:verb>Import</command:verb> <command:noun>LostCertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Imports previously issued certificate to a Certification Authority (CA) database.</maml:para> <maml:para>When a CA server fails and the most recent backup was taken some time before the failure, the CA may have issued certificates that are not included in that backup. If a certificate is not on the backup tapes used to restore the certification authority but exists in a file, the certificate can be imported by means of this command.</maml:para> <maml:para>Note: the certificate being imported must have been previously issued by the certification authority specified in the CertificationAuthority parameter. The restored certification authority will validate the certificate's signature, and if the signature is not valid, the command will throw an error.</maml:para> <maml:para>Note: you cannot import a certificate if it already exists in the database. Each certificate in the database must be unique. The database ensures uniqueness by checking the certificate's serial number.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Import-LostCertificate</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CertificateAuthority</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies the path to a certificate file. 
This parameter accepts only certificates saved in a DER or Base64 encoding without private key (with CER extension).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Import-LostCertificate</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CertificateAuthority</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Specifies an existing X509Certificate2 object. This object can be retrieved by searching through a local certificate store (Get-ChildItem cert:\CurrentUser\My) or obtained through other means as an X509Certificate2 object.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Import-LostCertificate</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CertificateAuthority</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>RawData</maml:name> <maml:description> <maml:para>Specifies a DER-encoded byte array of a target certificate. This byte array can be retrieved by searching through Active Directory user account published certificates stored in userCertificates attribute.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Byte[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CertificateAuthority</command:parameterValue> <dev:type> <maml:name>CertificateAuthority</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Path</maml:name> <maml:description> <maml:para>Specifies the path to a certificate file. 
This parameter accepts only certificates saved in a DER or Base64 encoding without private key (with CER extension).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Specifies an existing X509Certificate2 object. This object can be retrieved by searching through a local certificate store (Get-ChildItem cert:\CurrentUser\My) or obtained through other means as an X509Certificate2 object.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">X509Certificate2</command:parameterValue> <dev:type> <maml:name>X509Certificate2</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>RawData</maml:name> <maml:description> <maml:para>Specifies a DER-encoded byte array of a target certificate. 
This byte array can be retrieved by searching through Active Directory user account published certificates stored in userCertificates attribute.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Byte[]</command:parameterValue> <dev:type> <maml:name>Byte[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>System.Int64</maml:name> <maml:uri>http://msdn.microsoft.com/en-us/library/system.int64.aspx</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>Return value specifies the row number in the database which holds imported certificate.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Import-LostCertificate -Path C:\lostcert.cer</dev:code> <dev:remarks> <maml:para>Imports certificate from a file and adds it to a CA database.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> 
<command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $IssuedWhen = (Get-Date).AddDays(-1)
C:\PS>$cert = Get-ChildItem cert:\CurrentUser\My | Where-Object {$_.NotBefore -gt $IssuedWhen}
C:\PS>$cert | Foreach-Object {Get-CertificationAuthority ca01.company.com | Import-LostCertificate -Certificate $_}</dev:code> <dev:remarks> <maml:para>In this example we set a date when the last backup was taken. In the second line we search through the current user Personal certificate store and select certificates that were issued after the last backup was taken. The last command will import these certificates to a CA database by using a Foreach-Object loop.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Import-Module ActiveDirectory
C:\PS>$user = Get-ADUser vpodans -Properties "userCertificate"
C:\PS>Get-CertificationAuthority MyCA | Import-LostCertificate -RawData @(,$user.userCertificate[0])</dev:code> <dev:remarks> <maml:para>In this example the first command imports the ActiveDirectory PowerShell module (available on domain controllers running Windows Server 2008 R2 or Windows 7 with installed RSAT). The second command retrieves specified user (vpodans) account with populated userCertificate property. 
The last command will import the first published certificate to a CA database.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Import-LostCertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Install-CertificationAuthority</command:name> <maml:description> <maml:para>Installs Active Directory Certificate Services role on local computer.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Install</command:verb> <command:noun>CertificationAuthority</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Installs Active Directory Certificate Services (AD CS) role on local computer. A user can choose different options, such as Certification Authority (CA) type, key pair parameters, CA certificate validity and so on. 
The command supports Windows Server 2008 R2 Server Core installations.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Install-CertificationAuthority</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CAName</maml:name> <maml:description> <maml:para>Specifies a custom CA certificate name/subject (what you see in the certificate display UI). If not passed, a '<ComputerName>-CA' form is used for workgroup CAs and '<DomainName>-<ComputerName-CA>' form is used for domain CAs. The parameter supports Unicode names.</maml:para> <maml:para>Note: common name must not contain comma (,) character, because it is reserved as an RDN attribute delimiter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CADNSuffix</maml:name> <maml:description> <maml:para>Specifies a DN suffix to specify some additional information. For example, company name, country, city, etc. DN suffix is empty for workgroup CAs and includes current domain distinguished name (for example, 'DC=domain, DC=com'). The parameter accepts suffixes in a X500 form, for example: OU=Information Systems, O=Sysadmins LV, C=LV.</maml:para> <maml:para>Note: common name must use comma as RDN attribute separator. 
Commas inside the RDN attribute are not allowed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CAType</maml:name> <maml:description> <maml:para>Specifies CA type: Standalone Root, Standalone Subordinate, Enterprise Root, Enterprise Subordinate.</maml:para> <maml:para>If not passed, for non-domain environments or if you don't have Enterprise Admins rights, Standalone Root is used. If you have Enterprise Admins rights and your forest already has installed CAs, Enterprise Subordinate is used. If no Enterprise CAs installed in the forest, Enterprise Root is used.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ParentCA</maml:name> <maml:description> <maml:para>This parameter allows you to specify parent CA location only if you install Enterprise Subordinate CA. For other CA types, the parameter is ignored. Parent CA information must be passed in the following form: CAComputerName\CASanitizedName. Sanitized name is a sanitized form of CA name (subject). Mostly sanitized name is the same as CA name (unless you use Unicode and/or special characters, that are disallowed in X500). If the parameter is not specified, a certificate request will be generated on the root of system drive. If selected CA type is Standalone Subordinate, the parameter is ignored. 
Request will be saved in a file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CSP</maml:name> <maml:description> <maml:para>Specifies custom cryptographic service provider. By default 'RSA#Microsoft Software Key Storage Provider' is used (in most cases you will use default CSP). You need to explicitly specify custom CSP only when you setup completely CNG authority (CSPs with ECDSA prefix) or you use HSM. Each HSM uses its own custom CSP. You must install HSM middleware before CA installation.</maml:para> <maml:para>The full list of supported and available "by default" CSPs for Windows Server 2008+ is: Microsoft Base Cryptographic Provider v1.0 Microsoft Base DSS Cryptographic Provider Microsoft Base Smart Card Crypto Provider Microsoft Enhanced Cryptographic Provider v1.0 Microsoft Strong Cryptographic Provider RSA#Microsoft Software Key Storage Provider DSA#Microsoft Software Key Storage Provider ECDSA_P256#Microsoft Software Key Storage Provider ECDSA_P384#Microsoft Software Key Storage Provider ECDSA_P521#Microsoft Software Key Storage Provider RSA#Microsoft Smart Card Key Storage Provider ECDSA_P256#Microsoft Smart Card Key Storage Provider ECDSA_P384#Microsoft Smart Card Key Storage Provider ECDSA_P521#Microsoft Smart Card Key Storage Provider</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>KeyLength</maml:name> <maml:description> <maml:para>This parameter specifies the key length. If not specified, a 2048-bit key will be generated. 
There is a little trick: if you look at the CSP list (above), you will see that the key length is specified for each ECDSA* provider. I've developed the script logic so that the script ignores this parameter if one of the ECDSA* CSPs is explicitly chosen and uses the key length that is supported by the CSP. Therefore you will not receive an error if you select the 'ECDSA_P256#Microsoft Smart Card Key Storage Provider' CSP with a 2048 key length. A 256-bit key will be selected automatically.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>This parameter specifies the hash algorithm that will be used for CA certificate/request hashing. Note that this is important for root CA installations. Subordinate CA certificates are hashed and signed by the parent CA with its own settings. By default 'SHA1' is used (though this parameter is applicable for all CA installation types).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ValidForYears</maml:name> <maml:description> <maml:para>Specifies the validity for root CA installations. By default root CA certificates are valid for 5 years. You can increase this value to 10, 20, 50, whatever you need. For any subordinate CA types this parameter is silently ignored. This is because subordinate CA validity is determined by the parent CA. 
This parameter accepts integer values, assuming that the value is specified in years.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RequestFileName</maml:name> <maml:description> <maml:para>If you setup any sort of subordinate (not root) CAs you can specify custom path to a request file. By default request file is generated in the root folder of system drive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DBDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database. If not specified, the default path: %windir%\System32\CertLog folder is used. If you need to specify custom path (for example, shared storage for CA clusters), you need to specify the next parameter too. The path must be valid.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>LogDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database log files. By default %windir%\System32\CertLog folder is used. 
If you use custom path for either database or log folders, you must explicitly specify both paths.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OverwriteExisting</maml:name> <maml:description> <maml:para>Specifies, whether to overwrite any existing database files in the specified directories.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AllowCSPInteraction</maml:name> <maml:description> <maml:para>Specifies, whether the cryptographic service provider (CSP) is allowed to interact with the desktop. This parameter should be used only if you use custom hardware-based CSP (HSM or smart card CSP). In other cases you don't need to allow CSP interactions.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>By default, the script explicitly prompts you whether you want to install Certification Authority with selected values. 
If you want to implement silent (quiet) installations, specify this parameter to suppress any prompts during role installation.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Describes what would happen if you executed the command without actually executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Install-CertificationAuthority</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CACertFile</maml:name> <maml:description> <maml:para>Specifies the path to a PFX file with CA certificate. Relative paths are allowed. Setup API performs additional checks for the certificate. Therefore you must ensure that: this is a CA certificate (but not EFS encryption ;)), the CA certificate is trusted (for non-root certificates) and chains to a trusted CA, and CA certificate revocation checking can be performed. 
Otherwise you will unable to setup CA with that CA certificate.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">FileInfo</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Password</maml:name> <maml:description> <maml:para>Specifies the password to open PFX file. The parameter supports only secure strings! You can't type a password as a simple text. This is made for security reasons. There are few ways to pass a password in a SecureString form: '$Password = Read-Host –a' or 'ConvertTo-SecureString <plaintext> –asplaintext –force'</maml:para> <maml:para>You can enclose last command in parentheses and pass directly as a parameter value.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DBDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database. If not specified, the default path: %windir%\System32\CertLog folder is used. If you need to specify custom path (for example, shared storage for CA clusters), you need to specify the next parameter too. The path must be valid.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>LogDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database log files. By default %windir%\System32\CertLog folder is used. 
If you use custom path for either database or log folders, you must explicitly specify both paths.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OverwriteExisting</maml:name> <maml:description> <maml:para>Specifies, whether to overwrite any existing database files in the specified directories.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AllowCSPInteraction</maml:name> <maml:description> <maml:para>Specifies, whether the cryptographic service provider (CSP) is allowed to interact with the desktop. This parameter should be used only if you use custom hardware-based CSP (HSM or smart card CSP). In other cases you don't need to allow CSP interactions.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>By default, the script explicitly prompts you whether you want to install Certification Authority with selected values. 
If you want to implement silent (quiet) installations — specify this parameter to suppress any prompts during role installation</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Describes what would happen if you executed the command without actually executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Install-CertificationAuthority</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Thumbprint</maml:name> <maml:description> <maml:para>Specifies a thumbprint of the certificate to use. 
The certificate must be installed in Local Machine\Personal store and must be trusted (for non-root certificates) and must not be revoked (the issuer revocation information must be available).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DBDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database. If not specified, the default path: %windir%\System32\CertLog folder is used. If you need to specify custom path (for example, shared storage for CA clusters), you need to specify the next parameter too. The path must be valid.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>LogDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database log files. By default %windir%\System32\CertLog folder is used. 
If you use custom path for either database or log folders, you must explicitly specify both paths.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OverwriteExisting</maml:name> <maml:description> <maml:para>Specifies, whether to overwrite any existing database files in the specified directories.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AllowCSPInteraction</maml:name> <maml:description> <maml:para>Specifies, whether the cryptographic service provider (CSP) is allowed to interact with the desktop. This parameter should be used only if you use custom hardware-based CSP (HSM or smart card CSP). In other cases you don't need to allow CSP interactions.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>By default, the script explicitly prompts you whether you want to install Certification Authority with selected values. 
If you want to implement silent (quiet) installations, specify this parameter to suppress any prompts during role installation.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Describes what would happen if you executed the command without actually executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CAName</maml:name> <maml:description> <maml:para>Specifies a custom CA certificate name/subject (what you see in the certificate display UI). If not passed, a '&lt;ComputerName&gt;-CA' form is used for workgroup CAs and a '&lt;DomainName&gt;-&lt;ComputerName&gt;-CA' form is used for domain CAs.
The parameter supports Unicode names.</maml:para> <maml:para>Note: the common name must not contain the comma (,) character, because it is reserved as an RDN attribute delimiter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CADNSuffix</maml:name> <maml:description> <maml:para>Specifies a DN suffix that carries additional information, for example, company name, country, city, etc. By default the DN suffix is empty for workgroup CAs and includes the current domain distinguished name for domain CAs (for example, 'DC=domain, DC=com'). The parameter accepts suffixes in X500 form, for example: OU=Information Systems, O=Sysadmins LV, C=LV.</maml:para> <maml:para>Note: common name must use a comma as the RDN attribute separator. Commas inside the RDN attribute are not allowed.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CAType</maml:name> <maml:description> <maml:para>Specifies CA type: Standalone Root, Standalone Subordinate, Enterprise Root, Enterprise Subordinate.</maml:para> <maml:para>If not passed, for non-domain environments or if you don't have Enterprise Admins rights, Standalone Root is used. If you have Enterprise Admins rights and your forest already has installed CAs, Enterprise Subordinate is used.
If no Enterprise CAs are installed in the forest, Enterprise Root is used.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ParentCA</maml:name> <maml:description> <maml:para>This parameter allows you to specify the parent CA location only if you install an Enterprise Subordinate CA. For other CA types, the parameter is ignored. Parent CA information must be passed in the following form: CAComputerName\CASanitizedName. Sanitized name is a sanitized form of the CA name (subject). In most cases the sanitized name is the same as the CA name (unless you use Unicode and/or special characters that are disallowed in X500). If the parameter is not specified, a certificate request will be generated in the root of the system drive. If the selected CA type is Standalone Subordinate, the parameter is ignored. The request will be saved in a file.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CSP</maml:name> <maml:description> <maml:para>Specifies a custom cryptographic service provider. By default 'RSA#Microsoft Software Key Storage Provider' is used (in most cases you will use the default CSP). You need to explicitly specify a custom CSP only when you set up a completely CNG authority (CSPs with ECDSA prefix) or you use an HSM. Each HSM uses its own custom CSP.
You must install HSM middleware before CA installation.</maml:para> <maml:para>The full list of supported and available "by default" CSPs for Windows Server 2008+ is:
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS Cryptographic Provider
Microsoft Base Smart Card Crypto Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Strong Cryptographic Provider
RSA#Microsoft Software Key Storage Provider
DSA#Microsoft Software Key Storage Provider
ECDSA_P256#Microsoft Software Key Storage Provider
ECDSA_P384#Microsoft Software Key Storage Provider
ECDSA_P521#Microsoft Software Key Storage Provider
RSA#Microsoft Smart Card Key Storage Provider
ECDSA_P256#Microsoft Smart Card Key Storage Provider
ECDSA_P384#Microsoft Smart Card Key Storage Provider
ECDSA_P521#Microsoft Smart Card Key Storage Provider</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>KeyLength</maml:name> <maml:description> <maml:para>This parameter specifies the key length. If not specified, a 2048-bit key will be generated. There is a little trick: if you look at the CSP list (above), you will see that the key length is specified for each ECDSA* provider. I've developed the script logic so that the script ignores this parameter if one of the ECDSA* CSPs is explicitly chosen and uses the key length that is supported by the CSP. Therefore you will not receive an error if you select the 'ECDSA_P256#Microsoft Smart Card Key Storage Provider' CSP with a 2048 key length.
A 256-bit key will be selected automatically.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>HashAlgorithm</maml:name> <maml:description> <maml:para>This parameter specifies the hash algorithm that will be used for CA certificate/request hashing. Note that this is important for root CA installations. Subordinate CA certificates are hashed and signed by the parent CA with its own settings. By default 'SHA1' is used (though this parameter is applicable to all CA installation types). SHA1 is no longer considered collision-resistant, so specify a SHA-2 algorithm explicitly for new installations.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ValidForYears</maml:name> <maml:description> <maml:para>Specifies the validity for root CA installations. By default root CA certificates are valid for 5 years. You can increase this value to 10, 20, 50, whatever you need. For any subordinate CA types this parameter is silently ignored. This is because subordinate CA validity is determined by the parent CA.
This parameter accepts integer values, assuming that the value is specified in years.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RequestFileName</maml:name> <maml:description> <maml:para>If you setup any sort of subordinate (not root) CAs you can specify custom path to a request file. By default request file is generated in the root folder of system drive.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DBDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database. If not specified, the default path: %windir%\System32\CertLog folder is used. If you need to specify custom path (for example, shared storage for CA clusters), you need to specify the next parameter too. The path must be valid.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>LogDirectory</maml:name> <maml:description> <maml:para>Specifies the path to a folder to store CA database log files. By default %windir%\System32\CertLog folder is used. 
If you use custom path for either database or log folders, you must explicitly specify both paths.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OverwriteExisting</maml:name> <maml:description> <maml:para>Specifies, whether to overwrite any existing database files in the specified directories.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AllowCSPInteraction</maml:name> <maml:description> <maml:para>Specifies, whether the cryptographic service provider (CSP) is allowed to interact with the desktop. This parameter should be used only if you use custom hardware-based CSP (HSM or smart card CSP). In other cases you don't need to allow CSP interactions.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>By default, the script explicitly prompts you whether you want to install Certification Authority with selected values. 
If you want to implement silent (quiet) installations, specify this parameter to suppress any prompts during role installation.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Describes what would happen if you executed the command without actually executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CACertFile</maml:name> <maml:description> <maml:para>Specifies the path to a PFX file with the CA certificate. Relative paths are allowed. Setup API performs additional checks on the certificate. Therefore you must ensure that: this is a CA certificate (but not EFS encryption ;)), the CA certificate is trusted (for non-root certificates) and chains to a trusted CA, and CA certificate revocation checking can be performed.
Otherwise you will be unable to set up the CA with that CA certificate.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">FileInfo</command:parameterValue> <dev:type> <maml:name>FileInfo</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Password</maml:name> <maml:description> <maml:para>Specifies the password to open the PFX file. The parameter supports only secure strings! You can't type the password as plain text. This is done for security reasons. There are a few ways to pass a password in SecureString form: '$Password = Read-Host -AsSecureString' or 'ConvertTo-SecureString &lt;plaintext&gt; -AsPlainText -Force'</maml:para> <maml:para>You can enclose the last command in parentheses and pass it directly as a parameter value. Note that the ConvertTo-SecureString form leaves the plaintext password in the script or command history, so prefer the Read-Host prompt when typing the password interactively.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">SecureString</command:parameterValue> <dev:type> <maml:name>SecureString</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Thumbprint</maml:name> <maml:description> <maml:para>Specifies a thumbprint of the certificate to use.
The certificate must be installed in the Local Machine\Personal store, must be trusted (for non-root certificates) and must not be revoked (the issuer revocation information must be available).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans
Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Install-CertificationAuthority -CAName "My Root CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
    -CAType "Standalone Root" -ValidForYears 10</dev:code> <dev:remarks> <maml:para>In this scenario you set up a new Standalone Root CA with the 'CN=My Root CA, OU=Information Systems, O=Sysadmins LV, C=LV' subject, which will be valid for 10 years.
The CA will use default paths to CA database and log files, and the certificate will use the 'RSA#Microsoft Software Key Storage Provider' CSP with a 2048-bit key and the SHA1 hashing algorithm.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Install-CertificationAuthority -CAName "My Root CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
    -CAType "Standalone Root" -ValidForYears 20 -CSP "ECDSA_P256#Microsoft Smart Card Key Storage Provider" `
    -HashAlgorithm SHA512</dev:code> <dev:remarks> <maml:para>This example is similar to the previous one, with the exception that this CA will be a completely CNG/SHA2 root. The CA certificate will use CNG (not RSA) keys and the hashing algorithm will be SHA512.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Install-CertificationAuthority -CAName "Clustered CA" -CADNSuffix "OU=Information Systems, O=Sysadmins LV, C=LV" `
    -CAType "Enterprise Subordinate" -KeyLength 4096 -DBDirectory "S:\CertDB" -LogDirectory "S:\CertLog" `
    -RequestFileName "S:\Clustered CA.req"</dev:code> <dev:remarks> <maml:para>This example assumes that you are setting up the first node of a CA cluster (though this is not required).
The CA database will be stored on shared storage (attached with the S: drive letter). The CA certificate will use the default 'RSA#Microsoft Software Key Storage Provider' with a 4096-bit key and the default SHA1 hashing algorithm. CA certificate validity will be determined by the parent CA. In addition, the CA certificate request will be stored on the shared storage.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Password = Read-Host -AsSecureString
PS> Install-CertificationAuthority -CACertFile .\ClusteredCA.pfx -Password $Password `
    -DBDirectory "S:\CertDB" -LogDirectory "S:\CertLog" -OverwriteExisting</dev:code> <dev:remarks> <maml:para>This is a two-line example. Say you have successfully installed the first node of a CA cluster, exported the CA certificate to a PFX, and moved it to the second node (to the current directory). At first you will be prompted for a password. Since you type the password at a secure string prompt, no characters will be displayed. After that you will specify the relative path to the PFX file and specify shared storage to store CA database and log files. You overwrite the database files that were created during first node installation.
In effect, this command installs the second node of the CA cluster.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Install-CertificationAuthority -CAName "Company Enterprise CA-2" -CADNSuffix "O=Company, E=companypky@company.com" `
    -CAType "Enterprise Subordinate" -ParentCA "ca01.company.com\Company Enterprise CA-1"</dev:code> <dev:remarks> <maml:para>From a best-practices perspective this is not a very good example, because it assumes at least 2 tiers of Enterprise CAs. However, it is still common. In the given example, an Enterprise Subordinate CA will be installed and the certificate request will be sent directly to the existing Enterprise CA, 'Company Enterprise CA-1', that is hosted on 'ca01.company.com'.
Note that existing CA must be online and must issue 'Subordinate Certification Authority' template.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Install-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Uninstall-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Publish-CRL</command:name> <maml:description> <maml:para>Instructs CA server to publish new CRL.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Publish</command:verb> <command:noun>CRL</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Instructs CA server to publish new either Base or Delta CRL, or just updates existing CRLs. If Base CRL is published, empty Delta CRL is published too.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Publish-CRL</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DeltaOnly</maml:name> <maml:description> <maml:para>Instructs CA to publish only new Delta (incremental) CRL.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>UpdateFile</maml:name> <maml:description> <maml:para>Instructs CA to republish existing CRLs. No updates are performed in CRL table. This parameter just updates missing CRL files.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DeltaOnly</maml:name> <maml:description> <maml:para>Instructs CA to publish only new Delta (incremental) CRL.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>UpdateFile</maml:name> <maml:description> <maml:para>Instructs CA to republish existing CRLs. No updates are performed in CRL table. 
This parameter just updates missing CRL files.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority MyCA* | Publish-CRL</dev:code> <dev:remarks> <maml:para>Publishes new Base and empty Delta CRLs.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> 
</maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority MyCA* | Publish-CRL -DeltaOnly</dev:code> <dev:remarks> <maml:para>Publishes new Delta CRL.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Publish-CRL -UpdateFile</dev:code> <dev:remarks> <maml:para>Republishes existing CRLs for all CA servers in the forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Publish-CRL.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-AuthorityInformationAccess</command:name> <maml:description> <maml:para>Removes existing Authority Information Access (AIA) URI from Certification 
Authority configuration.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>AuthorityInformationAccess</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes existing Authority Information Access (AIA) URI from Certification Authority configuration. This command doesn't change actual settings, but just prepares AIA URIs.</maml:para> <maml:para>Choose the URIs to remove carefully. If you remove URIs that are working and in use, validation of issued certificates may fail and the certificates will be rejected.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-AuthorityInformationAccess</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the AIA object to process. This object can be retrieved by running Get-AuthorityInformationAccess command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">AuthorityInformationAccess[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies exact or partial pattern for URI to remove. This parameter accepts wildcards: '*' and '?'.</maml:para> <maml:para>* - is used as multiple character wildcard ? - is used as single character wildcard</maml:para> <maml:para>Note: be careful with this command. 
If you remove existing and working URLs certificate chain building may fail.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the AIA object to process. This object can be retrieved by running Get-AuthorityInformationAccess command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">AuthorityInformationAccess[]</command:parameterValue> <dev:type> <maml:name>AuthorityInformationAccess[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies exact or partial pattern for URI to remove. This parameter accepts wildcards: '*' and '?'.</maml:para> <maml:para>* - is used as multiple character wildcard ? - is used as single character wildcard</maml:para> <maml:para>Note: be careful with this command. 
If you remove existing and working URLs certificate chain building may fail.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AuthorityInformationAccess | Remove-AuthorityInformationAccess -URI "*c:\windows*" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all AIA URIs that contain the "c:\windows" pattern. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AuthorityInformationAccess | Remove-AuthorityInformationAccess -URI "*ldap://*" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all URIs that are used for CRT file publication and/or retrieval from Active Directory. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-AithorityInformationAccess.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> 
<maml:linkText>Set-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CAAccessControlEntry</command:name> <maml:description> <maml:para>Removes existing Access Control Entry (ACE) from a Certification Authority's Access Control List (ACL) for a specified user account or group.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CAAccessControlEntry</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes existing Access Control Entry (ACE) from a Certification Authority's Access Control List (ACL) for a specified user account or group.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CAAccessControlEntry</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the current access control list (ACL) object to modify. 
This object can be retrieved by running either, Get-CASecurityDescriptor or Add-CAAccessControlEntry commands.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CASecurityDescriptor[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>User</maml:name> <maml:description> <maml:para>Specifies user or group account name to remove from ACL.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">NTAccount[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the current access control list (ACL) object to modify. This object can be retrieved by running either, Get-CASecurityDescriptor or Add-CAAccessControlEntry commands.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CASecurityDescriptor[]</command:parameterValue> <dev:type> <maml:name>CASecurityDescriptor[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>User</maml:name> <maml:description> <maml:para>Specifies user or group account name to remove from ACL.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">NTAccount[]</command:parameterValue> <dev:type> <maml:name>NTAccount[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> 
<maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith","JohnWayne" | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves current access control list from CA server installed on "ca01.company.com", removes all permissions explicitly granted to John Smith and John Wayne and writes modified ACL to CA configuration. 
After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example demonstrates techniques to change permissions explicitly granted to a user. In this example, the first line creates a new access control entry for John Smith. 
Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CAAccessControlEntry.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASecurityDescriptor</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAAccessControlEntry</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CASecurityDescriptor</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CAKRACertificate</command:name> <maml:description> <maml:para>Removes Key Recovery Agent (KRA) certificate from a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CAKRACertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes 
key recovery agent certificate from a specified Certification Authority (CA). This command doesn't change actual settings, but just prepares KRA object. To change KRAs on CA use this command in conjunction with Set-CAKRACertificate command.</maml:para> <maml:para>A Key Recovery Agent certificate is used to encrypt a user's certificate private key and store it in the CA database. When a user cannot access his or her certificate private key, a Key Recovery Agent can recover it, provided that the key archival procedure was performed for that particular certificate.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CAKRACertificate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running Get-CAKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRA[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>Thumbprint</maml:name> <maml:description> <maml:para>Specifies one or more KRA certificate thumbprints to remove. The parameter also accepts thumbprint strings in 'certutil' style (when all characters are in lowercase and each octet is divided by space character), for example: '70 14 4a 76 3e 3a 66 27 56 89 8c 31 60 29 7c 8c bc d2 44 dc'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ShowUI</maml:name> <maml:description> <maml:para>This parameter displays existing assigned KRA certificates in a UI form. 
Select one or more KRA certificates to remove and click OK.</maml:para> <maml:para>If this parameter is specified, all other parameters are ignored.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>InvalidOnly</maml:name> <maml:description> <maml:para>This parameter removes all currently assigned KRA certificates that do not meet at least one of the following requirements: -- is time valid; -- is not revoked; -- is issued by a trusted certification authority; -- is intended for key archival purposes.</maml:para> <maml:para>This parameter is useful for sanity and health checks that ensure only valid key recovery agent certificates are assigned.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the KRA object to process. This object can be retrieved by running Get-CAKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRA[]</command:parameterValue> <dev:type> <maml:name>KRA[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>Thumbprint</maml:name> <maml:description> <maml:para>Specifies one or more KRA certificate thumbprints to remove. 
The parameter also accepts thumbprint strings in 'certutil' style (when all characters are in lowercase and each octet is divided by space character), for example: '70 14 4a 76 3e 3a 66 27 56 89 8c 31 60 29 7c 8c bc d2 44 dc'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>ShowUI</maml:name> <maml:description> <maml:para>This parameter displays existing assigned KRA certificates in a UI form. Select one or more KRA certificates to remove and click OK.</maml:para> <maml:para>If this parameter is specified, all other parameters are ignored.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>InvalidOnly</maml:name> <maml:description> <maml:para>This parameter removes all currently assigned KRA certificates that do not meet at least one of the following requirements: -- is time valid; -- is not revoked; -- is issued by a trusted certification authority; -- is intended for key archival purposes.</maml:para> <maml:para>This parameter is useful for sanity and health checks that ensure only valid key recovery agent certificates are assigned.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> 
</command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.KRA</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.KRA</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Remove-CAKRACertificate -Thumbprint "70144A763E3A662756898C3160297C8CBCD244DC" | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove key recovery agent certificate with thumbprint '70144A763E3A662756898C3160297C8CBCD244DC' from 'MyCA' CA server. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Remove-CAKRACertificate -InvalidOnly | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove invalid KRA certificates from all CA servers in the current forest. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CAKRACertificate | Remove-CAKRACertificate -ShowUI | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves the currently assigned KRA certificates, displays a certificate selection UI where you can select certificates to remove, and writes the new KRA certificate list back to the Company-CA CA server. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CAKRACertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CATemplate</command:name> <maml:description> <maml:para>Removes certificate templates from list that can be issued by a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CATemplate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes certificate templates from the list that can be issued by a 
specified Certification Authority (CA).</maml:para> <maml:para>This command actually just prepares a new template list to be added to CA server. In order to write the new list to CA server use Set-CATemplate command (see examples).</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority with assigned templates. This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>DisplayName</maml:name> <maml:description> <maml:para>Specifies template (or templates) display name to remove from a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority with assigned templates. 
This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies template (or templates) common name to remove from a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority with assigned templates. This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies template (or templates) object to remove from a specified CA server. 
Template object can be retrieved by running Get-CertificateTemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateTemplate[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority with assigned templates. This object can be retrieved by running Get-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> <dev:type> <maml:name>CATemplate[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>DisplayName</maml:name> <maml:description> <maml:para>Specifies template (or templates) display name to remove from a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Name</maml:name> <maml:description> <maml:para>Specifies template (or templates) common name to remove from a specified CA server.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" 
pipelineInput="false" position="named"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies template (or templates) object to remove from a specified CA server. Template object can be retrieved by running Get-CertificateTemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateTemplate[]</command:parameterValue> <dev:type> <maml:name>CertificateTemplate[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CATemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CATemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company CA01" | Get-CATemplate | Remove-CATemplate -Name "Machine","WebServer" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will remove Machine and 
'WebServer' templates from 'Company CA01' CA server. The CA server will be unable to issue any certificates based on the specified templates.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CATemplate | Remove-CATemplate -DisplayName "Domain Controller" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will remove the 'Domain Controller' template from all Enterprise CAs in the forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Template = Get-CertificateTemplate -DisplayName "Key Recovery Agent"
PS C:\> Get-CertificationAuthority ca01.company.com | Get-CATemplate | Remove-CATemplate -Template $Template | Set-CATemplate</dev:code> <dev:remarks> <maml:para>In this example, the first command retrieves the Key Recovery Agent template object. 
In the second line specified template will be removed from CA server running on ca01.company.com server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CATemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CertificateEnrollmentPolicyService</command:name> <maml:description> <maml:para>Removes Certificate Enrollment Policy service instance from local computer.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CertificateEnrollmentPolicyService</command:noun> 
<dev:version /> </command:details> <maml:description> <maml:para>Removes Certificate Enrollment Policy service (CEP) instance from local computer.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CertificateEnrollmentPolicyService</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>Removes all CEP instances from local computer and removes role installation packages.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>Removes all CEP instances from local computer and removes role installation packages.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> 
<command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Remove-CertificateEnrollmentPolicyService</dev:code> <dev:remarks> <maml:para>Removes all CEP instances but leaves the installation packages.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Remove-CertificateEnrollmentPolicyService -Force</dev:code> <dev:remarks> <maml:para>Removes all CEP instances and the installation packages.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CertificateEnrollmentPolicyService.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateEnrollmentService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateEnrollmentPolicyService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> 
<maml:linkText>Remove-CertificateEnrollmentService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CertificateEnrollmentService</command:name> <maml:description> <maml:para>Removes Certificate Enrollment Service (CES) instance from local computer.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CertificateEnrollmentService</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes a specific Certificate Enrollment Service (CES) instance, or all CES instances, from the local computer.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CertificateEnrollmentService</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>CAConfig</maml:name> <maml:description> <maml:para>Specifies certification authority configuration string in: CAComputerName\CASanitizedName format. CAComputerName may be either DNS or NetBIOS name. If this parameter is omitted, CA selection UI will be displayed during instance removal. 
If -Force switch is used, this parameter will be ignored and all CES instances will be removed from local computer.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Authentication</maml:name> <maml:description> <maml:para>Specifies authentication type to remove for specified instance. Possible values are: 'Kerberos', 'UsrPwd' or 'Certificate'. Kerberos is used by default. This parameter may be used if multiple instances are installed to work with the same CA server but they use different authentication types.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>Instructs to ignore CAConfig and Authentication parameters and remove all CES instances from local computer.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="0"> <maml:name>CAConfig</maml:name> <maml:description> <maml:para>Specifies certification authority configuration string in: CAComputerName\CASanitizedName format. CAComputerName may be either DNS or NetBIOS name. If this parameter is omitted, CA selection UI will be displayed during instance removal. 
If -Force switch is used, this parameter will be ignored and all CES instances will be removed from local computer.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Authentication</maml:name> <maml:description> <maml:para>Specifies authentication type to remove for specified instance. Possible values are: 'Kerberos', 'UsrPwd' or 'Certificate'. Kerberos is used by default. This parameter may be used if multiple instances are installed to work with the same CA server but they use different authentication types.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>Instructs to ignore CAConfig and Authentication parameters and remove all CES instances from local computer.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> 
<maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Remove-CertificateEnrollmentService -CAConfig "CA1\Contoso-CA"</dev:code> <dev:remarks> <maml:para>Will remove all CES instances that were configured for the CA server named 'Contoso-CA' that is hosted on the 'CA1' computer.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Remove-CertificateEnrollmentService -Force</dev:code> <dev:remarks> <maml:para>Will remove all CES instances from local computer.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> 
<maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CertificateEnrollmentService.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateEnrollmentService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateEnrollmentPolicyService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateEnrollmentPolicyService</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CertificateTemplate</command:name> <maml:description> <maml:para>Removes certificate template from Active Directory.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CertificateTemplate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes certificate template from Active Directory.</maml:para> <maml:para>Note: in order to remove certificate template objects, you must be granted Enterprise Admins permissions or delegated permissions on the 'Certificate Templates' and 'OID' Active Directory containers.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CertificateTemplate</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies certificate template object to remove. 
This object can be obtained by running Get-CertificateTemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CertificateTemplate</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Template</maml:name> <maml:description> <maml:para>Specifies certificate template object to remove. This object can be obtained by running Get-CertificateTemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">CertificateTemplate</command:parameterValue> <dev:type> <maml:name>CertificateTemplate</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateTemplates.CertificateTemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateTemplates_CertificateTemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> 
</maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate "Temp Template" | Remove-CertificateTemplate</dev:code> <dev:remarks> <maml:para>Removes certificate template with display name 'Temp Template' from Active Directory.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CertificateTemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CertificateTemplateAcl</command:name> <maml:description> <maml:para>Removes an entity (user, computer, or security group) from the certificate template ACL.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CertificateTemplateAcl</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes an entity (user, computer, or security group) from the certificate template ACL.</maml:para> <maml:para>This command only prepares new certificate template ACL object. 
In order to write it to the actual object, pass this command's result to the Set-CertificateTemplateAcl cmdlet (see Examples section).</maml:para> <maml:para>Note: in order to edit certificate template ACL, you must be granted Enterprise Admins permissions or delegated permissions on the 'Certificate Templates' Active Directory container.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CertificateTemplateAcl</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">SecurityDescriptor2[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>User</maml:name> <maml:description> <maml:para>Specifies an account (user, computer or security group) to remove from the certificate template ACL.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">NTAccount[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>AccessType</maml:name> <maml:description> <maml:para>Specifies the AccessType to remove. The value can be either Allow or Deny. 
All Access Control Entries (ACE) with specified AccessType will be removed from ACL.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AccessControlType</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an ACL object of certificate template. This object can be retrieved by running Get-CertificateTemplateAcl command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">SecurityDescriptor2[]</command:parameterValue> <dev:type> <maml:name>SecurityDescriptor2[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>User</maml:name> <maml:description> <maml:para>Specifies an account (user, computer or security group) to remove from the certificate template ACL.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">NTAccount[]</command:parameterValue> <dev:type> <maml:name>NTAccount[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>AccessType</maml:name> <maml:description> <maml:para>Specifies the AccessType to remove. The value can be either Allow or Deny. 
All Access Control Entries (ACE) with specified AccessType will be removed from ACL.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">AccessControlType</command:parameterValue> <dev:type> <maml:name>AccessControlType</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.Security.SecurityDescriptor</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.SecurityDescriptor</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl</dev:code> <dev:remarks> <maml:para>This command removes all granted permissions for 'OldWebServer' account from 'WebServer' certificate template ACL. 
After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CertificateTemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-CRLDistributionPoint</command:name> <maml:description> <maml:para>Removes existing CRL distribution points (CDP) from Certification Authority configuration.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>CRLDistributionPoint</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes existing CRL distribution points (CDP) from Certification Authority configuration. 
This command doesn't change actual settings, but just prepares CDP URIs to pass to Set-CRLDistributionPoint command (see examples).</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-CRLDistributionPoint</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CDP object to remove from CRL distribution points. This object can be retrieved by running Get-CRLDistributionPoint command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLDistributionPoint[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies exact or partial pattern for URI to remove. This parameter accepts wildcards: '*' and '?'.</maml:para> <maml:para>* - is used as multiple character wildcard</maml:para> <maml:para>? - is used as single character wildcard</maml:para> <maml:para>Note: be careful with this command. If you remove existing and working URLs, certificate revocation checking may fail.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the CDP object to remove from CRL distribution points. 
This object can be retrieved by running Get-CRLDistributionPoint command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLDistributionPoint[]</command:parameterValue> <dev:type> <maml:name>CRLDistributionPoint[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>URI</maml:name> <maml:description> <maml:para>Specifies exact or partial pattern for URI to remove. This parameter accepts wildcards: '*' and '?'.</maml:para> <maml:para>* - is used as multiple character wildcard</maml:para> <maml:para>? - is used as single character wildcard</maml:para> <maml:para>Note: be careful with this command. If you remove existing and working URLs, certificate revocation checking may fail.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">String[]</command:parameterValue> <dev:type> <maml:name>String[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> 
<command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*c:\windows*" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all CDP URIs that contain the "c:\windows" pattern. After command completion, certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*ldap://*" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all URIs that are used for CRL file publication and/or retrieval from Active Directory. 
After command completion, certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-CRLDistributionPoint.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-AdcsDatabaseRow</command:name> <maml:description> <maml:para>Removes CA database rows individually or in bulk based on a removal filter.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>DatabaseRow</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes CA database rows individually or in bulk based on a removal filter. 
This command is mainly used to reduce CA database size by removing old and unnecessary database rows.</maml:para> <maml:para>Hint: when you remove a large number of database rows, it is recommended to perform a full CA database backup and restore to efficiently re-allocate disk space and update database log files.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-AdcsDatabaseRow</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the request row object to remove from database.</maml:para> <maml:para>Note: removal for database row objects that represent 'Attribute' or 'Extension' table is not supported. When a database row from the 'Request' table is removed, corresponding entries in 'Attribute' and 'Extension' tables are removed by CA server internally.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Remove-AdcsDatabaseRow</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the certification authority to process. This parameter works in conjunction with 'Filter' and 'RemoveBefore' parameters.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the filter that is used to determine the type of database rows to be deleted. 
This parameter works in conjunction with 'RemoveBefore' and 'CertificationAuthority' parameters. The following filters are available:</maml:para> <maml:para>ExpiredCerts -- removes issued and revoked certificates that expired (based on NotAfter field value) before the date specified in the 'RemoveBefore' parameter.</maml:para> <maml:para>ExpiredFailedPending -- removes issued and revoked certificates that were last modified before the date specified in the 'RemoveBefore' parameter.</maml:para> <maml:para>Request -- combines previous two filters.</maml:para> <maml:para>CRL -- removes published CRLs that expired (based on NextPublish field value) before the date specified in the 'RemoveBefore' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RemoveBefore</maml:name> <maml:description> <maml:para>Specifies an expiration date when deleting certificates or CRLs, and a last modified date when deleting certificate requests. This parameter has no effect when you pass individual row objects.</maml:para> <maml:para>Warning: if this parameter is not set, the command will remove all database rows specified by a filter! Think twice!</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the request row object to remove from database.</maml:para> <maml:para>Note: removal for database row objects that represent 'Attribute' or 'Extension' table is not supported. 
When a database row from the 'Request' table is removed, corresponding entries in 'Attribute' and 'Extension' tables are removed by CA server internally.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Filter</maml:name> <maml:description> <maml:para>Specifies the filter that is used to determine the type of database rows to be deleted. This parameter works in conjunction with 'RemoveBefore' and 'CertificationAuthority' parameters. The following filters are available:</maml:para> <maml:para>ExpiredCerts -- removes issued and revoked certificates that expired (based on NotAfter field value) before the date specified in the 'RemoveBefore' parameter.</maml:para> <maml:para>ExpiredFailedPending -- removes issued and revoked certificates that were last modified before the date specified in the 'RemoveBefore' parameter.</maml:para> <maml:para>Request -- combines previous two filters.</maml:para> <maml:para>CRL -- removes published CRLs that expired (based on NextPublish field value) before the date specified in the 'RemoveBefore' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the certification authority to process. 
This parameter works in conjunction with 'Filter' and 'RemoveBefore' parameters.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RemoveBefore</maml:name> <maml:description> <maml:para>Specifies an expiration date when deleting certificates or CRLs, and a last modified date when deleting certificate requests. This parameter has no effect when you pass individual row objects.</maml:para> <maml:para>Warning: if this parameter is not set, the command will remove all database rows specified by a filter! Think twice!</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name> PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri> https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> 
<maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 15,63,112 | Remove-AdcsDatabaseRow</dev:code> <dev:remarks> <maml:para>In this example, pending requests with RequestID equal to 15, 63 and 112 will be removed from CA database.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-FailedRequest | Remove-AdcsDatabaseRow</dev:code> <dev:remarks> <maml:para>This command will remove all failed requests. 
Other request types and tables will be untouched.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Remove-AdcsDatabaseRow -Filter "Request" -RemoveBefore $((Get-Date).AddYears(-1))
PS C:\> Get-CertificationAuthority "ca01.company.com" | Remove-AdcsDatabaseRow -Filter "CRL" -RemoveBefore $((Get-Date).AddYears(-1))</dev:code> <dev:remarks> <maml:para>In this example, two commands are used to perform a full CA database cleanup. All certificate requests and CRLs that expired (or were last modified, for pending and failed requests) one year ago are removed.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-AdcsDatabaseRow.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-RevokedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-IssuedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> 
<maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-FailedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-AdcsDatabaseRow</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Remove-ExtensionList</command:name> <maml:description> <maml:para>Removes certificate enabled/disabled extension lists.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Remove</command:verb> <command:noun>ExtensionList</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Removes certificate enabled/disabled extension lists. Extensions are sorted in 3 categories:</maml:para> <maml:para>EnabledExtensionList - contains extensions that CA server will publish in each issued certificate upon request. OfflineExtensionList - contains allowed extension list that CA server will publish in issued certificates when offline request is used. 
DisabledExtensionList - contains extensions that will not be published in certificate even if this extension is specified in the request.</maml:para> <maml:para>For more details see corresponding parameter description.</maml:para> <maml:para>Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Remove-ExtensionList</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing ExtensionList object. This object can be retrieved by running Get-ExtensionList command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">ExtensionList[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>EnabledExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions to remove that are added to the issued certificate upon request. This list is processed by policy module each time the request is resolved (produces issued certificate). Use this property carefully and do not enable security-critical extensions, like Subject Alternative Names (SAN). CA server performs additional extension processing by using '-OfflineExtension' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2"> <maml:name>OfflineExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions to remove that are added to the issued certificate against offline request. 
An 'offline' request is a request that includes subject information, so that the CA server does not use Active Directory to build the certificate's subject. For example, requests based on default 'WebServer' certificate template are considered as 'offline', because the template is configured to build the subject from submitted request. If certificate template is configured to build the subject from Active Directory, OfflineExtensionList property has no effect and any extensions in the request are written to CA database, but not included in issued certificate.</maml:para> <maml:para>For Standalone CAs, all requests are treated as 'offline'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3"> <maml:name>DisabledExtension</maml:name> <maml:description> <maml:para>Remove specified extension by its friendly name or extension OID to prevent from publishing in issued certificates.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing ExtensionList object. 
This object can be retrieved by running Get-ExtensionList command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">ExtensionList[]</command:parameterValue> <dev:type> <maml:name>ExtensionList[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>EnabledExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions to remove that are added to the issued certificate upon request. This list is processed by policy module each time the request is resolved (produces issued certificate). Use this property carefully and do not enable security-critical extensions, like Subject Alternative Names (SAN). CA server performs additional extension processing by using '-OfflineExtension' parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> <dev:type> <maml:name>Oid[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="2"> <maml:name>OfflineExtension</maml:name> <maml:description> <maml:para>Specifies the list of certificate extensions to remove that are added to the issued certificate against offline request. An 'offline' request is a request that includes subject information, so that the CA server does not use Active Directory to build the certificate's subject. For example, requests based on default 'WebServer' certificate template are considered as 'offline', because the template is configured to build the subject from submitted request. 
If certificate template is configured to build the subject from Active Directory, OfflineExtensionList property has no effect and any extensions in the request are written to CA database, but not included in issued certificate.</maml:para> <maml:para>For Standalone CAs, all requests are treated as 'offline'.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> <dev:type> <maml:name>Oid[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="false" position="3"> <maml:name>DisabledExtension</maml:name> <maml:description> <maml:para>Remove specified extension by its friendly name or extension OID to prevent from publishing in issued certificates.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Oid[]</command:parameterValue> <dev:type> <maml:name>Oid[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> 
<command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Remove-ExtensionList -OfflineExtension "Subject Alternative Name" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove 'Subject Alternative Name' extension from allowed extensions in request. As a result, the CA server will publish this extension in 'offline' certificate requests.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Remove-ExtensionList.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Set-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" 
xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Restart-CertificationAuthority</command:name> <maml:description> <maml:para>Restarts certificate services on specified Certification Authority.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Restart</command:verb> <command:noun>CertificationAuthority</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Restarts certificate services on specified Certification Authority</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Restart-CertificationAuthority</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object to restart. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the Certification Authority object to restart. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Restart-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Restarts certificate services on a CA server running on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Restart-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Restarts certificate services on all Certification Authorities in the forest</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Restart-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Start-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Stop-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Restore-CertificateRevocationListFlagDefault</command:name> <maml:description> <maml:para>Restores default CA certificate revocation list (CRL) configuration flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Restore</command:verb> 
<command:noun>CertificateRevocationListFlagDefault</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Restores default CA certificate revocation list (CRL) configuration flags and discards any previous CRL flag modifications. This command is helpful when the configuration is incorrect or when you want to return to the default settings.</maml:para> <maml:para>By default, only this flag is enabled: DeleteExpiredCRLs - deletes CRLs signed by the expired CA keys.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Restore-CertificateRevocationListFlagDefault</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing CRLFlag object. This object can be retrieved by running Get-CertificateRevocationListFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLFlag[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing CRLFlag object. 
This object can be retrieved by running Get-CertificateRevocationListFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLFlag[]</command:parameterValue> <dev:type> <maml:name>CRLFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.CRLFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_CRLFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Get-CRLFlag | Restore-CRLFlagDefault -RestartCA</dev:code> <dev:remarks> <maml:para>The command restores default flags for CA CRL configuration for CA server running on ca01.company.com computer. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Restore-CertificateRevocationListFlagDefault.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-CertificateRevocationListFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> 
<command:name>Restore-KeyRecoveryAgentFlagDefault</command:name> <maml:description> <maml:para>Restores Active Directory Certification Authority (AD CS) key recovery agent default flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Restore</command:verb> <command:noun>KeyRecoveryAgentFlagDefault</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Restores Active Directory Certification Authority (AD CS) key recovery agent default flags and discards any previous KRA flag modifications. This command is helpful when the configuration is incorrect or when you want to return to the default settings.</maml:para> <maml:para>By default no flags are enabled.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Restore-KeyRecoveryAgentFlagDefault</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing KRAFlag object. 
This object can be retrieved by running Get-KeyRecoveryAgentFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRAFlag[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing KRAFlag object. This object can be retrieved by running Get-KeyRecoveryAgentFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRAFlag[]</command:parameterValue> <dev:type> <maml:name>KRAFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> 
<maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.Flags.KRAFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_Flags_KRAFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Get-KRAFlag | Restore-KeyRecoveryAgentFlagDefault -RestartCA</dev:code> <dev:remarks> <maml:para>The command restores default KRA flag configuration for CA server running on 'ca01.company.com' computer. 
After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Restore-KeyRecoveryAgentFlagDefault.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-KeyRecoveryAgentFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Restore-PolicyModuleFlagDefault</command:name> <maml:description> <maml:para>Restores default policy module flags.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Restore</command:verb> <command:noun>PolicyModuleFlagDefault</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Restores default policy module flags. 
These flags are processed by policy module during certificate request processing. The default flags are as follows.</maml:para> <maml:para>Enterprise CA: RequestExtensionList, DisableExtensionList, AddOldKeyUsage, BasicConstraintsCritical, EnableAKIKeyID, EnableDefaultSMIME, EnableChaseClientDC</maml:para> <maml:para>Standalone CA: RequestExtensionList, DisableExtensionList, AddOldKeyUsage, AttributeEndDate, BasicConstraintsCA, EnableAKIKeyID, AttributeCA, AttributeEKU</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Restore-PolicyModuleFlagDefault</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the object that contains existing CA Policy Module flags. The object can be retrieved by running Get-PolicyModuleFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">EditFlag[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the object that contains existing CA Policy Module flags. 
The object can be retrieved by running Get-PolicyModuleFlag command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">EditFlag[]</command:parameterValue> <dev:type> <maml:name>EditFlag[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.EditFlag</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_EditFlag.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Restore-PolicyModuleFlagDefault -RestartCA</dev:code> <dev:remarks> <maml:para>Restores default policy module flags on Company-CA CA server and restarts certificate services.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-PolicyModuleFlag | Restore-PolicyModuleFlagDefault -RestartCA</dev:code> <dev:remarks> <maml:para>Restores default policy module flags on all CA servers and restarts certificate services.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Restore-PolicyModuleFlagDefault.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Disable-PolicyModuleFlag</maml:linkText> 
<maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Enable-PolicyModuleFlag</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Revoke-Certificate</command:name> <maml:description> <maml:para>Revokes the specified certificate request with the specified reason.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Revoke</command:verb> <command:noun>Certificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Revokes the specified certificate request with the specified reason. A revoked certificate will appear in subsequent certificate revocation lists (CRLs), provided the revocation date is effective at the time the CRL was published.</maml:para> <maml:para>It is possible to use this command more than once on the same certificate, which allows you to change the effective revocation date and revocation reason.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Revoke-Certificate</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the particular request object. 
Request objects can be retrieved by running one of the following commands: Get-IssuedRequest, Get-RevokedRequest</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Reason</maml:name> <maml:description> <maml:para>Specifies the reason why the certificate is revoked. This parameter accepts one of the following values:</maml:para> <maml:para>Unspecified - (default) is used if the certificate is revoked for a reason outside the scope of supported reasons.</maml:para> <maml:para>KeyCompromise - is used if the certificate private key was stolen or became known to an unauthorized entity.</maml:para> <maml:para>CACompromise - is used if the CA certificate private key was stolen or became known to an unauthorized entity.</maml:para> <maml:para>AffiliationChanged - is used when an employee (or other entity) has changed its affiliation (job position) and the current certificates are no longer required in the new position.</maml:para> <maml:para>Superseded - is used when a new certificate version (for example with new issuance, application policy or with updated extensions) is available and the previous (but still valid) certificate must not be used.</maml:para> <maml:para>CeaseOfOperation - is used when an employee leaves a company, or a device is decommissioned.</maml:para> <maml:para>Hold - is used to temporarily revoke a certificate, for example when an employee is on vacation.</maml:para> <maml:para>Unrevoke - is used to release a certificate from the CRL. If a certificate has been revoked with any reason code other than 'Hold', it cannot be reinstated.</maml:para> <maml:para>Note: do not use the 'Hold' reason, especially for signing certificates. 
This is because it is not possible to determine whether the certificate was valid at the signing time (determined by a timestamp in the signature).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>RevocationDate</maml:name> <maml:description> <maml:para>Provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date may be earlier than the revocation date in the CRL entry, which is the date at which the CA processed the revocation. When a revocation is first posted by a CRL issuer in a CRL, the invalidity date may precede the date of issue of earlier CRLs, but the revocation date should not precede the date of issue of earlier CRLs.</maml:para> <maml:para>The parameter must be set as a valid datetime string. The valid string format may vary depending on the current regional settings. For example, the following format is used in Latvia:</maml:para> <maml:para>MM.dd.yyyy hh:mm:ss, where: MM - month (2 digits); dd - day (2 digits); yyyy - year (4 digits); hh - hours (2 digits); mm - minutes (2 digits); ss - seconds (2 digits).</maml:para> <maml:para>For more details about the datetime format in your region, see the Control Panel\Regional and Language applet.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the particular request object. 
Request objects can be retrieved by running one of the following commands: Get-IssuedRequest, Get-RevokedRequest</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>Reason</maml:name> <maml:description> <maml:para>Specifies the reason why the certificate is revoked. This parameter accepts one of the following values:</maml:para> <maml:para>Unspecified - (default) is used if the certificate is revoked for a reason outside the scope of supported reasons.</maml:para> <maml:para>KeyCompromise - is used if the certificate private key was stolen or became known to an unauthorized entity.</maml:para> <maml:para>CACompromise - is used if the CA certificate private key was stolen or became known to an unauthorized entity.</maml:para> <maml:para>AffiliationChanged - is used when an employee (or other entity) has changed its affiliation (job position) and the current certificates are no longer required in the new position.</maml:para> <maml:para>Superseded - is used when a new certificate version (for example with new issuance, application policy or with updated extensions) is available and the previous (but still valid) certificate must not be used.</maml:para> <maml:para>CeaseOfOperation - is used when an employee leaves a company, or a device is decommissioned.</maml:para> <maml:para>Hold - is used to temporarily revoke a certificate, for example when an employee is on vacation.</maml:para> <maml:para>Unrevoke - is used to release a certificate from the CRL. If a certificate has been revoked with any reason code other than 'Hold', it cannot be reinstated.</maml:para> <maml:para>Note: do not use the 'Hold' reason, especially for signing certificates. 
This is because it is not possible to determine whether the certificate was valid at the signing time (determined by a timestamp in the signature).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>RevocationDate</maml:name> <maml:description> <maml:para>Provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. This date may be earlier than the revocation date in the CRL entry, which is the date at which the CA processed the revocation. When a revocation is first posted by a CRL issuer in a CRL, the invalidity date may precede the date of issue of earlier CRLs, but the revocation date should not precede the date of issue of earlier CRLs.</maml:para> <maml:para>The parameter must be set as a valid datetime string. The valid string format may vary depending on the current regional settings. 
For example, the following format is used in Latvia:</maml:para> <maml:para>MM.dd.yyyy hh:mm:ss, where: MM - month (2 digits); dd - day (2 digits); yyyy - year (4 digits); hh - hours (2 digits); mm - minutes (2 digits); ss - seconds (2 digits).</maml:para> <maml:para>For more details about the datetime format in your region, see the Control Panel\Regional and Language applet.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">DateTime</command:parameterValue> <dev:type> <maml:name>DateTime</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>[DateTime]::Now</dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority CompanyCA | Get-IssuedRequest -Filter "CommonName -eq www.company.com" | Revoke-Certificate -Reason "CeaseOfOperation"</dev:code> <dev:remarks> <maml:para>Revokes 
all certificates issued to www.company.com. This will guarantee that no one will use the decommissioned web server certificate to impersonate the legitimate server.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-IssuedRequest -Filter "CommonName -gt users vpodans" | Revoke-Certificate -Reason "CeaseOfOperation" -RevocationDate "05.01.2011"</dev:code> <dev:remarks> <maml:para>Revokes all certificates issued to the 'vpodans' user account stored in the Users organizational unit and sets the revocation date to 01 May 2011.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority MyCA | Get-RevokedRequest -ID 17 | Revoke-Certificate -Reason "KeyCompromise"</dev:code> <dev:remarks> <maml:para>This command updates the revocation reason for the request with ID=17 and sets the reason to "KeyCompromise".</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online 
version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Revoke-Certificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-IssuedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-RevokedRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-AuthorityInformationAccess</command:name> <maml:description> <maml:para>Sets new Authority Information Access (AIA) for Certification Authority.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>AuthorityInformationAccess</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Sets new Authority Information Access (AIA) for Certification Authority. This command will write new AIA URIs to Certification Authority (CA) configuration.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-AuthorityInformationAccess</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing object with configured AIA URLs. 
This object can be retrieved by running either Add-AuthorityInformationAccess or Remove-AuthorityInformationAccess command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">AuthorityInformationAccess[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing object with configured AIA URLs. 
This object can be retrieved by running either Add-AuthorityInformationAccess or Remove-AuthorityInformationAccess command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">AuthorityInformationAccess[]</command:parameterValue> <dev:type> <maml:name>AuthorityInformationAccess[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.AuthorityInformationAccess</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_AuthorityInformationAccess.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> 
</maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AIA | Add-AuthorityInformationAccess -URI "2:http://eu.company.com/MyCA%4.crt" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This command will retrieve AIA extension configuration from 'MyCA' CA server and adds new URI that will be published in all issued certificates. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name RootCA | Get-AuthorityInformationAccess | Add-AuthorityInformationAccess -URI "32:http://na.company.com/OCSP" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This command will retrieve AIA extension configuration from 'RootCA' CA server and adds new URI that will be published in all issued certificates as OCSP location. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AuthorityInformationAccess | Remove-AuthorityInformationAccess -URI "*c:\windows*" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This will remove all AIA URIs that contain the "c:\windows" pattern. After the command completes, certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-AuthorityInformationAccess | Remove-AuthorityInformationAccess -URI "*ldap://*" | Set-AuthorityInformationAccess -RestartCA</dev:code> <dev:remarks> <maml:para>This will remove all URIs that are used for CRT file publication and/or retrieval from Active Directory. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-AuthorityInformationAccess.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-AuthorityInformationAccess</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CACryptographyConfig</command:name> <maml:description> <maml:para>Changes current Certification Authority (CA) cryptography settings.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CACryptographyConfig</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Changes current Certification Authority (CA) 
cryptography settings. The following settings can be modified by this command:</maml:para> <maml:para>Hashing Algorithm -- the algorithm that is used to hash and sign issued certificates and certificate revocation lists (CRLs). Public Key Algorithm -- the asymmetric algorithm that is used to encrypt the signature of the certificate or CRL. For example, you can change the RSA algorithm to ECDSA. Alternate Signature Algorithm -- instructs the CA server to use the PKCS#1 v2.1 signature format.</maml:para> <maml:para>Note: Public Key Algorithm and Alternate Signature Algorithm are not supported by legacy cryptographic service providers (aka CryptoAPI CSP). Currently only CAPI2 (Key Storage) providers support these settings.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CACryptographyConfig</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing CA cryptography configuration object. This object can be retrieved by running Get-CACryptographyConfig command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CACryptography[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specifies the new hashing and signature algorithm. 
You can pass an Oid object that contains the new algorithm information, the algorithm's friendly name, or the algorithm's object identifier.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Oid</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>EncryptionAlgorithm</maml:name> <maml:description> <maml:para>Specifies the new asymmetric algorithm. You can pass an Oid object that contains the new algorithm information, the algorithm's friendly name, or the algorithm's object identifier.</maml:para> <maml:para>Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Oid</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AlternateSignatureAlgorithm</maml:name> <maml:description> <maml:para>Specifies whether the CA server should use the PKCS#1 v2.1 signature format, which results in signatures that use an algorithm such as RSASSA-PSS (1.2.840.113549.1.1.10). 
Not all systems and applications may recognize this signature format.</maml:para> <maml:para>Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing CA cryptography configuration object. This object can be retrieved by running Get-CACryptographyConfig command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CACryptography[]</command:parameterValue> <dev:type> <maml:name>CACryptography[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>HashingAlgorithm</maml:name> <maml:description> <maml:para>Specifies the new hashing and signature algorithm. 
You can pass an Oid object that contains the new algorithm information, the algorithm's friendly name, or the algorithm's object identifier.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Oid</command:parameterValue> <dev:type> <maml:name>Oid</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>EncryptionAlgorithm</maml:name> <maml:description> <maml:para>Specifies the new asymmetric algorithm. You can pass an Oid object that contains the new algorithm information, the algorithm's friendly name, or the algorithm's object identifier.</maml:para> <maml:para>Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Oid</command:parameterValue> <dev:type> <maml:name>Oid</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AlternateSignatureAlgorithm</maml:name> <maml:description> <maml:para>Specifies whether the CA server should use the PKCS#1 v2.1 signature format, which results in signatures that use an algorithm such as RSASSA-PSS (1.2.840.113549.1.1.10). 
Not all systems and applications may recognize this signature format.</maml:para> <maml:para>Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CACryptography</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CACryptography.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CACryptography</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CACryptography.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: 
https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves the existing CA cryptography configuration and changes the hashing algorithm to 'SHA256'. After the certificate service is restarted, all newly issued certificates and CRLs will be signed by using the 'SHA256' signing algorithm.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -AlternateSignatureAlgorithm -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves the existing CA cryptography configuration, changes the hashing algorithm to 'SHA256' and forces the CA server to use the PKCS#1 v2.1 signature format. 
After the certificate service is restarted, all newly issued certificates and CRLs will be signed by using a PSS signing algorithm and the content will be hashed by using the 'SHA256' hashing algorithm.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CACryptographyConfig.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CACryptographyConfig</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CAKRACertificate</command:name> <maml:description> <maml:para>Sets new key recovery agent certificate set to a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CAKRACertificate</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Sets new key recovery agent certificate set to a specified Certification Authority (CA). 
</maml:para> <maml:para>A Key Recovery Agent (KRA) certificate is used to encrypt a user's certificate private key and store it in the CA database. When a user cannot access his or her certificate private key, a Key Recovery Agent can recover it, provided that the Key Archival procedure was performed for that particular certificate.</maml:para> <maml:para>This command doesn't perform key recovery agent certificate validation. Once new KRA certificates are applied, this command will instruct the CA server to use all of them for the key archival process. In this case the CA server will encrypt the archived private key with each KRA certificate's public key. This will ensure that any assigned key recovery agent will be able to perform key recovery.</maml:para> <maml:para>Note that if only one certificate is assigned and it is invalid, all requests that require key archival will fail.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CAKRACertificate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies KRA object to process. 
This object can be retrieved by running Add-CAKRACertificate or Remove-CAKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRA[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies KRA object to process. This object can be retrieved by running Add-CAKRACertificate or Remove-CAKRACertificate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">KRA[]</command:parameterValue> <dev:type> <maml:name>KRA[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.KRA</maml:name> 
<maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.KRA</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_KRA.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $KRACerts = Get-ADKRACertificate -Subject "CN=Key Recovery*"
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $KRACerts | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>The first command retrieves from Active Directory all KRA certificates whose subject field starts with 'CN=Key Recovery' (in DN format). The second command retrieves the KRA certificates currently assigned to the 'MyCA' CA server and adds the new certificates obtained by the first command. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Certs = Get-ADKRACertificate -ShowUI -Multipick
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Add-CAKRACertificate $Certs | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>In this example the first command will display a certificate selection UI where you can select available KRA certificates. The second command will add the certificates selected in the previous command to the currently assigned certificates and write the new certificate list back to a CA server. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Remove-CAKRACertificate -Thumbprint "70144A763E3A662756898C3160297C8CBCD244DC" | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove key recovery agent certificate with thumbprint '70144A763E3A662756898C3160297C8CBCD244DC' from 'MyCA' CA server. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Remove-CAKRACertificate -InvalidOnly | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove invalid KRA certificates from all CA servers in the current forest. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CAKRACertificate | Remove-CAKRACertificate -ShowUI | Set-CAKRACertificate -RestartCA</dev:code> <dev:remarks> <maml:para>This example will retrieve currently assigned KRA certificates and displays certificate selection UI where you can select certificates to remove and writes new KRA certificate list back to a Company-CA CA server. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CAKRACertificate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-ADKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CAKRACertificate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CASecurityDescriptor</command:name> <maml:description> <maml:para>Writes modified access control list (ACL) to Certification Authority configuration.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CASecurityDescriptor</command:noun> <dev:version /> 
</command:details> <maml:description> <maml:para>Writes modified access control list (ACL) to Certification Authority configuration.</maml:para> <maml:para>Note: the new ACL will not take effect until the CA service is restarted.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CASecurityDescriptor</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the current access control list (ACL) object to write. This object can be retrieved by running either the Add-CASecurityDescriptor or the Remove-CAAccessControlEntry command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CASecurityDescriptor[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the current access control list (ACL) object to write. 
This object can be retrieved by running either the Add-CASecurityDescriptor or the Remove-CAAccessControlEntry command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CASecurityDescriptor[]</command:parameterValue> <dev:type> <maml:name>CASecurityDescriptor[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.AccessControl.CASecurityDescriptor</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_Security_AccessControl_CASecurityDescriptor.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> 
<command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = @(New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"JohnWayne"), "ManageCA", "Allow")
PS C:\> $ACE += New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCertificates", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>The first two lines create new access control entries: -- the first creates an ACE for John Wayne and grants him CA manager permissions. -- the second creates an ACE for John Smith and grants him certificate manager permissions. The third line retrieves the current ACL from the CA server, adds the new access control entries and writes them to the CA configuration. After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para>Note that if the ACL already contains an entry for the user account being added, the new ACE will not be added. 
Instead, use techniques described in Example 4.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith","JohnWayne" | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example retrieves the current access control list from the CA server installed on "ca01.company.com", removes all permissions explicitly granted to John Smith and John Wayne and writes the modified ACL to the CA configuration. After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $ACE = New-Object PKI.Security.AccessControl.CertificationAuthorityAccessRule ([Security.Principal.NTAccount]"jsmith"), "ManageCA", "Allow"
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-CASecurityDescriptor | Remove-CAAccessControlEntry -User "jsmith" | Add-CAAccessControlEntry -AccessControlEntry $ACE | Set-CASecurityDescriptor -RestartCA</dev:code> <dev:remarks> <maml:para>This example demonstrates techniques to change permissions explicitly granted to a user. 
In a given example, first line creates new access control entry for John Smith. Second line retrieves access control list from CA server, removes all permissions granted to John Smith and adds new access control entry.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CASecurityDescriptor.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CASecurityDescriptor</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CAAccessControlEntry</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CAAccessControlEntry</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CATemplate</command:name> <maml:description> <maml:para>Writes certificate templates to a specified Certification Authority (CA).</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CATemplate</command:noun> <dev:version /> 
</command:details> <maml:description> <maml:para>Writes certificate templates to a specified Certification Authority (CA). This command will rewrite all certificate templates assigned to a CA server with a new template list.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CATemplate</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority with assigned templates. This object can be retrieved by running either Add-CATemplate or Remove-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies the Certification Authority with assigned templates. 
This object can be retrieved by running either Add-CATemplate or Remove-CATemplate command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CATemplate[]</command:parameterValue> <dev:type> <maml:name>CATemplate[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CATemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CATemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CATemplate</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CATemplate.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company CA01" | Get-CATemplate | Add-CATemplate -Name "SmartCardV2","OfflineComputer" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will add 'SmartCardV2' and 'OfflineComputer' templates (must be created by using Certificate Templates MMC snap-in by duplicating existing templates) and assigns them to a 'Company CA01' certification authority.</maml:para> 
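<maml:para>Because Set-CATemplate rewrites the whole template list assigned to a CA, it helps to compare the current list with the list about to be written and stop on any change that was not approved. The following is an added example, not part of PSPKI or of the original help: the function Get-CATemplateChangeSet, its parameters and the sample template lists are hypothetical and constructed for illustration.</maml:para>
<maml:para>
```powershell
# Added illustration, not PSPKI code. Function and parameter names are hypothetical.
function Get-CATemplateChangeSet {
    [CmdletBinding()]
    param(
        # Template names currently assigned to the CA
        [string[]]$Current = @(),
        # Template names that Set-CATemplate would write
        [string[]]$Proposed = @(),
        # Names the change request allows to be added or removed
        [string[]]$ApprovedAdd = @(),
        [string[]]$ApprovedRemove = @()
    )

    # -in / -notin compare strings case-insensitively, which suits template names
    $added   = @($Proposed | Where-Object { $_ -notin $Current }  | Sort-Object -Unique)
    $removed = @($Current  | Where-Object { $_ -notin $Proposed } | Sort-Object -Unique)

    # Anything added or removed outside the approved lists blocks the write
    $unapproved = @(
        $added   | Where-Object { $_ -notin $ApprovedAdd }
        $removed | Where-Object { $_ -notin $ApprovedRemove }
    )

    [pscustomobject]@{
        Added       = $added
        Removed     = $removed
        Unapproved  = $unapproved
        SafeToWrite = ($unapproved.Count -eq 0)
    }
}

# Constructed sample data. On a live CA the two lists would be taken from the
# object returned by Get-CATemplate and from the object about to be piped to
# Set-CATemplate (assumption: the assigned templates expose a Name value).
$current  = 'Machine', 'WebServer', 'User'
$proposed = 'Machine', 'User', 'SmartCardV2', 'OfflineComputer'

$check = @{
    Current     = $current
    Proposed    = $proposed
    ApprovedAdd = 'SmartCardV2', 'OfflineComputer'
}
$change = Get-CATemplateChangeSet @check
$change | Format-List

# 'WebServer' is missing from the proposed list and was never approved for
# removal, so the write is refused instead of silently dropping the template.
if (-not $change.SafeToWrite) {
    Write-Warning ('Unapproved template changes: ' + ($change.Unapproved -join ', '))
}
```
</maml:para>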
<maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CATemplate | Add-CATemplate -DisplayName "Computer V2", "CA Exchange" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will add templates with display names: 'Computer V2' (must be created by using Certificate Templates MMC snap-in by duplicating existing templates) and CA Exchange and assigns them to all Enterprise CAs in the forest.</maml:para> <maml:para>This example is useful to provide template redundancy, so clients are able to enroll for a certificate even if one CA server is down.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $Template = Get-CertificateTemplate -Name WebServer
PS C:\> Get-CertificationAuthority ca01.company.com | Get-CATemplate | Add-CATemplate -Template $Template | Set-CATemplate</dev:code> <dev:remarks> <maml:para>In this example, the first command retrieves the template object by running the Get-CertificateTemplate command. 
The second line adds this template to the CA server running on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name "Company CA01" | Get-CATemplate | Remove-CATemplate -Name "Machine","WebServer" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will remove 'Machine' and 'WebServer' templates from 'Company CA01' CA server. The CA server will be unable to issue any certificates based on the specified templates.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 5 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CATemplate | Remove-CATemplate -DisplayName "Domain Controller" | Set-CATemplate</dev:code> <dev:remarks> <maml:para>This command will remove 'Domain Controller' template from all Enterprise CAs in the forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 6 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> 
</maml:introduction> <dev:code>PS C:\> $Template = Get-CertificateTemplate -DisplayName "Key Recovery Agent"
PS C:\> Get-CertificationAuthority ca01.company.com | Get-CATemplate | Remove-CATemplate -Template $Template | Set-CATemplate</dev:code> <dev:remarks> <maml:para>In this example, the first command retrieves the 'Key Recovery Agent' template object. In the second line, the specified template is removed from the CA server running on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CATemplate.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CATemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CertificateExtension</command:name> <maml:description> <maml:para>Adds or disables certificate extensions in a pending 
certificate request.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CertificateExtension</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Adds or disables certificate extensions in a pending certificate request.</maml:para> <maml:para>Note: for this command to succeed, the certificate request must be pending.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CertificateExtension</maml:name> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the particular request object. Request objects can be retrieved by running Get-PendingRequest command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>Extension</maml:name> <maml:description> <maml:para>Specifies the extension to add or remove. Depending on a 'Remove' switch, the following object types are accepted:</maml:para> <maml:para>-- if 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension or single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extensions will be added. -- if 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.</maml:para> <maml:para>Certificate extension objects are constructed out-of-band by using native .NET or extended extension classes. 
.NET extensions classes are defined in X509Certificates namespace: -- .NET native extensions: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography.X509Certificates.aspx -- extended extension classes: https://www.sysadmins.lv/library/pkix.net/html/N_System_Security_Cryptography_X509Certificates.htm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Remove</maml:name> <maml:description> <maml:para>Specifies whether to disable certificate extensions specified in the 'Extension' parameter. See 'Extension' parameter for this command behavior.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>Request</maml:name> <maml:description> <maml:para>Specifies the particular request object. Request objects can be retrieved by running Get-PendingRequest command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Object</command:parameterValue> <dev:type> <maml:name>Object</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="1"> <maml:name>Extension</maml:name> <maml:description> <maml:para>Specifies the extension to add or remove. 
Depending on a 'Remove' switch, the following object types are accepted:</maml:para> <maml:para>-- if 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension or single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extensions will be added. -- if 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.</maml:para> <maml:para>Certificate extension objects are constructed out-of-band by using native .NET or extended extension classes. .NET extensions classes are defined in X509Certificates namespace: -- .NET native extensions: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography.X509Certificates.aspx -- extended extension classes: https://www.sysadmins.lv/library/pkix.net/html/N_System_Security_Cryptography_X509Certificates.htm</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">Object[]</command:parameterValue> <dev:type> <maml:name>Object[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Remove</maml:name> <maml:description> <maml:para>Specifies whether to disable certificate extensions specified in the 'Extension' parameter. 
See 'Extension' parameter for this command behavior.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Management_CertificateServices_Database_AdcsDbRow.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>Returned object can be piped to Approve-CertificateRequest command to approve pending request after modifying pending request extensions.</maml:para> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> $altName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","owa.company.com"
PS C:\> $altName2 = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","www.company.com"
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
PS C:\> $altName, $altName2 | %{[void]$altNames.Add($_)}
PS C:\> # Build the SAN extension from the collection; the second argument (criticality flag) is an assumption about the constructor signature
PS C:\> $SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNameExtension $altNames, $false
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1631 | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest</dev:code> <dev:remarks> <maml:para>This example demonstrates general techniques to create X509Extension object. In a given example, we create subject alternative name (SAN) extension with two alternative names: DnsName=owa.company.com, DnsName=www.company.com. These alternative names are added to an alternative name collection. This collection is used to construct SAN extension. The last line adds the new extension to the pending request with request ID=1631 and approves the modified pending request. Issued certificate will contain new SAN extension.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1632 | Set-CertificateExtension -Extension "Subject Alternative Name" -Remove | Approve-CertificateRequest</dev:code> <dev:remarks> <maml:para>In this example, we assume that pending request has unwanted subject alternative name (SAN) extension. This command retrieves pending request object and disables (removes) unwanted extension and issues certificate. 
Issued certificate will not have request SAN extension.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CertificateExtension.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-PendingRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Approve-CertificateRequest</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CertificateTemplateAcl</command:name> <maml:description> <maml:para>Changes the security descriptor of a certificate template.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CertificateTemplateAcl</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>The Set-CertificateTemplateAcl cmdlet writes the security descriptor of a specified certificate template to the actual certificate template object, to match the values in a security descriptor that you supply.</maml:para> <maml:para>Note: in order to 
edit certificate template ACL, you must be granted Enterprise Admins permissions or delegated permissions on the 'Certificate Templates' Active Directory container.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CertificateTemplateAcl</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an ACL object of certificate template. This object can be retrieved by running Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">SecurityDescriptor2[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an ACL object of certificate template. 
This object can be retrieved by running Add-CertificateTemplateAcl or Remove-CertificateTemplateAcl cmdlet.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">SecurityDescriptor2[]</command:parameterValue> <dev:type> <maml:name>SecurityDescriptor2[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.Security.SecurityDescriptor</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.Security.SecurityDescriptor</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl</dev:code> <dev:remarks> <maml:para>This command adds the 'WebServerGroup' security group to the certificate template 'WebServer' and grants Read and Enroll permissions. 
After that, a new ACL is written to the actual object.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Remove-CertificateTemplateAcl -User OldWebServer -AccessType Allow | Set-CertificateTemplateAcl</dev:code> <dev:remarks> <maml:para>This command removes all granted permissions for the 'OldWebServer' account from the 'WebServer' certificate template ACL. After that, a new ACL will be written to the actual certificate template object (Set-CertificateTemplateAcl).</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CertificateTemplateAcl.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplate</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CertificateTemplateAcl</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command 
xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CertificateValidityPeriod</command:name> <maml:description> <maml:para>Sets maximum validity period for issued certificates.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CertificateValidityPeriod</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Sets maximum validity period for issued certificates. This setting is not absolute. Certificate actual validity period is the lesser value of the following: for Standalone CA: - estimated CA certificate validity period - ValidityPeriod parameter value.</maml:para> <maml:para>for Enterprise CA: - estimated CA certificate validity period - certificate template validity period value - ValidityPeriod parameter value.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CertificateValidityPeriod</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Must be an existing CertValidityPeriod object that contains current issued certificate validity settings. 
This object can be retrieved by running Get-CertificateValidityPeriod command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertValiditySetting[]</command:parameterValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>ValidityPeriod</maml:name> <maml:description> <maml:para>Specifies new issued certificate validity settings. 
Must be set in the format: 'Digit PeriodUnit'. For example, '5 years'. Possible values for PeriodUnit are: - Hours - Days - Weeks - Months - Years</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Must be an existing CertValidityPeriod object that contains current issued certificate validity settings. This object can be retrieved by running Get-CertificateValidityPeriod command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertValiditySetting[]</command:parameterValue> <dev:type> <maml:name>CertValiditySetting[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>ValidityPeriod</maml:name> <maml:description> <maml:para>Specifies new issued certificate validity settings. Must be set in the format: 'Digit PeriodUnit'. For example, '5 years'. 
Possible values for PeriodUnit are: - Hours - Days - Weeks - Months - Years</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertValidityPeriod</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertValiditySetting.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CertValidityPeriod</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertValiditySetting.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CertificateValidityPeriod | Set-CertificateValidityPeriod "10 years" -RestartCA</dev:code> <dev:remarks> <maml:para>Sets issued certificate validity period to '10 years'. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CertificateValidityPeriod | Set-CertificateValidityPeriod "5 years" -RestartCA</dev:code> <dev:remarks> <maml:para>Sets issued certificate validity period to '5 years' for all Enterprise CAs in the current forest. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CertificateValidityPeriod.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificateValidityPeriod</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CRLDistributionPoint</command:name> <maml:description> <maml:para>Set new CRL distribution points (CDP) for Certification Authority.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CRLDistributionPoint</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Set new CRL distribution points (CDP) for Certification Authority. 
This command will write new CDP URIs to Certification Authority (CA) configuration.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-CRLDistributionPoint</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an existing CDP object to rewrite. This object can be retrieved by running either Add-CRLDistributionPoint or Remove-CRLDistributionPoint command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLDistributionPoint[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies an existing CDP object to rewrite. 
This object can be retrieved by running either Add-CRLDistributionPoint or Remove-CRLDistributionPoint command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLDistributionPoint[]</command:parameterValue> <dev:type> <maml:name>CRLDistributionPoint[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.CRLDistributionPoint</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLDistributionPoint.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> 
<command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority RootCA | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "6:http://crl.domain.com/%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will add new CDP URI to certificate CDP for 'RootCA' CA server. Also this will add new URI in Freshest CRL in CRL CDP to locate corresponding Delta CRL. After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "65:\\ServerName\crlfile%9.crl", "65:C:\CertData\%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will add new paths for Base and Delta CRL file publication for all CAs in the current forest. This will not add any new URIs in certificate CDP extension, but instructs CA to publish physical CRL files to specified locations. 
After command completion CA services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 3 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*c:\windows*" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all CDP URIs that contain the "c:\windows" pattern. After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 4 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name MyCA | Get-CrlDistributionPoint | Remove-CrlDistributionPoint -URI "*ldap://*" | Set-CrlDistributionPoint -RestartCA</dev:code> <dev:remarks> <maml:para>This example will remove all URIs that are used for CRL file publication and/or retrieval from Active Directory. 
After command completion certificate services will be restarted to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CRLDistributionPoint.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-CRLDistributionPoint</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-CRLValidityPeriod</command:name> <maml:description> <maml:para>Sets CRL validity period setting.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>CRLValidityPeriod</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Sets CRL validity period and overlap settings for both BaseCRL and DeltaCRL.</maml:para> </maml:description> 
<command:syntax> <command:syntaxItem> <maml:name>Set-CRLValidityPeriod</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Must be an existing CRLValidityPeriod object that contains current CRL validity settings. This object can be retrieved by running Get-CRLValidityPeriod command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLValiditySetting[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>BaseCRL</maml:name> <maml:description> <maml:para>Specifies new CRL validity settings. Must be set in the format: '&lt;Digit&gt; &lt;PeriodUnit&gt;'. For example, '5 days'. Possible values for PeriodUnit are: -- Hours -- Days -- Weeks -- Months -- Years</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>BaseCRLOverlap</maml:name> <maml:description> <maml:para>Specifies the time to extend Base CRL. For example, if BaseCRL is published every 7 days with 1 day overlap, the resulting validity period for Base CRL will be 8 days. But the CA server will still publish CRL every 7 days, so administrators will have one day to distribute CRL to the target CRL publishing locations. 
For input format please refer to BaseCRL parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>DeltaCRL</maml:name> <maml:description> <maml:para>Specifies new Delta CRL validity settings. Delta CRL is an incremental CRL issued several times between Base CRL publishing and will contain only those certificates that were revoked since the last Base CRL was issued. Usually Delta CRLs are published quite frequently (for example, every 1-2 days) to keep certificate revocation status information up to date. For input format please refer to BaseCRL parameter.</maml:para> <maml:para>Note: if you wish to disable DeltaCRL publishing, set Digit value to zero (see examples).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4"> <maml:name>DeltaCRLOverlap</maml:name> <maml:description> <maml:para>Specifies the time to extend Delta CRL. For additional info refer to BaseCRLOverlap parameter. 
For input format please refer to BaseCRL parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Must be an existing CRLValidityPeriod object that contains current CRL validity settings. This object can be retrieved by running Get-CRLValidityPeriod command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CRLValiditySetting[]</command:parameterValue> <dev:type> <maml:name>CRLValiditySetting[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="1"> <maml:name>BaseCRL</maml:name> <maml:description> <maml:para>Specifies new CRL validity settings. Must be set in the format: '&lt;Digit&gt; &lt;PeriodUnit&gt;'. For example, '5 days'. 
Possible values for PeriodUnit are: -- Hours -- Days -- Weeks -- Months -- Years</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="2"> <maml:name>BaseCRLOverlap</maml:name> <maml:description> <maml:para>Specifies the time to extend Base CRL. For example, if BaseCRL is published every 7 days with 1 day overlap, the resulting validity period for Base CRL will be 8 days. But the CA server will still publish CRL every 7 days, so administrators will have one day to distribute CRL to the target CRL publishing locations. For input format please refer to BaseCRL parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="3"> <maml:name>DeltaCRL</maml:name> <maml:description> <maml:para>Specifies new Delta CRL validity settings. Delta CRL is an incremental CRL issued several times between Base CRL publishing and will contain only those certificates that were revoked since the last Base CRL was issued. Usually Delta CRLs are published quite frequently (for example, every 1-2 days) to keep certificate revocation status information up to date. 
For input format please refer to BaseCRL parameter.</maml:para> <maml:para>Note: if you wish to disable DeltaCRL publishing, set Digit value to zero (see examples).</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="4"> <maml:name>DeltaCRLOverlap</maml:name> <maml:description> <maml:para>Specifies the time to extend Delta CRL. For additional info refer to BaseCRLOverlap parameter. For input format please refer to BaseCRL parameter.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">String</command:parameterValue> <dev:type> <maml:name>String</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CRLValidityPeriod</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLValiditySetting.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> 
<maml:name>PKI.CertificateServices.CRLValidityPeriod</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CRLValiditySetting.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CRLValidityPeriod | Set-CRLValidityPeriod -BaseCRL "22 weeks" -BaseCRLOverlap "2 days" -RestartCA</dev:code> <dev:remarks> <maml:para>Sets Base CRL publishing period as 22 weeks and overlap delay as 2 days. After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CRLValidityPeriod | Set-CRLValidityPeriod -DeltaCRL "0 days" -RestartCA</dev:code> <dev:remarks> <maml:para>Disables Delta CRL publishing for all Certification Authorities in current forest. 
After configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-CRLValidityPeriod.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CRLValidityPeriod</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Set-ExtensionList</command:name> <maml:description> <maml:para>Sets certificate enabled/disabled extension lists.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Set</command:verb> <command:noun>ExtensionList</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Sets certificate enabled/disabled extension lists. Extensions are sorted into 3 categories:</maml:para> <maml:para>EnabledExtensionList - contains extensions that CA server will publish in each issued certificate upon request. 
OfflineExtensionList - contains allowed extension list that CA server will publish in issued certificates when offline request is used. DisabledExtensionList - contains extensions that will not be published in certificate even if this extension is specified in the request.</maml:para> <maml:para>For more details see corresponding parameter description.</maml:para> <maml:para>Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Set-ExtensionList</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing ExtensionList object to process. This object can be retrieved by running either Add-ExtensionList or Remove-ExtensionList command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">ExtensionList[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>InputObject</maml:name> <maml:description> <maml:para>Specifies existing ExtensionList object to process. 
This object can be retrieved by running either Add-ExtensionList or Remove-ExtensionList command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">ExtensionList[]</command:parameterValue> <dev:type> <maml:name>ExtensionList[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>RestartCA</maml:name> <maml:description> <maml:para>Restarts CA service on the specified CA server to immediately apply changes.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.CertificateServices.PolicyModule.ExtensionList</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_PolicyModule_ExtensionList.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> 
<maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -DisabledExtension "Certificate Template Name" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>This command will add the 'Certificate Template Name' extension to the restricted extension list. As a result, the CA server will not publish this extension in issued certificates. After the configuration is changed, the command will restart certificate services to immediately apply changes.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Remove-ExtensionList -OfflineExtension "Subject Alternative Name" | Set-ExtensionList -RestartCA</dev:code> <dev:remarks> <maml:para>This will remove the 'Subject Alternative Name' extension from the extensions allowed in requests.
As a result, the CA server will ignore this extension in certificate requests.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Set-ExtensionList.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Remove-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Add-ExtensionList</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Start-CertificationAuthority</command:name> <maml:description> <maml:para>Starts certificate services on the specified Certification Authority.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Start</command:verb> <command:noun>CertificationAuthority</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Starts certificate services on the specified Certification Authority.</maml:para> </maml:description> <command:syntax>
<command:syntaxItem> <maml:name>Start-CertificationAuthority</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> 
<maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Start-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Starts certificate services on the CA server hosted on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Start-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Starts certificate services on all Certification Authorities in the current forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Start-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink>
<maml:linkText>Stop-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restart-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Stop-CertificationAuthority</command:name> <maml:description> <maml:para>Stops certificate services on specified Certification Authority.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Stop</command:verb> <command:noun>CertificationAuthority</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>Stops certificate services on specified Certification Authority.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Stop-CertificationAuthority</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="0"> <maml:name>CertificationAuthority</maml:name> <maml:description> <maml:para>Specifies the particular Certification Authority. 
This object can be retrieved by running Get-CertificationAuthority command.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority ca01.company.com | Stop-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Stops certificate services on the CA server hosted on 'ca01.company.com'.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 
--------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Get-CertificationAuthority | Stop-CertificationAuthority</dev:code> <dev:remarks> <maml:para>Stops certificate services on all Certification Authorities in the current forest.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Stop-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Connect-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Start-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Restart-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Uninstall-CertificationAuthority</command:name> <maml:description> <maml:para>Uninstalls Active Directory Certificate Services role from the local computer.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Uninstall</command:verb> <command:noun>CertificationAuthority</command:noun>
<dev:version /> </command:details> <maml:description> <maml:para>Uninstalls Active Directory Certificate Services role from the local computer. The command supports Windows Server 2008 R2 Server Core installations.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Uninstall-CertificationAuthority</maml:name> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AutoRestart</maml:name> <maml:description> <maml:para>Automatically restarts the computer to complete CA role removal. Otherwise you will have to restart the server manually.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>By default, the command prompts you whether you want to remove the CA role.
Use the -Force switch to suppress all prompts.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Describes what would happen if you executed the command without actually executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>AutoRestart</maml:name> <maml:description> <maml:para>Automatically restarts the computer to complete CA role removal. Otherwise you will have to restart the server manually.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Force</maml:name> <maml:description> <maml:para>By default, the command prompts you whether you want to remove the CA role.
Use the -Force switch to suppress all prompts.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>WhatIf</maml:name> <maml:description> <maml:para>Describes what would happen if you executed the command without actually executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>Confirm</maml:name> <maml:description> <maml:para>Prompts you for confirmation before executing the command.</maml:para> </maml:description> <command:parameterValue required="false" variableLength="false">SwitchParameter</command:parameterValue> <dev:type> <maml:name>SwitchParameter</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>None.</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>SysadminsLV.PKI.Utils.IServiceOperationResult</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_SysadminsLV_PKI_Utils_IServiceOperationResult.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues>
<command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>PS C:\> Uninstall-CertificationAuthority -AutoRestart -Force</dev:code> <dev:remarks> <maml:para>The command uninstalls the CA role, suppresses all prompts and automatically restarts the server upon completion.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Uninstall-CertificationAuthority.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Install-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> <command:command xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:command="http://schemas.microsoft.com/maml/dev/command/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10" xmlns:MSHelp="http://msdn.microsoft.com/mshelp"> <!--Generated by PS Cmdlet Help Editor--> <command:details> <command:name>Get-EnterprisePKIHealthStatus</command:name> <maml:description> <maml:para>Get-EnterprisePKIHealthStatus command is an extended console version of Enterprise PKI Health Tool (pkiview.msc MMC snap-in).
It is intended to check Certification Authority health by examining the CA certificate chain status and validating all CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs for each certificate in the chain.</maml:para> </maml:description> <maml:copyright> <maml:para /> </maml:copyright> <command:verb>Get</command:verb> <command:noun>EnterprisePKIHealthStatus</command:noun> <dev:version /> </command:details> <maml:description> <maml:para>This command is an extended console version of Enterprise PKI Health Tool (pkiview.msc MMC snap-in). It is intended to check Certification Authority health by examining the CA certificate chain status and validating all CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs for each certificate in the chain. Depending on the parameter set, different certificate retrieval methods are used.</maml:para> <maml:para>-- if the '-CertificateAuthority' parameter is used, the command will attempt to retrieve the most recent "CA Exchange" certificate to use in the validation routine.
-- if the '-Certificate' parameter is used, the command will use the passed certificates directly in the validation routine.</maml:para> <maml:para>The following validation procedures are used by the validation routine:</maml:para> <maml:para>1. Build certificate chain for each certificate to select trusted anchors and to go through the chain;
2. Retrieve all Issuer URLs from Authority Information Access extension;
2.1. Validate each URL (must be either http or ldap) and attempt to download the contents;
2.2. If the contents are downloaded, verify whether it is a certificate;
2.2.1. Verify if the downloaded certificate is an issuer for the current certificate;
2.2.2. Validate other certificate properties;
3. Extract URLs from CRL Distribution Points extension;
3.1. Validate each URL (must be either http or ldap) and attempt to download the contents;
3.2. If the contents are downloaded, verify whether it is a certificate revocation list;
3.2.1. Validate basic CRL properties, such as validity (not yet valid, expired, about to expire);
3.2.2. Validate whether the CRL has a valid signature (against the CA certificate);
3.3. Do the same for Delta CRLs (if applicable);
4. Extract all Online Certificate Status Protocol (OCSP) URLs from AIA extension;
4.1. Validate OCSP response by sending OCSP request and processing response;
5. Compose status report (managed, I maintain report object and you can access report properties);
6. Repeat steps 2-5 for each subsequent certificate in the chain up to root certificate;
7. Return an array of status objects. A single status object is generated for each certificate chain.</maml:para> </maml:description> <command:syntax> <command:syntaxItem> <maml:name>Get-EnterprisePKIHealthStatus</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificateAuthority</maml:name> <maml:description> <maml:para>Specifies one or more Enterprise Certification Authority objects to verify. The command will attempt to download (or request a new one if necessary) the most recent certificate based on the "CA Exchange" certificate template. This certificate will be used to construct the chain, retrieve and validate CRL Distribution Points (CDP) and Authority Information Access (AIA) URLs for the entire chain.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DownloadTimeout</maml:name> <maml:description> <maml:para>Specifies the URL download timeout in seconds.
Default value is 15 seconds.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CaCertExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the CA certificate expiration threshold in percent. If CA certificate validity reaches this threshold value, the CA certificate status is marked "Expiring", which indicates that it will expire in the near future, and CA server administrators should take care of CA certificate renewal or replacement.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>BaseCrlExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Base CRL expiration threshold in percent. If Base CRL validity reaches this threshold value, its status is marked "Expiring", which indicates that the CRL will expire in the near future. Enterprise CAs automatically renew their CRLs in the CRL distribution points and no additional steps are required.</maml:para> <maml:para>For Standalone, offline and 3rd party CAs, manual steps for Base CRL renewal and publication to defined CRL distribution points may be required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DeltaCrlExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Delta CRL expiration threshold in percent.
If Delta CRL validity reaches this threshold value, its status is marked "Expiring", which indicates that the CRL will expire in the near future. Enterprise CAs automatically renew their CRLs in the CRL distribution points and no additional steps are required.</maml:para> <maml:para>For Standalone, offline and 3rd party CAs, manual steps for Delta CRL renewal and publication to defined CRL distribution points may be required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OcspCertExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Online Certificate Status Protocol (OCSP) signing certificate expiration threshold in percent. If OCSP certificate validity reaches this threshold value, CA certificate status is marked "Expiring", which indicates that it will expire in the near future, and OCSP server administrators should take care of CA certificate renewal or replacement.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> </command:syntaxItem> <command:syntaxItem> <maml:name>Get-EnterprisePKIHealthStatus</maml:name> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Specifies one or more certificate objects to verify.
The command will use this certificate to construct the chain, retrieve and validate CRL Distribution Points (CDP) and Authority Information Access (AIA) URLs for the entire certificate chain.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">X509Certificate2[]</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DownloadTimeout</maml:name> <maml:description> <maml:para>Specifies the URL download timeout in seconds. Default value is 15 seconds.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CaCertExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the CA certificate expiration threshold in percent. If CA certificate validity reaches this threshold value, the CA certificate status is marked "Expiring", which indicates that it will expire in the near future, and CA server administrators should take care of CA certificate renewal or replacement.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>BaseCrlExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Base CRL expiration threshold in percent. If Base CRL validity reaches this threshold value, its status is marked "Expiring", which indicates that the CRL will expire in the near future.
Enterprise CAs automatically renew their CRLs in the CRL distribution points and no additional steps are required.</maml:para> <maml:para>For Standalone, offline and 3rd party CAs, manual steps for Base CRL renewal and publication to defined CRL distribution points may be required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DeltaCrlExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Delta CRL expiration threshold in percent. If Delta CRL validity reaches this threshold value, its status is marked "Expiring", which indicates that the CRL will expire in the near future. Enterprise CAs automatically renew their CRLs in the CRL distribution points and no additional steps are required.</maml:para> <maml:para>For Standalone, offline and 3rd party CAs, manual steps for Delta CRL renewal and publication to defined CRL distribution points may be required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OcspCertExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Online Certificate Status Protocol (OCSP) signing certificate expiration threshold in percent.
If OCSP certificate validity reaches this threshold value, CA certificate status is marked "Expiring", which indicates that it will expire in the near future, and OCSP server administrators should take care of CA certificate renewal or replacement.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> </command:parameter> </command:syntaxItem> </command:syntax> <command:parameters> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="true (ByValue, ByPropertyName)" position="named"> <maml:name>CertificateAuthority</maml:name> <maml:description> <maml:para>Specifies one or more Enterprise Certification Authority objects to verify. The command will attempt to download (or request a new one if necessary) the most recent certificate based on the "CA Exchange" certificate template. This certificate will be used to construct the chain, retrieve and validate CRL Distribution Points (CDP) and Authority Information Access (AIA) URLs for the entire chain.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">CertificateAuthority[]</command:parameterValue> <dev:type> <maml:name>CertificateAuthority[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DownloadTimeout</maml:name> <maml:description> <maml:para>Specifies the URL download timeout in seconds.
Default value is 15 seconds.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>15</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>CaCertExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the CA certificate expiration threshold in percent. If the CA certificate validity reaches this threshold value, the CA certificate status is marked "Expiring", which indicates that it will expire in the near future, and CA server administrators should take care of CA certificate renewal or replacement.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>80</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>BaseCrlExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Base CRL expiration threshold in percent. If the Base CRL validity reaches this threshold value, its status is marked "Expiring", which indicates that the CRL will expire in the near future. 
Enterprise CAs automatically renew their CRLs in the CRL distribution points and no additional steps are required.</maml:para> <maml:para>For Standalone, offline and 3rd party CAs, manual steps for Base CRL renewal and publication to defined CRL distribution points may be required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>80</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>DeltaCrlExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Delta CRL expiration threshold in percent. If the Delta CRL validity reaches this threshold value, its status is marked "Expiring", which indicates that the CRL will expire in the near future. Enterprise CAs automatically renew their CRLs in the CRL distribution points and no additional steps are required.</maml:para> <maml:para>For Standalone, offline and 3rd party CAs, manual steps for Delta CRL renewal and publication to defined CRL distribution points may be required.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>80</dev:defaultValue> </command:parameter> <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named"> <maml:name>OcspCertExpirationThreshold</maml:name> <maml:description> <maml:para>Specifies the Online Certificate Status Protocol (OCSP) signing certificate expiration threshold in percent. 
If the OCSP certificate validity reaches this threshold value, the CA certificate status is marked "Expiring", which indicates that it will expire in the near future, and OCSP server administrators should take care of CA certificate renewal or replacement.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="false">Int32</command:parameterValue> <dev:type> <maml:name>Int32</maml:name> <maml:uri/> </dev:type> <dev:defaultValue>80</dev:defaultValue> </command:parameter> <command:parameter required="true" variableLength="true" globbing="false" pipelineInput="false" position="named"> <maml:name>Certificate</maml:name> <maml:description> <maml:para>Specifies one or more certificate objects to verify. The command will use this certificate to construct the chain, and to retrieve and validate CRL Distribution Points (CDP) and Authority Information Access (AIA) URLs for the entire certificate chain.</maml:para> </maml:description> <command:parameterValue required="true" variableLength="true">X509Certificate2[]</command:parameterValue> <dev:type> <maml:name>X509Certificate2[]</maml:name> <maml:uri/> </dev:type> <dev:defaultValue></dev:defaultValue> </command:parameter> </command:parameters> <command:inputTypes> <command:inputType> <dev:type> <maml:name>PKI.CertificateServices.CertificateAuthority[]</maml:name> <maml:uri>https://www.sysadmins.lv/library/pkix.net/html/T_PKI_CertificateServices_CertificateAuthority.htm</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>This parameter set is used to validate an existing Enterprise CA</maml:para> </maml:description> </command:inputType> <command:inputType> <dev:type> <maml:name>Security.Cryptography.X509Certificates.X509Certificate2[]</maml:name> <maml:uri>https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx</maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para>This parameter set is used to validate Standalone and 3rd party 
CAs.</maml:para> </maml:description> </command:inputType> </command:inputTypes> <command:returnValues> <command:returnValue> <dev:type> <maml:name>PKI.EnterprisePKI.CAObject[]</maml:name> <maml:uri></maml:uri> <maml:description/> </dev:type> <maml:description> <maml:para /> </maml:description> </command:returnValue> </command:returnValues> <command:terminatingErrors></command:terminatingErrors> <command:nonTerminatingErrors></command:nonTerminatingErrors> <maml:alertSet> <maml:title></maml:title> <maml:alert> <maml:para>Author: Vadims Podans Blog: https://www.sysadmins.lv</maml:para> </maml:alert> </maml:alertSet> <command:examples> <command:example> <maml:title>-------------------------- Example 1 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>Get-CA | Get-EnterprisePKIHealthStatus</dev:code> <dev:remarks> <maml:para>This example will enumerate all Enterprise Certification Authorities in the Active Directory forest and validate their chains and CDP/AIA URLs for accessibility and validity.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> <command:example> <maml:title>-------------------------- Example 2 --------------------------</maml:title> <maml:introduction> <maml:paragraph>PS C:\></maml:paragraph> </maml:introduction> <dev:code>$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 "C:\certs\leafcert.cer"
PS C:\> Get-EnterprisePKIHealthStatus -Certificate $cert -CaCertExpirationThreshold 90 -BaseCrlExpirationThreshold 90 -DeltaCrlExpirationThreshold 70</dev:code> <dev:remarks> <maml:para>This example will instantiate an 'X509Certificate2' object from a certificate file and validate the entire chain for validity and health. 
The CA certificate and Base CRL will be considered 'Expiring' when each reaches 90% of its validity, and the Delta CRL when it reaches 70% of its validity.</maml:para> <maml:para /> <maml:para /> <maml:para></maml:para> </dev:remarks> <command:commandLines> <command:commandLine> <command:commandText> <maml:para /> </command:commandText> </command:commandLine> </command:commandLines> </command:example> </command:examples> <maml:relatedLinks> <maml:navigationLink> <maml:linkText>Online version:</maml:linkText> <maml:uri>https://www.sysadmins.lv/projects/pspki/Get-EnterprisePKIHealthStatus.aspx</maml:uri> </maml:navigationLink> <maml:navigationLink> <maml:linkText>Get-CertificationAuthority</maml:linkText> <maml:uri></maml:uri> </maml:navigationLink> </maml:relatedLinks> </command:command> </helpItems>