Retrieves Active Directory Certificate Services (AD CS) key recovery agent (KRA) settings.
Get-KeyRecoveryAgentFlag [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Retrieves Active Directory Certificate Services (AD CS) key recovery agent (KRA) settings. Use this command in conjunction with the Enable-KeyRecoveryAgentFlag and Disable-KeyRecoveryAgentFlag cmdlets to configure KRA settings.
By default, no KRA flags are defined.
Specifies the Certification Authority object. This object can be retrieved by running the Get-CertificationAuthority command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
PKI.CertificateServices.CertificateAuthority
PKI.CertificateServices.Flags.KRAFlag
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> Get-CertificationAuthority -name "company-CA01" | Get-KeyRecoveryAgentFlag
The command retrieves KRA settings for the 'company-CA01' CA server.
PS C:\> Get-CertificationAuthority | Get-KeyRecoveryAgentFlag
The command retrieves KRA settings for all Enterprise CAs in the current Active Directory forest.
PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-KeyRecoveryAgentFlag | Disable-KeyRecoveryAgentFlag -Flag "EnableForeign"
This command disables key archival for keys that were issued (signed) by another (or third-party) CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.
PS C:\> Get-CertificationAuthority | Get-KeyRecoveryAgentFlag | Enable-KeyRecoveryAgentFlag -Flag "EnableForeign"
This example allows the CA to archive public and private key pairs that were issued (signed) by another (or third-party) CA. After the configuration is changed, the command will restart certificate services to immediately apply changes.
Get-CertificationAuthority
Connect-CertificationAuthority
Enable-KeyRecoveryAgentFlag
Disable-KeyRecoveryAgentFlag
Restore-KeyRecoveryAgentFlagDefault