Retrieves default policy module flags.
Get-PolicyModuleFlag [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Retrieves default Policy Module flags. These flags are processed by the policy module during certificate request processing.
Specifies the Certification Authority object. This object can be retrieved by running the Get-CertificationAuthority command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
PKI.CertificateServices.CertificateAuthority
PKI.CertificateServices.PolicyModule.EditFlag
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag
Returns the enabled policy module flags for the specified CA server.
PS C:\> Get-CertificationAuthority | Get-PolicyModuleFlag
Returns the enabled policy module flags for all CAs in the forest, with a separate object per CA.
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA
Disables the 'Subject Alternative Name' attribute in a submitted certificate request and restarts certificate services. In order to issue a certificate with a SAN extension, the SAN must be part of the certificate request extensions. After the command completes, the Company-CA CA server will be restarted to immediately apply changes.
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA
Disables the 'OCSP No Revocation Checking' extension and disables Disabled Certificate Extension list processing. This will prevent the CA from issuing OCSP Response Signing certificates, and any previously disabled extension (see Add-ExtensionList) will be populated in issued certificates. After the command completes, the Company-CA CA server will be restarted to immediately apply changes.
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA
Enables the 'Subject Alternative Name' attribute in a submitted certificate request. After the command completes, the 'Company-CA' CA server will be restarted to immediately apply changes. Note: do not enable the SAN attribute on Enterprise CAs if it is possible to include the SAN as an extension.
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA
Enables the 'OCSP No Revocation Checking' extension and enables Disabled Certificate Extension list processing. This will allow the CA to issue OCSP Response Signing certificates and will instruct the CA server to process the disabled extension list (see Add-ExtensionList); extensions in this list will not be populated in issued certificates. After the command completes, the 'Company-CA' CA server will be restarted to immediately apply changes.
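A read-only audit built on the cmdlets above, as an added example that is not part of the original help page or of the PSPKI project: it reports which CAs in the forest still have the AttributeSubjectAlternativeName flag enabled. The property names DisplayName, ComputerName and EditFlags are assumptions about the objects these cmdlets return.

```powershell
# Added example (not from the PSPKI help): read-only audit of the SAN attribute flag.
# Assumptions: the PSPKI module is installed; CA objects expose DisplayName and
# ComputerName; EditFlag objects expose the enabled flags in an 'EditFlags' property.
Import-Module PSPKI -ErrorAction Stop

$flagName = 'AttributeSubjectAlternativeName'   # flag name used in the examples above

$report = foreach ($ca in Get-CertificationAuthority) {
    try {
        $policy = $ca | Get-PolicyModuleFlag -ErrorAction Stop
    }
    catch {
        $policy = $null
    }
    if ($null -eq $policy) {
        # CA offline or access denied: record it instead of silently skipping it
        [pscustomobject]@{
            CA = $ca.DisplayName; Server = $ca.ComputerName
            SanAttributeEnabled = $null; EnabledFlags = 'UNKNOWN (query failed)'
        }
        continue
    }
    # A [Flags] enum renders as "FlagA, FlagB, ..."; split it into individual names
    $enabled = $policy.EditFlags.ToString() -split ',\s*'
    [pscustomobject]@{
        CA = $ca.DisplayName; Server = $ca.ComputerName
        SanAttributeEnabled = $enabled -contains $flagName
        EnabledFlags = $enabled -join ', '
    }
}

# CAs with the flag enabled first, unknown state next, clean CAs last
$report |
    Sort-Object { if ($_.SanAttributeEnabled) { 0 } elseif ($null -eq $_.SanAttributeEnabled) { 1 } else { 2 } } |
    Format-Table -AutoSize -Wrap
```

The script changes nothing on the CA; where the flag is reported as enabled, the Disable-PolicyModuleFlag example above turns it off.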
Get-CertificationAuthority
Connect-CertificationAuthority
Enable-PolicyModuleFlag
Disable-PolicyModuleFlag
Restore-PolicyModuleFlagDefault