Set-CAKRACertificate

[This command is not available in non-domain environments]

[This command requires installed Remote Server Administration Tools (RSAT)]

Synopsis

Sets a new key recovery agent (KRA) certificate set on a specified Certification Authority (CA).

Syntax

Set-CAKRACertificate [-InputObject] <KRA[]> [-RestartCA] [<CommonParameters>]

Description

Sets a new key recovery agent (KRA) certificate set on a specified Certification Authority (CA).

A Key Recovery Agent certificate is used to encrypt a user's certificate private key and store it in the CA database. If a user can no longer access his or her private key, a Key Recovery Agent can recover it, provided the key archival procedure was performed for that particular certificate.

This command does not validate the key recovery agent certificates. Once new KRA certificates are applied, the command instructs the CA server to use all of them in the key archival process: the CA server encrypts each archived private key with the public key of every KRA certificate, which ensures that any assigned key recovery agent is able to perform key recovery.

Note that if only one certificate is assigned and it is invalid, all requests that require key archival will fail.
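Because the cmdlet performs no validation and a single bad KRA certificate breaks every archival request, a practitioner would want to check the certificates before they reach Set-CAKRACertificate. The following is an added example, not code from the PSPKI help page; it assumes Get-ADKRACertificate returns System.Security.Cryptography.X509Certificates.X509Certificate2 objects and that the target CA is named MyCA.

```powershell
# Added example (not from the PSPKI help page): validate KRA certificates before
# assigning them, because Set-CAKRACertificate performs no validation itself and a
# single invalid KRA certificate can make every key-archival request fail.
# Assumptions: Get-ADKRACertificate returns X509Certificate2 objects; the CA is named MyCA.

$KraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage (szOID_KP_KEY_RECOVERY_AGENT)

function Test-KraCertificate {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -le $now) {
        Write-Warning "$($Certificate.Thumbprint): outside its validity period"
        return $false
    }

    # The certificate must explicitly carry the Key Recovery Agent EKU.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasKraEku = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $KraEkuOid })
    if (-not $hasKraEku) {
        Write-Warning "$($Certificate.Thumbprint): missing Key Recovery Agent EKU"
        return $false
    }

    # Build the chain with online revocation checking; a revoked or untrusted KRA is unusable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "$($Certificate.Thumbprint): chain validation failed ($status)"
        return $false
    }
    return $true
}

$candidates = Get-ADKRACertificate -Subject "CN=Key Recovery*"
$valid = @($candidates | Where-Object { Test-KraCertificate -Certificate $_ })

if ($valid.Count -eq 0) {
    throw "No valid KRA certificates found; leaving the current CA configuration untouched."
}

# Only validated certificates are added and written back to the CA.
Get-CertificationAuthority -Name MyCA |
    Get-CAKRACertificate |
    Add-CAKRACertificate -Certificate $valid |
    Set-CAKRACertificate -RestartCA
```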

Parameters

-InputObject <KRA[]>

Specifies the KRA object to process. This object can be retrieved by running the Add-CAKRACertificate or Remove-CAKRACertificate command.

Required? True
Position? 0
Default value  
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts the CA service on the specified CA server to apply the changes immediately.

Required? False
Position? named
Default value  
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.KRA

Outputs

PKI.CertificateServices.KRA

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> $KRACerts = Get-ADKRACertificate -Subject "CN=Key Recovery*"
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $KRACerts | Set-CAKRACertificate -RestartCA

The first command retrieves from Active Directory all KRA certificates whose subject field starts with 'CN=Key Recovery' (in DN format). The second command retrieves the KRA certificates currently assigned to the 'MyCA' CA server and adds the new certificates obtained by the first command. After the configuration is changed, the command restarts certificate services to apply the changes immediately.

Example 2

PS C:\> $Certs = Get-ADKRACertificate -ShowUI -Multipick
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Add-CAKRACertificate $Certs | Set-CAKRACertificate -RestartCA

In this example the first command displays a certificate selection UI where you can select the available KRA certificates. The second command adds the certificates selected in the previous command to the currently assigned certificates and writes the new certificate list back to each CA server. After the configuration is changed, the command restarts certificate services to apply the changes immediately.

Example 3

PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Remove-CAKRACertificate -Thumbprint "70144A763E3A662756898C3160297C8CBCD244DC" | Set-CAKRACertificate -RestartCA

This example removes the key recovery agent certificate with thumbprint '70144A763E3A662756898C3160297C8CBCD244DC' from the 'MyCA' CA server. After the command completes, certificate services are restarted to apply the changes immediately.

Example 4

PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Remove-CAKRACertificate -InvalidOnly | Set-CAKRACertificate -RestartCA

This example removes invalid KRA certificates from all CA servers in the current forest. After the command completes, certificate services are restarted to apply the changes immediately.

Example 5

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CAKRACertificate | Remove-CAKRACertificate -ShowUI | Set-CAKRACertificate -RestartCA

This example retrieves the currently assigned KRA certificates, displays a certificate selection UI where you can select the certificates to remove, and writes the new KRA certificate list back to the Company-CA CA server. After the command completes, certificate services are restarted to apply the changes immediately.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-ADKRACertificate
Get-CAKRACertificate
Add-CAKRACertificate
Remove-CAKRACertificate

PowerShell Support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 Enterprise
  • Windows Server 2003 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
