Set-CertificateExtension
Synopsis
Adds or disables certificate extensions in a pending certificate request.
Syntax
Set-CertificateExtension [-Request] <Object> [-Extension] <Object[]> [-Remove] [<CommonParameters>]
Description
Adds or disables certificate extensions in a pending certificate request.
Note: for this command to succeed, the certificate request must be pending.
Parameters
-Request <Object>
Specifies the particular request object. Request objects can be retrieved by running Get-PendingRequest command.
| Required? | True |
| Position? | 0 |
| Default value | |
| Accept pipeline input? | True |
| Accept wildcard characters? | False |
-Extension <Object[]>
Specifies the extension to add or remove. Depending on a 'Remove' switch, the following object types are accepted:
-- if 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension or single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extenssions will be added.
-- if 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.
Certificate extension object are constructed out-of-band by using native .NET or extended extension classes. .NET extensions classes are defined in X509Certificates namespace:
-- .NET native extensions: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography.X509Certificates.aspx
-- extended extension classes: https://www.sysadmins.lv/apidocs/pki/html/N_System_Security_Cryptography_X509Certificates.htm
| Required? | True |
| Position? | 1 |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
-Remove <SwitchParameter>
Specifies whether to disable certificate extensions specified in the 'Extension' parameter. See 'Extension' parameter for this command behavior.
| Required? | False |
| Position? | named |
| Default value | |
| Accept pipeline input? | False |
| Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216)
Inputs
SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow
Outputs
SysadminsLV.PKI.Utils.IServiceOperationResult
Notes
Examples
Example 1
PS C:\> $altName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","owa.company.com"
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","www.company.com"
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
PS C:\> $altName, $altName2 | %{[void]$altNames.Add($_)}
PS C:\> $SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNameExtension
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1631 | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest
This example demonstrates general techniques to create X509Extension object. In a given example, we create subject alternative name (SAN) extension with two alternative names: DnsName=owa.company.com, DnsName=www.company.com. These alternative names are added to an alternative name collection. This collection is used to construct SAN extension. In the last line, new extension is added to a pending request with request ID=1631 and approves modified pending request. Issued certificate will contain new SAN extension.
Example 2
PS C:\> Get-CertitificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1632 | Set-CertificateExtension -Extension "Subject Alternative Name" -Remove | Approve-CertificateRequest
In this example, we assume that pending request has unwanted subject alternative name (SAN) extension. This command retrieves pending request object and disables (removes) unwanted extension and issues certificate. Issued certificate will not have request SAN extension.
Related links
- Get-CertificationAuthority
- Connect-CertificationAuthority
- Get-PendingRequest
- Approve-CertificateRequest
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions
- Windows Server 2025 all editions