Comments on this page are supposed to improve article content and no technical support is provided. For technical questions, please visit project home page at: https://pspki.codeplex.com/

Set-CertificateExtension

[This command requires installed Remote Server Administration Tools (RSAT)]

Set-CertificateExtension

Synopsis

Adds or disables certificate extensions in a pending certificate request.

Syntax

Set-CertificateExtension [-Request] <Object> [-Extension] <Object[]> [-Remove] [<CommonParameters>]

Description

Adds or disables certificate extensions in a pending certificate request.

Note: for this command to succeed, the certificate request must be pending.

Parameters

-Request <Object>

Specifies the particular request object. Request objects can be retrieved by running Get-PendingRequest command.

Required? True
Position? 0
Default value  
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Extension <Object[]>

Specifies the extension to add or remove. Depending on a 'Remove' switch, the following object types are accepted:

-- if 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension or single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extenssions will be added.
-- if 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.

Certificate extension object are constructed out-of-band by using native .NET or extended extension classes. .NET extensions classes are defined in X509Certificates namespace:
-- .NET native extensions: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography.X509Certificates.aspx
-- extended extension classes: http://pkix2.sysadmins.lv/library/html/N_System_Security_Cryptography_X509Certificates.htm

Required? True
Position? 1
Default value  
Accept pipeline input? false
Accept wildcard characters? False

-Remove <SwitchParameter>

Specifies whether to disable certificate extensions specified in the 'Extension' parameter. See 'Extension' parameter for this command behavior.

Required? False
Position? named
Default value  
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.DB.RequestRow

Outputs

PKI.CertificateServices.DB.RequestRow

Returned object can be piped to Approve-CertificateRequest command to approve pending request after modifying pending request extensions.

Notes

Author: Vadims Podans
Blog: https://www.sysadmins.lv

Examples

Example 1

PS C:\> $altName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","owa.company.com"
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","www.company.com"
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
PS C:\> $altName, $altName2 | %{[void]$altNames.Add($_)}
PS C:\> $SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNameExtension
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1631 | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest

This example demonstrates general techniques to create X509Extension object. In a given example, we create subject alternative name (SAN) extension with two alternative names: DnsName=owa.company.com, DnsName=www.company.com. These alternative names are added to an alternative name collection. This collection is used to construct SAN extension. In the last line, new extension is added to a pending request with request ID=1631 and approves modified pending request. Issued certificate will contain new SAN extension.

Example 2

PS C:\> Get-CertitificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1632 | Set-CertificateExtension -Extension "Subject Alternative Name" -Remove | Approve-CertificateRequest

In this example, we assume that pending request has unwanted subject alternative name (SAN) extension. This command retrieves pending request object and disables (removes) unwanted extension and issues certificate. Issued certificate will not have request SAN extension.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-PendingRequest
Approve-CertificateRequest

PowerShell Support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions

Comments:

Ernest
Ernest 30.06.2017 21:57 (GMT+3)

Hello Vadims, thanks for posting

Is it correct to say that the Policy Module must support the Extension you are trying to add to the certificate, in other words if I wanted to add a certificate extension call MyCustomExtension with some OID e.g. 1.1.1.1.1.1.1.1.1.1.1 added this to the pending request then tried to process the request the Policy Module would drop the extension if it did not understand it e.g. was not written to process they type of extension when the Policy module was created?

Thanks very much

Captcha