Adds or disables certificate extensions in a pending certificate request.
Set-CertificateExtension [-Request] <Object> [-Extension] <Object[]> [-Remove] [<CommonParameters>]
Adds or disables certificate extensions in a pending certificate request.
Note: for this command to succeed, the certificate request must be pending.
Specifies the particular request object. Request objects can be retrieved by running Get-PendingRequest command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
Specifies the extension to add or remove. Depending on a 'Remove' switch, the following object types are accepted:
-- if 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension or single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extenssions will be added.
-- if 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.
Certificate extension object are constructed out-of-band by using native .NET or extended extension classes. .NET extensions classes are defined in X509Certificates namespace:
-- .NET native extensions: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography.X509Certificates.aspx
-- extended extension classes: https://www.sysadmins.lv/library/pkix.net/html/N_System_Security_Cryptography_X509Certificates.htm
Required? | True |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
Specifies whether to disable certificate extensions specified in the 'Extension' parameter. See 'Extension' parameter for this command behavior.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow
SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow
Returned object can be piped to Approve-CertificateRequest command to approve pending request after modifying pending request extensions.
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> $altName1 = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","owa.company.com" PS C:\> $altName2 = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","www.company.com" PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection PS C:\> $altName1, $altName2 | %{[void]$altNames.Add($_)} PS C:\> $SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $altNames, $flase PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1631 | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest
This example demonstrates general techniques to create X509Extension object. In a given example, we create subject alternative name (SAN) extension with two alternative names: DnsName=owa.company.com, DnsName=www.company.com. These alternative names are added to an alternative name collection. This collection is used to construct SAN extension. In the last line, new extension is added to a pending request with request ID=1631 and approves modified pending request. Issued certificate will contain new SAN extension.
PS C:\> Get-CertitificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1632 | Set-CertificateExtension -Extension "Subject Alternative Name" -Remove | Approve-CertificateRequest
In this example, we assume that pending request has unwanted subject alternative name (SAN) extension. This command retrieves pending request object and disables (removes) unwanted extension and issues certificate. Issued certificate will not have request SAN extension.
Get-CertificationAuthority
Connect-CertificationAuthority
Get-PendingRequest
Approve-CertificateRequest