This command requires Remote Server Administration Tools (RSAT) to be installed.



Adds or disables certificate extensions in a pending certificate request.


Set-CertificateExtension [-Request] <Object> [-Extension] <Object[]> [-Remove] [<CommonParameters>]


Adds or disables certificate extensions in a pending certificate request.

Note: for this command to succeed, the certificate request must be pending.


-Request <Object>

Specifies the request object to modify. Request objects can be retrieved by running the Get-PendingRequest command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Extension <Object[]>

Specifies the extension to add or remove. Depending on the 'Remove' switch, the following object types are accepted:

-- if the 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension objects or a single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extensions will be added.
-- if the 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.

Certificate extension objects are constructed out-of-band by using native .NET or extended extension classes. .NET extension classes are defined in the X509Certificates namespace:
-- .NET native extensions:
-- extended extension classes:

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Remove <SwitchParameter>

Specifies whether to disable the certificate extensions specified in the 'Extension' parameter. See the 'Extension' parameter description for how this switch changes the command's behavior.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False


This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, InformationAction, InformationVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable. For more information, see about_CommonParameters.





The returned object can be piped to the Approve-CertificateRequest command to approve the pending request after its extensions have been modified.


Author: Vadims Podans


Example 1

PS C:\> $altName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName",""
PS C:\> $altName2 = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName",""
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
PS C:\> $altName, $altName2 | %{[void]$altNames.Add($_)}
PS C:\> $SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $altNames,$false
PS C:\> Get-CertificationAuthority "" | Get-PendingRequest -RequestID 1631 | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest

This example demonstrates the general technique for creating an X509Extension object. Here we create a subject alternative name (SAN) extension with two alternative names. The alternative names are added to an alternative name collection, and the collection is used to construct the SAN extension. The last line adds the new extension to the pending request with request ID 1631 and approves the modified request. The issued certificate will contain the new SAN extension.

Example 2

PS C:\> Get-CertificationAuthority "" | Get-PendingRequest -RequestID 1632 | Set-CertificateExtension -Extension "Subject Alternative Name" -Remove | Approve-CertificateRequest

In this example, we assume that the pending request contains an unwanted subject alternative name (SAN) extension. The command retrieves the pending request object, disables (removes) the unwanted extension and issues the certificate. The issued certificate will not contain the SAN extension from the request.

Related links


Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows Server 2003 all editions
  • Windows Server 2008 all editions
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions



Ernest 30.06.2017 21:57 (GMT+3) Set-CertificateExtension

Hello Vadims, thanks for posting

Is it correct to say that the Policy Module must support the Extension you are trying to add to the certificate, in other words if I wanted to add a certificate extension called MyCustomExtension with some OID e.g. added this to the pending request then tried to process the request the Policy Module would drop the extension if it did not understand it e.g. was not written to process the type of extension when the Policy module was created?

Thanks very much

Nat Hazlett 26.04.2018 02:47 (GMT+3) Set-CertificateExtension

Hi There, 

This is a very impressive piece of work! Thank you for sharing :)

Just a quick comment to say that the example here was exactly what I needed, but it doesn't work as there are a few typos in there, some of which took me a few hours to figure out how to correct (Classes confuse me, I'm not a programmer so it was quite a rabbit hole for me to fall into!).

Hopefully this will help someone else out there who was looking for a way to automatically add the CN as a SAN :


#Get your pending certificate
$requestID = 65
$caName = ""
$pendingCert = Get-CertificationAuthority $caName | Get-PendingRequest -RequestID $requestID

#Take the common name and prepare the SAN extension
$altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
$altName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","$($pendingCert.'Request.CommonName')"
$altName | %{[void]$altNames.Add($_)}
$SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $altnames,0  #the boolean indicates critical or not.

#And finally, add the SAN to the certificate and issue
Get-CertificationAuthority $caName | Get-PendingRequest -RequestID $RequestID | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest
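
A guarded variant of the CN-to-SAN approach in the comment above, added here as an example (it is neither PSPKI's own code nor the commenter's): the common name is requester-supplied, so it is checked against a host-name pattern and an allow-list of DNS suffixes before it is copied into a SAN, and approval is kept as a separate step. The function name Add-ValidatedSanFromCN, the CA name and the suffix list are assumptions for illustration.

```powershell
# Added example. Add-ValidatedSanFromCN is a hypothetical helper, not a PSPKI cmdlet.
function Add-ValidatedSanFromCN {
    param(
        [Parameter(Mandatory)][string]$CAName,
        [Parameter(Mandatory)][int]$RequestID,
        # Suffixes must start with a dot, so "evilcorp.example.test" cannot
        # match an entry such as ".corp.example.test".
        [Parameter(Mandatory)][string[]]$AllowedSuffix
    )

    $pending = Get-CertificationAuthority $CAName | Get-PendingRequest -RequestID $RequestID
    if (-not $pending) { throw "Request $RequestID is not pending on $CAName." }

    # The CN is requester-controlled input: accept only a plain host name
    # (no wildcard, no empty labels) under a suffix this CA is meant to serve.
    $cn = [string]$pending.'Request.CommonName'
    $hostPattern = '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    $suffixOk = @($AllowedSuffix | Where-Object {
        $_.StartsWith('.') -and $cn.EndsWith($_, [StringComparison]::OrdinalIgnoreCase)
    }).Count -gt 0

    if ($cn.Length -gt 253 -or $cn -notmatch $hostPattern -or -not $suffixOk) {
        Write-Warning "Request ${RequestID}: CN '$cn' rejected; request left pending and unmodified."
        return
    }

    # Same construction as in the comment above, using the validated name.
    $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
    $altName  = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName", $cn
    [void]$altNames.Add($altName)
    $san = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $altNames, $false

    # Returns the modified request object; nothing is issued here.
    $pending | Set-CertificateExtension -Extension $san
}

# Placeholder CA name, request ID and suffix list.
$modified = Add-ValidatedSanFromCN -CAName "ca01.example.test" -RequestID 65 `
    -AllowedSuffix ".corp.example.test"

# Approve only when validation passed and the extension was added.
if ($modified) { $modified | Approve-CertificateRequest }
```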




Jan 27.07.2018 10:59 (GMT+3) Set-CertificateExtension


I am facing an issue while applying the SAN extension on WS 2016:

PS C:\> $SAN 

AlternativeNames                            Critical Oid                              RawData  
----------------                            -------- ---                              ---
{DNS, DNS}    False System.Security.Cryptography.Oid {48

PS C:\> $request |Set-CertificateExtension -Extension $SAN 
Method invocation failed because [System.Security.Cryptography.Oid] does not contain a method named 'Format'.
At C:\Program Files\WindowsPowerShell\Modules\pspki\\Server\Set-CertificateExtension.ps1:37 
+ ...                          "Extension '$($ext.Oid.Format($true))' was a ...
+                                            ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

I tested that on two different WS 2016 environments. Is there anything I can fix? Thank you in advance!

Vadims Podāns 27.07.2018 22:56 (GMT+3) Set-CertificateExtension

The issue is logged on GitHub:
