Adds new Key Recovery Agent (KRA) certificate to a specified Certification Authority (CA).
Add-CAKRACertificate [-InputObject] <KRA[]> [-Certificate] <X509Certificate2[]> [<CommonParameters>]
Adds new Key Recovery Agent (KRA) certificate to a specified Certification Authority (CA).
This command doesn't change actual settings, but just prepares KRA object. To change KRAs on CA use this command in conjunction with Set-CAKRACertificate command.
Key Recovery Agent certificate is used to encrypt user certificate's private key and store it in the CA database in a encrypted form. In the case when user cannot access his or her certificate private key, it is possible to recover it by key recovery agent (if Key Archival procedure was taken against particular certificate).
Specifies the KRA object to process. This object can be retrieved by running Get-CAKRACertificate command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
Specifies one or more X509Certificate2 objects that represent key recovery agent certificate(s). To retrieve a list of enterprise key recovery agent certificates use Get-ADKRACertificate command.
Required? | True |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> $KRACerts = Get-ADKRACertificate -Subject "CN=Key Recovery*" C:\PS>Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $certs | Set-CAKRACertificate -RestartCA
First command retrieves from Active Directory all KRA certificates where subject field starts with 'CN=Key Recovery' (in DN format). Second command will retrieve currently assigned KRA certificates to 'MyCA' CA server and adds new certificates obtained in first command. After configuration is changed, the command will restart certificate services to immediately apply changes.
PS C:\> $Certs = Get-ADKRACertificate -ShowUI -Multipick C:\PS>Get-CertificationAuthority | Get-CAKRACertificate | Add-CAKRACertificate $Certs | Set-Certificate -RestartCA
In this example first command will display certificate selection UI where you can select available KRA certificates. Second command will add selected (in previous command) certificates to currently assigned certificates and writes new certificate list back to a CA server. After configuration is changed, the command will restart certificate services to immediately apply changes.
Get-CertificationAuthority
Connect-CertificationAuthority
Get-ADKRACertificate
Get-CAKRACertificate
Remove-CAKRACertificate
Set-CAKRACertificate