In the next days, I will show you how to perform specific tasks on your Microsoft PKI using Powershell.
In this post, you will be able to revoke a certificate that matches your criteria. In the following example, I will use the Powershell cmdlets :
- Get-CertificationAuthority
- Get-IssuedRequest
- Revoke-Certificate
The cmdlet Get-CertificationAuthority retrieves all Enterprise Certification Authorities from a current Active Directory forest.
If you have a two tiers infrastructure (one Enterprise Root CA and two Issuing CAs) the output of the command will be:
PS C:\> Get-CertificationAuthority DisplayName ComputerName IsAccessible ServiceStatus Type ----------- ------------ ------------ ------------- ---- subCA01 subCA01.domain.local True Running Enterprise Subordinate CA subCA02 subCA02.domain.local True Running Enterprise Subordinate CA
You can then select one of the subordinate CA listed above and list specific certificate using this command:
Get-CertificationAuthority -name "subCA01" | Get-IssuedRequest -filter "Request.RequesterName -eq DOMAIN\machinename$"
The output will show you all the certificate that have been requested by DOMAIN\machinename$
If you want to revoke them, type the following command:
Get-CertificationAuthority -name "subCA01" | Get-IssuedRequest -filter "Request.RequesterName -eq DOMAIN\machinename$" | Revoke-Certificate -Reason "Hold"
With the command above, the certificates will be revoked with the reason “Hold”. This reason can be used to “cancel” the revocation (unrevoke) and approve back the certificate.
The available reasons are the following :
- Unspecified – (default) is used if the certificate is revoked for a reason outside the scope of supported reasons.
- KeyCompromise – is used if the certificate private key was stolen or become known to an unauthorized entity.
- CACompromise – is used if the CA certificate private key was stolen or become known to an unauthorized entity.
- AffiliationChanged – is used when employee (or other entity) has changed its affiliation (job position) and current certificates are no longer required in new
- Superseded – is used when a new certificate version (for example with new issuance, application policy or with updated extensions) is available and previous (but
- CeaseOfOperation – is used when an employee leaves a company, or device is decommissioned.
- Hold – is used to temporarily revoke certificate. For example when an employee is in a vacation.
- Unrevoke – is used to release a certificate from CRL. If a certificate has been revoked with any reason code other than ‘Hold’, it cannot be reinstated.
position.
still valid) certificate must not be used.
My Powershell script categories
- Active Directory
- Cluster
- Database
- Exchange
- Files and folders
- Hardware
- Network
- Operating System
- PKI
- SCCM
- Service and process
- Tips
- VMWare