Revoke a certificate that has specific properties

Over the next few days, I will show you how to perform specific tasks on your Microsoft PKI using PowerShell.

In this post, you will learn how to revoke every certificate that matches your criteria. The example below uses the following PowerShell cmdlets (from the PSPKI module):

  • Get-CertificationAuthority
  • Get-IssuedRequest
  • Revoke-Certificate

The cmdlet Get-CertificationAuthority retrieves all Enterprise Certification Authorities registered in the current Active Directory forest.
If you have a two-tier infrastructure (one Enterprise Root CA and two Issuing CAs), the output of the command will look like this:

PS C:\> Get-CertificationAuthority

DisplayName    ComputerName              IsAccessible ServiceStatus Type
-----------    ------------              ------------ ------------- ----
subCA01        subCA01.domain.local      True         Running       Enterprise Subordinate CA
subCA02        subCA02.domain.local      True         Running       Enterprise Subordinate CA

You can then select one of the subordinate CAs listed above and list the certificates that match a filter, using this command:

Get-CertificationAuthority -name "subCA01" | Get-IssuedRequest -filter "Request.RequesterName -eq DOMAIN\machinename$"

The output will show you all the certificates that have been requested by DOMAIN\machinename$ (for a machine account, the requester name is the computer name followed by "$").

If you want to revoke them, type the following command:

Get-CertificationAuthority -name "subCA01" | Get-IssuedRequest -filter "Request.RequesterName -eq DOMAIN\machinename$" | Revoke-Certificate -Reason "Hold"

With the command above, the certificates will be revoked with the reason "Hold". This reason can be used to "cancel" the revocation later (unrevoke) and make the certificate valid again; any other reason code is permanent.
The available reasons are the following:

  • Unspecified – (default) is used if the certificate is revoked for a reason outside the scope of supported reasons.
  • KeyCompromise – is used if the certificate private key was stolen or become known to an unauthorized entity.
  • CACompromise – is used if the CA certificate private key was stolen or become known to an unauthorized entity.
  • AffiliationChanged – is used when an employee (or other entity) has changed affiliation (job position) and the current certificates are no longer required in the new position.
  • Superseded – is used when a new certificate version (for example with a new issuance or application policy, or with updated extensions) is available and the previous (but still valid) certificate must not be used.
  • CeaseOfOperation – is used when an employee leaves the company, or a device is decommissioned.
  • Hold – is used to temporarily revoke a certificate, for example while an employee is on vacation.
  • Unrevoke – is used to release a certificate from the CRL. If a certificate has been revoked with any reason code other than "Hold", it cannot be reinstated.
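The following script is an added example, not code from the original post. It wraps the whole procedure above (find the CA, list the matching issued certificates, revoke them with a reason, and optionally release a "Hold") in a reviewable form: it prints what it is about to touch, skips certificates that have already expired, and refuses to run against the CA database until you pass -Commit. It assumes the PSPKI module is installed, that the account has "Issue and Manage Certificates" permission on the CA, and that the property names RequestID, CommonName, SerialNumber and NotAfter are present on the objects returned by Get-IssuedRequest (they are in current PSPKI versions, but check with Get-Member if yours differs). Publish-CRL is a PSPKI cmdlet; the CA name and requester name are the values used in the post.

```powershell
<#
  Added example (not from the original post).
  Revoke, or unrevoke, every still-valid certificate on one Enterprise CA
  that was requested by a given account.

  Usage (dry run, nothing is changed on the CA):
    .\Revoke-ByRequester.ps1 -CAName subCA01 -Requester 'DOMAIN\machinename$' -Reason Hold
  Usage (actually revoke, then publish a fresh CRL):
    .\Revoke-ByRequester.ps1 -CAName subCA01 -Requester 'DOMAIN\machinename$' -Reason Hold -Commit -PublishCrl
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CAName,
    [Parameter(Mandatory)] [string] $Requester,
    # Same reason codes as listed in the post; Unrevoke only works on "Hold".
    [ValidateSet('Unspecified','KeyCompromise','CACompromise','AffiliationChanged',
                 'Superseded','CeaseOfOperation','Hold','Unrevoke')]
    [string] $Reason = 'Hold',
    [switch] $Commit,      # without this switch the script only reports
    [switch] $PublishCrl   # push a new CRL so clients see the change promptly
)

Import-Module PSPKI -ErrorAction Stop

# Step 1: locate the CA. Get-CertificationAuthority only returns Enterprise
# CAs published in the forest, so an unknown name yields nothing.
$ca = Get-CertificationAuthority -Name $CAName
if (-not $ca) { throw "No Enterprise CA named '$CAName' was found in the forest." }

# Step 2: list issued certificates for the requester. Single quotes keep the
# trailing '$' of a machine account literal. Certificates that have already
# expired are skipped: revoking them buys nothing and only bloats the CRL.
# For 'Unrevoke' we look at the revoked view instead of the issued one.
$filter = "Request.RequesterName -eq $Requester"
$now    = Get-Date
if ($Reason -eq 'Unrevoke') {
    $targets = $ca | Get-RevokedRequest -Filter $filter | Where-Object { $_.NotAfter -gt $now }
} else {
    $targets = $ca | Get-IssuedRequest  -Filter $filter | Where-Object { $_.NotAfter -gt $now }
}

if (-not $targets) {
    Write-Host "Nothing to do: no matching, unexpired certificates for $Requester on $CAName."
    return
}

# Step 3: show exactly what would be affected before touching the CA database.
Write-Host "Certificates selected for reason '$Reason' on $($ca.ComputerName):"
$targets | Select-Object RequestID, CommonName, SerialNumber, NotAfter | Format-Table -AutoSize

if (-not $Commit) {
    Write-Warning "Dry run: $($targets.Count) certificate(s) would be processed. Re-run with -Commit to apply."
    return
}

# Step 4: apply. Each object carries its CA config string, so the pipeline
# works the same way as the one-liner in the post.
$targets | Revoke-Certificate -Reason $Reason
Write-Host "$($targets.Count) certificate(s) processed with reason '$Reason'."

# Step 5 (optional): publish a new base CRL. Until then, clients keep using the
# cached CRL and will not see the revocation (or the unrevocation).
if ($PublishCrl) {
    $ca | Publish-CRL
    Write-Host "New CRL published on $($ca.ComputerName)."
}
```

The dry run is the important part from an operational standpoint: a filter on Request.RequesterName can match more certificates than you expect (every template the account has ever enrolled for), and a revocation with any reason other than Hold is irreversible, so review the table first. Revoking with KeyCompromise or CACompromise should also be followed by publishing the CRL immediately rather than waiting for the scheduled publication.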
