PowerShell PKI Module

This module is intended to simplify various PKI and Active Directory Certificate Services management tasks by using automation with Windows PowerShell. The module provides features and capabilities for managing and configuring Certification Authorities.

Download Now Go to GitHub

Schedule a Demo

Module Requirements

Windows PowerShell 3.0 or higher
.NET Framework 4.7.2 or higher
Windows Server 2008 R2/2012/2012 R2/2016/2019/2022
Windows 7*/8*/8.1*/10*/11*

* — with installed RSAT-ADCS (Active Directory Certificate Services Remote System Administration Tools)

Certification Authority requirements

This module supports Enterprise or Standalone Certification Authority servers that are running one of the following operating systems:

Windows Server 2003/2003 R2
Windows Server 2008 (including Server Core)
Windows Server 2008 R2 (including Server Core)
Windows Server 2012 (including Server Core)
Windows Server 2012 R2 (including Server Core)
Windows Server 2016 (including Server Core)
Windows Server 2019 (including Server Core)
Windows Server 2022 (including Server Core)

Release notes

Version 4.2.0 (current)

Command list:

Full command list for the latest release:

Add-AdCertificate
Add-AdCertificateRevocationList (Alias: Add-AdCrl)
Add-AuthorityInformationAccess (Alias: Add-AIA)
Add-CAKRACertificate
Add-CATemplate
Add-CertificateTemplateAcl
Add-CertificationAuthorityAcl (Alias: Add-CAAccessControlEntry Add-CAACL)
Add-CRLDistributionPoint (Alias: Add-CDP)
Add-ExtensionList
Add-OnlineResponderAcl (Alias: Add-OCSPACL)
Add-OnlineResponderArrayMember
Add-OnlineResponderLocalCrlEntry
Add-OnlineResponderRevocationConfiguration
Approve-CertificateRequest
Connect-CertificationAuthority (Alias: Connect-CA)
Connect-OnlineResponder
Convert-PemToPfx
Convert-PfxToPem
Deny-CertificateRequest
Disable-CertificateRevocationListFlag (Alias: Disable-CRLFlag)
Disable-InterfaceFlag
Disable-KeyRecoveryAgentFlag (Alias: Disable-KRAFlag)
Disable-PolicyModuleFlag
Enable-CertificateRevocationListFlag (Alias: Enable-CRLFlag)
Enable-InterfaceFlag
Enable-KeyRecoveryAgentFlag (Alias: Enable-KRAFlag)
Enable-PolicyModuleFlag
Get-AdcsDatabaseRow
Get-ADKRACertificate
Get-AdPkiContainer
Get-AuthorityInformationAccess (Alias: Get-AIA)
Get-CACryptographyConfig
Get-CAExchangeCertificate
Get-CAKRACertificate
Get-CATemplate
Get-CertificateContextProperty
Get-CertificateRequest
Get-CertificateRevocationList (Alias: Get-CRL)
Get-CertificateRevocationListFlag (Alias: Get-CRLFlag)
Get-CertificateTemplate
Get-CertificateTemplateAcl
Get-CertificateTrustList (Alias: Get-CTL)
Get-CertificateValidityPeriod
Get-CertificationAuthority (Alias: Get-CA)
Get-CertificationAuthorityAcl (Alias: Get-CAACL Get-CASecurityDescriptor)
Get-CertificationAuthorityDbSchema
Get-CryptographicServiceProvider (Alias: Get-Csp)
Get-CRLDistributionPoint (Alias: Get-CDP)
Get-CRLValidityPeriod
Get-EnrollmentPolicyServerClient
Get-EnterprisePKIHealthStatus
Get-ErrorMessage
Get-ExtensionList
Get-FailedRequest
Get-InterfaceFlag
Get-IssuedRequest
Get-KeyRecoveryAgentFlag (Alias: Get-KRAFlag)
Get-ObjectIdentifier (Alias: oid)
Get-ObjectIdentifierEx (Alias: oid2)
Get-OnlineResponderAcl (Alias: Get-OCSPACL)
Get-OnlineResponderRevocationConfiguration
Get-PendingRequest
Get-PolicyModuleFlag
Get-RequestArchivedKey
Get-RevokedRequest
Import-LostCertificate
Install-CertificateResponse
New-SelfSignedCertificateEx
Ping-ICertInterface
Publish-CRL
Receive-Certificate
Register-ObjectIdentifier
Remove-AdCertificate
Remove-AdCertificateRevocationList (Alias: Remove-AdCrl)
Remove-AdcsDatabaseRow (Alias: Remove-Request)
Remove-AuthorityInformationAccess (Alias: Remove-AIA)
Remove-CAKRACertificate
Remove-CATemplate
Remove-CertificatePrivateKey
Remove-CertificateTemplate
Remove-CertificateTemplateAcl
Remove-CertificationAuthorityAcl (Alias: Remove-CAAccessControlEntry Remove-CAACL)
Remove-CRLDistributionPoint (Alias: Remove-CDP)
Remove-ExtensionList
Remove-OnlineResponderAcl (Alias: Remove-OCSPACL)
Remove-OnlineResponderArrayMember
Remove-OnlineResponderLocalCrlEntry
Remove-OnlineResponderRevocationConfiguration
Restart-CertificationAuthority
Restart-OnlineResponder
Restore-CertificateRevocationListFlagDefault (Alias: Restore-CRLFlagDefault)
Restore-KeyRecoveryAgentFlagDefault (Alias: Restore-KRAFlagDefault)
Restore-PolicyModuleFlagDefault
Revoke-Certificate
Set-AuthorityInformationAccess (Alias: Set-AIA)
Set-CACryptographyConfig
Set-CAKRACertificate
Set-CATemplate
Set-CertificateExtension
Set-CertificateTemplateAcl
Set-CertificateValidityPeriod
Set-CertificationAuthorityAcl (Alias: Set-CAACL Set-CASecurityDescriptor)
Set-CRLDistributionPoint (Alias: Set-CDP)
Set-CRLValidityPeriod
Set-ExtensionList
Set-OnlineResponderAcl (Alias: Set-OCSPACL)
Set-OnlineResponderProperty
Set-OnlineResponderRevocationConfiguration
Show-Certificate
Show-CertificateRevocationList (Alias: Show-CRL)
Show-CertificateTrustList (Alias: Show-CTL)
Start-CertificationAuthority
Start-OnlineResponder
Stop-CertificationAuthority
Stop-OnlineResponder
Submit-CertificateRequest
Test-WebServerSSL
Unregister-ObjectIdentifier

Start guide:

Run Windows PowerShell and Explore available commands:

Get-Command -Module PSPKI

Getting some help

If you don’t know how to use certain command and/or get help about certain parameters, examples you may run the following command:

# retrieve basic help
Get-Help CommandName
# retrieve detailed and full help content
Get-Help CommandName –Detailed
Get-Help CommandName –Full
# see help online:
Get-Help CommandName -Online
# retrieve help for particular parameter:
Get-Help CommandName –Parameter ParameterName
# retrieve command usage examples:
Get-Help CommandName –Examples

Useful tricks

Get-CertificationAuthority | Format-List *

Certain commands display only subset of predefined properties (like Get-CertificationAuthority). To show all of them use “Format-List *” command as follows:

Get-CertificationAuthority -Name MyCA | Get-PolicyModuleFlag | Select -ExpandProperty Flags

Even if you think that commands are too long for typing don’t forget about PowerShell command tab completion. You can type a part of command name and press tab button (for example Get-Ce). The same works for parameters (Get-Ce -N).

Module removal

If you wish to remove module from current PowerShell session run the following command:

Remove-Module PSPKI

However this command just unload module from a current session. You may re-load it by using Import-Module command.
To completely remove module from the system, uninstall installation package.

Installation

Option 1: The PowerShell PKI Module can be downloaded below or from the PowerShell Gallery

Option 2: In a PowerShell console by running the following command:

Install-Module -Name PSPKI

Download Now

Ready to dive into the PowerShell PKI Module? Just fill out your information and click the ‘Download’ button to get started!