PowerShell PKI Module Documentation
Add-ExtensionList
Synopsis
Adds certificate enabled/disabled extension lists.
Syntax
Add-ExtensionList [-InputObject] <ExtensionList[]> [[-EnabledExtension] <Oid[]>] [[-OfflineExtension] <Oid[]>] [[-DisabledExtension] <Oid[]>] [<CommonParameters>]
Description
Adds certificate enabled/disabled extension lists. Extensions are separated into 3 categories:
- EnabledExtensionList – contains extensions that the CA server will publish in each issued certificate upon request.
- OfflineExtensionList – contains the list of allowed extensions that the CA server will publish in issued certificates when an offline request is used.
- DisabledExtensionList – contains extensions that will not be published in a certificate even if the extension is specified in the request.
For more details, see the corresponding parameter descriptions.
Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx
Parameters
-InputObject <ExtensionList[]>
Specifies the ExtensionList object with configured extensions. This object can be retrieved by running the Get-ExtensionList command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
-EnabledExtension <Oid[]>
Specifies the list of certificate extensions that are added to the issued certificate upon request. This list is processed by a policy module each time the request is resolved (that is, each time an issued certificate is produced). Use this property carefully and do not enable security-critical extensions, such as Subject Alternative Names (SAN). The CA server performs additional extension processing by using the 'OfflineExtension' parameter.
Required? | False |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-OfflineExtension <Oid[]>
Specifies the list of certificate extensions that are added to the issued certificate for an offline request. An 'offline' request is a request that includes subject information, so the CA server does not use Active Directory to build the certificate's subject. For example, requests based on the default 'WebServer' certificate template are considered 'offline', because the template is configured to build the subject from the submitted request. If the certificate template is configured to build the subject from Active Directory, the OfflineExtensionList property has no effect and any extensions in the request are written to the CA database, but not included in the issued certificate.
For Standalone CAs, all requests are treated as 'offline'.
Required? | False |
Position? | 2 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-DisabledExtension <Oid[]>
Specifies one or more extension friendly names or extension OIDs to prevent from being published in certificates.
Required? | False |
Position? | 3 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
PKI.CertificateServices.PolicyModule.ExtensionList
Outputs
PKI.CertificateServices.PolicyModule.ExtensionList
Notes
Examples
Example 1
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -DisabledExtension "Certificate Template Name" | Set-ExtensionList -RestartCA
This example adds the 'Certificate Template Name' extension to the restricted extension list. As a result, the CA server will not publish this extension in issued certificates. After the configuration is changed, the command restarts certificate services to apply the changes immediately.
Example 2
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -EnabledExtension "Certificate Policies" | Set-ExtensionList -RestartCA
Adds the 'Certificate Policies' extension to the list of extensions that are allowed to be published in issued certificates. After the configuration is changed, the command restarts certificate services to apply the changes immediately.
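An added audit example, not part of the module's own documentation: it lists the three extension categories for the CA and checks whether Subject Alternative Names (OID 2.5.29.17) is in the enabled list, which the -EnabledExtension description warns against. The property names read from the ExtensionList object, the Remove-ExtensionList -EnabledExtension parameter and the $Remediate variable are assumptions made for this example.

```powershell
# Added example (not from the module documentation).
$caName    = 'Company-CA'   # CA name reused from the examples on this page
$sanOid    = '2.5.29.17'    # Subject Alternative Name extension OID
$Remediate = $false         # hypothetical switch: set to $true to change the CA

$list = Get-CertificationAuthority -Name $caName | Get-ExtensionList

# Assumption: the ExtensionList object exposes the three categories as Oid[]
# properties with the names used in the Description section of this page.
$categories = 'EnabledExtensionList', 'OfflineExtensionList', 'DisabledExtensionList'

$report = foreach ($category in $categories) {
    foreach ($oid in @($list.$category | Where-Object { $_ })) {
        [pscustomobject]@{
            Category     = $category
            Oid          = $oid.Value
            FriendlyName = $oid.FriendlyName
        }
    }
}
$report | Sort-Object Category, Oid | Format-Table -AutoSize

# Flag SAN in the enabled list: there it is copied from any request,
# including requests whose subject is built from Active Directory.
$sanEnabled = @($list.EnabledExtensionList | Where-Object { $_.Value -eq $sanOid })

if ($sanEnabled.Count -eq 0) {
    Write-Output "OK: SAN ($sanOid) is not in EnabledExtensionList on $caName."
}
elseif (-not $Remediate) {
    Write-Warning "SAN ($sanOid) is in EnabledExtensionList on $caName. Set `$Remediate = `$true to remove it."
}
else {
    # Assumption: Remove-ExtensionList takes -EnabledExtension like Add-ExtensionList.
    # SAN is only removed from the enabled list, not added to the disabled list,
    # so offline requests can still carry it if OfflineExtensionList allows it.
    $list |
        Remove-ExtensionList -EnabledExtension $sanOid |
        Set-ExtensionList -RestartCA
    Write-Output "Removed SAN ($sanOid) from EnabledExtensionList on $caName and restarted the CA."
}
```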
Related links
Get-CertificationAuthority
Connect-CertificationAuthority
Get-ExtensionList
Remove-ExtensionList
Set-ExtensionList
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions