PowerShell PKI Module Documentation
This command supports only Enterprise Certification Authorities.
Remove-CAKRACertificate
Synopsis
Removes a Key Recovery Agent (KRA) certificate from a specified Certification Authority (CA).
Syntax
Remove-CAKRACertificate [-InputObject] <KRA[]> [[-Thumbprint] <String[]>] [-ShowUI] [-InvalidOnly] [<CommonParameters>]
Description
Removes a key recovery agent certificate from a specified Certification Authority (CA). This command does not change the actual CA settings; it only prepares the KRA object. To change the KRAs on the CA, use this command in conjunction with the Set-CAKRACertificate command.
A Key Recovery Agent certificate is used to encrypt a user's certificate private key so that it can be stored in the CA database. If a user can no longer access his or her certificate private key, a Key Recovery Agent can recover it, provided that the key archival procedure was performed for that particular certificate.
Parameters
-InputObject <KRA[]>
Specifies the KRA object to process. This object can be retrieved by running the Get-CAKRACertificate command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
-Thumbprint <String[]>
Specifies one or more KRA certificate thumbprints to remove. The parameter also accepts thumbprint strings in 'certutil' style (all characters in lowercase and each octet separated by a space character), for example: '70 14 4a 76 3e 3a 66 27 56 89 8c 31 60 29 7c 8c bc d2 44 dc'.
Required? | False |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-ShowUI <SwitchParameter>
This parameter displays the currently assigned KRA certificates in a UI form. Select one or more KRA certificates to remove and click OK.
If this parameter is specified, all other parameters are ignored.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-InvalidOnly <SwitchParameter>
This parameter removes all currently assigned KRA certificates that fail to meet at least one of the following requirements:
— is time valid;
— is not revoked;
— issued by trusted certification authority;
— intended for key archival purposes.
This parameter is useful for sanity and health checks that ensure only valid key recovery agent certificates are assigned.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
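The four -InvalidOnly requirements can be approximated with .NET chain validation to preview which certificates fail them before a change is written with Set-CAKRACertificate. This is an added example, not code from the PSPKI module or its documentation, and the module's own checks may differ; Test-KraCertificate, $KraOid and the sample certificate are hypothetical or constructed, and the script assumes PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example, not PSPKI code. Names below are hypothetical.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$KraOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent EKU (key archival purpose)

function Test-KraCertificate {
    param([Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
        [void]$chain.Build($Certificate)            # status is read below, not the bool
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $chain.Dispose()
        $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $ekuOids = @(foreach ($oid in $eku.EnhancedKeyUsages) { $oid.Value })
        $now = Get-Date
        $result = [pscustomobject]@{
            Thumbprint     = $Certificate.Thumbprint
            TimeValid      = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
            NotRevoked     = $flags -notcontains [X509ChainStatusFlags]::Revoked
            # An unreachable CRL is reported separately: "unknown" is not "revoked".
            RevocationSeen = ($flags -notcontains [X509ChainStatusFlags]::RevocationStatusUnknown) -and
                             ($flags -notcontains [X509ChainStatusFlags]::OfflineRevocation)
            TrustedIssuer  = ($flags -notcontains [X509ChainStatusFlags]::UntrustedRoot) -and
                             ($flags -notcontains [X509ChainStatusFlags]::PartialChain)
            KeyArchivalEku = $ekuOids -contains $KraOid
        }
        # Failing any one of the four requirements marks the certificate as invalid.
        $invalid = -not ($result.TimeValid -and $result.NotRevoked -and
                         $result.TrustedIssuer -and $result.KeyArchivalEku)
        $result | Add-Member -NotePropertyName FailsRequirements -NotePropertyValue $invalid -PassThru
    }
}

# Constructed sample: an expired, self-signed certificate that carries the KRA EKU.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed KRA', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
[void]$oids.Add([Oid]::new($KraOid))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-30), [DateTimeOffset]::Now.AddDays(-1))

$sample | Test-KraCertificate | Format-List
```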
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
Outputs
Notes
Examples
Example 1
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Remove-CAKRACertificate -Thumbprint "70144A763E3A662756898C3160297C8CBCD244DC" | Set-CAKRACertificate -RestartCA
This example removes the key recovery agent certificate with thumbprint '70144A763E3A662756898C3160297C8CBCD244DC' from the 'MyCA' CA server. After the command completes, certificate services are restarted to apply the changes immediately.
Example 2
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Remove-CAKRACertificate -InvalidOnly | Set-CAKRACertificate -RestartCA
This example removes invalid KRA certificates from all CA servers in the current forest. After the command completes, certificate services are restarted to apply the changes immediately.
Example 3
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CAKRACertificate | Remove-CAKRACertificate -ShowUI | Set-CAKRACertificate -RestartCA
This example retrieves the currently assigned KRA certificates, displays a certificate selection UI where you can select certificates to remove, and writes the new KRA certificate list back to the Company-CA CA server. After the command completes, certificate services are restarted to apply the changes immediately.
Related links
Get-CertificationAuthority
Connect-CertificationAuthority
Get-CAKRACertificate
Add-CAKRACertificate
Set-CAKRACertificate
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions