PowerShell PKI Module Documentation

Documentation Home
This command requires installed Remote Server Administration Tools (RSAT)

Disable-CertificateRevocationListFlag

Synopsis

Disables certificate revocation list settings (flag) for specified CA server.

Syntax

Disable-CertificateRevocationListFlag [-InputObject] <CRLFlag[]> [-Flag] <CRLFlagEnum> [-RestartCA] [<CommonParameters>]

Description

Disables certificate revocation list settings (flag) for a specified CA server. These flags affects only to a CA server where they are defined.

Parameters

-InputObject <CRLFlag[]>

Specifies the CRLFlag object to process. This object can be retrieved by running Get-CertificateRevocationListFlag command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Flag <CRLFlagEnum>

Specifies the flag to disable. The following flag (of flags) can be used:

DeltaUseOldestUnexpiredBase – the CA server will use oldest unexpired Base CRL for certificate revocation checking. Otherwise, the most recent Base CRL is used.
DeleteExpiredCRLs – deletes CRLs signed by the expired CA keys.
CRLNumberCritical – the CA server will mark CRL Number extension as critical. If a target application doesn't recognize this extension, a CRL will be rejected.
RevCheckIgnoreOffline – the CA cerver will ignore certificate revocation checking failures (not recommended).
IgnoreInvalidPolicies – the CA server will ignore invalid Certificate Policies extension in requests.
RebuildModifiedSubjectOnly – when a CA server is configured to use the unmodified subject that is supplied in the certificate request, the policy module should not make any changes to the subject that is in the certificate request
SaveFailedCerts – N/A
IgnoreUnknownCMCAttributes – the CA server ignores unknown CMC attributes in the request.
IgnoreCrossCertTrustError – the CA server ignores trust errors for cross-certificates during certificate chain building.
PublishExpiredCertCRLs – the CA will publish expired revoked certificates in CRLs.
EnforceEnrollmentAgent – the CA enforces enrollment agent restrictions.
DisableRDNReorder – the CA server will not re-order relative distinguished name (RDN) in the certificate request.
DisableRootCrossCerts – instruct Root CA server to not generate root cross-certificates after Root CA renewal with new key pair.
LogfullResponse – the CA will dump request response to console.
UseXCHGCertTemplate – instructs CA server to use CA Exchange template instead of using automatically generated short-lived certificates for key archival.
UseCrossCertTemplate – instruct Root CA server to use Cross Certification Authority template during Root CA renewal with new key pair, instead of using automatically generated cross-certificates.
AllowRequestAttributeSubject – the CA server will accept certificate subject submitted as a part of request attributes.
DisableChainVerification – the CA server will not try to build chain for a certificate.
RevCheckIgnoreNoRevCheck – the CA server ignores empty CRL Distribution Points (CDP) extension for non-root certificates.
PreserveExpiredCerts – the CA server will preserve CA certificate in database and certificate store even if the certificate is not timely valid.
PreserveRevokedCACerts – the CA server will preserve CA certificate in database and certificate store even if the certificate is revoked.
BuildRootCACRLEntriesBasedOnKey – N/A

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts CertSvc service on the specified CA server to immediately apply changes.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.Flags.CRLFlag

Outputs

PKI.CertificateServices.Flags.CRLFlag

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-CRLFlag | Disable-CRLFlag "RevCheckIgnoreOffline", "RevCheckIgnoreNoRevCheck" -RestartCA

The command will instruct CA server to fail if certificate revocation status cannot be determined (aka "RevocationOffline") and/or non-root certificate has empty CDP extension (or CDP extension is not present). After the configuration is changed, the command will restart certificate services to immediately apply changes.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CertificateRevocationListFlag
Enable-CertificateRevocationListFlag
Restore-CertificateRevocationListFlagDefault

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions