Remove-ExtensionList

Synopsis

Removes certificate enabled/disabled extension lists.

Syntax

Remove-ExtensionList [-InputObject] <ExtensionList[]> [[-EnabledExtension] <Oid[]>] [[-OfflineExtension] <Oid[]>] [[-DisabledExtension] <Oid[]>] [<CommonParameters>]

Description

Removes certificate enabled/disabled extension lists. Extensions are sorted in 3 categories:

EnabledExtensionList – contains extensions that CA server will publish in each issued certificate upon request.
OfflineExtensionList – contains allowed extension list that CA server will publish in issued certificates when offline request is used.
DisabledExtensionList – contains extensions that will not be published in certificate even if this extension is specified in the request.

For more details see corresponding parameter description.

Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx

Parameters

-InputObject <ExtensionList[]>

Specifies existing ExtensionList object. This object can be retrieved by running Get-ExtensionList command.

-EnabledExtension <Oid[]>

Specifies the list of certificate extensions to remove that are added to the issued certificate upon request. This list is processed by policy module each time the request is resolved (produces issued certificate). You should carefully use this property and do not enable security-critical extension, like Subject Alternative Names (SAN). CA server performs additional extension processing by using '-OfflineExtension' parameter.

-OfflineExtension <Oid[]>

Specifies the list of certificate extensions to remove that are added to the issued certificate against offline request. 'offline' request is such request which includes subject information and CA server do not use Active Directory to build certificate's subject. For example, requests based on default 'WebServer' certificate template are considered as 'offline', because the template is configured to build the subject from submitted request. If certificate template is configured to build the subject from Active Directory, OfflineExtensionList property has no effect and any extensions in the request are written to CA database, but not included in issued certificate.

For Standalone CAs, all requests are treated as 'offline'.

-DisabledExtension <Oid[]>

Remove specified extension by it's friendly name or extension OID to prevent from publishing in issued certificates.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.PolicyModule.ExtensionList

Outputs

PKI.CertificateServices.PolicyModule.ExtensionList

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name Company-CA | Remove-ExtensionList -OfflineExtension "Subject Alternative Name" | Set-ExtensionList -RestartCA

This example will remove 'Subject Alternative Name' extension from allowed extensions in request. As the result CA server will publish this extension in 'offline' certificate requests.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-ExtensionList
Add-ExtensionList
Set-ExtensionList

Minimum PowerShell version support

• Windows PowerShell 3.0

Operating System Support

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows 11
• Windows Server 2008 R2 all editions
• Windows Server 2012 all editions
• Windows Server 2012 R2 all editions
• Windows Server 2016 all editions
• Windows Server 2019 all editions
• Windows Server 2022 all editions