
PowerShell PKI Module Documentation

This command requires the Remote Server Administration Tools (RSAT) to be installed.

Set-CertificateExtension

Synopsis

Adds or disables certificate extensions in a pending certificate request.

Syntax

Set-CertificateExtension [-Request] <Object> [-Extension] <Object[]> [-Remove] [<CommonParameters>]

Description

Adds or disables certificate extensions in a pending certificate request.

Note: for this command to succeed, the certificate request must be pending.

Parameters

-Request <Object>

Specifies the particular request object. Request objects can be retrieved by running the Get-PendingRequest command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Extension <Object[]>

Specifies the extension to add or remove. Depending on the 'Remove' switch, the following object types are accepted:

— if the 'Remove' switch is set to $false, this parameter must be an array of System.Security.Cryptography.X509Certificates.X509Extension objects or a single System.Security.Cryptography.X509Certificates.X509ExtensionCollection object. In this case, the specified extension or extensions will be added.
— if the 'Remove' switch is set to $true, this parameter must be an array of System.Security.Cryptography.Oid objects, where each object identifier denotes the extension to disable.

Certificate extension objects are constructed out-of-band by using native .NET or extended extension classes. The .NET extension classes are defined in the X509Certificates namespace:
— .NET native extensions: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography.X509Certificates.aspx
— extended extension classes: https://www.pkisolutions.com/apidocs/pkix.net/html/N_System_Security_Cryptography_X509Certificates.htm

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Remove <SwitchParameter>

Specifies whether to disable the certificate extensions specified in the 'Extension' parameter. See the 'Extension' parameter for how this switch changes the command's behavior.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow

Outputs

SysadminsLV.PKI.Utils.IServiceOperationResult

Notes

Examples

Example 1

PS C:\> $altName = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","owa.company.com"
PS C:\> $altName2 = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName","www.company.com"
PS C:\> $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
PS C:\> $altName, $altName2 | %{[void]$altNames.Add($_)}
PS C:\> $SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $altNames, $false
PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1631 | Set-CertificateExtension -Extension $SAN | Approve-CertificateRequest

This example demonstrates the general technique for creating an X509Extension object. We create a subject alternative name (SAN) extension with two alternative names: DnsName=owa.company.com and DnsName=www.company.com. The alternative names are added to an alternative name collection, and the collection is used to construct the SAN extension. The last line adds the new extension to the pending request with request ID 1631 and approves the modified request. The issued certificate will contain the new SAN extension.

Example 2

PS C:\> Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1632 | Set-CertificateExtension -Extension "Subject Alternative Name" -Remove | Approve-CertificateRequest

In this example, we assume that the pending request has an unwanted subject alternative name (SAN) extension. The command retrieves the pending request object, disables (removes) the unwanted extension, and issues the certificate. The issued certificate will not have the requested SAN extension.
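
The following is an added example, not part of the module's own documentation: it validates operator-approved DNS names before building the SAN extension and, when no names are approved, disables the SAN by passing a System.Security.Cryptography.Oid object with -Remove. The CA name, request ID 1633, the names, the ".company.com" suffix rule and the helper New-VettedSanExtension are assumptions made for illustration.

```powershell
# Added example. CA name, request ID, names and suffix rule are constructed placeholders.
$vettedNames   = @("owa.company.com", "www.company.com")   # approved by the operator; @() means "no SAN"
$allowedSuffix = ".company.com"
$sanOid        = New-Object Security.Cryptography.Oid "2.5.29.17"   # Subject Alternative Name

# Hypothetical helper: validates every name first, then builds the SAN extension.
function New-VettedSanExtension([string[]]$DnsName, [string]$Suffix) {
    # Dot-separated labels of letters, digits and hyphens; wildcards and blanks are rejected.
    $label   = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    $pattern = '^' + $label + '(\.' + $label + ')+$'
    $altNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection
    foreach ($name in $DnsName) {
        $n = $name.Trim().ToLowerInvariant()
        if ($n -notmatch $pattern)     { throw "Not a valid DNS host name: '$name'" }
        if (-not $n.EndsWith($Suffix)) { throw "'$name' is outside the allowed suffix $Suffix" }
        $alt = New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName", $n
        [void]$altNames.Add($alt)
    }
    # Second constructor argument is the critical flag.
    New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $altNames, $false
}

$request = Get-CertificationAuthority "ca01.company.com" | Get-PendingRequest -RequestID 1633
if (-not $request) { throw "Request 1633 is not pending on ca01.company.com" }

if ($vettedNames.Count -eq 0) {
    # -Remove takes Oid objects; each OID names an extension to disable.
    Set-CertificateExtension -Request $request -Extension $sanOid -Remove
} else {
    # Validation throws before the request is touched if any name fails the checks.
    $san = New-VettedSanExtension -DnsName $vettedNames -Suffix $allowedSuffix
    Set-CertificateExtension -Request $request -Extension $san
}
# Approval is left as a separate, deliberate step (Approve-CertificateRequest).
```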

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-PendingRequest
Approve-CertificateRequest

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions