Get-QADCertificate
From PowerGUI Wiki
Retrieve X.509 certificates that match the desired conditions.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Get-QADCertificate [-Store] <X509CertificateStoreUI> [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Expired] [-FriendlyName <string[]>] [-HasPrivateKey] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [<CommonParameters>]
Get-QADCertificate [-NativeCertificate] <X509Certificate2> [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Expired] [-FriendlyName <string[]>] [-HasPrivateKey] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [<CommonParameters>]
Get-QADCertificate [-DirObj] <IGenericDirectoryObject> [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Expired] [-FriendlyName <string[]>] [-HasPrivateKey] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [<CommonParameters>]
Get-QADCertificate [-Signature] <Signature> [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Expired] [-FriendlyName <string[]>] [-HasPrivateKey] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [<CommonParameters>]
Detailed Description
Use this cmdlet to retrieve X.509 certificates from a certificate store or an Active Directory object. The cmdlet retrieves the certificates that satisfy the conditions you configure using the cmdlet parameters. Each of the output objects represents a certificate retrieved by this cmdlet, and can be passed to other cmdlets such as Export-QADCertificate, Edit-QADCertificate, or Show-QADCertificate.
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| AllEnhancedKeyUsages | Use this parameter to specify the object identifiers (OIDs) that indicate the intended purposes of the public key contained in the certificate to retrieve, in addition to or in place of the key usage setting. Parameter value can be one or more OIDs or OID friendly names separated by commas. A list of some enhanced key usage OIDs can be found in Microsoft's article "IX509ExtensionEnhancedKeyUsage Interface" at msdn.microsoft.com/en-us/library/aa378132.aspx
This parameter causes the cmdlet to retrieve a certificate if the intended purposes of the certificate's key match all of the OIDs specified. | false | false | |
| AllKeyUsages | Use this parameter to specify the key usage purpose for the certificates you want to retrieve. Parameter value can be any member of the X509KeyUsageFlags enumeration, such as EncipherOnly or DigitalSignature. For a complete list of the enumeration members, see the "X509KeyUsageFlags Enumeration" article in Microsoft's .NET Framework Class Library at msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keyusageflags.aspx
You can supply multiple members as an attribute value, separating them by commas. In this case, the cmdlet retrieves a certificate only if the certificate's key is intended for each of the purposes defined by the members you specified. The permitted values are those listed in the Syntax section: None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly. | false | false | |
| AnyEnhancedKeyUsage | Use this parameter to specify the object identifiers (OIDs) that indicate the intended purposes of the public key contained in the certificate to retrieve, in addition to or in place of the key usage setting. Parameter value can be one or more OIDs or OID friendly names separated by commas. A list of some enhanced key usage OIDs can be found in Microsoft's article "IX509ExtensionEnhancedKeyUsage Interface" at msdn.microsoft.com/en-us/library/aa378132.aspx
This parameter causes the cmdlet to retrieve a certificate if the intended purposes of the certificate's key match any of the OIDs specified. | false | false | |
| AnyKeyUsage | Use this parameter to specify the key usage purpose for the certificates you want to retrieve. Parameter value can be any member of the X509KeyUsageFlags enumeration, such as EncipherOnly or DigitalSignature. For a complete list of the enumeration members, see the "X509KeyUsageFlags Enumeration" article in Microsoft's .NET Framework Class Library at msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keyusageflags.aspx
You can supply multiple members as an attribute value, separating them by commas. In this case, the cmdlet retrieves a certificate if the certificate's key is intended for any of the purposes defined by the members you specified. The permitted values are those listed in the Syntax section: None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly. | false | false | |
| CertificateAuthority | Supply this parameter to retrieve only certification authority (CA) certificates. (CA certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two certification authorities.) If you want to retrieve only the certificates that are not CA certificates, use the following syntax: -CertificateAuthority:$false. | false | false | |
| DirObj | Parameter value is an object representing the directory object, such as a user account, from which to retrieve certificates. To retrieve certificates that are assigned to a particular user in Active Directory, retrieve the corresponding user account by using Get-QADUser and then pass the output object to this parameter (see examples). | true | true (ByValue) | |
| Expired | Supply this parameter to retrieve only expired certificates (a certificate is considered expired after the certificate's expiration date). If you want to retrieve only the certificates that are not expired, use the following syntax: -Expired:$false. | false | false | |
| FriendlyName | Use this parameter to specify the friendly name associated with the certificate to retrieve. You can supply an array of strings each of which represents the friendly name of a single certificate, to retrieve the certificates that have any of the specified names.
Friendly name is an optional property of a certificate that can be set on an as-needed basis. It is possible to assign a friendly name to a certificate so the certificate can be easily identified. | false | false | |
| HasPrivateKey | Supply this parameter to retrieve only certificates containing a private key. With this parameter, the cmdlet retrieves a certificate only if the certificate has a private key associated with it. Without this parameter, the cmdlet does not consider the presence of a private key. If you want to retrieve only the certificates that do not contain a private key, use the following syntax: -HasPrivateKey:$false. | false | false | |
| IssuedBy | Use this parameter to specify the name of the certification authority (CA) that issued the certificate to retrieve. You can supply an array of strings each of which represents the name of a single CA, to retrieve the certificates that were issued by any of the certification authorities specified. | false | false | |
| IssuedTo | Use this parameter to specify the name of the principal to which the sought-for certificate was issued. You can supply an array of strings each of which represents a single principal's name, to retrieve the certificates that were issued to any of the principals specified. | false | false | |
| IssuerDN | Use this parameter to specify the issuer distinguished name of the certificate to retrieve. You can supply an array of strings each of which represents the distinguished name of a single certificate's issuer, to retrieve the certificates issued by any of the issuers specified.
The issuer distinguished name identifies the certification authority (CA) that issued the certificate. A distinguished name consists of name attributes, for example, "CN=Name,OU=OrgUnit,C=US". | false | false | |
| KeyAlgorithm | Use this parameter to specify the key algorithm information, in string format, for the certificate you want to retrieve. Parameter value is the object identifier (OID) or OID's friendly name that identifies the algorithm. You can specify an array of strings each of which identifies a certificate's key algorithm, to retrieve the certificates that use any of the specified key algorithms. | false | false | |
| KeyAlgorithmParameters | Use this parameter to specify the hexadecimal string representing the key algorithm parameters of the certificate to retrieve. You can supply an array of strings each of which represents the key algorithm parameters of a single certificate, to retrieve the certificates that have any of the specified key algorithm parameters. | false | false | |
| NativeCertificate | Parameter value is a native object provided by the .NET Framework to represent X.509 certificates, such as an object of the X509Certificate2 class. The cmdlet retrieves the certificate data from that object if the certificate matches the conditions specified by the cmdlet parameters, and represents the certificate in the form of an object that can be recognized by the ActiveRoles Management Shell cmdlets for certificate management. | true | true (ByValue) | |
| PrivateKeyExportable | Supply this parameter to retrieve certificates containing an exportable private key. With this parameter, the cmdlet retrieves a certificate if the private key associated with the certificate can be exported. Without this parameter, the cmdlet does not consider whether the private key can be exported. If you want to retrieve certificates whose private key cannot be exported, use the following syntax: -PrivateKeyExportable:$false. | false | false | |
| PrivateKeyProtected | Supply this parameter to retrieve certificates containing a protected private key. With this parameter, the cmdlet retrieves a certificate if the private key associated with the certificate is protected. Without this parameter, the cmdlet does not consider whether the private key is protected. If you want to retrieve certificates whose private key is not protected, use the following syntax: -PrivateKeyProtected:$false. | false | false | |
| PublicKey | Use this parameter to specify the hexadecimal string representing the public key of the certificate to retrieve. You can supply an array of strings each of which represents the public key associated with a single certificate, to retrieve the certificates that contain any of the keys specified. | false | false | |
| Revoked | Supply this parameter to retrieve only revoked certificates. If you want to retrieve only the certificates that are not revoked, use the following syntax: -Revoked:$false. | false | false | |
| SerialNumber | Use this parameter to specify the serial number of the certificate to retrieve. You can supply an array of strings each of which represents the serial number of a single certificate, to retrieve the certificates that have any of the specified serial numbers.
The serial number of a certificate is a unique number assigned to the certificate by the certification authority (CA) that issued the certificate. | false | false | |
| Signature | This parameter is intended to receive output objects of the Get-AuthenticodeSignature cmdlet. You can use this parameter, in conjunction with Get-AuthenticodeSignature, to retrieve certificates that were used to sign particular files: get information about the Authenticode signature in a file and then pass the corresponding object to the Signature parameter, thereby identifying the certificate to find. | true | true (ByValue) | |
| SignatureAlgorithm | Use this parameter to specify the object identifier (OID) or OID's friendly name that identifies the type of the encryption algorithm used to create the signature of the certificate to retrieve. You can supply an array of strings each of which identifies a single certificate's signature algorithm, to retrieve the certificates that use any of the algorithms specified. | false | false | |
| Store | Parameter value is an object that identifies the certificate store from which to retrieve certificates. Normally, this is an output object of the Get-QADLocalCertificateStore cmdlet. | true | true (ByValue) | |
| SubjectDN | Use this parameter to specify the subject distinguished name of the certificate to retrieve. You can supply an array of strings each of which represents the distinguished name of a single certificate's subject, to retrieve the certificates issued to any of the subjects specified.
The subject distinguished name is a textual representation of the certificate's subject. This representation consists of name attributes, for example, "CN=Name,OU=OrgUnit,C=US". | false | false | |
| SubjectKeyIdentifier | Use this parameter to specify the subject key identifier (SKI) of the certificate to retrieve. You can supply an array of strings each of which represents a single certificate's SKI encoded in hexadecimal format.
The subject key identifier can be used to differentiate between multiple public keys held by the certificate subject. The SKI value is typically a SHA-1 hash of the key. | false | false | |
| Template | Use this parameter to specify the certificate template of the certificate to retrieve. Parameter value is the name of a certificate template. You can supply an array of strings each of which represents the name of a certificate template, to retrieve the certificates that are based on any of the templates specified. | false | false | |
| Thumbprint | Use this parameter to specify the thumbprint of the certificate to retrieve. You can supply an array of strings each of which represents the thumbprint of a single certificate, to retrieve multiple certificates at a time.
The thumbprint is a hash value generated using the SHA-1 algorithm that uniquely identifies the certificate. As such, the thumbprint of a certificate is commonly used to find the certificate in a certificate store. | false | false | |
| Valid | Supply this parameter to retrieve only valid certificates. If you want to retrieve only the certificates that are not valid, use the following syntax: -Valid:$false. | false | false | |
| Version | Parameter value is the X.509 format version of the certificates to retrieve. For example, to search for X.509 version 3 certificates, supply the parameter value of 3. An array of numbers causes the cmdlet to retrieve certificates whose X.509 format version matches any of the numbers specified. | false | false | |
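The filter parameters above are most useful when combined. The following added script (not from the PowerGUI Wiki page or the ActiveRoles product) audits the current user's personal store for private-key material that is easy to copy off the host and for stale or anomalous certificates. It assumes the ActiveRoles snap-in is already loaded and that Get-QADLocalCertificateStore accepts the standard store name "My" (the page itself only shows "Root").

```powershell
# Added example: audit the CurrentUser "My" store with Get-QADCertificate filters.
# Assumption: Get-QADLocalCertificateStore accepts the standard store name "My".
$store = Get-QADLocalCertificateStore My

# 1. Unexpired certificates whose private key is exportable and not protected.
#    Anyone who can read the store can turn these into a reusable credential,
#    so they are the first thing to review (or re-enrol as non-exportable).
$weak = $store | Get-QADCertificate -HasPrivateKey -PrivateKeyExportable `
                                    -PrivateKeyProtected:$false -Expired:$false

# 2. Expired certificates that still carry a private key: dead material that
#    should be removed rather than left in the store.
$stale = $store | Get-QADCertificate -Expired -HasPrivateKey

# 3. Certificates that are NOT CA certificates but whose key usage still permits
#    signing certificates or CRLs. This combination is unusual for an end-entity
#    certificate and worth a second look. The key-usage list is passed as one
#    quoted string so PowerShell converts it to a single X509KeyUsageFlags value.
$odd = $store | Get-QADCertificate -CertificateAuthority:$false `
                                   -AnyKeyUsage 'KeyCertSign,CrlSign'

# 4. Valid client-authentication certificates (EKU OID 1.3.6.1.5.5.7.3.2) that were
#    issued by a CA whose name we do not expect; the issuer pattern is a placeholder.
$foreign = $store | Get-QADCertificate -Valid -AnyEnhancedKeyUsage '1.3.6.1.5.5.7.3.2' `
                                       -IssuerDN '*Unexpected-CA-Name*'

"Exportable, unprotected private keys : {0}" -f @($weak).Count
"Expired certificates with private key: {0}" -f @($stale).Count
"Non-CA certs with KeyCertSign/CrlSign: {0}" -f @($odd).Count
"Client-auth certs from unexpected CA : {0}" -f @($foreign).Count

# Show the highest-risk group in full for follow-up.
$weak | Format-List
```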
Input Type
Quest.ActiveRoles.ArsPowerShellSnapIn.X509CertificateStorageUI, Quest.ActiveRoles.ArsPowerShellSnapIn.UI.GenericDirectoryObject, System.Security.Cryptography.X509Certificates.X509Certificate2
Return Values
Quest.ActiveRoles.ArsPowerShellSnapIn.X509CertificateUI
Examples
EXAMPLE 1
Get-QADLocalCertificateStore Root | Get-QADCertificate
Description
Retrieve all certificates from the Trusted Root Certification Authorities certificate store in the CurrentUser store location.
EXAMPLE 2
Get-QADUser domainName\userName | Get-QADCertificate
Description
Retrieve all certificates that are mapped to the specified user account in Active Directory.
EXAMPLE 3
Get-QADUser | Get-QADCertificate -IssuerDN '*Microsoft*','*VeriSign*'
Description
Retrieve all certificates issued by Microsoft or VeriSign that are mapped to user accounts in your Active Directory domain.
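The Signature parameter set is not covered by the examples above. The following added script (not from the PowerGUI Wiki page or the ActiveRoles product) uses it with Get-AuthenticodeSignature to check the certificate that signed a file before the file is trusted. The file path and the expected publisher name are placeholders, and wildcard support in IssuedTo is assumed by analogy with Example 3's IssuerDN patterns.

```powershell
# Added example: resolve and vet the certificate behind a file's Authenticode signature.
$file              = 'C:\Downloads\installer.exe'   # placeholder path
$expectedPublisher = 'Example Publisher*'           # placeholder; wildcard assumed

# Get-AuthenticodeSignature (built into PowerShell) returns a Signature object.
$sig = Get-AuthenticodeSignature -FilePath $file

# First gate: the signature itself must verify. Anything other than Valid
# (NotSigned, HashMismatch, UnknownError, ...) means the file was altered or
# never signed, so the certificate is irrelevant.
if ($sig.Status -ne 'Valid') {
    Write-Warning "$file : signature status is $($sig.Status); do not trust this file."
    return
}

# Second gate: pass the Signature object to -Signature and let the cmdlet filter.
# The certificate must be currently valid, not revoked, issued to the publisher we
# expect, and carry the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3).
$signer = $sig | Get-QADCertificate -Valid -Revoked:$false `
                                    -IssuedTo $expectedPublisher `
                                    -AnyEnhancedKeyUsage '1.3.6.1.5.5.7.3.3'

if (-not $signer) {
    Write-Warning "$file : signer certificate failed the validity, revocation, publisher or EKU check."
    return
}

"Signer certificate for $file accepted:"
$signer | Format-List
```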
