Get-QADPKIObject
From PowerGUI Wiki
Retrieve objects from PKI-related containers in Active Directory, such as the Certification Authorities, AIA or CDP container, or NTAuthCertificates object.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Get-QADPKIObject [-Container] <PKIContainerType[]> [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-Forest <string>] [-Proxy] [-Service <string>] [-UseGlobalCatalog] [<CommonParameters>]
Detailed Description
Use this cmdlet to retrieve objects from the PKI-related containers in which certification authorities (CAs) publish certificates, certificate revocation lists (CRLs), and other data to Active Directory. The output objects can be piped to the cmdlets that retrieve certificates (Get-QADCertificate) or certificate revocation lists (Get-QADCertificateRevocationList) published in Active Directory.
The cmdlet can retrieve data from the following Active Directory containers:
Certification Authorities (RootCA) This is the publication point for the trusted root certification authorities' (CA) certificates. Publishing a root CA's certificate to the Certification Authorities container causes all domain members to import the root CA's certificate into their own trusted root CA stores. Objects in this container hold certificates for trusted root CAs in the forest. Root CA certificates are added automatically when an enterprise admin sets up an enterprise root CA or stand-alone root CA that is joined to the domain. Root CA certificates can also be added or removed from this container by using the Publish- or Unpublish-QADCertificate cmdlet.
Authority information access (AIA) This is the publication point for the currently published CA certificates of root and intermediate certification authorities. Publishing CA certificates to the AIA container lets clients locate CA certificates dynamically during certificate chain building. The CA certificates in the AIA container are also deployed through group policy into every client computer's Intermediate Certification Authorities store. Objects in this container hold CA certificates that clients retrieve via the authority information access (AIA) certificate extension to build a valid certificate chain, as well as any cross-certificates issued by the CA. The Publish- or Unpublish-QADCertificate cmdlet can be used to add or remove certificates from this container.
NTAuthCertificates (NTAuthCA) Publishing CA certificates to the NTAuthCertificates object indicates that these CAs are trusted to both (1) issue authentication (logon) certificates for any user in the forest and (2) enable logon for smart cards, IIS certificate mapping, and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The CA certificates in the NTAuthCertificates object are also deployed through group policy into every client computer's Intermediate Certification Authorities store. Normally, this object contains all of the CA certificates in the current forest. Certificates are added automatically when a new CA is installed by an enterprise admin. Certificates can also be added or removed from this object by using the Publish- or Unpublish-QADCertificate cmdlet. Because every CA listed in this object is trusted to issue logon certificates for any user in the forest, its contents deserve the same scrutiny as the trusted root store: an unexpected entry here is a forest-wide authentication trust, not just a chain-building aid.
CRL distribution point (CDP) This is the publication point for the certification authorities' (CA) certificate revocation lists (CRL). Publishing a CA's certificate revocation list to the CDP container enables all domain members to verify the revocation status of certificates issued by the CA. Objects in this container hold all base CRLs and delta CRLs published in the forest. Certificate revocation lists can be added or removed from this container by using the Publish- or Unpublish-QADCertificateRevocationList cmdlet.
For every Active Directory forest, these containers are located in the forest's Configuration naming context under CN=Public Key Services,CN=Services (that is, CN=Public Key Services,CN=Services,CN=Configuration,DC=<forest root domain>), and are therefore replicated to every domain controller in the forest.
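The following script is an added example, not code from the PowerGUI wiki page or from the Quest cmdlet. It reads the same four publication points over plain LDAP with the built-in ADSI adapter and the .NET DirectorySearcher, so that what Get-QADPKIObject returns can be cross-checked from a session without the Quest snap-in. It assumes only a domain-joined session; the Configuration naming context is discovered from RootDSE and the container names follow the layout described above. The attribute names (cACertificate on certificationAuthority objects, certificateRevocationList and deltaRevocationList on cRLDistributionPoint objects) are the standard AD schema attributes for these objects.

```powershell
# Added example, not part of the PowerGUI wiki page or the Quest cmdlet:
# enumerate the Public Key Services publication points directly over LDAP.
# Assumes a domain-joined session; the Configuration NC comes from RootDSE.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# The four locations Get-QADPKIObject exposes, with the object class that
# carries the data in each. NTAuthCertificates is a single object, so the
# subtree search returns the base object itself.
$locations = @(
    @{ Name = 'RootCA';   Base = "CN=Certification Authorities,$pkiBase"; Filter = '(objectClass=certificationAuthority)' }
    @{ Name = 'AIA';      Base = "CN=AIA,$pkiBase";                       Filter = '(objectClass=certificationAuthority)' }
    @{ Name = 'NTAuthCA'; Base = "CN=NTAuthCertificates,$pkiBase";        Filter = '(objectClass=certificationAuthority)' }
    @{ Name = 'CDP';      Base = "CN=CDP,$pkiBase";                       Filter = '(objectClass=cRLDistributionPoint)' }
)

function ConvertFrom-DerCertificate {
    # cACertificate values are DER-encoded X.509 certificates
    param([byte[]]$Der)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
}

$report = foreach ($loc in $locations) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$($loc.Base)"
    $searcher.SearchScope = 'Subtree'   # CDP nests one container per CA host
    $searcher.Filter      = $loc.Filter
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'cACertificate', 'certificateRevocationList', 'deltaRevocationList'))

    $results = $searcher.FindAll()
    foreach ($result in $results) {
        $props = $result.Properties          # keys are lower-case
        $name  = [string]$props['cn'][0]

        if ($loc.Name -eq 'CDP') {
            # .NET Framework has no managed CRL parser; report presence and size of
            # the base and delta CRLs and leave decoding to certutil or the Quest cmdlet.
            $base  = $props['certificaterevocationlist']
            $delta = $props['deltarevocationlist']
            $baseLen  = if ($base.Count  -gt 0) { ([byte[]]$base[0]).Length }  else { 0 }
            $deltaLen = if ($delta.Count -gt 0) { ([byte[]]$delta[0]).Length } else { 0 }
            [pscustomobject]@{
                Location = $loc.Name; Object = $name; Subject = $null; NotAfter = $null; Thumbprint = $null
                Note     = "base CRL $baseLen bytes, delta CRL $deltaLen bytes"
            }
            continue
        }

        foreach ($der in $props['cacertificate']) {
            # Skip empty placeholder values some objects carry before a CA is installed
            if (-not $der -or $der.Length -lt 2) { continue }
            $cert = ConvertFrom-DerCertificate ([byte[]]$der)
            [pscustomobject]@{
                Location = $loc.Name; Object = $name
                Subject  = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint
                Note     = if ($cert.Subject -eq $cert.Issuer) { 'self-signed' } else { "issued by $($cert.Issuer)" }
            }
        }
    }
    $results.Dispose()
}

# NTAuthCA entries are the ones that matter most: each is trusted to issue logon
# certificates for any user in the forest.
$report | Sort-Object Location, Object | Format-Table Location, Object, Subject, NotAfter, Thumbprint, Note -AutoSize
```

Run the script on a domain controller or any domain member and compare its RootCA, AIA and NTAuthCA rows with the output of `Get-QADPKIObject RootCA,AIA,NTAuthCA | Get-QADCertificate`; a certificate that appears in one listing but not the other points at a replication lag or at a search scope that differs from the cmdlet's.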
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| Connection | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionAccount | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| ConnectionPassword | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Container | Use this parameter to specify the PKI-related containers from which you want to retrieve data. The possible parameter values are: RootCA (the Certification Authorities container, which holds trusted root CA certificates); AIA (the authority information access container); SubCA (same as AIA); CDP (the CRL distribution point container); NTAuthCA (the NTAuthCertificates object). | true | true (ByValue) | |
| Credential | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Forest | Use this parameter to identify the Active Directory forest of the PKI-related containers from which you want to retrieve data. Parameter value is the fully qualified distinguished name of the forest root domain. This parameter only has an effect on the operations being performed through ActiveRoles Server (connection established using the Proxy parameter). In case of a proxy connection, the Forest parameter is required to identify the forest of the target PKI-related containers, since ActiveRoles Server could be configured to manage domains from more than one forest. | false | true (ByPropertyName) | |
| Proxy | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| Service | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
| UseGlobalCatalog | For parameter description, see help on the Connect-QADService cmdlet. | false | false | |
Examples
EXAMPLE 1
Get-QADPKIObject RootCA,AIA | Get-QADCertificate
Description
Retrieve all the certificates that are published in either the Certification Authorities (RootCA) container or the AIA container.
EXAMPLE 2
Get-QADPKIObject CDP | Get-QADCertificateRevocationList
Description
Retrieve all the certificate revocation lists (base and delta CRLs) that are published in the forest's CDP container.
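The script below is an added example that builds on EXAMPLE 1 and EXAMPLE 2; it is not from the PowerGUI wiki page. It audits the NTAuthCertificates object through the Quest cmdlets and shows the Proxy/Forest form of the call. It assumes the Quest snap-in is loaded and that the objects emitted by Get-QADCertificate expose the usual X509Certificate2 members (Subject, Issuer, NotAfter, Thumbprint); if the cmdlet wraps them differently, adjust those property names. The forest DN DC=example,DC=com is a placeholder.

```powershell
# Added example, not part of the PowerGUI wiki page. Assumes the Quest
# ActiveRoles snap-in is loaded and that Get-QADCertificate output exposes
# X509Certificate2 members (Subject, Issuer, NotAfter, Thumbprint).

# CAs trusted to issue logon certificates for every user in the forest
$ntAuth = Get-QADPKIObject NTAuthCA | Get-QADCertificate

# Trusted root publication point, used to cross-reference self-signed entries
$roots  = Get-QADPKIObject RootCA | Get-QADCertificate

$findings = foreach ($cert in $ntAuth) {
    $issues = @()
    if ($cert.NotAfter -lt (Get-Date)) {
        $issues += 'expired'
    }
    # Heuristic: a self-signed CA that is trusted for logon but was never
    # published as a trusted root is worth a second look.
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)
    $isPublishedRoot = [bool]($roots | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    if ($isSelfSigned -and -not $isPublishedRoot) {
        $issues += 'self-signed but not published in the Certification Authorities container'
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Finding    = if ($issues) { $issues -join '; ' } else { 'ok' }
    }
}
$findings | Format-Table -AutoSize

# Through an ActiveRoles Server proxy connection the Forest parameter is
# required, because the server may manage more than one forest. The value is
# the DN of the forest root domain (placeholder shown).
Get-QADPKIObject -Container CDP -Proxy -Forest 'DC=example,DC=com' |
    Get-QADCertificateRevocationList
```

Run the audit from a session with read access to the Configuration naming context; every domain member has that by default, so no elevated account is needed to read these publication points, which is also why tampering with them is easy to spot once someone looks.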
