Remove-QADCertificate
From PowerGUI Wiki
Remove X.509 certificates that match the desired conditions.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Remove-QADCertificate [-DirObj] <IGenericDirectoryObject> [[-Certificate] <X509CertificateUI[]>] [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Control <hashtable>] [-Expired] [-FriendlyName <string[]>] [-HasPrivateKey] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Remove-QADCertificate [-Store] <X509CertificateStoreUI> [[-Certificate] <X509CertificateUI[]>] [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Expired] [-FriendlyName <string[]>] [-HasPrivateKey] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
Use this cmdlet to remove X.509 certificates from a certificate store or an Active Directory object. The cmdlet removes the certificates that satisfy the conditions you configure using the cmdlet parameters.
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| AllEnhancedKeyUsages | Use this parameter to specify the object identifiers (OIDs) that indicate the intended purposes of the public key contained in the certificate to remove, in addition to or in place of the key usage setting. Parameter value can be one or more OIDs or OID friendly names separated by commas. A list of some enhanced key usage OIDs can be found in Microsoft's article "IX509ExtensionEnhancedKeyUsage Interface" at msdn.microsoft.com/en-us/library/aa378132.aspx
This parameter causes the cmdlet to remove a certificate if the intended purposes of the certificate's key match all of the OIDs specified. | false | false | |
| AllKeyUsages | Use this parameter to specify the key usage purpose for the certificates you want to remove. Parameter value can be any member of the X509KeyUsageFlags enumeration, such as EncipherOnly or DigitalSignature. For a complete list of the enumeration members, see the "X509KeyUsageFlags Enumeration" article in Microsoft's .NET Framework Class Library at msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keyusageflags.aspx
You can supply multiple members as the parameter value, separating them by commas. In this case, the cmdlet removes a certificate only if the certificate's key is intended for every one of the purposes defined by the members you specified. The permitted values are: None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly. | false | false | |
| AnyEnhancedKeyUsage | Use this parameter to specify the object identifiers (OIDs) that indicate the intended purposes of the public key contained in the certificate to remove, in addition to or in place of the key usage setting. Parameter value can be one or more OIDs or OID friendly names separated by commas. A list of some enhanced key usage OIDs can be found in Microsoft's article "IX509ExtensionEnhancedKeyUsage Interface" at msdn.microsoft.com/en-us/library/aa378132.aspx
This parameter causes the cmdlet to remove a certificate if the intended purposes of the certificate's key match any of the OIDs specified. | false | false | |
| AnyKeyUsage | Use this parameter to specify the key usage purpose for the certificates you want to remove. Parameter value can be any member of the X509KeyUsageFlags enumeration, such as EncipherOnly or DigitalSignature. For a complete list of the enumeration members, see the "X509KeyUsageFlags Enumeration" article in Microsoft's .NET Framework Class Library at msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keyusageflags.aspx
You can supply multiple members as the parameter value, separating them by commas. In this case, the cmdlet removes a certificate if the certificate's key is intended for at least one of the purposes defined by the members you specified. The permitted values are: None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature, DecipherOnly. | false | false | |
| Certificate | Use this parameter to specify the certificate objects representing the certificates to remove. This could be output objects of the Get-QADCertificate or Import-QADCertificate cmdlet (see examples). | false | false | |
| CertificateAuthority | Supply this parameter to remove only certification authority (CA) certificates. (CA certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two certification authorities.) If you want to remove only the certificates that are not CA certificates, use the following syntax: -CertificateAuthority:$false. | false | false | |
| Control | Use this parameter to pass request controls (in-controls) to ActiveRoles Server as part of an operation request. In ActiveRoles Server, request controls are used to send extra information along with an operation request, to control how ActiveRoles Server performs the request.
The parameter value is a hash table that defines the names and values of the request controls to be passed to ActiveRoles Server. The parameter syntax is as follows: -Control @{<name> = <value>; [<name> = <value>] ...}
In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about ActiveRoles Server request controls, refer to ActiveRoles Server SDK documentation. Note that this parameter only has an effect if an Active Directory object passed to the DirObj parameter is retrieved through ActiveRoles Server. For example, you could retrieve the object by using Get-QADUser with the Proxy connection parameter. In this case, the request to update the corresponding user account is processed by ActiveRoles Server, so the Control parameter passes the request controls to ActiveRoles Server. If the input object is retrieved through a direct connection to the directory (the Proxy connection parameter was not used), the Control parameter has no effect. | false | false | |
| DirObj | Parameter value is an object representing the directory object, such as a user account, from which to remove certificates. To remove certificates that are assigned to a particular user in Active Directory, retrieve the corresponding user account by using Get-QADUser and then pass the output object to this parameter (see examples). | true | true (ByValue) | |
| Expired | Supply this parameter to remove only expired certificates (a certificate is considered expired after the certificate's expiration date). If you want to remove only the certificates that are not expired, use the following syntax: -Expired:$false. | false | false | |
| FriendlyName | Use this parameter to specify the friendly name associated with the certificate to remove. You can supply an array of strings each of which represents the friendly name of a single certificate, to remove the certificates that have any of the specified names.
Friendly name is an optional property of a certificate that can be set on an as-needed basis. It is possible to assign a friendly name to a certificate so the certificate can be easily identified. | false | false | |
| HasPrivateKey | Supply this parameter to remove only certificates containing a private key. With this parameter, the cmdlet removes a certificate only if the certificate has a private key associated with it. Without this parameter, the cmdlet does not consider the presence of a private key. If you want to remove only the certificates that do not contain a private key, use the following syntax: -HasPrivateKey:$false. | false | false | |
| IssuedBy | Use this parameter to specify the name of the certification authority (CA) that issued the certificate to remove. You can supply an array of strings each of which represents the name of a single CA, to remove the certificates that were issued by any of the certification authorities specified. | false | false | |
| IssuedTo | Use this parameter to specify the name of the principal to which the certificate to remove was issued. You can supply an array of strings each of which represents a single principal's name, to remove the certificates that were issued to any of the principals specified. | false | false | |
| IssuerDN | Use this parameter to specify the issuer distinguished name of the certificate to remove. You can supply an array of strings each of which represents the distinguished name of a single certificate's issuer, to remove the certificates issued by any of the issuers specified.
The issuer distinguished name identifies the certification authority (CA) that issued the certificate. A distinguished name consists of name attributes, for example, "CN=Name,OU=OrgUnit,C=US". | false | false | |
| KeyAlgorithm | Use this parameter to specify the key algorithm information, in string format, for the certificate you want to remove. Parameter value is the object identifier (OID) or OID's friendly name that identifies the algorithm. You can specify an array of strings each of which identifies a certificate's key algorithm, to remove the certificates that use any of the specified key algorithms. | false | false | |
| KeyAlgorithmParameters | Use this parameter to specify the hexadecimal string representing the key algorithm parameters of the certificate to remove. You can supply an array of strings each of which represents the key algorithm parameters of a single certificate, to remove the certificates that have any of the specified key algorithm parameters. | false | false | |
| PrivateKeyExportable | Supply this parameter to remove certificates containing an exportable private key. With this parameter, the cmdlet removes a certificate if the private key associated with the certificate can be exported. Without this parameter, the cmdlet does not consider whether the private key can be exported. If you want to remove certificates whose private key cannot be exported, use the following syntax: -PrivateKeyExportable:$false. | false | false | |
| PrivateKeyProtected | Supply this parameter to remove certificates containing a protected private key. With this parameter, the cmdlet removes a certificate if the private key associated with the certificate is protected. Without this parameter, the cmdlet does not consider whether the private key is protected. If you want to remove certificates whose private key is not protected, use the following syntax: -PrivateKeyProtected:$false. | false | false | |
| PublicKey | Use this parameter to specify the hexadecimal string representing the public key of the certificate to remove. You can supply an array of strings each of which represents the public key associated with a single certificate, to remove the certificates that contain any of the keys specified. | false | false | |
| Revoked | Supply this parameter to remove only revoked certificates. If you want to remove only the certificates that are not revoked, use the following syntax: -Revoked:$false. | false | false | |
| SerialNumber | Use this parameter to specify the serial number of the certificate to remove. You can supply an array of strings each of which represents the serial number of a single certificate, to remove the certificates that have any of the specified serial numbers.
The serial number of a certificate is a unique number assigned to the certificate by the certification authority (CA) that issued the certificate. | false | false | |
| SignatureAlgorithm | Use this parameter to specify the object identifier (OID) or OID's friendly name that identifies the type of the encryption algorithm used to create the signature of the certificate to remove. You can supply an array of strings each of which identifies a single certificate's signature algorithm, to remove the certificates that use any of the algorithms specified. | false | false | |
| Store | Parameter value is an object that identifies the certificate store from which to remove certificates. Normally, this is an output object of the Get-QADLocalCertificateStore cmdlet. | true | true (ByValue) | |
| SubjectDN | Use this parameter to specify the subject distinguished name of the certificate to remove. You can supply an array of strings each of which represents the distinguished name of a single certificate's subject, to remove the certificates issued to any of the subjects specified.
The subject distinguished name is a textual representation of the certificate's subject. This representation consists of name attributes, for example, "CN=Name,OU=OrgUnit,C=US". | false | false | |
| SubjectKeyIdentifier | Use this parameter to specify the subject key identifier (SKI) of the certificate to remove. You can supply an array of strings each of which represents a single certificate's SKI encoded in hexadecimal format.
The subject key identifier can be used to differentiate between multiple public keys held by the certificate subject. The SKI value is typically a SHA-1 hash of the key. | false | false | |
| Template | Use this parameter to specify the certificate template of the certificate to remove. Parameter value is the name of a certificate template. You can supply an array of strings each of which represents the name of a certificate template, to remove the certificates that are based on any of the templates specified. | false | false | |
| Thumbprint | Use this parameter to specify the thumbprint of the certificate to remove. You can supply an array of strings each of which represents the thumbprint of a single certificate, to remove multiple certificates at a time.
The thumbprint is a hash value generated using the SHA-1 algorithm that uniquely identifies the certificate. As such, the thumbprint of a certificate is commonly used to find the certificate in a certificate store. | false | false | |
| Valid | Supply this parameter to remove only valid certificates. If you want to remove only the certificates that are not valid, use the following syntax: -Valid:$false. | false | false | |
| Version | Parameter value is the X.509 format version of the certificates to remove. For example, to remove X.509 version 3 certificates, supply the parameter value of 3. An array of numbers causes the cmdlet to remove certificates whose X.509 format version matches any of the numbers specified. | false | false | |
| Confirm | Prompts you for confirmation before executing the command. | false | false | |
| WhatIf | Describes what would happen if you executed the command without actually executing the command. | false | false | |
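The following is an added example, not code from the PowerGUI wiki or from Quest's documentation. It shows how the filter switches on the Store parameter set combine, how a negated switch (`-HasPrivateKey:$false`) differs from omitting the switch, and the difference between `-AnyKeyUsage` and `-AllKeyUsages`. It assumes the Quest snap-in is loaded and that `Get-QADLocalCertificateStore` with no arguments returns the CurrentUser stores, as Example 2 below states; the output file name is chosen for this example.

```powershell
# Added example, not part of the original page. Assumes the Quest AD cmdlets
# snap-in is already loaded (Add-PSSnapin Quest.ActiveRoles.ADManagement).
# Goal: purge expired end-entity certificates from the current user's stores,
# but leave anything that still has a private key (it may be needed to decrypt
# old mail or files) and leave CA certificates alone.

$stores = Get-QADLocalCertificateStore          # CurrentUser stores, per Example 2

# Filter switches AND together: expired AND no private key AND not a CA cert.
# A switch negated with :$false is a positive filter for the opposite condition;
# omitting the switch entirely means "do not consider this property at all".
$filter = @{
    Expired              = $true
    HasPrivateKey        = $false
    CertificateAuthority = $false
}

# 1. Dry run: -WhatIf lists what would be removed and changes nothing.
$stores | Remove-QADCertificate @filter -WhatIf

# 2. Remove, suppressing the per-certificate prompt, and keep the returned
#    X509CertificateUI objects as the change record.
$purged = @($stores | Remove-QADCertificate @filter -Confirm:$false)
"Removed $($purged.Count) expired certificate(s)"
$purged | Export-Clixml -Path (Join-Path $env:TEMP 'purged-certs.xml')

# Key-usage matching: -AnyKeyUsage is OR across the listed flags,
# -AllKeyUsages is AND. Pass several flags as one comma-separated string so
# PowerShell converts it to a single X509KeyUsageFlags value.
# This previews removal of expired certificates whose key usage includes BOTH
# KeyCertSign and CrlSign (a typical CA profile); -WhatIf keeps it a preview.
$stores | Remove-QADCertificate -AllKeyUsages 'KeyCertSign, CrlSign' -Expired -WhatIf

# By contrast, this would match anything usable for EITHER purpose.
$stores | Remove-QADCertificate -AnyKeyUsage 'KeyCertSign, CrlSign' -Expired -WhatIf
```

Run the `-WhatIf` pass and read its output before the real removal: certificates removed from a store with no private key can be re-imported, but the cmdlet does not back anything up for you, which is why the returned objects are written to disk.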
Input Type
Quest.ActiveRoles.ArsPowerShellSnapIn.UI.GenericDirectoryObject, Quest.ActiveRoles.ArsPowerShellSnapIn.X509CertificateStorageUI
Return Values
Quest.ActiveRoles.ArsPowerShellSnapIn.X509CertificateUI
Examples
EXAMPLE 1
Get-QADUser domainName\userName | Remove-QADCertificate
Description
Remove all certificates from the specified user account in Active Directory.
EXAMPLE 2
Get-QADLocalCertificateStore | Remove-QADCertificate -Expired
Description
Remove all expired certificates from all the certificate stores held in the CurrentUser store location.
EXAMPLE 3
Get-QADUser | Remove-QADCertificate -IssuerDN '*Microsoft*','*VeriSign*'
Description
Remove all certificates issued by Microsoft or VeriSign from all user accounts in your Active Directory domain.
EXAMPLE 4
$cert = dir c:\cert | Import-QADCertificate
Get-QADUser domainName\userName | Remove-QADCertificate -Certificate $cert
Description
Create a collection of objects ($cert) representing the certificates found in the X.509 certificate files that are located in the specified folder (c:\cert). Then, pass those objects to the Remove-QADCertificate cmdlet to remove the corresponding certificates from the specified user account.
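The following is an added example, not code from the PowerGUI wiki or from Quest's documentation, showing a scoped removal against the DirObj parameter set with a preview, an audit record and a post-check. The thumbprints and account names are constructed placeholders, the audit file name is chosen for this example, and the final verification step assumes Get-QADCertificate accepts the same -Thumbprint filter as Remove-QADCertificate, which this page does not state.

```powershell
# Added example, not part of the original page. Assumes the Quest AD cmdlets
# snap-in is loaded. The thumbprints and account names below are constructed
# placeholders; replace them with the values from your own investigation.
# Scenario: certificates issued by a compromised CA must be pulled from two
# users' AD accounts.

$thumbprints = @(
    '0123456789ABCDEF0123456789ABCDEF01234567',
    '89ABCDEF0123456789ABCDEF0123456789ABCDEF'
)
$accounts = 'CORP\alice', 'CORP\bob'
$auditLog = Join-Path $env:TEMP 'cert-removal.csv'

# Pin the removal to exact SHA-1 thumbprints. An IssuerDN wildcard such as
# '*CorpCA*' (the pattern Example 3 uses) also matches every other issuer whose
# DN contains that substring, so a thumbprint list is the safer selector once
# the target certificates are known.
$removed = foreach ($acct in $accounts) {
    $user = Get-QADUser $acct
    if (-not $user) {
        Write-Warning "Account not found, skipping: $acct"
        continue
    }

    # Preview first; nothing is written to AD with -WhatIf.
    $user | Remove-QADCertificate -Thumbprint $thumbprints -WhatIf

    # Remove, then tag each returned X509CertificateUI object with the account
    # it came from and the removal time, so the CSV stands as a change record.
    $user | Remove-QADCertificate -Thumbprint $thumbprints -Confirm:$false |
        Add-Member -MemberType NoteProperty -Name Account -Value $acct -PassThru |
        Add-Member -MemberType NoteProperty -Name RemovedAt -Value (Get-Date).ToString('o') -PassThru
}

$removed | Export-Csv -Path $auditLog -NoTypeInformation
"Removed $(@($removed).Count) certificate(s); audit record: $auditLog"

# Verify: re-read each account and confirm none of the thumbprints remain.
# Assumption (not stated on this page): Get-QADCertificate takes the same
# -Thumbprint filter as Remove-QADCertificate.
foreach ($acct in $accounts) {
    $left = @(Get-QADUser $acct | Get-QADCertificate -Thumbprint $thumbprints)
    if ($left.Count -gt 0) {
        Write-Warning "$acct still holds $($left.Count) matching certificate(s)"
    }
}
```

If the user objects were retrieved through ActiveRoles Server (Get-QADUser with the Proxy connection parameter), the same pipeline can carry a -Control hash table so that ActiveRoles Server records the reason for the change; with a direct directory connection the Control parameter has no effect, as the parameter table above notes.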
