Remove-QADPrivateKey
From PowerGUI Wiki
Delete the private keys that correspond to the X.509 certificates that match the desired conditions.
This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.
Syntax
Remove-QADPrivateKey [-Store] <X509CertificateStoreUI> [-AllEnhancedKeyUsages <string[]>] [-AllKeyUsages {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-AnyEnhancedKeyUsage <string[]>] [-AnyKeyUsage {None | EncipherOnly | CrlSign | KeyCertSign | KeyAgreement | DataEncipherment | KeyEncipherment | NonRepudiation | DigitalSignature | DecipherOnly}] [-CertificateAuthority] [-Expired] [-FriendlyName <string[]>] [-IssuedBy <string[]>] [-IssuedTo <string[]>] [-IssuerDN <string[]>] [-KeyAlgorithm <string[]>] [-KeyAlgorithmParameters <string[]>] [-PrivateKeyExportable] [-PrivateKeyProtected] [-PublicKey <string[]>] [-Revoked] [-SerialNumber <string[]>] [-SignatureAlgorithm <string[]>] [-SubjectDN <string[]>] [-SubjectKeyIdentifier <string[]>] [-Template <string[]>] [-Thumbprint <string[]>] [-Valid] [-Version <int[]>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
For a given certificate held in a local certificate store, you can use this cmdlet to delete the private key that corresponds to that certificate from the local computer. The cmdlet deletes the private key of every certificate that satisfies the conditions you set with the cmdlet parameters. A typical use of this cmdlet is to delete a certificate's private key after the certificate has been exported together with its key (see examples).
Parameters
| Name | Description | Required? | Pipeline Input | Default Value |
|---|---|---|---|---|
| AllEnhancedKeyUsages | Use this parameter to specify the object identifiers (OIDs) that indicate the intended purposes of the public key contained in the certificate whose private key you want to delete, in addition to or in place of the key usage setting. Parameter value can be one or more OIDs or OID friendly names separated by commas. A list of some enhanced key usage OIDs can be found in Microsoft's article "IX509ExtensionEnhancedKeyUsage Interface" at http://msdn.microsoft.com/en-us/library/aa378132.aspx
This parameter causes the cmdlet to delete the private key associated with a certificate if the intended purposes of the certificate's key match all of the OIDs specified. | false | false | |
| AllKeyUsages | Use this parameter to specify the key usage purpose for the certificates whose private keys you want to delete. Parameter value can be any member of the X509KeyUsageFlags enumeration, such as EncipherOnly or DigitalSignature. For a complete list of the enumeration members, see the "X509KeyUsageFlags Enumeration" article in Microsoft's .NET Framework Class Library at http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keyusageflags.aspx
You can supply multiple members as a parameter value, separating them by commas. In this case, the cmdlet deletes the private key associated with a certificate only if the certificate's key is intended for each of the purposes defined by the members you specified. The permitted values are listed in the Syntax section above. | false | false | |
| AnyEnhancedKeyUsage | Use this parameter to specify the object identifiers (OIDs) that indicate the intended purposes of the public key contained in the certificate whose private key you want to delete, in addition to or in place of the key usage setting. Parameter value can be one or more OIDs or OID friendly names separated by commas. A list of some enhanced key usage OIDs can be found in Microsoft's article "IX509ExtensionEnhancedKeyUsage Interface" at http://msdn.microsoft.com/en-us/library/aa378132.aspx
This parameter causes the cmdlet to delete the private key associated with a certificate if the intended purposes of the certificate's key match any of the OIDs specified. | false | false | |
| AnyKeyUsage | Use this parameter to specify the key usage purpose for the certificates whose private keys you want to delete. Parameter value can be any member of the X509KeyUsageFlags enumeration, such as EncipherOnly or DigitalSignature. For a complete list of the enumeration members, see the "X509KeyUsageFlags Enumeration" article in Microsoft's .NET Framework Class Library at http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keyusageflags.aspx
You can supply multiple members as a parameter value, separating them by commas. In this case, the cmdlet deletes the private key associated with a certificate if the certificate's key is intended for any of the purposes defined by the members you specified. The permitted values are listed in the Syntax section above. | false | false | |
| CertificateAuthority | Supply this parameter to delete only the private keys that are associated with certification authority (CA) certificates. (CA certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two certification authorities.) If you want to delete only the private keys associated with the certificates that are not CA certificates, use the following syntax: -CertificateAuthority:$false. | false | false | |
| Expired | Supply this parameter to delete only the private keys that are associated with expired certificates (a certificate is considered expired after the certificate's expiration date). If you want to delete only the private keys that are associated with the certificates that are not expired, use the following syntax: -Expired:$false. | false | false | |
| FriendlyName | Use this parameter to specify the friendly name associated with the certificate whose private key you want to delete. You can supply an array of strings each of which represents the friendly name of a single certificate, to delete the private keys corresponding to the certificates that have any of the specified names.
Friendly name is an optional property of a certificate that can be set on an as-needed basis. It is possible to assign a friendly name to a certificate so the certificate can be easily identified. | false | false | |
| IssuedBy | Use this parameter to specify the name of the certification authority (CA) that issued the certificate whose private key you want to delete. You can supply an array of strings each of which represents the name of a single CA, to delete the private keys corresponding to the certificates that were issued by any of the certification authorities specified. | false | false | |
| IssuedTo | Use this parameter to specify the name of the principal to which the sought-for private key was issued. You can supply an array of strings each of which represents a single principal's name, to delete the private keys corresponding to the certificates that were issued to any of the principals specified. | false | false | |
| IssuerDN | Use this parameter to specify the issuer distinguished name of the certificate whose private key you want to delete. You can supply an array of strings each of which represents the distinguished name of a single certificate's issuer, to delete the private keys that correspond to the certificates issued by any of the issuers specified.
The issuer distinguished name identifies the certification authority (CA) that issued the certificate. A distinguished name consists of name attributes, for example, "CN=Name,OU=OrgUnit,C=US". | false | false | |
| KeyAlgorithm | Use this parameter to specify the key algorithm information, in string format, for the certificate whose private key you want to delete. Parameter value is the object identifier (OID) or OID's friendly name that identifies the algorithm. You can specify an array of strings each of which identifies a certificate's key algorithm, to delete the private keys corresponding to the certificates that use any of the specified key algorithms. | false | false | |
| KeyAlgorithmParameters | Use this parameter to specify the hexadecimal string representing the key algorithm parameters of the certificate whose private key you want to delete. You can supply an array of strings each of which represents the key algorithm parameters of a single certificate, to delete the private keys corresponding to the certificates that have any of the specified key algorithm parameters. | false | false | |
| PrivateKeyExportable | Supply this parameter to delete the private keys associated with the certificates that have their private key marked as exportable. With this parameter, the cmdlet deletes only the private keys that can be exported. Without this parameter, the cmdlet does not consider whether a private key can be exported. If you want to delete only private keys that cannot be exported, use the following syntax: -PrivateKeyExportable:$false. | false | false | |
| PrivateKeyProtected | Supply this parameter to delete the private keys associated with the certificates that have their private key marked as protected. With this parameter, the cmdlet deletes only the protected private keys. Without this parameter, the cmdlet does not consider whether a private key is protected. If you want to delete only private keys that are not protected, use the following syntax: -PrivateKeyProtected:$false. | false | false | |
| PublicKey | Use this parameter to specify the hexadecimal string representing the public key of the certificate whose private key you want to delete. You can supply an array of strings each of which represents the public key associated with a single certificate, to remove the private keys corresponding to the certificates that contain any of the public keys specified. | false | false | |
| Revoked | Supply this parameter to delete only private keys corresponding to revoked certificates. If you want to remove only private keys corresponding to the certificates that are not revoked, use the following syntax: -Revoked:$false. | false | false | |
| SerialNumber | Use this parameter to specify the serial number of the certificate whose private key you want to delete. You can supply an array of strings each of which represents the serial number of a single certificate, to delete the private keys corresponding to the certificates that have any of the specified serial numbers.
The serial number of a certificate is a unique number assigned to the certificate by the certification authority (CA) that issued the certificate. | false | false | |
| SignatureAlgorithm | Use this parameter to specify the object identifier (OID) or OID's friendly name that identifies the type of the encryption algorithm used to create the signature of the certificate whose private key you want to delete. You can supply an array of strings each of which identifies a single certificate's signature algorithm, to delete the private keys corresponding to the certificates that use any of the algorithms specified. | false | false | |
| Store | Parameter value is an object that identifies the certificate store that holds the certificate whose private key you want to delete. Normally, this is an output object of the Get-QADLocalCertificateStore cmdlet. | true | true (ByValue) | |
| SubjectDN | Use this parameter to specify the subject distinguished name of the certificate whose private key you want to delete. You can supply an array of strings each of which represents the distinguished name of a single certificate's subject, to delete the private keys corresponding to the certificates issued to any of the subjects specified.
The subject distinguished name is a textual representation of the certificate's subject. This representation consists of name attributes, for example, "CN=Name,OU=OrgUnit,C=US". | false | false | |
| SubjectKeyIdentifier | Use this parameter to specify the subject key identifier (SKI) of the certificate whose private key you want to delete. You can supply an array of strings each of which represents a single certificate's SKI encoded in hexadecimal format, to delete the private keys that correspond to the certificates with the specified subject key identifiers.
The subject key identifier can be used to differentiate between multiple public keys held by the certificate subject. The SKI value is typically an SHA-1 hash of the key. | false | false | |
| Template | Use this parameter to specify the certificate template of the certificate whose private key you want to delete. Parameter value is the name of a certificate template. You can supply an array of strings each of which represents the name of a certificate template, to delete the private keys for the certificates that are based on any of the templates specified. | false | false | |
| Thumbprint | Use this parameter to specify the thumbprint of the certificate whose private key you want to delete. You can supply an array of strings each of which represents the thumbprint of a single certificate, to delete the private keys for multiple certificates at a time.
The thumbprint is a hash value generated using the SHA-1 algorithm that uniquely identifies the certificate. As such, the thumbprint of a certificate is commonly used to find the certificate in a certificate store. | false | false | |
| Valid | Supply this parameter to delete only private keys associated with valid certificates. If you want to delete private keys for only the certificates that are not valid, use the following syntax: -Valid:$false. | false | false | |
| Version | Parameter value is the X.509 format version of the certificate whose private key you want to delete. For example, to delete the private key for an X.509 version 3 certificate, supply the parameter value of 3. An array of numbers causes the cmdlet to remove private keys for certificates whose X.509 format version matches any of the numbers specified. | false | false | |
| Confirm | Prompts you for confirmation before executing the command. | false | false | |
| WhatIf | Describes what would happen if you executed the command without actually executing the command. | false | false | |
Examples
EXAMPLE 1
C:\PS>$store = Get-QADLocalCertificateStore MyStore
C:\PS>$store | Get-QADCertificate -IssuedTo 'John Smith' | Export-QADCertificate -Format Pfx -Mode Collection -Password (ConvertTo-SecureString <Password> -asplaintext -force) -File 'John Smith.pfx' | Out-Null
C:\PS>$store | Remove-QADPrivateKey -IssuedTo 'John Smith'
Description
This example illustrates how to export certificates and then delete the private keys that correspond to those certificates.
In this example, Get-QADLocalCertificateStore retrieves the certificate store named MyStore from the CurrentUser store location. Get-QADCertificate retrieves the certificates from that store that are issued to John Smith and passes the certificate objects to Export-QADCertificate, which exports the certificates, along with their private keys, to a single file using the Pfx export format. Finally, Remove-QADPrivateKey deletes the private keys that correspond to the exported certificates. Note that the export operation requires the export data to be protected by a password, so the Password parameter of the Export-QADCertificate cmdlet is used to set a password.
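Because deleting a private key is irreversible, the export-then-remove procedure above is safest when the same filter is used for the dry run, the export and the deletion, and when the deletion is skipped if the archive was not written. The following script is an added example, not from the wiki page or the Quest product; it assumes that Get-QADCertificate accepts the same certificate filter parameters as Remove-QADPrivateKey (-Expired, -CertificateAuthority, -PrivateKeyExportable), and the store name "My" and the archive path are placeholders.

```powershell
# Added example (not from the PowerGUI wiki or Quest documentation).
# Archive, then delete, the private keys of expired, non-CA certificates whose
# keys are exportable. Non-exportable keys are deliberately excluded: they could
# not be written to the PFX, so deleting them would leave no backup.
$store       = Get-QADLocalCertificateStore My            # placeholder store name
$archiveFile = 'C:\KeyArchive\expired-keys.pfx'            # placeholder path
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it

# One filter, reused for every step so the three operations match the same keys.
$filter = @{
    Expired              = $true
    CertificateAuthority = $false   # -CertificateAuthority:$false, as a splatted value
    PrivateKeyExportable = $true
}

# Step 1: dry run. -WhatIf reports which private keys would be deleted, deletes nothing.
$store | Remove-QADPrivateKey @filter -WhatIf

# Step 2: export the matching certificates with their private keys to one
# password-protected PFX file (assumes Get-QADCertificate takes the same filters).
$store | Get-QADCertificate @filter |
    Export-QADCertificate -Format Pfx -Mode Collection -Password $pfxPassword -File $archiveFile |
    Out-Null

# Step 3: delete only if the archive exists and is non-empty; -Confirm prompts per key.
if ((Test-Path $archiveFile) -and ((Get-Item $archiveFile).Length -gt 0)) {
    $store | Remove-QADPrivateKey @filter -Confirm
}
else {
    Write-Warning "Export to $archiveFile did not succeed; no private keys were deleted."
}
```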
