Unpublish-QADCertificate

From PowerGUI Wiki


Remove X.509 certificates from PKI-related containers in Active Directory.

This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.


Syntax

Unpublish-QADCertificate [-Container] <CAContainerType[]> [-Certificate] <X509CertificateUI[]> [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-CrossCertificate] [-Force] [-Forest <string>] [-Proxy] [-Service <string>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

Use this cmdlet to remove X.509 certificates from Certification Authority objects held in PKI-related containers in the Active Directory configuration naming context. The following containers are supported:

   Certification Authorities (RootCA): This is the publication point for the trusted root certification authorities' (CA) certificates. Publishing a root CA's certificate to the Certification Authorities container causes all domain members to import the root CA's certificate into their own trusted root CA stores.

   Authority information access (AIA): This is the publication point for the most currently published CA certificates for root and intermediate certification authorities. Publishing CA certificates to the AIA container helps clients find CA certificates dynamically during certificate chain building. The CA certificates that are available in the AIA container are also deployed with group policies into every client computer's Intermediate Certification Authorities store.

   NTAuthCertificates (NTAuthCA): Publishing CA certificates to the NTAuthCertificates object indicates that these CAs are trusted to both (1) issue authentication (logon) certificates for any user in the forest and (2) enable logon for smart cards, IIS mapping, and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The CA certificates that are available in the NTAuthCertificates object are also deployed with group policies into every client computer's Intermediate Certification Authorities store.

For every Active Directory forest, these containers are located in the forest's Configuration naming context under Services/Public Key Services, and are therefore replicated to every domain controller in the forest.

Parameters

Each parameter is listed with its description, whether it is required, and whether it accepts pipeline input. No default values are given for any parameter.

Certificate
   Use this parameter to specify the certificate objects representing the certificates to remove. These can be the output objects of the Get-QADCertificate or Import-QADCertificate cmdlet (see examples).
   Required: true. Pipeline input: true (ByValue, ByPropertyName).

Connection
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

ConnectionAccount
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

ConnectionPassword
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

Container
   Use this parameter to specify the PKI containers from which you want to remove certificates. The possible parameter values are:
      RootCA    Identifies the Certification Authorities (trusted root CA) container
      AIA       Identifies the authority information access container
      SubCA     Same as AIA
      NTAuthCA  Identifies the NTAuthCertificates object
   Required: true. Pipeline input: true (ByValue, ByPropertyName).

Credential
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

CrossCertificate
   Supply this parameter when removing cross-certificates. A cross-certificate is a certificate issued by one Certification Authority (CA) that signs the public key for the root certificate of another Certification Authority. Cross-certificates provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs.
   Required: false. Pipeline input: false.

Force
   Supply this parameter to delete the Certification Authority object from which all certificates have been removed by the unpublish operation. Without this parameter, the cmdlet does not delete the Certification Authority object, even though all certificates are removed from that object.
   Required: false. Pipeline input: false.

Forest
   Use this parameter to identify the Active Directory forest where you want to unpublish certificates. The parameter value is the fully qualified distinguished name of the forest root domain. This parameter only has an effect on operations performed through ActiveRoles Server (a connection established using the Proxy parameter). For a proxy connection, the Forest parameter is required to identify the forest of the PKI containers to act upon, since ActiveRoles Server can be configured to manage domains from more than one forest.
   Required: false. Pipeline input: true (ByPropertyName).

Proxy
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

Service
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

UseGlobalCatalog
   For parameter description, see help on the Connect-QADService cmdlet.
   Required: false. Pipeline input: false.

Confirm
   Prompts you for confirmation before executing the command.
   Required: false. Pipeline input: false.

WhatIf
   Describes what would happen if you executed the command, without actually executing it.
   Required: false. Pipeline input: false.

Input Type

X509CertificateUI,CAContainerType

Examples

EXAMPLE 1

   dir c:\cert |
    Import-QADCertificate |
    Unpublish-QADCertificate AIA,RootCA

Description

Remove the certificates found in the certificate files held in the c:\cert folder from the authority information access (AIA) and trusted root CA (RootCA) containers.
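As an added example (not from this wiki page or from Quest's own documentation), the following script removes a single retired CA's certificate from the AIA and NTAuthCertificates containers, previewing the change with -WhatIf before the real removal. It assumes the ActiveRoles snap-in is loaded, that the objects emitted by Import-QADCertificate expose a Thumbprint property (an assumed property name), and uses a constructed folder path and a placeholder thumbprint.

```powershell
# Added example, not part of the original page or of Quest's documentation.
# Scenario: a retired CA's certificate is still published in AIA and
# NTAuthCertificates; remove it, previewing with -WhatIf first.
# Assumptions: the ActiveRoles snap-in is loaded, and Import-QADCertificate's
# output objects have a Thumbprint property (assumed name; verify with
# Get-Member on your version of the snap-in).

$CertFolder = 'C:\retired-ca'                         # constructed path holding .cer files
$Thumbprint = 'PLACEHOLDER-THUMBPRINT-OF-RETIRED-CA'  # placeholder; supply the real value

# Import the certificate files and keep only the one to be unpublished,
# so a folder containing several files cannot remove more than intended.
$targets = Get-ChildItem -Path $CertFolder -Filter *.cer |
    Import-QADCertificate |
    Where-Object { $_.Thumbprint -eq $Thumbprint }

if (-not $targets) {
    throw "No certificate with thumbprint $Thumbprint found under $CertFolder"
}

# 1. Dry run: -WhatIf reports what would be removed from each container
#    without changing the configuration naming context.
$targets | Unpublish-QADCertificate -Container AIA, NTAuthCA -WhatIf

# 2. Real removal, with an interactive confirmation prompt. -Force also
#    deletes the Certification Authority object once its last certificate
#    has been removed; omit it if other certificates of that CA should
#    stay published under the same object.
$targets | Unpublish-QADCertificate -Container AIA, NTAuthCA -Force -Confirm

# Variant for a proxy connection through ActiveRoles Server: -Forest must
# name the forest (DN of the forest root domain) whose PKI containers are
# being changed, because ARS can manage domains from more than one forest.
# $targets | Unpublish-QADCertificate -Container AIA, NTAuthCA -Proxy `
#     -Forest 'DC=corp,DC=example' -WhatIf
```

Because the containers live in the forest's Configuration naming context, the removal replicates to every domain controller in the forest; the -WhatIf pass is the last chance to check the target before that happens.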
