
Synopsis

Remove X.509 certificates from PKI-related containers in Active Directory.

This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.

Syntax

Unpublish-QADCertificate [-Container] <CAContainerType[]> [-Certificate] <X509CertificateUI[]> [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Credential <PSCredential>] [-CrossCertificate] [-Force] [-Forest <string>] [-Proxy] [-Service <string>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

Use this cmdlet to remove X.509 certificates from Certification Authority objects held in PKI-related containers in the Active Directory configuration naming context. The following containers are supported:

Certification Authorities (RootCA) This is the publication point for the trusted root certification authorities' (CA) certificates. Publishing a root CA's certificate to the Certification Authorities container causes all domain members to import the root CA's certificate into their own trusted root CA stores.

Authority information access (AIA) This is the publication point for the most currently published CA certificates for root and intermediate certification authorities. Publishing CA certificates to the AIA container helps clients find CA certificates dynamically during certificate chain building. The CA certificates that are available in the AIA container are also deployed with group policies into every client computer's Intermediate Certification Authorities store.

NTAuthCertificates (NTAuthCA) Publishing CA certificates to the NTAuthCertificates object indicates that these CAs are trusted to both (1) issue authentication (logon) certificates for any user in the forest and (2) enable logon for smart cards, IIS mapping, and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The CA certificates that are available in the NTAuthCertificates object are also deployed with group policies into every client computer's Intermediate Certification Authorities store.

For every Active Directory forest, these containers are located in the forest's Configuration naming context under Services/Public Key Services, and are therefore replicated to every domain controller in the forest.

Parameters

-Certificate [<X509CertificateUI[]>]

Use this parameter to specify the certificate objects representing the certificates to remove. These can be the output objects of the Get-QADCertificate or Import-QADCertificate cmdlet (see examples).

Required?   true
Position?   2
Default value?  
Accept pipeline input?   true (ByValue, ByPropertyName)
Accept wildcard characters?   false

-Connection [<ArsConnection>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-ConnectionAccount [<string>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-ConnectionPassword [<SecureString>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Container [<CAContainerType[]>]

Use this parameter to specify the PKI containers from which you want to remove certificates. The possible parameter values are:

RootCA Identifies the Certification Authorities (trusted root CA) container

AIA Identifies the authority information access container

SubCA Same as AIA

NTAuthCA Identifies the NTAuthCertificates object

Required?   true
Position?   1
Default value?  
Accept pipeline input?   true (ByValue, ByPropertyName)
Accept wildcard characters?   false

-Credential [<PSCredential>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-CrossCertificate [<SwitchParameter>]

Supply this parameter when removing cross-certificates.

A cross-certificate is a certificate issued by one Certification Authority (CA) that signs the public key for the root certificate of another Certification Authority. Cross-certificates provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Force [<SwitchParameter>]

Supply this parameter to delete the Certification Authority object from which all certificates have been removed by the unpublish operation. Without this parameter, the cmdlet does not delete the Certification Authority object, even though all certificates are removed from that object.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Forest [<string>]

Use this parameter to identify the Active Directory forest where you want to unpublish certificates. The parameter value is the fully qualified distinguished name of the forest root domain. This parameter only has an effect on operations performed through ActiveRoles Server (a connection established using the Proxy parameter). In the case of a proxy connection, the Forest parameter is required to identify the forest of the PKI containers to act upon, since ActiveRoles Server can be configured to manage domains from more than one forest.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   true (ByPropertyName)
Accept wildcard characters?   false

-Proxy [<SwitchParameter>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Service [<string>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-UseGlobalCatalog [<SwitchParameter>]

For parameter description, see help on the Connect-QADService cmdlet.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-Confirm [<SwitchParameter>]

Prompts you for confirmation before executing the command.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

-WhatIf [<SwitchParameter>]

Describes what would happen if you executed the command without actually executing the command.

Required?   false
Position?   named
Default value?  
Accept pipeline input?   false
Accept wildcard characters?   false

Input Type

X509CertificateUI, CAContainerType

Return Type

Notes

Examples

EXAMPLE 1

PS> dir c:\cert | Import-QADCertificate | Unpublish-QADCertificate AIA,RootCA

Description

-----------

Remove the certificates found in the certificate files held in the c:\cert folder, from the authority information access (AIA) and trusted root CA (RootCA) containers.
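The following script is an added example, not part of the original help page or the Quest product: it wraps the same pipeline as Example 1 with a thumbprint allow-list and a -WhatIf dry run, so that only certificates explicitly scheduled for removal leave the containers. It assumes the objects emitted by Import-QADCertificate expose a Thumbprint property (not documented on this page); the thumbprint values and folder path are placeholders.

```powershell
# Added example (not from the original help page): unpublish only certificates
# whose thumbprints are on an explicit removal list, dry-run first, then commit.
# Assumption: Import-QADCertificate output objects expose a Thumbprint property.
param(
    [string]$CertFolder = 'C:\cert',                                  # placeholder path
    [string[]]$RemoveThumbprints = @('PLACEHOLDER_THUMBPRINT_1'),     # placeholder values
    [ValidateSet('RootCA', 'AIA', 'SubCA', 'NTAuthCA')]
    [string[]]$Container = @('AIA', 'RootCA'),
    [switch]$Proxy,
    [string]$Forest,   # DN of the forest root domain; required together with -Proxy
    [switch]$Commit    # without this switch the script only performs the -WhatIf run
)

if ($Proxy -and -not $Forest) {
    throw 'A proxy (ActiveRoles) connection requires -Forest to select the PKI containers.'
}

# Load the certificates from the files in the folder, as in Example 1.
$imported = Get-ChildItem -Path $CertFolder -File | Import-QADCertificate

# Normalise thumbprints (strip spaces/colons, upper-case) so list and object values compare.
$wanted = $RemoveThumbprints | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

# Keep only certificates explicitly listed for removal; report and skip everything else.
$toRemove = @()
foreach ($cert in $imported) {
    $tp = ([string]$cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($wanted -contains $tp) { $toRemove += $cert }
    else { Write-Warning "Skipping certificate $tp: not on the removal list" }
}
if ($toRemove.Count -eq 0) { Write-Host 'Nothing to unpublish.'; return }

# Common parameters for both runs; -Proxy/-Forest only when going through ActiveRoles Server.
$common = @{ Container = $Container }
if ($Proxy) { $common['Proxy'] = $true; $common['Forest'] = $Forest }

# Dry run: -WhatIf reports what would be removed without changing Active Directory.
$toRemove | Unpublish-QADCertificate @common -WhatIf

if ($Commit) {
    # Real run with per-object confirmation. -Force is deliberately omitted so the
    # Certification Authority object is kept even if it ends up holding no certificates.
    $toRemove | Unpublish-QADCertificate @common -Confirm
}
```

Run the script once without -Commit, review the -WhatIf output, then rerun with -Commit to perform the removal.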