PowerShell PKI Module Documentation
This command supports only Enterprise Certification Authorities
Get-CAKRACertificate
Synopsis
Retrieves the Key Recovery Agent (KRA) certificates assigned to a specified Certification Authority (CA).
Syntax
Get-CAKRACertificate [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Description
Retrieves the Key Recovery Agent (KRA) certificates assigned to a specified Certification Authority (CA).
A Key Recovery Agent certificate is used to encrypt a user's certificate private key and store it in the CA database. If the user cannot access his or her certificate private key, a Key Recovery Agent can recover it, provided that the Key Archival procedure was performed for that particular certificate.
Parameters
-CertificationAuthority <CertificateAuthority[]>
Specifies the Certification Authority object. This object can be retrieved by running the Get-CertificationAuthority command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
PKI.CertificateServices.CertificateAuthority
Outputs
Notes
Examples
Example 1
PS C:\> $KRACerts = Get-ADKRACertificate -Subject "CN=Key Recovery*"
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Add-CAKRACertificate -Certificate $KRACerts | Set-CAKRACertificate -RestartCA
The first command retrieves from Active Directory all KRA certificates whose subject field starts with 'CN=Key Recovery' (in DN format). The second command retrieves the KRA certificates currently assigned to the MyCA CA server and adds the new certificates obtained by the first command. After the configuration is changed, the command restarts certificate services to apply the changes immediately.
Example 2
PS C:\> $Certs = Get-ADKRACertificate -ShowUI -Multipick
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Add-CAKRACertificate $Certs | Set-CAKRACertificate -RestartCA
In this example, the first command displays a certificate selection UI where you can select from the available KRA certificates. The second command adds the certificates selected in the previous command to the currently assigned certificates and writes the new certificate list back to the CA server. After the configuration is changed, the command restarts certificate services to apply the changes immediately.
Example 3
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate | Remove-CAKRACertificate -Thumbprint "70144a763e3a662756898c3160297c8cbcd244dc" | Set-CAKRACertificate -RestartCA
This example removes the Key Recovery Agent certificate with thumbprint '70144a763e3a662756898c3160297c8cbcd244dc' from the 'MyCA' CA server. After the command completes, certificate services are restarted to apply the changes immediately.
Example 4
PS C:\> Get-CertificationAuthority | Get-CAKRACertificate | Remove-CAKRACertificate -InvalidOnly | Set-CAKRACertificate -RestartCA
This example removes invalid KRA certificates from all CA servers in the current forest. After the command completes, certificate services are restarted to apply the changes immediately.
Example 5
PS C:\> Get-CertificationAuthority -Name Company-CA | Get-CAKRACertificate | Remove-CAKRACertificate -ShowUI | Set-CAKRACertificate -RestartCA
This example retrieves the currently assigned KRA certificates and displays a certificate selection UI where you can select the certificates to remove. It then writes the new KRA certificate list back to the Company-CA CA server. After the command completes, certificate services are restarted to apply the changes immediately.
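The following added example (not part of the PSPKI documentation) reports the state of each KRA certificate currently assigned to a CA, which is useful to review before a removal such as the one in Example 4. Test-KraCertificate is a hypothetical helper name, and its checks are this example's own, not the criteria used by -InvalidOnly. It is an assumption that the object returned by Get-CAKRACertificate exposes the assigned certificates in a Certificate property.

```powershell
# Added example: report the state of each KRA certificate assigned to a CA.
function Test-KraCertificate {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30               # threshold for the 'ExpiringSoon' status
    )
    begin {
        $kraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent enhanced key usage
        $now = Get-Date
    }
    process {
        # Collect the EKU OIDs, if the certificate carries the extension at all.
        $ekuOids = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Cheap local checks first; Verify() builds the chain against this
        # machine's trust store and may contact revocation endpoints.
        $status = 'OK'
        if     ($now -lt $Certificate.NotBefore)   { $status = 'NotYetValid' }
        elseif ($now -gt $Certificate.NotAfter)    { $status = 'Expired' }
        elseif ($ekuOids -notcontains $kraEkuOid)  { $status = 'MissingKraEku' }
        elseif (-not $Certificate.Verify())        { $status = 'ChainOrRevocationFailure' }
        elseif (($Certificate.NotAfter - $now).TotalDays -lt $WarnDays) { $status = 'ExpiringSoon' }

        [pscustomobject]@{
            Status     = $status
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
        }
    }
}

# Read-only: nothing is written back to the CA (no Set-CAKRACertificate call).
# Assumption: the returned object has a Certificate property holding the KRA certs.
$kra = Get-CertificationAuthority -Name MyCA | Get-CAKRACertificate
$kra.Certificate | Where-Object { $_ } | Test-KraCertificate |
    Sort-Object NotAfter | Format-Table -AutoSize
```

The Thumbprint column can be passed to Remove-CAKRACertificate -Thumbprint, as in Example 3, once the list has been reviewed.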
Related links
Get-CertificationAuthority
Connect-CertificationAuthority
Get-ADKRACertificate
Add-CAKRACertificate
Remove-CAKRACertificate
Set-CAKRACertificate
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions