PowerShell PKI Module Documentation

Documentation Home

Get-ExtensionList

Synopsis

Retrieves certificate enabled/disabled extension lists.

Syntax

Get-ExtensionList [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]

Description

Retrieves certificate enabled/disabled extension lists. Extensions are separated in 3 categories:

EnabledExtensionList – contains extensions that CA server will publish in each issued certificate upon request.
OfflineExtensionList – contains allowed extension list that CA server will publish in issued certificates when offline request is used.
DisabledExtensionList – contains extensions that will not be published in certificate even if this extension is specified in the request.

Note: additional information can be found at: http://technet.microsoft.com/library/cc740063(WS.10).aspx

Parameters

-CertificationAuthority <CertificateAuthority[]>

Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CertificateAuthority

Outputs

PKI.CertificateServices.PolicyModule.ExtensionList

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList

Returns ExtensionList object for specified CA server.

Example 2

PS C:\> Get-CertificationAuthority | Get-ExtensionList

Returns ExtensionList object for all CAs in the forest with separate object per CA.

Example 3

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Add-ExtensionList -DisabledExtension "Certificate Template Name" | Set-ExtensionList -RestartCA

This command will add the 'Certificate Template Name' extension to restricted extension list. As the result CA server will not publish this extension in issued certificates. After configuration is changed, the command will restart certificate services to immediately apply changes.

Example 4

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-ExtensionList | Remove-ExtensionList -OfflineExtension "Subject Alternative Name" | Set-ExtensionList -RestartCA

This will remove 'Subject Alternative Name' extension from allowed extensions in request. As the result CA server will ignore this extension in certificate request.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Add-ExtensionList
Remove-ExtensionList
Set-ExtensionList

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions