PowerShell PKI Module Documentation

Documentation Home
This command requires installed Remote Server Administration Tools (RSAT)

Enable-PolicyModuleFlag

Synopsis

Enables policy module flags.

Syntax

Enable-PolicyModuleFlag [-InputObject] <EditFlag[]> [-Flag] <PolicyModuleFlagEnum> [-RestartCA] [<CommonParameters>]

Description

Enables policy module flags. These flags are processed by the policy module during certificate request processing.

Parameters

-InputObject <EditFlag[]>

Specifies the EditFlags object to process. The object can be retrieved by running Get-PolicyModuleFlag command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Flag <PolicyModuleFlagEnum>

Specifies new flag to enable for processing by CA policy module. This parameter accepts the following value or values:

EnableRequestExtensions — Enables 'Enabled Request Extensions' list processing.
RequestExtensionList — Instructs CA server to process RequestExtensionList property.
DisableExtensionList — Enables 'Disabled Request Extensions' list processing. If the flag is enabled and certificate request contains one or more extemsions from this list, extensions will be discarded.
AddOldKeyUsage — N/A
AddOldCertType — N/A
AttributeEndDate — Allows to specify certificate's validity end date. While certificate's validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determines this value by ValidityPeriod and ValidityPeriodUnits settings only. This flag allows to override ValidityPeriod and ValidityPeriodUnits settings to set certificate's validity.
BasicConstraintsCritical — Marks Basic Constraints extension as critical.
BasicConstraintsCA — Enables Basic Constraints extension for CA certificates.
EnableAKIKeyID — Enables KeyID (issuer's public key hash) value to appear in Authority Key Identifier (AKI) extension.
AttributeCA — N/A
IgnoreRequestGroup — N/A
EnableAKIIssuerName — Enables issuer name value to appear in Authority Key Identifier (AKI) extension.
EnableAKIIssuerSerial — Enables issuer certificate's serial number to appear in Authority Key Identifier (AKI) extension.
EnableAKICritical — Marks Authority Key Identifier (AKI) extension as critical.
ServerUpgraded — N/A
AttributeEKU — Enables Enhanced Key Usages (EKU) extensions passing as unauthenticated request attribute (rather than including EKU extension as authenticated extension in the request).
EnableDefaultSMIME — N/A
EmailOptional — N/A
AttributeSubjectAlternativeName — Enables Subject Alternative Name (SAN) extensions passing as unauthenticated request attribute (rather than including SAN extension as authenticated extension in the request).
Note: Do not enable this flag on Enterprise CAs. Instead, inclue SAN extension directly in the request.
EnableLDAPReferrals — Allows Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default as unintended template enumeration and enrollment may occur in some scenarios.
This flag is necessary only for Cross-Forest Enrollment scenarios.
EnableChaseClientDC — N/A
AuditCertTemplateLoad — Enables template list load from Active Directory audit.
DisableOldOSCNUPN — N/A
DisableLDAPPackageList — N/A
EnableUPNMap — N/A
EnableOCSPRevNoCheck — Enables id-pkix-ocsp-nocheck extension in the request.
EnableRenewOnBehalfOf — Enables certificate renewel on behalf of other user or computer.

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts CertSvc service on the specified CA server to immediately apply changes.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.PolicyModule.EditFlag

Outputs

PKI.CertificateServices.PolicyModule.EditFlag

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag AttributeSubjectAlternativeName -Restart CA

Enables 'Subject Alternative Name' attribute in a submitted certificate request. After command completion 'Company-CA' CA server will be restarted to immediately apply changes.

Note: do not enable SAN attribute on Enterprise CAs if it is possible to include SAN as extension.

Example 2

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA

Enables 'OCSP No Revocation Checking' extension and disables Disabled Certificate Extension list processing. This will allow CA to issue OCSP Response Signing certificate and will instruct CA server to process disabled extension list (see Add-ExtensionList) and extensions in this list will be not populated in issued certificates. After command completion 'Company-CA' CA server will be restarted to immediately apply changes.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-PolicyModuleFlag
Disable-PolicyModuleFlag
Restore-PolicyModuleFlagDefault

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions