
PowerShell PKI Module Documentation

This command is not available in non-domain environments.
This command requires the Remote Server Administration Tools (RSAT) to be installed.
This command is obsolete. Use the Get-AdPkiContainer command instead.

Get-ADKRACertificate

Synopsis

Retrieves all Key Recovery Agent (KRA) certificates published to Active Directory.

Syntax

Get-ADKRACertificate [[-Subject] <String>] [[-Issuer] <String>] [-ValidOnly] [-ShowUI] [<CommonParameters>]

Description

Retrieves all Key Recovery Agent (KRA) certificates published to Active Directory (the KRA container of the Public Key Services container in the configuration naming context). This command must be used to retrieve key recovery agent certificates for use with the Add-CAKRACertificate command. Because a KRA certificate added to a CA can recover any private key archived while it is configured, review the returned certificates (issuer, subject, thumbprint) rather than passing the whole result straight to Add-CAKRACertificate; the -ValidOnly switch checks trust and revocation status but does not decide whether a particular KRA should be trusted by this CA.

Parameters

-Subject <String>

Specifies a filter for the Subject field (distinguished name format). This parameter works in conjunction with other parameters.

This parameter accepts the following wildcard characters:
? — for single wildcard character matching
* — for multiple wildcard character matching

Required? False
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? True

-Issuer <String>

Specifies a filter for the Issuer field (distinguished name format). This parameter works in conjunction with other parameters.

This parameter accepts the following wildcard characters:
? — for single wildcard character matching
* — for multiple wildcard character matching

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? True

-ValidOnly <SwitchParameter>

Specifies whether to return only valid certificates. A valid KRA certificate must meet all of the following requirements:

— time valid
— has a valid certificate chain up to a trusted root
— is not revoked (the CRL or OCSP responder for every issuing CA must be reachable from the machine running the command)
— valid for the 'Key Recovery Agent' application policy (enhanced key usage)

This parameter works in conjunction with other parameters.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False
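The four -ValidOnly requirements can be reproduced with the .NET X509Chain class, which is useful when you want to see why a published KRA certificate was dropped instead of just having it disappear from the output. The following is an added example, not code from the PSPKI module: it takes any X509Certificate2 objects (for instance the output of Get-ADKRACertificate run without -ValidOnly), applies the same checks, and reports each failure reason. The Key Recovery Agent application policy OID 1.3.6.1.4.1.311.21.6 is the standard Microsoft value; the trailing Add-CAKRACertificate pipeline is commented out and its parameter names are an assumption, so confirm them against that command's own page before use.

```powershell
# Added example (not part of the PSPKI module). Re-implements the -ValidOnly
# checks so the result can be audited before certificates reach the CA.

# Key Recovery Agent application policy (szOID_KP_KEY_RECOVERY_AGENT).
$KraEkuOid = '1.3.6.1.4.1.311.21.6'

function Test-KraCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $reasons = New-Object System.Collections.Generic.List[string]
        $now = Get-Date

        # Requirement 1: time valid.
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $reasons.Add("not time valid (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))")
        }

        # Requirements 2-4: chain to a trusted root, not revoked, valid for the
        # KRA application policy. Online revocation checking needs the CRL/OCSP
        # endpoints of every issuing CA to be reachable; ExcludeRoot skips the
        # (self-signed) root, which has no revocation information.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        $oid = New-Object System.Security.Cryptography.Oid $KraEkuOid
        [void]$chain.ChainPolicy.ApplicationPolicy.Add($oid)

        if (-not $chain.Build($Certificate)) {
            foreach ($status in $chain.ChainStatus) {
                # NotTimeValid was already reported by requirement 1.
                if ($status.Status -eq 'NotTimeValid') { continue }
                # A missing KRA EKU surfaces here as NotValidForUsage.
                $reasons.Add("$($status.Status): $($status.StatusInformation.Trim())")
            }
        }
        $chain.Dispose()

        New-Object PSObject -Property @{
            Certificate = $Certificate
            Subject     = $Certificate.Subject
            Issuer      = $Certificate.Issuer
            Thumbprint  = $Certificate.Thumbprint
            NotAfter    = $Certificate.NotAfter
            IsValidKra  = ($reasons.Count -eq 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Usage: audit everything published for a given issuer, then keep only the
# certificates that passed. "*MyCA*" is the issuer filter from Example 2.
$report = Get-ADKRACertificate -Issuer "*MyCA*" | Test-KraCertificate
$report | Format-Table Subject, Thumbprint, NotAfter, IsValidKra, Reasons -AutoSize
$good = @($report | Where-Object { $_.IsValidKra } | ForEach-Object { $_.Certificate })

# Assumed downstream pipeline (parameter names not confirmed by this page;
# check the Add-CAKRACertificate and Set-CAKRACertificate documentation):
# Get-CertificationAuthority -ComputerName ca01.corp.example |
#     Get-CAKRACertificate |
#     Add-CAKRACertificate -Certificate $good |
#     Set-CAKRACertificate -RestartCA
```

Run this from a domain-joined machine with RSAT installed, as the command itself requires. Comparing the IsValidKra column with what Get-ADKRACertificate -ValidOnly returns tells you whether a certificate was dropped for a trust or revocation problem that needs fixing, or simply because a CRL distribution point was unreachable from the host you ran it on.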

-ShowUI <SwitchParameter>

Displays a certificate picker window. In this window you can select one or more KRA certificates to use; only the selected certificates are returned.

This parameter works in conjunction with other parameters.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

None.

Outputs

System.Security.Cryptography.X509Certificates.X509Certificate2[]

Notes

Examples

Example 1

PS C:\> Get-ADKRACertificate

Returns all KRA certificates published to Active Directory without performing any validity checking.

Example 2

PS C:\> Get-ADKRACertificate -Issuer "*MyCA*" -ValidOnly

Returns all valid KRA certificates whose Issuer field (the full distinguished name, including any DN suffixes) contains the string "MyCA".

Related links

Get-CAKRACertificate
Add-CAKRACertificate
Remove-CAKRACertificate
Set-CAKRACertificate

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions