Free PKI Insights webinar: "Post-Quantum Cryptography (PQC) and PKI" 9/19 - Register Here!

PowerShell PKI Module Documentation

Documentation Home
This command is not available in non-domain environments

Get-AdPkiContainer

Synopsis

Retrieves named PKI container from Active Directory.

Syntax

Get-AdPkiContainer [-ContainerType] <DsContainerType> [<CommonParameters>]

Description

Retrieves named PKI container from Active Directory. AD PKI containers are used to hold information about enterprise PKI. Such information includes:

– intermediate CA certificates
– trusted root CA certificates
– certitificate revocation lists
– Enterprise CA registration information
– enterprise object identifiers (OID)
– key recoverty agent (KRA) certificates
– enterprise certificate templates

Parameters

-ContainerType <DsContainerType>

Specifies the container type. The value can be one of the following:
NTAuth — Contains certificates of CAs that are allowed to issue client authentication certificates and perform client private key archival. These certificates are downloaded and cached on Active Directory forest clients.
AIA — Contains CA certificates and cross-certificates that are used by certificate clients to build certificate chains. These certificates are downloaded and cached on Active Directory forest clients.
CDP — Contains certificate revocation lists published to Active Directory. These CRLs are not automatically downloaded by clients. They are accessed only when explicit request to specific CRL is created.
RootCA — Contains certificates of trusted root CAs approved by Active Directory administrators. These certificates are downloaded and cached on Active Directory forest clients.
EnrollmentServices — Contains enrollment service objects (typically Enterprise CAs) which are used by clients that implement [MS-WCCE] communication protocol to manually, or automatically request certificates.
KRA — Contains a collection of key recovery agent (KRA) certificates published to Active Directory. Certification Authorities use this container to locate KRA certificates when key archival is configured.
OID — Contains a collection of mapping objects between object identifier (OID) and their friendly names.
CertificateTemplates — Contains a collection of certificate templates.

Required? True
Position? 0
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

Outputs

SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer

Notes

Examples

Example 1

PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\pki\root_cacert.crt"
PS C:\> Get-AdPkiContainer -ContainerType RootCA | Add-AdCertificate -Certificate $cert -Dispose

This example gets certificate from a file, retrieves RootCA (trusted root CAs) AD container and publishes certificate to RootCA container. After operation completion, input object (RootCA container) is disposed. After autoenrollment trigger, domain members will get new trusted root CA.

Example 2

PS C:\> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\pki\cross.cer"
PS C:\> Get-AdPkiContainer -ContainerType AIA | Add-AdCertificate -Certificate $cert -CrossCertificate -Dispose

This example gets certificate from a file, retrieves AIA (intermediate CA) AD container and publishes certificate to AIA container as cross-certificate. After operation completion, input object (AIA container) is disposed. After autoenrollment trigger, domain members will get new certificate in Intermediate CAs local store.

Example 3

PS C:\> $crl = Get-CRL -Path "c:\pki\contoso subca.crl"
PS C:\> Get-AdPkiContainer -ContainerType CDP | Add-AdCertificateRevocationList -CRL $crl -HostName "subca01" -Dispose

This command reads CRL object from file, retrieves CDP container from Active Directory and writes CRL to CDP object. During object creation, a dedicated subcontainer with name 'subca01' under CDP container is created. After operation completion, input object (CDP container) is disposed.

Example 4

PS C:\> Get-AdPkiContainer -ContainerType NTAuth | Remove-AdCertificate -Thumbprint "EC9385E533782453D5C285B2A67311447FB57A6F", "3E778F108E7DC983939732AFAC3EE89383478973" -Dispose

This command retrieves NTAuth container from Active Directory and removes all certificate occurences with specified certificate thumbprints. After operation completion, input object (NTAuth container) is disposed.

Example 5

PS C:\> $aia = Get-AdPkiContainer -ContainerType AIA
PS C:\> $entries = $aia.Certificates | Where-Object {$_.Name -eq "Contoso CA"}
PS C:\> Get-AdPkiContainer -ContainerType AIA | Remove-AdCertificate -Certificate $entries -Dispose -ForceDelete

First line retrieves AIA (SubCA) container from Active Directory. Second line selects all certificate enries for "Contoso CA" in specified container. Third line removes selected entries from AIA container and deletes empty CA entry from Active Directory. After operation completion, input object (AIA container) is disposed.

Example 6

PS C:\> Get-AdPkiContainer -ContainerType CDP | Remove-AdCertificateRevocationList -Thumbprint "1C4BF393320A6C70D5C506AF9F422950B0C11EAB6273132C9B326438AB1C0929", "17FCB3E67512017E4611FBA9052164031F1D873F800E613A96AC09F77D269349" -Dispose -ForceDelete

This command retrieves CDP container from Active Directory and removes all CRLs with specified certificate thumbprints. If particular CDP entry in Active Directory is empty, it is deleted. After operation completion, input object (CDP container) is disposed.

Example 7

PS C:\> $cdp = Get-AdPkiContainer -ContainerType CDP
PS C:\> $entries = $cdp.RevocationLists | Where-Object {$_.HostName -eq "subca01"}
PS C:\> Get-AdPkiContainer -ContainerType CDP | Remove-AdCertificateRevocationList -CRL $entries -Dispose -ForceDelete

First line retrieves CDP container from Active Directory. Second line selects all CRL entries for "subca01" host name in specified container. Third line removes selected entries from CDP container and deletes empty CDP entries from Active Directory. After operation completion, input object (CDP container) is disposed.

Related links

Add-AdCertificate
Add-AdCertificateRevocationList
Remove-AdCertificate
Remove-AdCertificateRevocationList

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions