Get-PolicyModuleFlag

Synopsis

Retrieves default policy module flags.

Syntax

Get-PolicyModuleFlag [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]

Description

Retrieves default Policy Module flags. These flags are processed by policy module during certificate request processing.

Parameters

-CertificationAuthority <CertificateAuthority[]>

Specifies the Certification Authority object. This object can be retrieved by running Get-CertificationAuthority command.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CertificateAuthority

Outputs

PKI.CertificateServices.PolicyModule.EditFlag

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag

Returns policy module enabled flags for specified CA server.

Example 2

PS C:\> Get-CertificationAuthority | Get-PolicyModuleFlag

Returns policy module enabled flags for all CAs in the forest with separate object per CA.

Example 3

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA

Disables 'Subject Alternative Name' attribute in a submitted certificate request and restarts certificate services. In order to issue a certificate with SAN extension, it must be a part of certificate request extensions. After command completion Company-CA CA server will be restarted to immediately apply changes.

Example 4

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA

Disables 'OCSP No Revocation Checking' extension and disables Disabled Certificate Extension list processing. This will prevent CA to issue OCSP Response Signing certificate and any previously disabled extension (see Add-ExtensionList) will be populated in the issued certificates. After command completion Company-CA CA server will be restarted to immediately apply changes.

Example 5

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag AttributeSubjectAlternativeName -Restart CA

Enables 'Subject Alternative Name' attribute in a submitted certificate request. After command completion 'Company-CA' CA server will be restarted to immediately apply changes.

Note: do not enable SAN attribute on Enterprise CAs if it is possible to include SAN as extension.

Example 6

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Enable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA

Enables 'OCSP No Revocation Checking' extension and disables Disabled Certificate Extension list processing. This will allow CA to issue OCSP Response Signing certificate and will instruct CA server to process disabled extension list (see Add-ExtensionList) and extensions in this list will be not populated in issued certificates. After command completion 'Company-CA' CA server will be restarted to immediately apply changes.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Enable-PolicyModuleFlag
Disable-PolicyModuleFlag
Restore-PolicyModuleFlagDefault

Minimum PowerShell version support

• Windows PowerShell 3.0

Operating System Support

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows 11
• Windows Server 2008 R2 all editions
• Windows Server 2012 all editions
• Windows Server 2012 R2 all editions
• Windows Server 2016 all editions
• Windows Server 2019 all editions
• Windows Server 2022 all editions