
PowerShell PKI Module Documentation

This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)

Add-CertificationAuthorityAcl

Synopsis

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

Syntax

Add-CertificationAuthorityAcl -InputObject <CertSrvSecurityDescriptor[]> -Identity <NTAccount[]> -AccessType <AccessControlType> -AccessMask <CertSrvRights> [<CommonParameters>]

Add-CertificationAuthorityAcl -InputObject <CertSrvSecurityDescriptor[]> -AccessRule <CertSrvAccessRule[]> [<CommonParameters>]

Description

Adds new Access Control Entry (ACE) to a Certification Authority's Access Control List (ACL).

This command performs ACL object change. Use Set-CertificationAuthorityAcl to write modified ACL to CA configuration.

Note: The CA security descriptor supports only one ACE per principal. Therefore, if the added principal already has explicit permissions on the CA server, the existing ACE is updated rather than a second one being added.

Parameters

-InputObject <CertSrvSecurityDescriptor[]>

Specifies an ACL object of Certification Authority. This object can be retrieved by running Get-CertificationAuthorityAcl command.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-AccessType <AccessControlType>

Specifies the access type, which can be either Allow or Deny. Avoid the Deny access type where possible; instead, remove the account from the ACL or grant only the required permissions.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AccessMask <CertSrvRights>

Specifies the access mask to apply to entities specified in '-Identity' parameter.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Identity <NTAccount[]>

Specifies a user, computer or a group to add to ACL.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AccessRule <CertSrvAccessRule[]>

Specifies one or more access rule (CertSrvAccessRule) objects to add to the ACL. Such objects can be taken from the Access property of an ACL object retrieved by running the Get-CertificationAuthorityAcl command (see Example 2).

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor

Outputs

SysadminsLV.PKI.Security.AccessControl.CertSrvSecurityDescriptor

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority "ca01.example.com" | Get-CertificationAuthorityAcl | Add-CertificationAuthorityAcl -Identity "Cert Managers" -AccessType "Allow" -AccessMask "ManageCertificates" | Set-CertificationAuthorityAcl -RestartCA

In this example, the existing Access Control List (ACL) object is retrieved from the CA server hosted on "ca01.example.com", a new "Allow" Access Control Entry (ACE) granting "ManageCertificates" access to the group "Cert Managers" is added, and the new ACL is written back to the CA server configuration. The CA service is restarted to apply the changes immediately.

Example 2

PS C:\> $SourceACL = Get-CertificationAuthority "ca01.example.com" | Get-CertificationAuthorityAcl
PS C:\> $DestinationACL = Get-CertificationAuthority "ca02.example.com" | Get-CertificationAuthorityAcl | Remove-CertificationAuthorityAcl -Force
PS C:\> $DestinationACL | Add-CertificationAuthorityAcl -AccessRule $SourceACL.Access | Set-CertificationAuthorityAcl -RestartCA

This example shows the technique used to copy the ACL from a source CA to a destination CA, replacing the destination CA's existing ACL. a) The first line retrieves the ACL from the source CA server hosted on "ca01.example.com". b) The second line retrieves the existing ACL from the destination CA server hosted on "ca02.example.com" and clears all of its Access Control Entries (ACEs). c) The third line copies the ACEs from the source CA to the destination CA and writes the result back; the destination CA service is restarted to apply the new ACL immediately.
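The following function is an added example, not part of the PSPKI documentation or module, that wraps the two-step workflow from the Description (Add-CertificationAuthorityAcl only changes the in-memory ACL object; Set-CertificationAuthorityAcl writes it back) and makes the one-ACE-per-principal behaviour visible by diffing the ACL before and after the change. It assumes the CertSrvAccessRule objects in the Access property expose IdentityReference, AccessControlType and CertificationAuthorityRights properties (assumed property names), and the CA name is a placeholder.

```powershell
# Added example (not from the PSPKI project): grant a CA role and show what changes
# before anything is written back to the CA. Only Allow entries are added, following
# the documentation's advice to avoid Deny ACEs.
# Assumption: access rule objects expose IdentityReference, AccessControlType and
# CertificationAuthorityRights (property names assumed, not taken from the page).
function Grant-CaRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CAName,      # placeholder, e.g. "ca01.example.com"
        [Parameter(Mandatory)] [string] $Identity,    # user, computer or group (NTAccount form)
        [Parameter(Mandatory)] [string] $AccessMask,  # e.g. "ManageCertificates"
        [switch] $Commit                              # without this switch the CA is not modified
    )

    # Helper that renders each ACE as one comparable line.
    $render = {
        '{0} | {1} | {2}' -f $_.IdentityReference, $_.AccessControlType, $_.CertificationAuthorityRights
    }

    # Step 1: read the current ACL object from the CA.
    $acl = Get-CertificationAuthority $CAName | Get-CertificationAuthorityAcl
    $before = @($acl.Access | ForEach-Object $render)

    # Step 2: modify the in-memory ACL only. If $Identity already has an explicit ACE,
    # the CA security descriptor keeps a single ACE per principal, so that entry is
    # updated instead of a duplicate being appended.
    $acl = $acl | Add-CertificationAuthorityAcl -Identity $Identity -AccessType Allow -AccessMask $AccessMask
    $after = @($acl.Access | ForEach-Object $render)

    # Show exactly which ACE lines disappeared (<=) and which appeared (=>).
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
    if (-not $diff) {
        Write-Host "No change: '$Identity' already holds '$AccessMask' on $CAName."
    } else {
        $diff | ForEach-Object { Write-Host ("{0} {1}" -f $_.SideIndicator, $_.InputObject) }
    }

    # Step 3: write back only when explicitly requested; the CA service restart applies it.
    if ($Commit) {
        $acl | Set-CertificationAuthorityAcl -RestartCA
        Write-Host "ACL written to $CAName and CA service restarted."
    } else {
        Write-Warning "Dry run: re-run with -Commit to write the ACL to $CAName."
    }
}

# Usage (dry run, then commit):
# Grant-CaRole -CAName "ca01.example.com" -Identity "Cert Managers" -AccessMask "ManageCertificates"
# Grant-CaRole -CAName "ca01.example.com" -Identity "Cert Managers" -AccessMask "ManageCertificates" -Commit
```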

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CertificationAuthorityAcl
Remove-CertificationAuthorityAcl
Set-CertificationAuthorityAcl

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions