PowerShell PKI Module Documentation

This command is not available in non-domain environments
This command requires installed Remote Server Administration Tools (RSAT)

Add-OnlineResponderRevocationConfiguration

Synopsis

Adds new revocation configuration to Online Responder.

Syntax

Add-OnlineResponderRevocationConfiguration -OnlineResponder <OcspResponder[]> -Name <String> -CaCertificate <X509Certificate> [<CommonParameters>]

Add-OnlineResponderRevocationConfiguration -OnlineResponder <OcspResponder[]> -Name <String> -CertificationAuthority <CertificateAuthority> [<CommonParameters>]

Description

Adds new revocation configuration to Online Responder using CA certificate and configuration display name.

Note: this action shall be executed on array controller. Otherwise, these changes may be overwritten during array member synchronization with array controller.

Parameters

-OnlineResponder <OcspResponder[]>

Specifies the Online Responder the configuration is added to.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Name <String>

Specifies the revocation configuration display name.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-CaCertificate <X509Certificate>

Specifies the CA certificate the revocation configuration is set up for. Use this parameter when custom or manually assigned OCSP signing certificate will be used for new revocation configuration.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-CertificationAuthority <CertificateAuthority>

Specifies the Enterprise Certification Authority. Use this parameter with Enterprise Certification Authority for which you want to use automatic OCSP signing certificate enrollment and renewal based on a certificate template.

Required? True
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

SysadminsLV.PKI.Management.CertificateServices.OcspResponder

Outputs

SysadminsLV.PKI.Management.CertificateServices.OcspResponderRevocationConfiguration

Notes

Examples

Example 1

PS C:\> $CA = Get-CertificationAuthority "ca01.example.com" -Enterprise
PS C:\> Connect-OnlineResponder "ocsp1.example.com" | Add-OnlineResponderRevocationConfiguration -Name "Example Org v1.1" -CA $ca | Set-OnlineResponderRevocationConfiguration `
    -SigningCertTemplate "OcspResponseSigning" `
    -SigningFlag "Silent, SigningCertAutoRenewal, ForceDelegatedCert, AutoDiscoverSigninCert, ResponderIdKeyHash, SigningCertAutoEnrollment" `
    -BaseCrlUrl "http://cdp2.example.com/exca.crl","http://cdp3.example.com/exca.crl" `
    -DeltaCrlUrl "http://cdp2.example.com/exca+.crl","http://cdp3.example.com/exca+.crl" `
    -HashAlgorithm (New-Object System.Security.Cryptography.Oid2 "sha256")

In this example, a) first line connects to Enterprise CA server on 'ca01.example.com'. b) connects to Online Responder hosted on "ocsp1.example.com" and adds new revocation configuration named "Example Org v1.1" for CA retrieved on a first line. Further, revocation configuration is configured by using Set-OnlineResponderRevocationConfiguration command by specifying: a) use "OcspResponseSigning" certificate template for OCSP signing certificate enrollment b) use automatic certificate enrollment and renewal from referenced CA c) base and delta CRL URLs d) SHA256 hashing algorithm used to sign OCSP responses.

Example 2

PS C:\> $CaCert = Get-Item cert:\LocalMachine\CA\0E084CAC00546D876A7A2370BF4053F2CE8C1053
PS C:\> Connect-OnlineResponder "ocsp1.example.com" | Add-OnlineResponderRevocationConfiguration -Name "External Example Org CA" -CaCertificate $CaCert `
    -BaseCrlUrl "http://cdp2.example.com/exca.crl","http://cdp3.example.com/exca.crl" `
    -HashAlgorithm (New-Object System.Security.Cryptography.Oid2 "sha256")

Creates new Online Responder revocation configuration for non-Enterprise (Standalone, external, offline) Certification Authority with CA certificate thumbprint "0E084CAC00546D876A7A2370BF4053F2CE8C1053". Further, revocation configuration is configured by using Set-OnlineResponderRevocationConfiguration command by specifying: a) use out-of-band enrolled OCSP signing certificate b) base CRL URLs (assuming Delta CRLs are not used by CA) c) SHA256 hashing algorithm used to sign OCSP responses.

Related links

Connect-OnlineResponder
Remove-OnlineResponderRevocationConfiguration
Set-OnlineResponderRevocationConfiguration

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions