Hello,
I'm not sure this is the right place to make a feature request... Please excuse me if it is not.
I would like to be able to manage the security settings of the CA through PowerShell (setting CA administrators, certificate managers, etc.).
I think I saw a thread on TechNet where Brian Komar or yourself said that it was possible to do so with `certutil -setreg ca\security`, but the format to use was not specified (and I'd guess it would require some SDDL...).
What I imagine is new cmdlets with signatures similar to the following:
```
Get-CASecurityAcl [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Add-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <CARight[]>] [<CommonParameters>]
Set-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [<CommonParameters>]
Remove-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]
```
And a new CARight enum that would contain something like `Read`, `ManageCA`, `IssueManageCertificates` and `RequestCertificates`.
While I'm at it, it would also be interesting to have:
* wrappers around other `certutil -setreg` commands like being able to enable/disable role separation, configure restrictions for certificate managers and enrollment agents, audit filters, etc.
* get "resolved" AIA and CDP URLs (with placeholders resolved to their actual values for each CA certificate in use)
* edit certificate templates' settings (which would probably require modifying the template objects in AD directly...)
* allow retrieving issued and revoked certificate requests all in one command (which should be possible if the internal Get-RequestRow cmdlet were refactored/made public and the filter on `Disposition` removed). Not sure it is possible to return pending/failed requests in one request though...
Whether or not you implement any of those proposals, thank you very much for making administering AD CS with PowerShell so easy! Microsoft should definitely consider including your module natively in the OS to complement the too-simple existing cmdlets.
Best regards,
Jordan
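The post asks for the CA security descriptor to be manageable from PowerShell and guesses that `certutil -setreg ca\security` wants SDDL. The following is an added example, not code from the original post nor from the PSPKI module, showing what the proposed `Get-CASecurityAcl` / `Add-CASecurityAcl` pair boils down to: parsing a security descriptor with `System.Security.AccessControl.RawSecurityDescriptor`, mapping access-mask bits to the proposed `CARight` names, and appending an ACE. Assumptions made here: the right bits are the `CA_ACCESS_*` constants from `certadm.h`; the running CA stores the descriptor as the `REG_BINARY` value `Security` under `HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>`; the sample SDDL string and the `S-1-5-21-...-1105` group SID are constructed, not taken from a real CA. The function names are hypothetical.

```powershell
# Added example (not PSPKI's code): decode and extend the CA security descriptor
# that `certutil -getreg ca\security` / `-setreg ca\security` operate on.
# Assumptions: right bits are the CA_ACCESS_* constants from certadm.h; the live
# CA keeps the descriptor as the REG_BINARY value "Security" under
# HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# The CARight enum proposed in the post, as a lookup table (certadm.h values).
$CARight = [ordered]@{
    ManageCA                = 0x0001   # CA_ACCESS_ADMIN
    IssueManageCertificates = 0x0002   # CA_ACCESS_OFFICER
    ManageAudit             = 0x0004   # CA_ACCESS_AUDITOR  (role-separation role)
    ManageBackup            = 0x0008   # CA_ACCESS_OPERATOR (role-separation role)
    Read                    = 0x0100   # CA_ACCESS_READ
    RequestCertificates     = 0x0200   # CA_ACCESS_ENROLL
}

function ConvertTo-CARightName {
    # Expand an access mask into right names; unknown bits are reported, not dropped.
    param([Parameter(Mandatory)][int]$AccessMask)
    $known = 0
    foreach ($bit in $CARight.Values) { $known = $known -bor $bit }
    $names = @(foreach ($e in $CARight.GetEnumerator()) {
        if ($AccessMask -band $e.Value) { $e.Key }
    })
    $unknown = $AccessMask -band (-bnot $known)
    if ($unknown) { $names += ('Unknown(0x{0:X})' -f $unknown) }
    $names
}

function Get-CASecurityAce {
    # One object per DACL entry, like the proposed Get-CASecurityAcl output.
    param([Parameter(Mandatory, ValueFromPipeline)][RawSecurityDescriptor]$SecurityDescriptor)
    process {
        foreach ($ace in $SecurityDescriptor.DiscretionaryAcl) {
            if ($ace -isnot [CommonAce]) { continue }   # skip object/callback ACEs
            $sid = $ace.SecurityIdentifier
            try   { $identity = $sid.Translate([NTAccount]).Value }
            catch { $identity = $sid.Value }             # unresolvable SID: show it raw
            [pscustomobject]@{
                Identity   = $identity
                AccessType = $ace.AceType                # AccessAllowed / AccessDenied
                AccessMask = '0x{0:X4}' -f $ace.AccessMask
                Rights     = (ConvertTo-CARightName $ace.AccessMask) -join ', '
            }
        }
    }
}

function Add-CASecurityAce {
    # Mirrors the proposed Add-CASecurityAcl: add an allow/deny ACE for a user or group.
    param(
        [Parameter(Mandatory)][RawSecurityDescriptor]$SecurityDescriptor,
        [Parameter(Mandatory)][string]$User,            # "DOMAIN\Group" or an SID string
        [Parameter(Mandatory)][string[]]$Right,         # keys of $CARight
        [AccessControlType]$AccessType = [AccessControlType]::Allow
    )
    $mask = 0
    foreach ($r in $Right) {
        if (-not $CARight.Contains($r)) { throw "Unknown CA right '$r'" }
        $mask = $mask -bor $CARight[$r]
    }
    $sid = if ($User -like 'S-1-*') { [SecurityIdentifier]$User } else { ([NTAccount]$User).Translate([SecurityIdentifier]) }
    $allow = $AccessType -eq [AccessControlType]::Allow
    $qualifier = if ($allow) { [AceQualifier]::AccessAllowed } else { [AceQualifier]::AccessDenied }
    $ace = [CommonAce]::new([AceFlags]::None, $qualifier, $mask, $sid, $false, $null)
    $dacl = $SecurityDescriptor.DiscretionaryAcl
    # Keep the DACL canonical: deny entries go first, allow entries last.
    $dacl.InsertAce($(if ($allow) { $dacl.Count } else { 0 }), $ace)
    $SecurityDescriptor
}

function Get-LiveCASecurityDescriptor {
    # Read the running CA's descriptor from the registry (assumed location, see header).
    param([Parameter(Mandatory)][string]$CAName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    [RawSecurityDescriptor]::new([byte[]](Get-ItemProperty -Path $key -Name Security).Security, 0)
}

# Constructed sample descriptor (not taken from a real CA): Builtin Administrators get
# ManageCA + IssueManageCertificates (CCDC = 0x3); Authenticated Users get
# Read + RequestCertificates (0x300; SDDL has no letter code for 0x200, so hex is used).
$sd = [RawSecurityDescriptor]::new('O:BAG:SYD:(A;;CCDC;;;BA)(A;;0x300;;;AU)')
$sd | Get-CASecurityAce | Format-Table -AutoSize

# Give a hypothetical "PKI Officers" group (constructed SID) the certificate-manager right only,
# then emit the SDDL form, which is the representation certutil shows for ca\security.
$sd = Add-CASecurityAce -SecurityDescriptor $sd -User 'S-1-5-21-1234567890-1234567890-1234567890-1105' -Right IssueManageCertificates
$sd.GetSddlForm([AccessControlSections]::All)
```

Writing the modified descriptor back to the CA is deliberately left out: a DACL that drops the `ManageCA` bit for every administrator locks you out of the CA until the registry value is repaired, and configuration changed through the registry generally takes effect only after `certsvc` is restarted. Decode the live descriptor with `Get-LiveCASecurityDescriptor`, diff the output of `Get-CASecurityAce` before and after your change on a lab CA, and only then apply the resulting SDDL in production.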
Comments:
A few comments:
1) Get-CASecurity -- this command is on my roadmap. However, I'm not sure if I will be able to write the code in the upcoming update. But for sure, it will be delivered in the very near future. I have a PoC of this command, but it is not very well tested.
2) "wrappers around other certutil -setreg commands" -- my module does not rely on certutil in any way; everything is native (managed, with wrappers around unmanaged functions) code. I am thinking about Get/Set-CAConfigurationProperty (or so) with the following parameters: -ParameterName <string> -Value <object>. There is a lot of work, so it will require some time. I'm the only developer and can't write too much in short timeframes.
3) "get "resolved" AIA and CDP URLs (with placeholders resolved to their actual values for each CA certificate in use)" -- it isn't too hard. I will look into this.
4) "edit certificate templates' settings (which would probably require modifying the template objects in AD directly...)" -- it is currently postponed. I prepared a CertificateTemplates namespace for template editing, but there is a lot of work. I had a talk with the Windows PKI team; they said that certificate template modification outside of certtmpl.msc is not supported, so the only thing I can do is to implement the entire GUI behavior (and the relationships between settings).
5) "Allow retrieving issued and revoked certificate requests" -- it is already done. Get-RequestRow won't be refactored and marked "public". However, this function was rewritten significantly. Instead, there will be a more generic (public) function, Get-DatabaseRow, which allows dumping any CA table (there are 4 tables: Request, CRL, Extension and Attribute). The Request table contains all revoked, issued, pending and failed requests. I will retire the Get-IssuedCRL command (it was just an ad-hoc solution), because it will be moved to the Get-DatabaseRow command. However, specific commands like Get-RevokedRequest, Get-IssuedRequest, Get-PendingRequest and Get-FailedRequest are encouraged for use.
6) "Microsoft should definitely consider including your module natively" -- won't happen for a number of reasons, so there is a field for my module.
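Point 5 above describes a generic table dump over the four CA database tables, with the Request table holding issued, revoked, pending and failed requests together. The following is an added example, not the module author's Get-DatabaseRow nor any PSPKI code, of how such a dump can be built from PowerShell over the `ICertView` COM interface (`CertificateAuthority.View`), which is the same CA database view API `certutil -view` uses. Assumptions: the table selector and seek/sort constants are the `CVRC_TABLE_*`, `CVR_SEEK_EQ` and `CVR_SORT_NONE` values from `certview.h` as I know them; column names are the schema names reported by `certutil -schema` (e.g. `Request.Disposition`); the disposition code names are the commonly documented ones (9 pending, 20 issued, 21 revoked, 30 denied, 31 failed). Verify all three against `certutil -view` on your own CA. The function name and the config string `ca01.corp.example\Corp Issuing CA` are hypothetical.

```powershell
# Added example (not PSPKI's code): a generic "dump any CA table" function over the
# ICertView COM interface, in the spirit of the Get-DatabaseRow command described above.
# Assumptions: CVRC_TABLE_* / CVR_SEEK_* / CVR_SORT_* values from certview.h as I know
# them; schema column names as listed by `certutil -schema`; commonly documented
# Disposition codes. Verify against `certutil -view` on your own CA.

$CATable = @{
    Request   = 0x0000   # CVRC_TABLE_REQCERT  (issued, revoked, pending, failed requests)
    Extension = 0x3000   # CVRC_TABLE_EXTENSIONS
    Attribute = 0x4000   # CVRC_TABLE_ATTRIBUTES
    CRL       = 0x5000   # CVRC_TABLE_CRL
}
$DispositionName = @{ 9 = 'Pending'; 20 = 'Issued'; 21 = 'Revoked'; 30 = 'Denied'; 31 = 'Failed' }

function Get-CADatabaseRow {
    param(
        [Parameter(Mandatory)][string]$ConfigString,   # "CAHost\CA Common Name"
        [ValidateSet('Request','Extension','Attribute','CRL')][string]$Table = 'Request',
        [string[]]$Property,                           # schema column names; default: every column
        [int]$Disposition                              # optional Request.Disposition filter, e.g. 20
    )
    $view = New-Object -ComObject CertificateAuthority.View
    try {
        $view.OpenConnection($ConfigString)
        $view.SetTable($CATable[$Table])

        if ($Property) {
            $view.SetResultColumnCount($Property.Count)
            foreach ($p in $Property) { $view.SetResultColumn($view.GetColumnIndex(0, $p)) }
        } else {
            $count = $view.GetColumnCount(0)           # 0 = CVRC_COLUMN_SCHEMA
            $view.SetResultColumnCount($count)
            for ($i = 0; $i -lt $count; $i++) { $view.SetResultColumn($i) }
        }
        if ($PSBoundParameters.ContainsKey('Disposition')) {
            # SetRestriction(columnIndex, seekOperator, sortOrder, value): 1 = CVR_SEEK_EQ, 0 = CVR_SORT_NONE
            $view.SetRestriction($view.GetColumnIndex(0, 'Request.Disposition'), 1, 0, $Disposition)
        }

        $rows = $view.OpenView()
        while ($rows.Next() -ne -1) {                  # Next() returns -1 after the last row
            $row = [ordered]@{}
            $cols = $rows.EnumCertViewColumn()
            while ($cols.Next() -ne -1) {
                $name  = $cols.GetName()
                $value = $cols.GetValue(1)             # 1 = CV_OUT_BASE64 for binary columns
                if ($name -match 'Disposition$' -and $null -ne $value -and $DispositionName.ContainsKey([int]$value)) {
                    $value = '{0} ({1})' -f $DispositionName[[int]$value], $value
                }
                $row[$name] = $value
            }
            [pscustomobject]$row
        }
    } finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($view)
    }
}

# Usage (needs a reachable CA; the config string is a placeholder):
# every request regardless of disposition, then counted per disposition.
Get-CADatabaseRow -ConfigString 'ca01.corp.example\Corp Issuing CA' `
    -Property 'Request.RequestID', 'Request.RequesterName', 'Request.Disposition', 'NotAfter' |
    Group-Object 'Request.Disposition' | Select-Object Name, Count
```

Leaving `-Disposition` out is what gives the "all requests in one command" result the original post asked for; passing `-Disposition 20` narrows it to issued certificates the way a dedicated Get-IssuedRequest would. Restricting `-Property` matters on a busy CA: pulling every column includes the raw request and certificate blobs for each row, which is both slow and, for a read-only audit, more data than the caller should be handling.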