Hello,
I'm not sure this is the right place to make a feature request... Please excuse me if it is not.
I would like to be able to manage the security settings of the CA through PowerShell (setting CA administrators, certificate managers, etc.).
I think I saw a thread on TechNet where Brian Komar or yourself said that it was possible to do so with `certutil -setreg ca\security`, but the format to use was not specified (and I'd guess it would require some SDDL...).
What I imagine is new cmdlets with signatures similar to the following:
```
Get-CASecurityAcl [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Add-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <CARight[]>] [<CommonParameters>]
Set-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [<CommonParameters>]
Remove-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]
```
And a new CARight enum that would contain something like `Read`, `ManageCA`, `IssueManageCertificates` and `RequestCertificates`.
While I'm at it, it would also be interesting to have:
* wrappers around other `certutil -setreg` commands like being able to enable/disable role separation, configure restrictions for certificate managers and enrollment agents, audit filters, etc.
* get "resolved" AIA and CDP URLs (with placeholders resolved to their actual values for each CA certificate in use)
* edit certificate templates' settings (which would probably require modifying the template objects in AD directly...)
* allow retrieving issued and revoked certificate requests all in one command (which should be possible if the internal Get-RequestRow cmdlet was refactored/made public and the filter on `Disposition` removed). Not sure it is possible to return pending/failed requests in one request though...
Whether or not you implement any of those proposals, thank you very much for making administering AD CS with PowerShell so easy! Microsoft should definitely consider including your module natively in the OS to complement the too simple existing cmdlets.
Best regards,
Jordan
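As an added illustration of what the proposed `Get-CASecurityAcl` would have to decode (example code written for this thread, not code from the PSPKI project or from the request above): the CA's `Security` registry value is a binary security descriptor, and each ACE's access mask maps onto the CA roles the proposed `CARight` enum names. Assumptions: the `CertSvc\Configuration\<CA>\Security` location, the `CA_ACCESS_*` bit values from certca.h, and a constructed SDDL sample so the decoder runs without a CA.

```powershell
# Access-mask bits the CA service uses (CA_ACCESS_* values from certca.h).
$CARight = @{
    ManageCA           = 0x1    # CA_ACCESS_ADMIN:    CA administrator
    ManageCertificates = 0x2    # CA_ACCESS_OFFICER:  certificate manager
    Auditor            = 0x4    # CA_ACCESS_AUDITOR
    BackupOperator     = 0x8    # CA_ACCESS_OPERATOR
    Read               = 0x100  # CA_ACCESS_READ
    Enroll             = 0x200  # CA_ACCESS_ENROLL:   request certificates
}

function ConvertFrom-CASecurityDescriptor {
    # Turns the DACL of a CA security descriptor into one row per principal.
    param([Parameter(Mandatory)][System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        # Only plain allow/deny ACEs carry a CA access mask; skip other ACE types.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $rights = $CARight.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key } | Sort-Object
        try   { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $ace.SecurityIdentifier.Value }   # unresolvable SID: keep it raw
        [pscustomobject]@{
            Identity   = $account
            AccessType = $ace.AceType          # AccessAllowed / AccessDenied
            Rights     = $rights -join ', '
            RawMask    = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

function Get-CASecurityFromRegistry {
    # Live read on a CA host (assumed location; needs read access to the CertSvc key).
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $bytes  = (Get-ItemProperty -Path "$cfg\$caName" -Name Security).Security
    New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
}

# Constructed sample descriptor (placeholder domain SID, not from any real CA):
# two groups get ManageCA + ManageCertificates (0x3), Authenticated Users get Read + Enroll (0x300).
$sampleSddl = 'O:BAG:BAD:(A;;0x3;;;S-1-5-21-1111111111-2222222222-3333333333-519)' +
              '(A;;0x3;;;BA)(A;;0x300;;;AU)'
$sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sampleSddl)
$acl = ConvertFrom-CASecurityDescriptor -Descriptor $sd
$acl | Format-Table -AutoSize
# Review use: list everyone holding a management role, which is what an auditor checks first.
$acl | Where-Object { $_.AccessType -eq 'AccessAllowed' -and $_.Rights -match 'Manage' } |
    Select-Object Identity, Rights
# On a CA host: ConvertFrom-CASecurityDescriptor -Descriptor (Get-CASecurityFromRegistry)
```

The SDDL constructor needs Windows, since it calls the native SDDL parser; the placeholder domain SID deliberately fails NTAccount translation so the fallback path is exercised.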
Comments: Thanks for your reply.

1) Great to know! Don't rush the features of course. Even if they can't make it for quite some time, it's still good to know you have them on your roadmap somewhere.
2) I said it wrong, I'm sorry. I was thinking exactly about what you have in mind, of course not wrappers around certutil itself, which would not make much sense (especially for the `-setreg` commands, which can be done directly by modifying the registry). Something like `Set-CAConfigurationProperty` would be good but probably not ideal for the most complex "settings". Role separation would be OK for instance, but audit filters and restrictions for cert managers and enrollment agents would benefit from dedicated cmdlets I believe (like the Set-CASecurity I described, in fact). But again, I understand this requires a huge amount of work and nobody can expect you to implement all of this in short timeframes (or at all, for that matter...)!
3) I actually didn't even think it was "not too hard" :) Good to read this then! It would make some of my monitoring scripts less hacky...
4) That's what I thought, and it is too bad. I hope they'll rethink that in a future release. That would make it one of the very few aspects of Windows Server that wouldn't be manageable through PowerShell/managed code otherwise (or at least not in a supported way).
5) I meant __both__ issued and revoked in one cmdlet. Today, if I want to search for certificates matching a particular filter, either revoked or not, I have to run 2 commands: one with Get-IssuedRequest and one with Get-RevokedRequest. I agree with you that those cmdlets are best in most circumstances, but there are some situations where you don't really care whether the certificate is revoked or not (I have this need for some reporting, for instance). The `Get-DatabaseRow` is a very good idea anyway and seems better than my original idea.
6) That's what I thought :)
7) Oh, and while I'm thinking about it... it would probably be interesting to have an equivalent of `certutil -verify` (with and without the `-urlfetch` switch) natively in the module. Something like `Test-CertificateValidity` maybe... Anything that could help revive the old [camonitor.vbs](http://gallery.technet.microsoft.com/scriptcenter/164e8047-d7bf-4774-91cf-90d46b82e725) monitoring script in a more modern way would probably help a lot of people.

Thank you for reading, and keep up the amazing work you do. Jordan