Channel: Public Key Infrastructure PowerShell module

Commented Unassigned: [Feature request] Set-CASecurityAcl and misc. [59]

Hello,

I'm not sure this is the right place to make a feature request... Please excuse me if it is not.
I would like to be able to manage the security settings of the CA through PowerShell (setting CA administrators, certificate managers, etc.).
I think I saw a thread on technet where Brian Komar or yourself said that it was possible to do so with `certutil -setreg ca\security` but the format to use was not specified (and I'd guess it would require some SDDL...).

What I imagine is new cmdlets with signatures similar to the following:
```
Get-CASecurityAcl [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]

Add-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <CARight[]>] [<CommonParameters>]

Set-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [<CommonParameters>]

Remove-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]
```

And a new CARight enum that would contain something like `Read`, `ManageCA`, `IssueManageCertificates` and `RequestCertificates`.

While I'm at it, it would also be interesting to have:
* wrappers around other `certutil -setreg` commands, such as enabling/disabling role separation, configuring restrictions for certificate managers and enrollment agents, audit filters, etc.
* getting "resolved" AIA and CDP URLs (with placeholders replaced by their actual values for each CA certificate in use)
* editing certificate templates' settings (which would probably require modifying the template objects in AD directly...)
* retrieving issued and revoked certificate requests all in one command (which should be possible if the internal Get-RequestRow cmdlet were refactored/made public and the filter on `Disposition` removed). Not sure it is possible to return pending/failed requests in one request though...

Whether or not you implement any of these proposals, thank you very much for making administering AD CS with PowerShell so easy! Microsoft should definitely consider including your module natively in the OS to complement the existing cmdlets, which are far too limited.

Best regards,
Jordan
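As an added illustration of what the proposed `Get-CASecurityAcl` could look like (this is not code from the request above or from the PSPKI module): it reads the CA's security descriptor from the registry value behind `certutil -getreg ca\security` and decodes each ACE into the CA-specific rights the request names. Assumptions: it runs locally on the CA with read access to the `CertSvc\Configuration\<CAName>` key, the CA name is passed explicitly, and the access-mask bit values are the `CA_ACCESS_*` constants from `certsrv.h`.

```powershell
# Added example, not part of the original request or of the PSPKI module.
# CA access-mask bits, taken from the CA_ACCESS_* constants in certsrv.h.
[Flags()] enum CARight {
    ManageCA                = 0x1     # CA_ACCESS_ADMIN
    IssueManageCertificates = 0x2     # CA_ACCESS_OFFICER
    Audit                   = 0x4     # CA_ACCESS_AUDITOR
    Backup                  = 0x8     # CA_ACCESS_OPERATOR
    Read                    = 0x100   # CA_ACCESS_READ
    RequestCertificates     = 0x200   # CA_ACCESS_ENROLL
}

function Get-CASecurityAcl {
    [CmdletBinding()]
    param(
        # Name of the CA as it appears under CertSvc\Configuration (assumed: local CA).
        [Parameter(Mandatory)][string]$CAName
    )
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

    # The Security value is a REG_BINARY self-relative security descriptor,
    # the same data certutil -getreg ca\security prints.
    [byte[]]$raw = (Get-ItemProperty -Path $keyPath -Name Security).Security
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $raw, 0

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow/deny ACEs carry a SID and an access mask we can decode.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier

        # Fall back to the raw SID when the account cannot be resolved (deleted, foreign domain).
        $account = $sid.Value
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        # Mask off any bits the enum does not name so the flags render as a readable list.
        $known = [int]([CARight]::ManageCA -bor [CARight]::IssueManageCertificates -bor
                       [CARight]::Audit -bor [CARight]::Backup -bor
                       [CARight]::Read -bor [CARight]::RequestCertificates)
        [pscustomobject]@{
            Identity   = $account
            AccessType = $ace.AceType            # AccessAllowed / AccessDenied
            Rights     = [CARight]($ace.AccessMask -band $known)
            RawMask    = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}
```

For a quick review of who can administer the CA, filter the output with `Where-Object { ($_.Rights -band [CARight]::ManageCA) -ne 0 }`; those are the principals whose membership deserves the closest scrutiny.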
Comments:

> The Windows PKI team does not consider PowerShell a serious tool and will stick with certutil for years.

They can't really expect sysadmins to be versed in the low-level C API (like when you want to write a custom policy module, which in my opinion should not even be required when you simply want to customize subject names or similar things that should be available right from the GUI) or to have to use COM objects and parse certutil output whenever you want to automate something... Not to mention all the GUI-only stuff like certificate templates, which isn't automatable at all (quite bad for a PKI). That, plus the difficulty of finding exhaustive, easy-to-search documentation of all certutil commands, makes it quite clear to me that something like your module is an absolute requirement for everyone actually using the product (i.e. not developers). Thanks a lot for filling this gap! You can't imagine how much time we're not losing thanks to you.

> Do you mean similar output, or just getting the status?

Not similar output, since certutil does that job quite well. It's just a nightmare if I want to parse that output in a script rather than run it interactively. I'd like a native PowerShell result that is easy to work with. I don't know exactly how, but some custom object structure that could contain all the verifications of `certutil -f -verify -urlfetch` for the whole chain, with an easily interpretable output format that can be used in scripts. And probably even better, the possibility to __not__ pass a certificate object at all to the command but instead a CA object, which would then check, for all CA certificates, all AIA, CDP and OCSP URLs and the validity of their responses (close to expiring, etc.).

> 5 years ago I wrote a PoC which performs certificate validation and simply reports the exact issues, if any: http://www.sysadmins.lv/PermaLink,guid,b14ea574-ca90-4f1b-9845-35b6ce273fb2.aspx

I'm redirected to https://pspki.codeplex.com/workitem/Test-Certificate but the link does not seem to work (blank page), and unfortunately it is not referenced on archive.org...
