Hello,
I'm not sure this is the right place to make a feature request... Please excuse me if it is not.
I would like to be able to manage the security settings of the CA through PowerShell (setting CA administrators, certificate managers, etc.).
I think I saw a thread on technet where Brian Komar or yourself said that it was possible to do so with `certutil -setreg ca\security` but the format to use was not specified (and I'd guess it would require some SDDL...).
What I imagine is new cmdlets with signatures similar to the following:
```
Get-CASecurityAcl [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Add-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <CARight[]>] [<CommonParameters>]
Set-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [<CommonParameters>]
Remove-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]
```
And a new CARight enum that would contain something like `Read`, `ManageCA`, `IssueManageCertificates` and `RequestCertificates`.
While I'm at it, it would also be interesting to have:
* wrappers around other `certutil -setreg` commands like being able to enable/disable role separation, configure restrictions for certificate managers and enrollment agents, audit filters, etc.
* get "resolved" AIA and CDP URLs (with placeholders resolved to their actual values for each CA certificates in use)
* edit certificate templates' settings (which would probably require modifying the template objects in AD directly...)
* Allow retrieving issued and revoked certificate requests all in one command (which should be possible if the internal Get-RequestRow cmdlet was refactored/made public and the filter on `Disposition` removed). Not sure it is possible to return pending/failed requests in one request though...
Whether you implement any of those proposals, thank you very much for making administrating AD CS with PowerShell so easy! Microsoft should definitely consider including your module natively in the OS to complement the too simple existing cmdlets.
Best regards,
Jordan
Comments: Yes exactly like pkiview.msc! Well I need both the certutil -verify and pkiview.msc behaviors. I've written some monitoring/alerting script that mimics part of what pkiview.msc does but there are hardcoded bits and there are some checks I was not able to perform (or not easily at least). The problem I have is that I have both an AD CS PKI (2 independent hierarchies in fact) and an external non-Microsoft based PKI to monitor. If more of those checks were possible easily from PowerShell directly, that would make my scripts much more simple and powerful.
I'm not sure this is the right place to make a feature request... Please excuse me if it is not.
I would like to be able to manage the security settings of the CA through PowerShell (setting CA administrators, certificate managers, etc.).
I think I saw a thread on technet where Brian Komar or yourself said that it was possible to do so with `certutil -setreg ca\security` but the format to use was not specified (and I'd guess it would require some SDDL...).
What I imagine is new cmdlets with signatures similar to the following:
```
Get-CASecurityAcl [-CertificationAuthority] <CertificateAuthority[]> [<CommonParameters>]
Add-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [[-AccessMask] <CARight[]>] [<CommonParameters>]
Set-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [<CommonParameters>]
Remove-CASecurityAcl [-InputObject] <SecurityDescriptor[]> [[-User] <NTAccount[]>] [[-AccessType] <AccessControlType>] [<CommonParameters>]
```
And a new CARight enum that would contain something like `Read`, `ManageCA`, `IssueManageCertificates` and `RequestCertificates`.
While I'm at it, it would also be interesting to have:
* wrappers around other `certutil -setreg` commands like being able to enable/disable role separation, configure restrictions for certificate managers and enrollment agents, audit filters, etc.
* get "resolved" AIA and CDP URLs (with placeholders resolved to their actual values for each CA certificates in use)
* edit certificate templates' settings (which would probably require modifying the template objects in AD directly...)
* Allow retrieving issued and revoked certificate requests all in one command (which should be possible if the internal Get-RequestRow cmdlet was refactored/made public and the filter on `Disposition` removed). Not sure it is possible to return pending/failed requests in one request though...
Whether you implement any of those proposals, thank you very much for making administrating AD CS with PowerShell so easy! Microsoft should definitely consider including your module natively in the OS to complement the too simple existing cmdlets.
Best regards,
Jordan
Comments: Yes exactly like pkiview.msc! Well I need both the certutil -verify and pkiview.msc behaviors. I've written some monitoring/alerting script that mimics part of what pkiview.msc does but there are hardcoded bits and there are some checks I was not able to perform (or not easily at least). The problem I have is that I have both an AD CS PKI (2 independent hierarchies in fact) and an external non-Microsoft based PKI to monitor. If more of those checks were possible easily from PowerShell directly, that would make my scripts much more simple and powerful.