Using PowerShell to clear or remove all AIA and CDP entries in Active Directory Certificate Services for Windows Server 2012


You may have already seen that you can deploy most Windows Server 2012 role services with Windows PowerShell. If you are interested in Active Directory Certificate Services (AD CS), you've probably noticed the PowerShell commands for deploying all six available CA role services: AD CS Deployment Cmdlets in Windows PowerShell. You may also have noticed that there are several commands for managing AD CS, very creatively called the AD CS Administration Cmdlets in Windows PowerShell ;-) There are three main things that these AD CS Administration cmdlets allow you to do in Windows Server 2012:

  1. Add, remove, or list the certificate templates - these are only the templates that are already configured on the server. This is essentially the same as using the Certificate Templates UI to "publish" templates on the server.
  2. Add, remove, or list the Authority Information Access (AIA) entries - these are the locations where the CA certificate is published. Client computers use them to download the CA certificate while building a certificate chain and deciding whether it is trusted.
  3. Add, remove, or list the Certificate Revocation List (CRL) Distribution Point (CDP) entries - these are the locations where the CA publishes the CRL, so that clients can check whether a particular certificate has been revoked.

One of the things that may seem difficult when you are planning to publish the AIA or CDP is that there are several default entries. When you set up a PKI, this often means that you will need to first clear out the existing entries. This wasn't really a problem with the certutil command because it would overwrite what was there originally. However, the PowerShell cmdlets add to or remove from what is there; they never replace the whole list. When you need to remove all the default entries before publishing your own, you probably don't want to write out a separate Remove command for each one, especially when they are just the defaults.

Fortunately, I met Jason Fare (IT Architect for FIS, Inc.) at TEC 2012 during a course with Brian Komar and he quickly created a couple of PowerShell one-liner commands to show us how easily you can remove all the default CDP and AIA entries with PowerShell.

To remove all the existing CDP entries, you can run the following PowerShell command:

# Get every configured CDP entry, then remove each one by its URI (-Force skips the confirmation prompt)
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) { Remove-CACrlDistributionPoint -Uri $crl.Uri -Force };

To remove all the existing AIA entries, you can run the following PowerShell command:

# Get every configured AIA entry, then remove each one by its URI (-Force skips the confirmation prompt)
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) { Remove-CAAuthorityInformationAccess -Uri $aia.Uri -Force };
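Because the cmdlets only add to or remove from the existing list, the complete procedure is: look at what is there, clear it, add your own locations, and restart the CA service so the new values take effect. The script below is an added example, not Jason's one-liners or anything from the TechNet documentation. The host name pki.example.com and the CertEnroll paths are constructed placeholders for your own publishing location, and the -WhatIf rehearsal assumes the cmdlets honour PowerShell's standard -WhatIf switch; the %1, %3, %4, %8 and %9 tokens are the standard AD CS replacement variables used by the default entries.

```powershell
# Added example (not from the original post): rebuild the CDP and AIA lists on a
# Windows Server 2012 CA. Run from an elevated PowerShell session on the CA itself.
# pki.example.com and the paths below are constructed placeholders; replace them.

Import-Module ADCSAdministration

# 1. Record what is configured before touching anything, so the change can be reviewed or reverted.
Write-Host "CDP entries before:"
Get-CACrlDistributionPoint | Select-Object -ExpandProperty Uri
Write-Host "AIA entries before:"
Get-CAAuthorityInformationAccess | Select-Object -ExpandProperty Uri

# 2. Rehearse the removal. Nothing changes while -WhatIf is present (assumes standard -WhatIf support).
Get-CACrlDistributionPoint | ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force -WhatIf }
Get-CAAuthorityInformationAccess | ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force -WhatIf }

# 3. Remove every existing entry. Each Remove-* call takes a single URI, hence the loop.
Get-CACrlDistributionPoint | ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess | ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# 4. Add the CDP entries you actually want.
#    %3 = CA name, %8 = CRL name suffix, %9 = delta CRL allowed (standard AD CS tokens).
#    Local file path: where the CA writes the base and delta CRL so the web server can serve them.
Add-CACrlDistributionPoint -Uri 'C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl' `
    -PublishToServer -PublishDeltaToServer -Force
#    HTTP location: this is the URL that ends up in issued certificates (base CRL and freshest/delta CRL).
Add-CACrlDistributionPoint -Uri 'http://pki.example.com/CertEnroll/%3%8%9.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# 5. Add the AIA entry that ends up in issued certificates.
#    %1 = server DNS name, %3 = CA name, %4 = certificate name suffix.
Add-CAAuthorityInformationAccess -Uri 'http://pki.example.com/CertEnroll/%1_%3%4.crt' `
    -AddToCertificateAia -Force

# 6. The CA reads CDP/AIA settings at start-up, so restart the service for the change to apply.
Restart-Service certsvc

# 7. Confirm the result.
Write-Host "CDP entries after:"
Get-CACrlDistributionPoint | Select-Object -ExpandProperty Uri
Write-Host "AIA entries after:"
Get-CAAuthorityInformationAccess | Select-Object -ExpandProperty Uri
```

Keep the "before" listing from step 1; certificates already issued still point at the old locations, so you need that record to know which URLs must keep serving a CRL until those certificates expire or are re-issued.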

Thanks to Jason for working out those commands and encouraging us to share them with people. You will see similar commands in future examples of our TechNet documentation for your convenience. :-)