Remove-Certificate Configuration

The cmdlet accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the cmdlet, access to these internal properties is provided through the Config method.

CertMgr Configuration Settings

CertComment: A comment to include in a saved certificate.

This settings specified the comment to use when calling SaveCertificate. This can only be used when CertificateOutputFormat is set to a value other than the default value. When CertificateOutputFormat is set to "SSH2PublicKey" the value of this setting should be the full header. For instance: "Comment: My Comment".

CertificateOutputFormat: The format of the certificate to save.

By default when SaveCertificate is called the certificate will be written in a PEM format. The format may be changed by setting CertificateOutputFormat to one of the following values:


"PEM" (default)	A PEM formatted public certificate. Example: -----BEGIN CERTIFICATE----- MIIBkTCB+6ADAgECAgEBMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTAzEwMDAgFw0wNzAx ... Pg49SpQ+HcUibIpum2O0hmnySH7BPGfXD8Lu -----END CERTIFICATE-----
"SSH2PublicKey"	A SSH2 formated public key. Example: ---- BEGIN SSH2 PUBLIC KEY ---- AAAAB3NzaC1yc2EAAAADAQABAAAAgQD5/STHUd7YkN1JyoyYnUvCf+Fyx1+ZleBJxvwDcm3y ... 6bVPTODELil1PVWJDlfdwoLZZKY2ACFHzxBqaOlYv1rbd2JIYAuqGca2ow== ---- END SSH2 PUBLIC KEY ----
"OpenSSHPublicKey"	An OpenSSH formatted public key. Example: ssh-rsa AAAAB3NzaC1y...
"P7B"	A P7B file.
"JWK"	A JWK that contains a public key.
"XML"	A XML file containing the public certificate. Example: <X509Data><X509Certificate>MIIBkTCB+6ADAgECAgEBMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTAzEwMDAgFw0wNzAx ... Pg49SpQ+HcUibIpum2O0hmnySH7BPGfXD8Lu</X509Certificate></X509Data>

CertKeyLength: The public key length for created certificates and keys.

When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the length of the new public key (in bits). The default value is 1024.

CertKeyType: The types of keys created for new certificates.

When CreateCertificate creates a new certificate and associated key, or when CreateKey creates a key, this setting determines the type of key generated: 1 for key exchange (encryption) keys, and 2 for digital signature keys. The default value is 1.

CertPublicKeyAlgorithm: The public key algorithm used when a certificate is created.

When CreateCertificate creates a new certificate and associated key, this setting determines the public key algorithm of the generated keys. Valid values are:

RSA (default)
DSA
ECDSA_P256
ECDSA_P384
ECDSA_P521
Ed25519
Ed448

CertSignatureAlgorithm: The signature algorithm used when creating certificates.

When CreateCertificate or IssueCertificate creates a new certificate, the signature algorithm used is specified by this setting. Possible values are:

MD2
MD5
SHA1
SHA256 (default)
SHA384
SHA512

CertValidityTime: The validity period for the certificate.

This configuration setting determines the duration in days that a newly created certificate remains valid. The certificate becomes valid as soon as it is created, unless CertValidityOffset is set. The duration is not changed if CertValidityOffset is set; the certificate will still expire CertValidityTime days after the validity period begins. The default value is 365 days.

CertValidityOffset: The number of days until the certificate becomes valid.

This configuration setting can be used to change when a newly created certificate becomes valid. By default, the certificate is valid as soon as it is created. Set CertValidityOffset to the number of days that this starting period should be offset from the current day. This setting also accepts negative values for back-dating the validity of a certificate. The default value is 0.

CSP: The Cryptographic Service Provider.

The name of the Cryptographic Service Provider used to provide access to certificate signing operations.

ExportedCert: The exported certificate file.

This setting holds the certificate data that is exported when ExportCertificate is called with an empty CertFile parameter. If ExportFormat is set to "PFX" this setting holds the hex encoded PFX file data. If ExportFormat is set to any other value this holds the raw certificate content (not encoded).

ExportFormat: The format of the exported certificate.

By default when ExportCertificate is called the certificate will be written as a PFX file. The format of the exported certificate may be changed by setting ExportFormat to one of the following values:


"PFX" or "PKCS12" (default)	A PFX file (PKCS12).
"PEM" or "PKCS1"	A PEM formatted PKCS1 private key file. Example: -----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQD5/STHUd7YkN1JyoyYnUvCf+Fyx1+ZleBJxvwDcm3yaZ98bvry ... 91y8ydb3mQ9l1hZudo2sj8tHnvEgph0r7B8hMM6Qaw== -----END RSA PRIVATE KEY-----
"PKCS8"	A PEM formatted PKCS8 private key file. Example: -----BEGIN PRIVATE KEY----- MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAPn9JMdR3tiQ3UnK ... HSvsHyEwzpBr -----END PRIVATE KEY-----
"OpenSSHPrivateKey"	An OpenSSH private key file. Example: -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcnNh ... AwQFBgcICQo= -----END OPENSSH PRIVATE KEY-----
"PPK"	A PuTTY private key file. Example: PuTTY-User-Key-File-2: ssh-rsa Encryption: none Comment: rsa-key-20180822 Public-Lines: 4 AAAAB3NzaC1yc2EAAAADAQABAAAAgQCmz5j5kWUKxfwiv6J0LQ4wN9ekpeORXVaP ... 8pSSWejQ5Q== Private-Lines: 8 AAAAgH87Sp/YcSw1dKoAZuWb0/2dKkKwMRIYEkS15caRpzAteay6WWX7l1sgBTU7 ... Oa0= Private-MAC: d53e24f44bde8d1d3844a142fbb1fa7c88ea3585
"JWK"	A JWK that contains a private key.

Note: On Linux/Unix the PFX/PKCS12 format is not supported. On Unix/Linux the default format is "PEM".

Note: ExportCertificate is not support on macOS.

ImportCertAction: Specified the action to take if a matching certificate or a link to a matching certificate already exists.

When calling ImportCertificate if a matching certificate or a link to a matching certificate already exists in the Windows certificate store this setting governs what action will be taken. Possible values are:


1	CERT_STORE_ADD_NEW - Imports a certificate only if no existing certificate is present.
2	CERT_STORE_ADD_USE_EXISTING - If an existing certificate is found, it is not replaced.
3 (default)	CERT_STORE_ADD_REPLACE_EXISTING - If an existing certificate is found it is replaced.
4	CERT_STORE_ADD_ALWAYS - No checks are performed and a new certificate is always added to the store. This can result in duplicates.
5	CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES - If an existing certificate is found it is replaced, and the new certificate inherits properties from the certificate it replaces.
6	CERT_STORE_ADD_NEWER - Imports a certificate only if the certificate is newer than an existing matching certificate.
7	CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES - Imports a certificate only if the certificate is newer than an existing matching certificate, and inherits the properties of old certificate it replaces.

JWKAlgorithm: The JWK algorithm.

This setting specifies the JWK algorithm. It can be set before calling ExportCertificate (if ExportFormat is set to JWK) or SaveCertificate (if CertificateOutputFormat is set to JWK) to control the key Id used to create the JWK. It will be populated if a JWK-formatted is loaded into the cmdlet.

Valid values are:

(empty string)
HS256
HS384
HS512
RS256
RS384
RS512
EC256
EC384
EC512

JWKKeyId: The JWK key Id.

This setting specifies the JWK key Id. It can be set before calling ExportCertificate (if ExportFormat is set to JWK) or SaveCertificate (if CertificateOutputFormat is set to JWK) to control the key Id used to create the JWK. It will be populated if a JWK-formatted is loaded into the cmdlet.

JWKKeyOps: The JWK intended key operations list.

This setting specifies the intended key operations for the JWK. It can be set before calling ExportCertificate (if ExportFormat is set to JWK) or SaveCertificate (if CertificateOutputFormat is set to JWK) to control the key Id used to create the JWK. It will be populated if a JWK-formatted is loaded into the cmdlet.

This setting format is a JSON array. Examples: ["sign","verify"] or ["encrypt"].

JWKUse: The JWK use parameter value.

Valid values are enc and sig.

KeyFormat: How the public and private key are formatted.

This setting controls the format of CertPublicKey and CertPrivateKey. By default these properties hold PEM formatted public and private key data. When set to 1 (XML) the keys are stored in a XML format. This only affects the values returned by the cmdlet; the actual keys remain the same regardless of this setting. Possible values are:

0 (PEM - default)
1 (XML)

The default value is 0 (PEM).

ReplaceKey: Whether or not to replace an existing key when creating a new key.

If this is false (default), the component will throw an error if a duplicate key exists while generating a new keyset using CreateKey. If set to true, the component will replace a key if it already exists when generating new keys.

RequestSubjectAltNames: Subject Alternative Names for a Certificate Signing Request.

This allows Subject Alternative Names to be added to a Certificate Signing request. The setting only supports email, DNS, URI, and IPv4 addresses. Separate alternative names should be separated by commas. For example:

string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"

SavedCert: The saved certificate file.

This setting holds the certificate data that is saved when SaveCertificate is called with an empty FileName parameter. If CertificateOutputFormat is set to "P7B" this setting holds the hex encoded P7B file data. If CertificateOutputFormat is set to any other value this holds the raw certificate content (not encoded).

SubjectAltNames: Subject Alternative Names for creating or issuing certificates.

This allows the Subject Alternative Names extension to be specified when creating or issuing a certificate via CreateCertificate or IssueCertificate. This setting only supports email, DNS, URI, and IPv4 addresses. Separate alternative names should be separated by commas. For example:

string altNames = "email:copy,dns:domain.com,dns.1:other.domain.com,uri:http://www.domain.com,ip:192.168.1.102"

Base Configuration Settings

UseBackgroundThread: Whether threads created by the cmdlet are background threads.

If set to True, when the cmdlet creates a thread the thread's IsBackground property will be explicitly set to True. By default this setting is False.

UseInternalSecurityAPI: Tells the cmdlet whether or not to use the system security libraries or an internal implementation.

By default the cmdlet will use the system security libraries to perform cryptographic functions. When set to False calls to unmanaged code will be made. In certain environments this is not desirable. To use a completely managed security implementation set this setting to True. Setting this to True tells the cmdlet to use the internal implementation instead of using the system's security API.

Note: This setting is static. The value set is applicable to all cmdlets used in the application.

When this value is set the product's system DLL is no longer required as a reference, as all unmanaged code is stored in that file.