Modify "Certificate Purposes" programmatically

    Question

  • Dear All,

    Currently I have 2 user certificates installed on my local certificate store, issued by the same Issuing CA.

    They both have the "Intended Purpose" Client Authentication enabled.

    I would like to know if there is a way to, programmatically, disable this "purpose" on my certificate.

    I'm able to do that using the mmc console, opening the certificate properties and on the "Certificate Purposes" I select "Enable only the following purposes", and then unselect "Client Authentication". Is there any solution to do this by script?

    Thanks in advance for your help.


    Edgar Oliveira

    Saturday, June 22, 2013 8:36 AM

Answers

  • You are attacking this from the wrong end of the process.

    The correct way is to configure the certificate template prior to certificate issuance.

    Brian

    • Proposed as answer by Brian Komar [MVP] Saturday, June 22, 2013 11:43 AM
    • Marked as answer by Ted Xie Thursday, June 27, 2013 7:05 AM
    Saturday, June 22, 2013 11:43 AM

All replies

  • Hi,

    Yes, I know that.

    But the issue is there and the certificates are in production, deployed in thousands of users.

    So, this is supposed to be a workaround.

    And no, I cannot re-issue new certificates and delete the old ones as we use them to encrypt emails.

    If we do so, users will no longer be able to read old encrypted emails.

    That's why the workaround would be to remove client authentication from one of the certificates.

    Thanks


    Edgar Oliveira

    Saturday, June 22, 2013 1:21 PM
  • As Brian said, it is neither possible nor supported in any way. I'm afraid Brian's response is correct and no workarounds are available for you.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Saturday, June 22, 2013 3:43 PM