Client certificates provide a way for users to be authenticated when logging on to Microsoft Communications Server 2010; certificates are particularly useful for telephones and other devices running Microsoft Communicator “14” Phone Edition, where it is difficult to enter a user name and/or password. The Revoke-CsClientCertificate cmdlet provides a way for administrators to revoke a client certificate that has been issued to a user.
Syntax
Revoke-CsClientCertificate -Identity <UserIdParameter> [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]
Parameters
Parameter | Required | Type | Description
---|---|---|---
Identity | Required | User Identity | Indicates the Identity of the user account whose certificate is to be revoked. User Identities can be specified using one of four formats: 1) the user's Session Initiation Protocol (SIP) address; 2) the user's Universal Principal Name; 3) the user's domain name and logon name, in the form domain\logon (for example, litwareinc\kenmyer); and 4) the user's Active Directory Domain Services display name (for example, Ken Myer). Note that the SamAccountName cannot be used as an identity because it is not necessarily unique in a forest.
Force | Optional | Switch Parameter | Suppresses the display of any non-fatal error message that might arise when running the command.
WhatIf | Optional | Switch Parameter | Describes what would happen if you executed the command without actually executing the command.
Confirm | Optional | Switch Parameter | Prompts you for confirmation before executing the command.
Detailed Description
Client certificates provide an alternate way for users to be authenticated by Communications Server 2010. Instead of having to provide a user name and password, users provide an X.509 certificate stored on a smart card or a hardware device such as a cell phone running Communicator “14” Phone Edition. (This certificate must have a Subject Name or Subject Alternate Name that identifies the user, and must be issued by an Enterprise Certificate Authority.) To be authenticated, users only need to type in a PIN; it’s typically easier for cell phone users to type in a PIN than to type in an alphanumeric user name and/or password.
At any time administrators can revoke a client certificate that has been issued to a user; this is done by using the Revoke-CsClientCertificate cmdlet. By default, Revoke-CsClientCertificate deletes all the client certificates issued to the user in question. If you only want to delete a specific certificate or set of certificates (for example, all the client certificates that have already expired) you will need to use the Get-CsClientCertificate cmdlet to return the desired collection of certificates, then pipe that collection to Revoke-CsClientCertificate. See the Examples section of this help topic for more information.
Revoke-CsClientCertificate does not actually delete the certificate itself; instead, the cmdlet simply prevents the user from using that certificate to log on to Communications Server 2010.
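The following script, added here as an example and not taken from the original topic, carries out the retrieve-filter-revoke procedure just described for the case of certificates issued before a cutoff date, with a -WhatIf dry run before the real revocation. It assumes the Communications Server 2010 management shell is loaded and that the objects returned by Get-CsClientCertificate expose the PublicationTime property used in the Examples section; the user name and cutoff date are constructed sample values.

```powershell
# Added example; not code from the original topic. Assumes the Communications
# Server 2010 management shell is loaded and that Get-CsClientCertificate
# returns objects with a PublicationTime property (as used in Example 2).

$user = "Ken Myer"                     # constructed sample user

# Build the cutoff as a real [datetime] from an ISO-8601 literal instead of a
# culture-dependent string such as "1/1/2010", so the comparison below does
# not change meaning on a shell with a different regional date format.
$cutoff = [datetime]'2010-01-01'

# Keep only the certificates issued before the cutoff (-lt = earlier than).
$stale = Get-CsClientCertificate -Identity $user |
    Where-Object { $_.PublicationTime -lt $cutoff }

if (-not $stale) {
    Write-Host "No client certificates issued to $user before $cutoff."
}
else {
    # Dry run: -WhatIf reports each revocation without performing it, so the
    # filtered set can be reviewed before anything is changed.
    $stale | Revoke-CsClientCertificate -WhatIf

    # Perform the revocation; -Confirm prompts before each certificate is revoked.
    # Revocation only blocks logon with the certificate; it does not delete it.
    $stale | Revoke-CsClientCertificate -Confirm
}
```

Because Revoke-CsClientCertificate revokes every certificate issued to the user when called directly, the filter step is what limits the action to the intended subset; running the pipeline with -WhatIf first shows exactly which certificates that subset contains.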
Return Types
Revoke-CsClientCertificate revokes instances of the Microsoft.Rtc.Management.UserPinService.CertInfoDetails object.
Examples
-------------------------- Example 1 ------------------------
```powershell
Revoke-CsClientCertificate -Identity "Ken Myer"
```
The command shown in Example 1 revokes all the client certificates currently assigned to Ken Myer; this is done by calling Revoke-CsClientCertificate followed by the Identity of the user whose certificates are to be revoked.
-------------------------- Example 2 ------------------------
```powershell
Get-CsClientCertificate -Identity "Ken Myer" | Where-Object {$_.PublicationTime -gt "1/1/2010"} | Revoke-CsClientCertificate
```
The preceding command revokes any client certificates that were issued to Ken Myer after January 1, 2010. To do this, the command first uses Get-CsClientCertificate to retrieve a collection of all the certificates issued to Ken Myer. This collection is then piped to the Where-Object cmdlet, which selects only those certificates where the PublicationTime property is later than (that is, greater than, or -gt) January 1, 2010 (1/1/2010); to select the certificates issued before that date instead, use the -lt operator. This filtered collection is then piped to Revoke-CsClientCertificate, which, in turn, revokes each certificate in the collection.