Public/Publish-PWSHCertutilCACrl.ps1

function Publish-PWSHCertutilCACrl {
    <#
    .SYNOPSIS
        Publishes a fresh CRL on the CAs of a profile and emits the decoded result per CA.
    .DESCRIPTION
        Loads the module configuration, resolves the requested profile and selects either
        every CA listed in it or the single CA named by -CAFqdn. For each selected CA the
        work is delegated to module helpers: Get-CASession provides the remote (WinRM)
        session, Invoke-CertutilCrl publishes the CRL (certutil -crl) and returns the
        resulting file as Base64, and ConvertFrom-CertutilAsn1 decodes that Base64
        (certutil -dump). One object is written to the pipeline per CA that succeeds.
        Supports -WhatIf and -Confirm; a CA that is declined is skipped.
    .PARAMETER Profile
        Name of the configuration profile whose CAs are targeted.
    .PARAMETER CAFqdn
        Optional. Restricts the operation to the CA whose 'fqdn' entry in the profile
        equals this value. The function throws if the profile has no such CA.
    .PARAMETER Credential
        Optional PSCredential handed to Get-CASession. When omitted, no credential is
        passed and the session is expected to use the current user.
    .EXAMPLE
        Publish-PWSHCertutilCACrl -Profile 'prod-pki'
        Publishes a new CRL on every CA in the 'prod-pki' profile.
    .EXAMPLE
        Publish-PWSHCertutilCACrl -Profile 'prod-pki' -CAFqdn 'ca01.corp.local'
        Publishes a new CRL on ca01.corp.local only.
    .EXAMPLE
        Publish-PWSHCertutilCACrl -Profile 'prod-pki' -WhatIf
        Shows which CAs would have a CRL published without performing the action.
    .OUTPUTS
        PSCustomObject. Profile, CAServer, FileName, LastWriteTime, PublishOutput, CrlBase64, and CRLDecoded properties.
    .NOTES
        A failure on one CA is reported with Write-Error (non-terminating by default) and
        the loop moves on to the next CA, so that CA simply has no object in the output.
        Automation that depends on every CA having a current CRL should compare the
        returned CAServer values with the expected set, or call with -ErrorAction Stop.

        This function performs no signature or validity-period check on the CRL itself;
        CrlBase64 and CRLDecoded are returned as produced by the helpers.
    #>

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    [OutputType([PSCustomObject])]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string] $Profile,

        [Parameter()]
        [string] $CAFqdn,

        [Parameter()]
        [pscredential] $Credential
    )

    $settings        = Read-ConfigFile
    $profileSettings = Get-ProfileConfig -Config $settings -ProfileName $Profile

    # Default to every CA in the profile; narrow to one only when -CAFqdn was supplied.
    $targets = $profileSettings.cas
    if ($PSBoundParameters.ContainsKey('CAFqdn')) {
        $targets = $profileSettings.cas | Where-Object { $_.fqdn -eq $CAFqdn }
        if (-not $targets) {
            # Refuse to fall back to "all CAs" when the named CA is unknown.
            throw "CA '$CAFqdn' is not defined in profile '$Profile'."
        }
    }

    foreach ($target in $targets) {
        $caHost = $target.fqdn

        # -WhatIf / -Confirm gate: nothing remote is touched for a declined CA.
        if ($PSCmdlet.ShouldProcess($caHost, 'Publish CRL')) {
            try {
                $remoteParams = @{
                    CAFqdn         = $caHost
                    RemotingConfig = $profileSettings.remoting
                }
                # Only forward a credential the caller explicitly provided.
                if ($PSBoundParameters.ContainsKey('Credential')) {
                    $remoteParams['Credential'] = $Credential
                }
                $remoteSession = Get-CASession @remoteParams

                $published = Invoke-CertutilCrl -Session $remoteSession
                $decoded   = ConvertFrom-CertutilAsn1 -CrlBase64 $published.CrlBase64

                [PSCustomObject]@{
                    Profile       = $Profile
                    CAServer      = $caHost
                    FileName      = $published.FileName
                    LastWriteTime = $published.LastWriteTime
                    PublishOutput = $published.PublishOutput
                    CrlBase64     = $published.CrlBase64
                    CRLDecoded    = $decoded
                }
            } catch {
                # Per-CA failure is surfaced but does not abort the remaining CAs.
                Write-Error "Failed to publish CRL on '$caHost': $_"
            }
        }
    }
}