Public/Set-PWSHCertutilConfig.ps1

function Set-PWSHCertutilConfig {
    <#
    .SYNOPSIS
        Creates or updates a profile in the Posh-Certutil JSON configuration.
    .DESCRIPTION
        Writes or updates a named profile in Posh-Certutil.json. The certutil -restrict and
        -out values for each operation are pre-populated with defaults; edit the JSON file
        directly to customise them after creation. Supports -WhatIf.
    .PARAMETER Profile
        Name of the profile to create or update.
    .PARAMETER CAFqdn
        One or more CA FQDNs to include in this profile.
    .PARAMETER DisplayName
        Optional display name for each CA, in the same order as -CAFqdn. Defaults to the FQDN.
    .PARAMETER Description
        Optional description for this profile.
    .PARAMETER UseTls
        Use HTTPS (port 5986) for WinRM. Default: $true.
    .PARAMETER Port
        WinRM port. Defaults to 5986 when -UseTls is $true, 5985 otherwise.
    .PARAMETER MaxSessionsPerCA
        Maximum concurrent WinRM sessions per CA server. Default: 2.
    .EXAMPLE
        Set-PWSHCertutilConfig -Profile 'prod-pki' -CAFqdn 'ca01.corp.local','ca02.corp.local' -UseTls $true -Description 'Production PKI'
        Creates the 'prod-pki' profile with two CAs using TLS.
    .EXAMPLE
        Set-PWSHCertutilConfig -Profile 'lab' -CAFqdn 'ca-lab.lab.local' -UseTls $false
        Creates a non-TLS lab profile.
    .OUTPUTS
        PSCustomObject. The saved profile as returned by Get-PWSHCertutilConfig.
    #>

    [CmdletBinding(SupportsShouldProcess)]
    [OutputType([PSCustomObject])]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string] $Profile,

        [Parameter(Mandatory)]
        [string[]] $CAFqdn,

        [Parameter()]
        [string[]] $DisplayName,

        [Parameter()]
        [string] $Description = '',

        [Parameter()]
        [bool] $UseTls = $true,

        [Parameter()]
        [int] $Port,

        [Parameter()]
        [int] $MaxSessionsPerCA = 2
    )

    if (-not $PSBoundParameters.ContainsKey('Port')) {
        if ($UseTls) { $Port = 5986 } else { $Port = 5985 }
    }

    $cas = for ($i = 0; $i -lt $CAFqdn.Count; $i++) {
        [ordered]@{
            fqdn        = $CAFqdn[$i]
            displayName = if ($DisplayName -and $i -lt $DisplayName.Count) { $DisplayName[$i] } else { $CAFqdn[$i] }
        }
    }

    $profileEntry = [ordered]@{
        description  = $Description
        remoting     = [ordered]@{
            useTls           = $UseTls
            port             = $Port
            maxSessionsPerCA = $MaxSessionsPerCA
        }
        cas          = @($cas)
        certutilView = [ordered]@{
            restrict = [ordered]@{
                issuedCerts   = 'GeneralFlags=0,Disposition=20'
                revokedCerts  = 'Disposition=21'
                expiringCerts = 'GeneralFlags=0,Disposition=20,NotAfter>={TODAY},NotAfter<={EXPIRE_DATE}'
                search        = '{DYNAMIC}'
            }
            out      = [ordered]@{
                issuedCerts   = @('RequestID','RequesterName','CommonName','NotBefore','NotAfter','CertificateTemplate','SerialNumber')
                revokedCerts  = @('RequestID','RequesterName','CommonName','NotBefore','NotAfter','SerialNumber','RevokedReason','RevokedEffectiveWhen')
                expiringCerts = @('RequestID','RequesterName','CommonName','NotAfter','CertificateTemplate','SerialNumber')
                search        = @('RequestID','RequesterName','CommonName','NotBefore','NotAfter','CertificateTemplate','SerialNumber','RevokedReason','RevokedEffectiveWhen')
            }
        }
        syncState    = $null
    }

    if ($PSCmdlet.ShouldProcess($Profile, 'Create or update profile in Posh-Certutil.json')) {
        $config = Read-ConfigFile
        $config.profiles | Add-Member -MemberType NoteProperty -Name $Profile -Value $profileEntry -Force
        $config | ConvertTo-Json -Depth 10 | Set-Content -Path $script:ConfigPath -Encoding UTF8
        Write-Verbose "Profile '$Profile' written to $script:ConfigPath"
        Get-PWSHCertutilConfig -Profile $Profile
    }
}