pspki's People

Contributors

crypt32, reijoh


pspki's Issues

Cmdlets take too long for execution

Hi Vadims,

I'm using cmdlet get-ca and it seems to take several minutes to finish execution. It takes around 20-25 minutes.

I checked this cmdlet and I realized it is using this class/method to get CA object "[PKI.CertificateServices.CertificateAuthority]::EnumEnterpriseCAs".

I tried two different Enterprise CAs with the same hardware and OS (WS2012R2), and one of them finishes in just 1 second but the other one seems to get stuck.

Do you know if it takes into account CA database size, CRL size, remote registry, or any other component of the CA that could be the reason? The configuration between the CAs is similar (OCSP, AIA/CDP extensions, ...).

I really appreciate your help.

Thanks.

Get-CryptographicServiceProvider returns "Object reference not set to an instance of an object."

Function Get-CryptographicServiceProvider returns "Object reference not set to an instance of an object." if used without a parameter.

This is caused by [SysadminsLV.PKI.Cryptography.CspProviderInfoCollection]::GetProviderInfo which does not allow $null or empty string.

[SysadminsLV.PKI.Cryptography.CspProviderInfoCollection]::GetProviderInfo() returns provider as expected.

[SysadminsLV.PKI.Cryptography.CspProviderInfoCollection]::GetProviderInfo($name) returns "Object reference not set to an instance of an object." if $name is $null or "".

[Feature request] Allow -RowID and -Filter to be used together with Get-DatabaseRow

Using Get-DatabaseRow for the Attribute or Extension tables does not allow using the -RowID and -Filter parameters at the same time (if we specify both, only -RowID is taken into account).

There is a way around that by adding another filter for either AttributeRequestID or ExtensionRequestId but that is not clear and user-friendly.

[Feature request] Change Approve and Deny-CertificateRequest to output object

Currently those 2 commands write directly to the host/warning/error stream, making them almost impossible to work with in automated scripts where we do want to take actions depending on the actual return status.
I think in a general manner, Write-Host|Warning|Error should be banned from your entire module and replaced with custom objects with error code property.

Sync with codeplex

Hello Vadims!

Great 3.2.6 release! It fixes all bugs/problems I raised since the 3.2.5 :)

Just note that this repo is not synced with the release on codeplex (the PSD1 file still mentions 3.2.5.0 for instance and the libraries have not been updated).
You might have to re-think your release process since the move to a public repo ;-) Someone taking raw sources from here might have problems difficult to identify otherwise.

In my case, I don't like the installer for instance and always preferred to download the sources from codeplex (which you have not made available this time probably because of the move to github).

[Feature] CA database row processors can be more efficient

Commands that use a CA database row as pipeline input (such as Revoke-Certificate, Approve/Deny-Request, etc.) re-instantiate the ICertAdmin2 COM interface for each input object. It is necessary only when the config string changes. In practice, most requests come from one of very few CAs; as a result, it is possible to cache the config string and use the same ICertAdmin2 object for a series of input objects which came from the same CA.

Connect-CertificationAuthority sometimes showing CA is IsAvailable False

Hello

I wonder if you can help me with the following issue please,
Now and then I will get an issue connecting to the CA using Connect-CertificationAuthority -ComputerName CA01, whereby it connects but the status is as follows:

isAccessible: False
ServiceStatus: Running

As it says IsAccessible = False, I then cannot get or issue requests etc. I presume the ServiceStatus is coming back from a WMI call (please correct me if that is not the case), but what about IsAccessible: what is that querying? Does the query use a specific port etc.? The odd thing is it works most of the time, but every now and then it will report False, so I am trying to work out what I can do on the Windows/firewall side etc. to make it more reliable, e.g. True.

Thanks very much in advance :)

Powershell Gallery

Firstly thanks for such an awesome module, I was wondering with the imminent shutdown of codeplex is the plan to move the distribution of PSPKI over to the PowerShell gallery?

From a consumer perspective this would be awesome as it significantly reduces the complexities of setting up a new client as the installation of PowerShell Gallery modules can be easily scripted.

Getting request data from RawRequest fails

Hi,

I need to extract DNS data from a pending request, as shown in this article.

Anyhow, doing the following while using the latest module version fails for me:

$row = Get-PendingRequest -CA CANAME -Property "RawRequest" -Request;
$bytes = [convert]::FromBase64String($row."Request.RawRequest");
New-Object System.Security.Cryptography.X509CertificateRequests.X509CertificateRequest (,$bytes)

with the following error:

New-Object : Exception calling ".ctor" with "1" argument(s): "Object reference not set to an instance of an object."

I get the exact same error if, instead of manually creating X509CertificateRequest, I use the following:

Get-CertificateRequest -RawRequest $bytes

Is it a known issue, or am I doing something wrong? It might be worth mentioning that the above commands work on issued certificates (Get-IssuedRequest).

Getting signature algorithm of signed certificates

I'm trying to get the signature algorithm of signed certificates. The goal is to get a list of certificates that have been signed with sha1 before the sha256 migration of your PKI.

Using Get-IssuedRequest -Property * I'm not able to get the signature algorithm.

Is there another way to get the signature algorithm? Or am I doing something wrong?

thanks

Status Error for all my Enterprise CAs

Hello,

I tried to run the most updated script "Get-EnterprisePKIHealthStatus" for all my Enterprise CAs and always got Status = Error.

Apparently, no errors appearing in debug mode. And in pkiview.msc console I have an OK status for all CAs and PKI components.

I have a two-tier PKI with 1 Offline Root CA and 2 Online Enterprise CAs. Could the problem be that the script detects my Root CA as offline and therefore the final status code is Error?

I appreciate any help!

Thanks.

Alberto.

Deny-CertificateRequest Warning

When denying a request I am seeing: WARNING: The request's with ID = REQID current status does not allow this operation

However the certificate denial is actually completed successfully

Get-PendingRequest -CertificationAuthority -RequestID ##### |Deny-CertificateRequest
WARNING: The request's with ID = ##### current status does not allow this operation.

Additionally... Thank you very much for your work on PSPKI, it has greatly improved management of Microsoft CA's!

Errors when querying ADCS CA database

When using Get-RevokedRequest, Get-IssuedRequest, Get-PendingRequest or Get-FailedRequest and specifying additional non-capitalized properties, they fail with:

Exception calling "Add" with "2" argument(s): "An item with the same key has already been added."
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\3.3.0.0\Server\Get-RequestRow.ps1:121 char:13
+             $Row.Properties.Add($colName, $colVal)
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException

Get-CertificateRequest does not allow for relative Paths

Get-CertificateRequest returns file not found when using relative path like .\MyRequest.csr

Get-CertificateRequest -Path .\MyRequest.csr

The following works:

Get-CertificateRequest -Path ( Resolve-Path .\MyRequest.csr )

It would come in handy if relative paths were supported.

Get-CertificateRequest does not return all content of nested request

Using the following command together with a policy.inf file allows one to "change" some content of a CSR:

CertReq -f -q -config "MyCA\Test Root CA" -cert 88884808333333336960447CE1731EA6654345676 -policy .\MyFriends.CSR .\MyCPS.inf .\MyUpdated.csr

The command creates a new nested PKCS7 request file.
Using certutil -dump .\MyUpdated.csr returns 4 different objects:

PKCS7/CMS Message
PKCS7 Message Content:
================ Begin Nesting Level 1 ================
CMS Certificate Request:
---- CUSTOM REQUEST DATA BASED ON .\MyCPS.inf -------

================ Begin Nesting Level 2 ================
PKCS10 Certificate Request:
---- ORIGINAL REQUEST DATA BASED ON .\MyFriends.CSR -------

---------------- End Nesting Level 2 ----------------
---------------- End Nesting Level 1 ----------------
Signer Count: 2
Signer Info[0]:
NULL signature verifies
---- SOME KIND OF DUMMY SIGNATURE OID.1.3.6.1.4.1.311.21.9=Dummy Signer -------

Signer Info[1]:
---- SIGNER CERT -------

Reading the new request:

$req = Get-CertificateRequest ( Resolve-Path .\MyUpdated.csr )

$req.RequestType returns an object of type PKCS7 which seems to be the original request but as PKCS7
$req.ExternalData returns an object of content type CMC Data but with content SysadminsLV.PKI.Cryptography.X509CertificateRequests.X509CertificateRequestPkcs10 which is again the original request.

So the object returned by Get-CertificateRequest is missing the data injected by policy.inf as well as all signatures.

I'm happy to share more detailed examples if required

Thank you for your support.

Issue with certificatetemplate

Hello,

When we use the command Get-IssuedRequest we sometimes get the CertificateTemplate as an OID. When we would like to have more properties like the RawCertificate, the property CertificateTemplate also shows that RawCertificate.

Can you please help us with that issue?
Our CA runs on a Windows Server 2012 R2 and we are using version 3.2.6 of your Module

Thank you!

Set-CAKRACertificate changes my certificates thumbprint

I use PSPKI in Windows 2016 Core test environment. I know Windows 2016 is not in the list of supported OS, but I thought it's worth a try. ;)

The CA is newly installed; I do not have any KRA added on this system. I want to use PSPKI to add a KRA. The KRA certificate is already issued by another CA. The certificate is valid and trusted. It has the thumbprint (sample) 0F75CCFC39455ABD64851AAEF50D202B7580C3A7.

$CA | Get-CAKRACertificate

Certificate: Empty

$KRACert = Get-ADKRACertificate -Subject "CN=$CAKRA*"

$KRACert is from the type System.Security.Cryptography.X509Certificates.X509Certificate2 and contains the correct certificate, with the thumbprint 0F75CCFC39455ABD64851AAEF50D202B7580C3A7

$KRA = $CA | Add-CAKRACertificate -Certificate $KRACert

$KRA is from the type PKI.CertificateServices.KRA and the thumbprint is still 0F75CCFC39455ABD64851AAEF50D202B7580C3A7

$KRA | Set-CAKRACertificate -RestartCA $CA | Get-CAKRACertificate

After using Set-CAKRACertificate, the thumbprint suddenly changes! The thumbprint is now (sample) 5106DD2F848595803C817E72E1205A0AA1EF67C7. The subject, serial number etc. however is as expected (=correct). But, because of the wrong thumbprint, the certificate is, of course, invalid.
I tried to add Get-CAKRACertificate, Remove-CAKRACertificate etc. to my command. But still, in every scenario, as soon as I use Set-CAKRACertificate, the thumbprint changes to the wrong value (it's always the same wrong value).

If I use the Certification Authority console I can add the Key Recovery Agent successfully (and valid ;) ).

Refactor Write-Host and Write-Warning usage

As discussed in #4, the following functions need to be updated to get rid of Write-Host and Write-Warning (where it is used incorrectly):

* Approve-CertificateRequest
* Get-RequestRow
* Remove-CAKRACertificate
* Revoke-Certificate
* Remove-CertificateEnrollmentPolicyService
* Remove-CertificateEnrollmentService
* Remove-DatabaseRow
* Deny-CertificateRequest
* Add-CertificateEnrollmentService
* Add-CertificateEnrollmentPolicyService
* Add-CertificateTemplateAcl

Thank you.

Get-CertificationAuthority 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Hi

We are using an ADCS failover cluster, with only one server being active at a time. I am getting an error when trying to run the command Get-CertificationAuthority; I get the following error. I can confirm the RPC service is running and the certutil command line is working fine. I have a different system, a single enterprise CA in another environment, and the PSPKI module works fine on that one. Could you please help me resolve this issue?

Exception calling "EnumEnterpriseCAs" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable.
0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20

+ ... mputerSet" {[PKI.CertificateServices.CertificateAuthority]::EnumEnter ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : COMException

PS C:\> $error[0].exception.InnerException.StackTrace
at CERTADMINLib.CCertAdminClass.GetCAProperty(String strConfig, Int32 PropId, Int32 PropIndex, Int32 PropType, Int32 Flags)
at PKI.CertificateServices.CertificateAuthority.getCaProperty()
at PKI.CertificateServices.CertificateAuthority.initialize()
at PKI.CertificateServices.CertificateAuthority.initializeFromConfigString(String computerName, String name)
at PKI.CertificateServices.CertificateAuthority..ctor(String computerName, String name)
at PKI.CertificateServices.CertificateAuthority.EnumEnterpriseCAs(String findType, String findValue)
at CallSite.Target(Closure , CallSite , Type , String , String )

Cross Forest Functionality

Is there any way that the cmdlets/module can be used to interact with a CA across a two-way forest trust scenario? Currently, Get-CertificationAuthority only shows CAs in the local domain.

Get-CertificationAuthority under non-administrative user account

Hello.
When we use the command Get-CertificationAuthority under a non-administrative user account, but with the right "Issue and Manage Certificates" on the CA, we get a delay of about 3 seconds.

Our CA has Enterprise Subordinate type, runs on a Windows Server 2012 R2 and we are using version 3.2.6 of your module.

Please help us to solve this problem.
Thank you!

How to get DNS Name fields from SAN

How do I get the DNS name entries in the SAN (Subject Alternative Name) field of an issued certificate?

I couldn't find (or maybe missed) a way to get SAN information via Get-IssuedRequest.

Any help appreciated.

Thanks,
Mario
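One way to answer both this SAN question and the signature-algorithm question raised earlier on this page is to pull the RawCertificate column from the CA database and decode it with the .NET X509Certificate2 class. The following is an added example, not PSPKI's own code. It assumes that Get-IssuedRequest -Property RawCertificate returns the certificate as a base64 string (the same way Request.RawRequest is shown above), that PSPKI's -Filter syntax is "Column -operator value", and that the SAN extension's Format($false) output uses the English "DNS Name=" labels; the CA name ca01.contoso.test is a placeholder.

```powershell
# Added example (not part of PSPKI): decode RawCertificate rows from the CA database to
# read each certificate's signature algorithm and the DNS names in its SAN extension.
Import-Module PSPKI

function Get-IssuedCertificateSummary {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # PSPKI filter syntax "Column -operator value" (assumption); default keeps unexpired certificates
        [string[]]$Filter = @("NotAfter -ge $(Get-Date)")
    )
    Get-CertificationAuthority -ComputerName $ComputerName |
        Get-IssuedRequest -Filter $Filter -Property RequestID, RawCertificate |
        ForEach-Object {
            # Assumption: RawCertificate arrives as a base64 string, as Request.RawRequest does
            $bytes = [Convert]::FromBase64String($_.RawCertificate)
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)

            # Subject Alternative Name is OID 2.5.29.17. Format($false) renders it on one line as
            # "DNS Name=a.example, DNS Name=b.example" (English-locale wording assumed).
            $dnsNames = @()
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
            if ($san) {
                $dnsNames = @($san.Format($false) -split ',\s*' |
                    Where-Object { $_ -like 'DNS Name=*' } |
                    ForEach-Object { ($_ -split '=', 2)[1] })
            }

            [pscustomobject]@{
                RequestID          = $_.RequestID
                Subject            = $cert.Subject
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA, sha256RSA, ...
                NotAfter           = $cert.NotAfter
                DnsNames           = $dnsNames
            }
        }
}

# Usage: list the certificates still signed with SHA-1 ahead of a SHA-256 migration,
# together with every DNS name each one covers.
Get-IssuedCertificateSummary -ComputerName 'ca01.contoso.test' |
    Where-Object { $_.SignatureAlgorithm -like 'sha1*' } |
    Select-Object RequestID, Subject, NotAfter, @{ n = 'DnsNames'; e = { $_.DnsNames -join ';' } } |
    Format-Table -AutoSize
```

Parsing the formatted SAN text is locale-dependent; on a non-English system, or if exact ASN.1 fidelity matters, decode the extension's RawData with an ASN.1 reader instead. Restricting the filter to unexpired certificates keeps the query small on large databases.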

Problems with ECDSA Certificates generation

Using Self-Signed certificate generator, when executing the Following Command:

New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -KeyLength 256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable

I get the following error:

New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Invalid flags specified. 0x80090009 (-2146893815 NTE_BAD_FLAGS)

And when I take away the -KeyLength 256 argument:

New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable

I get the following error

New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

Set-CertificateExtension problem with naming constraint and certificate policies extensions

Hello Vadims,

There seems to be a bug in the Set-CertificateExtension function with some extensions types only.
The function works perfectly in most cases for me but with the naming constraint and certificate policies extensions, I have to rely on a mix of your PSPKI library and certutil -setextension instead.

Here is a sample script where I took random data to reproduce the problem (you must have at least one pending request of course):

$policy1Qualifier = New-Object System.Security.Cryptography.X509Certificates.X509PolicyQualifier 'http://example.com'
$policy1QualifierCollection = New-Object System.Security.Cryptography.X509Certificates.X509PolicyQualifierCollection
[void] $policy1QualifierCollection.Add($policy1Qualifier)
$policy1 = New-Object System.Security.Cryptography.X509Certificates.X509CertificatePolicy '1.3.6.1.4.1.6334.1.0',$policy1QualifierCollection

$policy2Qualifier = New-Object System.Security.Cryptography.X509Certificates.X509PolicyQualifier 'http://example.com'
$policy2QualifierCollection = New-Object System.Security.Cryptography.X509Certificates.X509PolicyQualifierCollection
[void] $policy2QualifierCollection.Add($policy2Qualifier)
$policy2 = New-Object System.Security.Cryptography.X509Certificates.X509CertificatePolicy '1.3.6.1.4.1.6334.1.1',$policy2QualifierCollection

$policiesCollection = New-Object System.Security.Cryptography.X509Certificates.X509CertificatePolicyCollection
[void] $policiesCollection.Add($policy1)
[void] $policiesCollection.Add($policy2)
$policiesExtension = New-Object System.Security.Cryptography.X509Certificates.X509CertificatePoliciesExtension $policiesCollection,$false


$permittedSubtree = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeNameCollection
$dnsType = [System.Security.Cryptography.X509Certificates.X509AlternativeNamesEnum]::DnsName
$corpDomains = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeName $dnsType,'.local'
$excludedSubtree = New-Object System.Security.Cryptography.X509Certificates.X509AlternativeNameCollection
[void] $excludedSubtree.Add($corpDomains)
$nameConstraintExt = New-Object System.Security.Cryptography.X509Certificates.X509NameConstraintsExtension $permittedSubtree,$excludedSubtree
$nameConstraintExt.Critical = $false

$extCollection = New-Object System.Security.Cryptography.X509Certificates.X509ExtensionCollection
[void] $extCollection.Add($policiesExtension)
[void] $extCollection.Add($nameConstraintExt)

Connect-CertificationAuthority | Get-PendingRequest | Set-CertificateExtension -Extension $extCollection -Verbose

For the certificate policies extension, I have an error.
For the naming constraint extension, the extension is added to the request but the actual DnsName in the excluded subtree is an empty string.

If I export both extensions to a binary file and then use certutil -setextension with that file, then it works.
I have a working workaround so this is not a high-priority bug but I hate having to fallback to certutil :)

Remove Write-Host from Get-EnterprisePKIHealthStatus

Hi,

As per the best practices, cmdlets should not be using Write-Host function to display any output. Anyhow, it seems that Get-EnterprisePKIHealthStatus cmdlet does not comply with that, always outputting the CA name due to the following line:

Write-Host ("=" * 20) $CA.DisplayName ("=" * 20)

Is it possible to remove this line, convert it to Write-Verbose, or introduce an additional switch parameter which would allow suppressing it?

Thank you.

Convert pem to pfx question

Can you tell me how to do this with your module:

openssl pkcs12 -export -out c:\cert.pfx -inkey ".pem" -in ".pem" -certfile "ca.pem"

So that you have a CA in the pfx file?

I was able to use your module to create a pfx file but wasn't certain how I get the CA in the PFX like OpenSSL command above.

Alias for Get-CertificationAuthority

Hi,

To use the cmdlet Get-CertificationAuthority we have to type Get-Certificati + Tab or Get-Cer + Tab 13 times.
Given that we have to pipe this cmdlet to many other cmdlets from the PSPKI module, could you please implement an alias for the Get-CertificationAuthority cmdlet (for example gca)?

Thanks in advance and thanks again for your great work!

Can the docs explain the difference between PSPKI and PKI modules?

Heya! I'm having trouble understanding the relationship of this module to the inbuilt one in Powershell 5.

* Is PSPKI an updated version of PKI, or a new codebase?
* Why is New-SelfSignedCertificateEx called New-SelfSignedCertificateEx when it is New-SelfSignedCertificate in PKI? Is that so I could have them both installed simultaneously?

Get-Command -module PKI on PS5 and Get-Command -module PSPKI show there's some overlap and some difference, but it would be great if README.md explained it better.

Test-WebServerSSL exception

I'm managing a set of servers where Test-WebServerSSL throws an exception no matter where I try to connect to. The problem looks exactly like I'm trying to access a port where either SSL isn't in use, or the port is not reachable at all. But I've verified multiple times that the port is reachable, and via openssl a valid connection is also established.

PS C:\> Test-WebServerSSL -url server.contoso.tld -port 80
Exception calling "SendRequest" with "0" argument(s): "Object reference not set to an instance of an object."
At C:\Program Files\WindowsPowerShell\Modules\pspki\Client\Test-WebServerSSL.ps1:26 char:2
+     $Response.SendRequest()
+     ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NullReferenceException

I'm proposing a more specific error message for that error. Either it should tell me the port is not reachable, or that the port doesn't support any SSL/TLS. Or even more details on what the problem is at all.
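The distinction asked for above (port unreachable versus port open but not speaking TLS versus TLS up but the certificate untrusted) can be made by running the three stages separately and reporting which one failed. The following is an added example written against the .NET TcpClient, SslStream and X509Chain classes; it is not PSPKI's Test-WebServerSSL, and the host name server.contoso.tld is a placeholder.

```powershell
# Added example (not PSPKI code): classify a TLS endpoint failure by the stage at which it fails.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ HostName = $HostName; Port = $Port; Status = $null; Protocol = $null; Subject = $null; Detail = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Stage 1: plain TCP connect with a timeout. Failure here means "port unreachable".
        try {
            $handle = $client.BeginConnect($HostName, $Port, $null, $null)
            if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $result.Status = 'PortUnreachable'; $result.Detail = "no TCP connection within $TimeoutMs ms"
                return [pscustomobject]$result
            }
            $client.EndConnect($handle)
        } catch {
            $result.Status = 'PortUnreachable'; $result.Detail = $_.Exception.GetBaseException().Message
            return [pscustomobject]$result
        }

        # Stage 2: TLS handshake. Certificate trust is checked in stage 3, so an untrusted
        # certificate is reported as such rather than as a failed handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
        } catch {
            # A plain-HTTP port answers the ClientHello with text, which surfaces here as
            # "unexpected packet format" or a closed connection.
            $result.Status = 'NoTls'; $result.Detail = $_.Exception.GetBaseException().Message
            return [pscustomobject]$result
        }
        $result.Protocol = $ssl.SslProtocol

        # Stage 3: build the chain against the local trust store.
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.Subject = $cert.Subject
        if ($chain.Build($cert)) {
            $result.Status = 'TlsOk'
        } else {
            $result.Status = 'TlsUntrustedCertificate'
            $result.Detail = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        return [pscustomobject]$result
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage: the port-80 case from the report above, and the normal HTTPS port.
Test-TlsEndpoint -HostName 'server.contoso.tld' -Port 80
Test-TlsEndpoint -HostName 'server.contoso.tld' -Port 443
```

X509Chain.Build checks chain trust and revocation (per the chain policy defaults) but not host-name matching, so a certificate issued for a different name still reports TlsOk; compare $result.Subject and the SAN against $HostName if that matters for the check.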

New-SelfSignedCertificateEx failing with Uninitialized object (Exception from HRESULT: 0x80040007 (OLE_E_BLANK))

Trying this configuration, modified according to issue #42.

$newSelfSignedCertificateExParameters = @{
    Subject            = "CN=DscEncryptionCert"
    EKU                = 'Document Encryption'
    KeyUsage           = 'KeyEncipherment, DataEncipherment'
    SAN                = 'dns:DscEncryptionCert'
    FriendlyName       = 'DSC Credential Encryption certificate'
    Exportable         = $true
    StoreLocation      = 'LocalMachine'
    KeyLength          = 2048
    ProviderName       = 'Microsoft Enhanced Cryptographic Provider v1.0'
    AlgorithmName      = 'RSA'
    SignatureAlgorithm = 'SHA256'
}

$certificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExParameters

When running this on the AppVeyor I get the following error (build worker is running Windows Server 2012 R2)
https://ci.appveyor.com/project/johlju/xpsdesiredstateconfiguration/build/6.0.106.0?fullLog=true#L21

I get the same error if I run it manually on Windows 10.0.17692.1000. When I had the parameters like in issue #42 the certificate was generated on Windows 10, although with the Subject and issuer, and does not report this error. 🙂

New-SelfSignedCertificateEx : Uninitialized object (Exception from HRESULT: 0x80040007 (OLE_E_BLANK))
At line:1 char:28
+ ... rtificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExPa ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [New-SelfSignedCertificateEx], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,New-SelfSignedCertificateEx

Is there something missing, like a component that needs to be installed before running the command?

Btw. It works both in AppVeyor and locally if I run the script from the Script Gallery. But since that is not supported anymore, I'd like to use this module.

Set-CertificateTemplateAcl enables Enroll and Autoenroll when only Autoenroll is specified

Consider the following scenario:
Get-CertificateTemplate -name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -user someuser -accesstype allow -accessmask autoenroll | Set-CertificateTemplateAcl

Both Enroll and Autoenroll are added. This is because of the -regex switch in the switch statement, and both Enroll and Autoenroll match this pattern.
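The behaviour described above follows from two PowerShell switch semantics: under -regex an unanchored pattern such as 'Enroll' matches anywhere in the string, so it also matches 'AutoEnroll', and a switch keeps evaluating later clauses after a match unless the clause ends with break. The following is an added example, not PSPKI's code: a reduced version of the pattern that reproduces the over-grant, beside the anchored form that grants only what was asked for. The right names are taken from the cmdlet's -AccessMask values shown on this page; the helper functions are hypothetical.

```powershell
# Added example (not PSPKI code): the 'switch -regex' pitfall behind the over-granted Enroll right.

# Reproduces the reported behaviour: 'Enroll' is an unanchored, case-insensitive regex and
# matches inside 'AutoEnroll', so both clauses run and both rights are granted.
function ConvertTo-AccessMaskBuggy {
    param([string[]]$AccessMask)
    $rights = @()
    foreach ($entry in $AccessMask) {
        switch -regex ($entry) {
            'Enroll'     { $rights += 'Enroll' }
            'AutoEnroll' { $rights += 'AutoEnroll' }
            'Read'       { $rights += 'Read' }
            'Write'      { $rights += 'Write' }
        }
    }
    return $rights
}

# Fixed form: anchor every pattern so only the whole right name matches, and reject
# anything unknown instead of silently ignoring it. (Dropping -regex and comparing whole
# strings would work equally well.)
function ConvertTo-AccessMask {
    param([string[]]$AccessMask)
    $rights = @()
    foreach ($entry in $AccessMask) {
        switch -regex ($entry) {
            '^Enroll$'     { $rights += 'Enroll' }
            '^AutoEnroll$' { $rights += 'AutoEnroll' }
            '^Read$'       { $rights += 'Read' }
            '^Write$'      { $rights += 'Write' }
            default        { throw "Unknown access right '$entry'" }
        }
    }
    return $rights
}

# Usage: the scenario from the report, one right requested.
"Buggy: " + ((ConvertTo-AccessMaskBuggy -AccessMask 'AutoEnroll') -join ', ')
"Fixed: " + ((ConvertTo-AccessMask      -AccessMask 'AutoEnroll') -join ', ')
```

Running this shows the buggy function returning both Enroll and AutoEnroll for a request that named only AutoEnroll, while the anchored form returns AutoEnroll alone. Because template ACLs decide who can obtain certificates, an audit of template permissions after using the affected release is worthwhile: any principal that should only autoenroll but also holds Enroll was granted more than intended.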

Specifying properties causes CertificateTemplate to have wrong value

I'm having the following problem when listing certificates.

PS C:\> $foo = Get-CertificationAuthority -ComputerName certserver.domain.com | Get-IssuedRequest | select-object -First 1
PS C:\> $foo

RequestID             : 4
Request.RequesterName : DOMAIN\SERVERNAME$
CommonName            :
NotBefore             : 2/17/2017 6:14:57 PM
NotAfter              : 2/17/2018 6:14:57 PM
SerialNumber          : 4a0000000433928ae77eb46c33000000000004
CertificateTemplate   : 1.3.6.1.4.1.311.21.8.14878822.896839.16074912.9548190.15434057.227.8936861.11382353
RowId                 : 4
ConfigString          : certserver.domain.com\CASERVER2
Table                 : Request

PS C:\> $properties = `
>> 'RequestID', `
>> 'CertificateTemplate', `
>> 'CertificateHash', `
>> 'SerialNumber', `
>> 'NotBefore', `
>> 'NotAfter' , `
>> 'DistinguishedName', `
>> 'CommonName', `
>> 'Request.CallerName', `
>> 'Request.RequesterName', `
>> 'Request.RevokedEffectiveWhen', `
>> 'Request.RevokedReason'

PS C:\> $foo = Get-CertificationAuthority -ComputerName certserver.domain.com | Get-IssuedRequest -Property $properties | select-object -First 1
PS C:\> $foo


RequestID                    : 4
Request.RequesterName        : DOMAIN\SERVERNAME$
CommonName                   :
NotBefore                    : 2/17/2017 6:14:57 PM
NotAfter                     : 2/17/2018 6:14:57 PM
SerialNumber                 : 4a0000000433928ae77eb46c33000000000004
CertificateTemplate          : 89 72 8b 64 39 aa dd f7 60 4e 0f 12 ab 61 98 b2 e8 a5 9f ac
CertificateHash              : 89 72 8b 64 39 aa dd f7 60 4e 0f 12 ab 61 98 b2 e8 a5 9f ac
DistinguishedName            :
Request.CallerName           : DOMAIN\SERVERNAME$
Request.RevokedEffectiveWhen :
Request.RevokedReason        :
RowId                        : 4
ConfigString                 : certserver.domain.com\CASERVER2
Table                        : Request

Note the CertificateTemplate in the second command has the same value as CertificateHash. If I do -Property *, it does the same thing but with EnrollmentFlags (which is the next property in the list).

What's going wrong? I've only been able to duplicate this on one of my two CA servers.

Importing the module on recent PowerShell versions fails with Update-TypeData errors

OS: Windows 10 version 1803—or corresponding Windows Server version
PowerShell version: built-in (5.1.17134.1)

Trying to import the module fails with a multitude of the following errors:

Update-TypeData : Error in TypeData "System.Security.Cryptography.X509Certificates.X509Certificate2": The member ResolvedExtensions is already present.

Workaround:

comment out (or remove) the following block in .psm1 file

if ($PSVersionTable["PSVersion"].Major -gt 2) {
    try {
        Update-TypeData $PSScriptRoot\Types\PSPKI.Types.ps1xml
        Update-FormatData $PSScriptRoot\Types\PSPKI.Format.ps1xml
    } catch { }
}

This works, but breaks digital signature, hence not very useful.

New-SelfSignedCertificateEx not setting issuer and subject

Trying to generate a certificate using the following.

$newSelfSignedCertificateExParameters = @{
    Subject            = "CN=DscEncryptionCert"
    EKU                = 'Document Encryption'
    KeyUsage           = 'KeyEncipherment, DataEncipherment'
    SAN                = 'DscEncryptionCert'
    FriendlyName       = 'DSC Credential Encryption certificate'
    Exportable         = $true
    StoreLocation      = 'LocalMachine'
    KeyLength          = 2048
    ProviderName       = 'Microsoft Enhanced Cryptographic Provider v1.0'
    AlgorithmName      = 'RSA'
    SignatureAlgorithm = 'SHA256'
}

$certificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExParameters

But the result looks like this (issuer and subject are blank).

[screenshot: certificate properties with blank Issuer and Subject]

Am I using it wrong?

Set-CertificateTemplateAcl constraint error

Hello there,
thanks for this great module, but I ran into an issue which I was not able to solve. I cannot set template ACLs, it always produces this error no matter what user or group I try. I am Enterprise Admin and have local admin on the CA:

PS C:\> import-module pspki
PS C:\> get-certificatetemplateacl -Template WebServer

Path                                    Owner                                   Access
----                                    -----                                   ------
CN=WebServer,CN=Certificate Template... AD\Enterprise Admins                    {PKI.Security.AccessControlEntry2, P...


PS C:\> get-certificatetemplateacl -Template WebServer | Add-CertificateTemplateAcl -User ad\ca-templateadmins -AccessType Allow -AccessMask Read,Write | Set-CertificateTemplateAcl
Set-CertificateTemplateAcl : Exception calling "CommitChanges" with "0" argument(s): "A constraint violation occurred.
"
At line:1 char:158
+ ... k Read,Write | Set-CertificateTemplateAcl
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-CertificateTemplateAcl

I am using the latest version of your module on a Windows 2008 R2 enterprise CA with a domain/forest also on the 2008 R2 level. I have looked into the source files, added debug output and tried to manually do the steps in the module, but I could not solve this issue. Can you please help me?

Module Requirements (2008R2 core)

I'm looking at the module requirements

This module can run on any of the specified operating systems:

Windows Server 2008*/2008 R2/2012/2012 R2
Windows Vista**/7**/8**/8.1**/10**

* — Server Core installation is not supported.

** — with installed RSAT (Remote System Administration Tools)

So, according to this, the module will NOT run on 2008 Core, but SHOULD run on 2008R2 Core. I'm saying should, as code that I have working on 2008R2 full GUI is throwing a CAPI unavailable error on R2 core.

I have NetFX2-Server Core, plus NDP451 installed on the server (as well as WMF 5.1).

Is there something that I'm missing that I need to install, or does the module just not run on 2008R2 core?

Thanks.

Graham

Make database queries and objects in general timeout-aware

I am not sure this is even possible to handle so this issue is for discussion purpose mostly.
I am using your library and module on "relatively large" CA databases (about half a million rows at the time of writing for my highest volume CA) and wrote some scripts that are run via scheduled tasks in order to generate reports, send notification emails, etc.

My problem is that the scripts are taking more and more time to execute the more the database grows (that is expected), leading to what appears to be timeout issues. For example one reporting script queries over almost all of the records, does some filtering on user-side (because of the poor filtering capabilities of AD CS API) and for each record does some relatively heavy processing (additional database queries, some AD + DNS + Exchange checks and so on), before moving on to the next record.
If I just make this one big query, the connection to the CA (or the COM object I don't know) fails at some point, which led me to slice the query (at the moment 10,000 records at a time only).

This is mostly working but more difficult to write/maintain and it is now taking forever to execute for some of those tasks...
I even replaced some of them with pure certutil-based queries (with its output mode to CSV) because this is just incredibly faster. I know .NET/PowerShell code can't be as efficient as C code like certutil, especially when working with COM classes, but this made me wonder if it was possible to a) speed up the library a little (unlikely I guess) and b) at least make it "timeout-aware", i.e. capable of transparently handling dropped connections to the COM class/underlying CA and automatically re-establishing the connection, without any developer action.

In the meantime, we are looking for a solution that would extract the databases of several CAs to a single location with real SQL-like capabilities and that would probably make all of this unnecessary but that is another (and maybe utopic) subject :)
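The slicing approach described in the post above (reading the database in fixed-size pages keyed on RequestID, and re-acquiring the CA object when a page fails) can be wrapped in a single helper so the scheduled scripts do not carry the retry logic themselves. The following is an added example, not code from PSPKI or from the issue author. It assumes the PSPKI cmdlets `Get-CertificationAuthority` (with `-ComputerName`) and `Get-AdcsDatabaseRow` (with `-CertificationAuthority`, `-Table`, `-Filter` and `-Property`), that row objects expose the request row number as `RowId`, and uses a placeholder CA host name; adjust those names if your PSPKI version differs.

```powershell
# Added example (not PSPKI's own code). Assumes Get-CertificationAuthority / Get-AdcsDatabaseRow
# as found in current PSPKI releases; the CA host name below is a placeholder.
Import-Module PSPKI

function Get-CaRowsPaged {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,              # CA host, e.g. 'ca01.example.test' (placeholder)
        [ValidateSet('Request','Issued','Revoked','Pending','Failed')]
        [string]$Table = 'Issued',
        [int]$PageSize = 10000,                                   # same slice size the post settled on
        [int]$MaxRetries = 3,
        [string[]]$Property = @('RequestID','CommonName','NotAfter','SerialNumber')
    )

    # Re-creating the CA object is the "reconnect" step: the COM handle lives inside it.
    $connect = { Get-CertificationAuthority -ComputerName $ComputerName }
    $ca      = & $connect
    $lastId  = 0          # keyset paging: always ask for rows strictly after the last one seen

    while ($true) {
        $page = $null
        for ($attempt = 1; $attempt -le $MaxRetries; $attempt++) {
            try {
                # Filter on the indexed RequestID column so each page is cheap for the CA,
                # and stop the pipeline after $PageSize rows instead of pulling everything.
                $page = @(Get-AdcsDatabaseRow -CertificationAuthority $ca -Table $Table `
                            -Filter "RequestID -gt $lastId" -Property $Property |
                          Select-Object -First $PageSize)
                break
            } catch {
                Write-Warning ("Page after RequestID {0} failed (attempt {1}/{2}): {3}" -f `
                               $lastId, $attempt, $MaxRetries, $_.Exception.Message)
                if ($attempt -eq $MaxRetries) { throw }   # give up: caller sees the real error
                Start-Sleep -Seconds (5 * $attempt)       # back off, then re-establish the CA object
                $ca = & $connect
            }
        }
        if ($page.Count -eq 0) { break }                   # no rows left after $lastId: done

        foreach ($row in $page) {
            $row                                           # stream each row to the caller's pipeline
        }
        # RowId is assumed to be the request row number; the next page starts after it.
        $lastId = ($page | ForEach-Object { $_.RowId } | Measure-Object -Maximum).Maximum
        Write-Verbose ("Processed up to RequestID {0}" -f $lastId)
    }
}

# Usage: heavy per-record work stays in the caller, one page at a time, so a dropped COM
# connection only costs a retry of the current page rather than the whole report.
# Get-CaRowsPaged -ComputerName 'ca01.example.test' -Table Issued -Verbose |
#     Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
#     Export-Csv -NoTypeInformation .\expiring-soon.csv
```

Because paging is keyed on RequestID rather than on a row offset, a reconnect never re-reads or skips rows even if certificates are issued while the report runs; the cost of a failure is bounded by one page of at most `$PageSize` rows.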

Get-CertificationAuthorities (Get-CA) returns $null

import-module PSPKI
$test = Get-CA
Write-Host $test  # Returns a CertificationAuthority
Invoke-Command -ComputerName . -ScriptBlock {
    import-module PSPKI
    $test = Get-CA
    Write-Host $test # Returns null.
}

Same behavior when providing Invoke-command administrator level credentials.

Using
Windows Server 2012 R2
PowerShell v5.0
PSPKI 3.2.6.0
.net <= 4

code conversion from PKI module

I would appreciate if you could let know how to convert the below code to PSPKI..

$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My"
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password
Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer

The above code is from https://azure.microsoft.com/en-in/documentation/articles/cloud-services-certs-create/

Thanks

Bug when using module on 2008R2/2016 Core (possibly other editions too)

There is currently an issue when installing the module on server Core - tested on 2008R2 and 2016, but probably also the same on 2008, 2012 and 2012R2 as well.

If you pull the module from git rather than Gallery, and delete the Server directory, the module installs (and seems to work ) on 2008R2/2016 Core - thanks to Crypt32 for pointing that out (see issue #29)

When loading the module on core, the Client functions should be exported, and the server ones should not be exported. The help should also be updated to only give examples for the Client functions.

It seems that Install-Module doesn't display any output (other than module configuration errors), so the install process probably shouldn't write a warning that only the client modules are installed, since there's no way to capture that in a script. Possibly something like a Get-PKIModuleStatus should be written to return an object with a $true/$false for .ClientFunctions and .ServerFunctions depending on availability? Given that you already do not export AD-dependent functions on non domain environments, that could be added too?
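A script-side version of the `Get-PKIModuleStatus` idea proposed above can be built today without changes to the module, by probing which commands the loaded PSPKI module actually exports. This is an added example, not PSPKI's own code or the issue author's. The probe lists below are a sample of PSPKI cmdlet names chosen to represent each group (adjust them to the version you run), and the `InstallationType` registry value is assumed to read `Server Core` on Core installations.

```powershell
# Added example (not part of PSPKI). Returns a status object a script can branch on
# instead of relying on warnings that Install-Module / Import-Module swallow.
function Get-PKIModuleStatus {
    [CmdletBinding()]
    param(
        [string]$ModuleName = 'PSPKI'
    )

    # Sample probe commands per feature group (assumed PSPKI cmdlet names; adjust per version).
    $clientProbes = @('Get-ObjectIdentifier', 'Get-CertificateRevocationList', 'Convert-PfxToPem')
    $serverProbes = @('Get-CertificationAuthority', 'Get-AdcsDatabaseRow')
    $adProbes     = @('Get-CertificateTemplate', 'Get-CertificateTemplateAcl')

    $module = Get-Module -Name $ModuleName
    if (-not $module) {
        $module = Import-Module -Name $ModuleName -PassThru -ErrorAction SilentlyContinue
    }
    if (-not $module) {
        throw "Module '$ModuleName' is not installed or could not be imported."
    }

    # Only commands the module really exports count; a cmdlet that exists in the
    # source tree but was not exported on this host shows up here as missing.
    $exported = @(Get-Command -Module $ModuleName | Select-Object -ExpandProperty Name)

    function Test-Group([string[]]$Probes) {
        $missing = @($Probes | Where-Object { $exported -notcontains $_ })
        [pscustomobject]@{
            Available = ($missing.Count -eq 0)
            Missing   = $missing
        }
    }
    $client = Test-Group $clientProbes
    $server = Test-Group $serverProbes
    $ad     = Test-Group $adProbes

    # Server Core detection (assumed: InstallationType is 'Server Core' on Core installs).
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                        -Name InstallationType -ErrorAction SilentlyContinue).InstallationType

    [pscustomobject]@{
        Module           = $module.Name
        Version          = $module.Version
        InstallationType = $installType
        IsServerCore     = ($installType -eq 'Server Core')
        ClientFunctions  = $client.Available
        ServerFunctions  = $server.Available
        AdFunctions      = $ad.Available
        MissingClient    = $client.Missing
        MissingServer    = $server.Missing
        MissingAd        = $ad.Missing
    }
}

# Usage in a deployment script: fail early, with a reason, instead of at the first cmdlet call.
# $status = Get-PKIModuleStatus
# if (-not $status.ServerFunctions) {
#     throw "PSPKI server functions unavailable on $env:COMPUTERNAME (missing: $($status.MissingServer -join ', '))"
# }
```

Keeping the probe lists explicit means the check documents exactly which cmdlets a script depends on, which is also what an operator needs when deciding whether a Core host needs the full RSAT feature set or only the client half of the module.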

Set-CertificateExtension issue with inexistent OID.Format() method

Hello,
There is a new bug since v3.3 in the Set-CertificateExtension function. Three times in this function you are calling a nonexistent Format() method on the OID objects.
This results in the try/catch being triggered and the whole function being exited, which is not good when we have more than one extension to set at once.

Issue with some *-CertificateTemplateAcl docs

Example 1 on the following pages is incorrect:

https://www.sysadmins.lv/projects/pspki/Add-CertificateTemplateAcl.aspx
https://www.sysadmins.lv/projects/pspki/get-certificatetemplateacl.aspx
https://www.sysadmins.lv/projects/pspki/set-certificatetemplateacl.aspx

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplate | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll

should be

PS C:\> Get-CertificateTemplate -Name WebServer | Get-CertificateTemplateAcl | Add-CertificateTemplateAcl -User WebServerGroup -AccessType Allow -AccessMask Read, Enroll | Set-CertificateTemplateAcl

Only in RDP sessions

Hi,

First of all many thanks for the time you passed writing all this useful cmdlets.

In fact, I work most of my time through PSSessions within ISE, and I rarely open an RDP session.
Thus it took me some time to realize that some cmdlets are not working in PSSessions, and that I had to open an RDP session on the CA server directly. For example, Get-CertificationAuthority just returns nothing.

Please could you add a warning when the PSPKI module is loaded in a PSSession?
Thanks!
