Channel: Public Key Infrastructure PowerShell module

Updated Release: PowerShell PKI Module v3.1 (Mar 23, 2015)

Important: I would like to hear more about what you think about the project. I appreciate that you like it (2000 downloads over the past 6 months), but maybe you have something to say? What do you dislike in the module? Maybe you would love to see some new functionality? Tell me what you think!

Installation guide:

  • Use the default installation path to install this module for the current user only.
  • To install this module for all users, enable the "Install for all users" check-box in the installation UI.
  • If previous module installations are detected, they are removed during upgrade.

Breaking Changes

Starting with this release, when installing the module for "All Users", the module is no longer installed in the System32 folder. Instead, it is installed in the following folder: %osdrive%\Program Files\Sysadmins LV\PowerShell\Modules. When the per-user option is selected, it is installed in the MyDocuments folder as usual.

Release notes for version 3.1

This release is a minor release and covers mostly existing bug fixes. On the other hand, this release prepares

New commands:

  • Get-EnterprisePKIHealthStatus

Deprecated commands:

None

More details are in my weblog:
PKI.Core.dll API documentation is published at http://pkix2.sysadmins.lv/library/. PKI.Core.dll sources are published in PKILib 3.1.0.0.zip.

For details about the new commands please see the main page: http://pspki.codeplex.com/

P.S. If you found a bug or want to suggest new features, please open a work item in the Issue Tracker: http://pspki.codeplex.com/workitem/list/basic
For general discussions you can post here: http://pspki.codeplex.com/discussions

Closed Unassigned: OCSPResponse incorrectly indicates response expiration [81]

OCSPResponse incorrectly indicates that the response has expired when `nextUpdate` is missing in one or more OCSPSingleResponses.
Comments: fixed in v3.1

Closed Unassigned: NotImplementedException - PSPKI.psm1 [79]

I didn't use the installer, because I want to import the module by hand.

But I get this error NotImplementedException; could it be that the order of the modules is wrong?
The function Write-ErrorMessage was imported after it was called from PSPKI.psm1?


```
VERBOSE: Loading module from path 'C:\PowerShellRepro\Modules\PSPKI\PSPKI.psd1'.
VERBOSE: Loading 'Assembly' from path 'C:\PowerShellRepro\Modules\PSPKI\Library\PKI.Core.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\PowerShellRepro\Modules\PSPKI\Library\Interop.CERTADMINLib.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\PowerShellRepro\Modules\PSPKI\Library\Interop.CERTCLILib.dll'.
VERBOSE: Loading 'Assembly' from path 'C:\PowerShellRepro\Modules\PSPKI\Library\Interop.CERTENROLLLib.dll'.
VERBOSE: Loading 'TypesToProcess' from path 'C:\PowerShellRepro\Modules\PSPKI\Types\PSPKI.Types.ps1xml'.
VERBOSE: Loading 'FormatsToProcess' from path 'C:\PowerShellRepro\Modules\PSPKI\Types\PSPKI.Format.ps1xml'.
VERBOSE: Loading module from path 'C:\PowerShellRepro\Modules\PSPKI\PSPKI.psm1'.
Write-ErrorMessage : Exception of type 'Microsoft.PowerShell.Commands.WriteErrorException' was thrown.
At C:\PowerShellRepro\Modules\PSPKI\PSPKI.psm1:122 char:9
+ catch {Write-ErrorMessage -Source "CAPIUnavailable"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : NotImplementedException,Write-ErrorMessage

VERBOSE: Exporting function '__RestartCA'.
VERBOSE: Exporting function 'Test-XCEPCompat'.
VERBOSE: Exporting function 'Ping-Wmi'.
VERBOSE: Exporting function 'Ping-ICertAdmin'.
VERBOSE: Exporting function 'Write-ErrorMessage'.
VERBOSE: Importing function 'Ping-ICertAdmin'.
VERBOSE: Importing function 'Ping-Wmi'.
VERBOSE: Importing function 'Test-XCEPCompat'.
VERBOSE: Importing function 'Write-ErrorMessage'.
VERBOSE: Importing function '__RestartCA'.
```
Comments: Missing RSAT when they are required.

Closed Unassigned: X509CRLDistributionPointsExtension does not support segmented CRLs [78]

The X509CRLDistributionPointsExtension class does not support segmented CRLs and fails if more than one DistributionPoint is defined in the extension.
Comments: fixed in v3.1

Closed Unassigned: New-SelfSignedCertificateEx unused parameter 'StoreName' [77]

New-SelfSignedCertificateEx has an unused parameter 'StoreName'. This parameter is not implemented and should be completely removed.
Comments: fixed in v3.1

Closed Unassigned: WARNING: Non-request or non-CRL table row removal is not supported. [76]

Hi,

I'm running the following command from the PSPKI 3.0 module on a Windows Server 2012 R2 Certificate Authority box:

```
Get-CertificationAuthority "xxxxxxxx" | Get-FailedRequest | Remove-DatabaseRow
```

I receive the following error:

```
WARNING: Non-request or non-CRL table row removal is not supported.
```
Comments: fixed in v3.1

Closed Unassigned: Get-CA Problem when ADCS is Stopped [75]

Hi Vadims,
I have two enterprise CAs in my test AD - if they are both in the running state the Get-CA command provides the following information (as expected):

__get-certificationauthority__

```
Chipeater Class 3 Primary CA PPC3P01.ppcnfoun... True Running Enterprise Subordinate CA
Chipeater Class 3 Secondary CA PPC3S01.ppcnfoun... True Running Enterprise Subordinate CA
```

However, if I stop ADCS on one of the CAs and run the Get-CA command again I get an error (rather than the CA being listed as stopped):

__get-certificationauthority__

```
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20
+ "__ComputerSet" {[PKI.CertificateServices.CertificateAuthority]::GetCA("Server ...
```

I only just realised this when I started using the EnterprisePKI PowerShell script you provided - which "blows up" on me if one of the Enterprise CAs is stopped (the error which I've included a snippet of below seems to be related to the Get-CA problem).

__.\EnterprisePKI.ps1__

```
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
```

Can you advise whether it is expected that a CA with ADCS stopped would cause this kind of behaviour?

Regards, Chipeater
Comments: fixed in v3.1

Closed Unassigned: CertValidityPeriod.set_ValidityPeriod throws FormatException on valid data [72]

CertValidityPeriod.set_ValidityPeriod throws FormatException on valid data. This issue is caused by invalid pattern handling.
Comments: fixed in v3.1

Closed Issue: AlternativeName.Format(bool multiline) strips trailing character [71]

Hi Camelot,

I just tried your last example. Any idea why the result would be truncated? I am missing the last character of every domain name returned.

This is what I get:

```
DNS Name=test.example.co, DNS Name=test2.example.co
```

But I would expect:

```
DNS Name=test.example.com, DNS Name=test2.example.com
```

Thanks!
Comments: fixed in v3.1

Closed Unassigned: ASN.1 -- signed integers are incorrectly encoded and decoded [69]

ASN.1 -- signed integers are incorrectly encoded and decoded. Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb540806(v=vs.85).aspx
Comments: fixed in v3.1
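As an added example (Python, not code from the PSPKI module or its PKI.Core.dll), here is a DER INTEGER encoder and decoder showing the signed, minimal-length rule that this issue is about; the function names are mine.

```python
# Added example (not PSPKI code): DER encoding/decoding of ASN.1 INTEGER, a signed,
# two's-complement, big-endian value in minimal form: 128 -> 02 02 00 80 (the 00 pad
# keeps it positive) and -128 -> 02 01 80. Reading the content octets as unsigned, or
# omitting the pad, is the class of defect reported in issue 69.

def _der_length(n):
    """DER length octets: short form below 128, long form (0x80 | count) otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def _read_der_length(data, offset):
    """Return (length, offset of the first content byte)."""
    first = data[offset]
    if first < 0x80:
        return first, offset + 1
    count = first & 0x7F
    return int.from_bytes(data[offset + 1:offset + 1 + count], "big"), offset + 1 + count

def _is_non_minimal(body):
    """True when the first octet is a redundant sign extension of the second."""
    return len(body) > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                              (body[0] == 0xFF and body[1] >= 0x80))

def der_encode_integer(value):
    """Encode a Python int as a complete DER INTEGER TLV (tag 0x02)."""
    # bit_length()//8 + 1 octets always leaves room for the sign bit; trimmed below.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    while _is_non_minimal(body):
        body = body[1:]
    return b"\x02" + _der_length(len(body)) + body

def der_decode_integer(data):
    """Decode a DER INTEGER TLV, rejecting malformed or non-minimal encodings."""
    if data[:1] != b"\x02":
        raise ValueError("not an ASN.1 INTEGER")
    length, start = _read_der_length(data, 1)
    body = data[start:start + length]
    if length == 0 or len(body) != length:
        raise ValueError("empty or truncated INTEGER")
    if _is_non_minimal(body):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big", signed=True)  # signed: 0x80 is -128, not 128

def naive_decode_integer(data):
    """The buggy reading, for contrast: content octets taken as an unsigned magnitude."""
    length, start = _read_der_length(data, 1)
    return int.from_bytes(data[start:start + length], "big", signed=False)
```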

Closed Unassigned: [Bug] OCSPRequest and nonce support [68]

Hi again,

It seems there was a regression between v2.8 and v3.0 on OCSP support for nonce values.
With v2.8, when I executed:
```
New-Object PKI.OCSP.OCSPRequest $cert, $true
```
I got in return `Nonce=$true` and `NonceValue=random_value` but now with 3.0 `Nonce` is still `$true` but `NonceValue` is now empty.

When looking at the source, `NonceValue` indeed does not seem to be initialized anywhere and the private m_encode method was simplified and does not generate a nonce anymore.

Jordan
Comments: fixed in v3.1

Closed Unassigned: [Feature request] Test-CAHealth [64]

Equivalent of the pkiview.msc snap-in or even better of the [camonitor.vbs](http://gallery.technet.microsoft.com/scriptcenter/164e8047-d7bf-4774-91cf-90d46b82e725) script.

This would take as input either a CA object or no object at all (i.e. all CAs in AD forest), optionally threshold values (ideally as an absolute value or a percentage value of the total validity) to define expiring certificates/CRLs.

Contrary to the camonitor.vbs script, I don't think it should log or email anything on its own. It would simply serve as a building block for a monitoring script that would deal with the alerting itself.

The output should use a PowerShell friendly object structure (no host output that is).
Comments: Added in v3.1

Closed Unassigned: [Feature request] Get resolved AIA/CDP [62]

Add two new cmdlets or add a new `-Resolved` parameter to the existing `Get-AIA` and `Get-CDP` to get the resolved values of AIA and CDP URLs.
Careful: if there are several CA certificates (after rekey/renewal), this should list resolved URLs for all valid CA certificates.
Comments: Added in v3.1

Commented Unassigned: Changes to Module Requirements?? [74]

Hi All,

I have been happily importing and approving certificates via a PowerShell script until this week, when I get the following error:

```
Import-Module : The specified module 'PSPKI' was not loaded because no valid module file was found in any module directory.
At \\HHH.int\DATA\IT\UK\SD\AccessControl\SecurityDocuments\Falcon\Issue MAC Certificate.ps1:1 char:14
+ Import-Module <<<< PSPKI
+ CategoryInfo : ResourceUnavailable: (PSPKI:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
```

The only change I can think of is that I'm running PowerShell v1.0 and the PSPKI module now says it's intended for PowerShell v3.0. When did the module requirements change? From what I remember I have been using the PSPKI module for over a year without issue.

Patches and updates to new versions are tightly controlled in my company, so I don't have the option of updating to v3.0. The best they can do is v2.0. Is there an older module that will work on 1 or 2?

Thanks in advance
Comments: can you check the latest release and test whether it works for you?

Updated Wiki: Home


Project Description

This module is intended to simplify certain PKI management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management you should consider using the Quest AD PKI cmdlets.

Module Requirements

  • Windows PowerShell 3.0
  • .NET Framework 4.0

This module can run on any of the following operating systems:

  • Windows Server 2008*/2008 R2/2012/2012 R2
  • Windows Vista**/7**/8**/8.1**

* Server Core installation is not supported.
** With RSAT (Remote System Administration Tools) installed.

Certification Authority requirements

This module supports Enterprise or Standalone Certification Authority servers that are running one of the following operating systems:

  • Windows Server 2003/2003 R2
  • Windows Server 2008 (including Server Core)
  • Windows Server 2008 R2 (including Server Core)
  • Windows Server 2012 (including Server Core)
  • Windows Server 2012 R2 (including Server Core)

Command list:

Full command list for the latest release:

Project Roadmap

The project is under active development; for future plans you can check our official Roadmap (not yet definitive).


The following technologies and products were used to design this module:


Created Unassigned: import-module pspki in visual studio for asp.net application [82]

Import-module pspki doesn't import the pspki module and hence I am not able to use the Get-CertificateRequest command in a .NET application (to be specific, in an ASP.NET code-behind page which is in C#). Can someone please guide me on how to use the pspki module on a C# page?

New Comment on "Get-CATemplate"

v3.1 on a 2012 R2 server, CA and AD on the same machine. Played with Get-CATemplate and got this error:

```
PS C:\Windows\system32> Get-CertificationAuthority -Name W2K12-CA

DisplayName ComputerName       IsAccessible ServiceStatus Type
----------- ------------       ------------ ------------- ----
W2K12-CA    w2k12-64.w2k12.com True         Running       Standalone Root CA

PS C:\Windows\system32> Get-CertificationAuthority -Name W2K12-CA | Get-CATemplate
New-Object : Exception calling ".ctor" with "1" argument(s): "Operation is not supported on this platform."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\pspki\Server\Get-CATemplate.ps1:14 char:4
+    New-Object PKI.CertificateServices.CATemplate -ArgumentList $CA
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

PS C:\Windows\system32> Get-CATemplate -CertificationAuthority W2K12-CA
Get-CATemplate : Cannot process argument transformation on parameter 'CertificationAuthority'. Cannot convert value
"W2K12-CA" to type "PKI.CertificateServices.CertificateAuthority[]". Error: "Cannot convert value "W2K12-CA" to type
"PKI.CertificateServices.CertificateAuthority". Error: "Specified Certification Authority 'W2K12-CA' is unavailable.""
At line:1 char:40
+ Get-CATemplate -CertificationAuthority W2K12-CA
+                                        ~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-CATemplate], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-CATemplate
PS C:\Windows\system32>
```

What did I do wrong?

New Post: Add SAN names to existing request

I'm trying to use the example on the Set-CertificateExtension page but I'm having an issue and not sure what I'm doing wrong.

Here is the PowerShell code I'm using to add the SAN names:

```
$SANNames = @("mail.shilab.com",
              "autodiscover.shilab.com")

# Create SAN name collection
$AlternateNames = New-Object Security.Cryptography.X509Certificates.X509AlternativeNameCollection

# Add names to collection
foreach ($Name in $SANNames) {
    $AlternateNames.Add($(New-Object Security.Cryptography.X509Certificates.X509AlternativeName "DnsName", $Name))
}

# Create extension for the CSR
$SAN = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $AlternateNames

# Get handle to CA
$CA = Get-CertificationAuthority -ComputerName shilabca1.shilab.local

# Add SAN extension to request
Get-PendingRequest -CertificationAuthority $CA -RequestID 19 | Set-CertificateExtension -Extension $SAN
```

This is the CSR I submitted to my subordinate enterprise CA:
The subject name in the CSR is ts.shilab.com. After the certificate is submitted, the SAN extension added and the certificate issued, I apply it to my IIS 8.5 site. When I attempt to access the site by the subject name ts.shilab.com I get an error in IE stating the certificate name doesn't match the name I put in the browser. However, if I use mail.shilab.com or autodiscover.shilab.com it works with no issue. What am I doing wrong? I've tried to add ts.shilab.com to the SAN extension but receive an error when I run Set-CertificateExtension.

New Post: Add SAN names to existing request

> I've tried to add ts.shilab.com to the SAN extension but receive an error when I run Set-CertificateExtension

What error do you receive?

Looking at your request, it contains all the mentioned names:

```
    2.5.29.17: Flags = 0, Length = 3b
    Subject Alternative Name
        DNS Name=ts.shilab.com
        DNS Name=mail.shilab.com
        DNS Name=autodiscover.shilab.com
```

IE should not complain when accessing the "ts.shilab.com" name.
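The name check a practitioner would want after this exchange, as an added example in Python rather than the module's PowerShell (not code from the original posts or from PSPKI): a parser for the DER Subject Alternative Name value that reports which expected host names are missing. The sample SAN is constructed to match the certutil dump above (three dNSName entries, 59 = 0x3b bytes); the function names are mine.

```python
# Added example (not PSPKI code): parse a DER Subject Alternative Name value
# (OID 2.5.29.17) and report which expected host names it lacks.
DNS_NAME_TAG = 0x82   # GeneralName CHOICE [2] IMPLICIT IA5String (dNSName)
SEQUENCE_TAG = 0x30

def _der_length(n):
    # DER length octets: short form below 128, long form (0x80 | count) otherwise
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def _read_der_length(data, offset):
    # Return (length, offset of the first content byte)
    first = data[offset]
    if first < 0x80:
        return first, offset + 1
    count = first & 0x7F
    return int.from_bytes(data[offset + 1:offset + 1 + count], "big"), offset + 1 + count

def build_san(dns_names):
    """SEQUENCE OF GeneralName holding only dNSName entries."""
    body = b"".join(bytes([DNS_NAME_TAG]) + _der_length(len(n)) + n.encode("ascii") for n in dns_names)
    return bytes([SEQUENCE_TAG]) + _der_length(len(body)) + body

def parse_san_dns_names(der):
    """Lower-cased dNSName entries; other GeneralName choices (email, IP, ...) are skipped."""
    if der[:1] != bytes([SEQUENCE_TAG]):
        raise ValueError("SAN value must be a SEQUENCE")
    seq_len, offset = _read_der_length(der, 1)
    end = offset + seq_len
    if end != len(der):
        raise ValueError("SEQUENCE length does not match data")
    names = []
    while offset < end:
        tag = der[offset]
        item_len, offset = _read_der_length(der, offset + 1)
        value = der[offset:offset + item_len]
        if len(value) != item_len:
            raise ValueError("truncated GeneralName")
        offset += item_len
        if tag == DNS_NAME_TAG:
            names.append(value.decode("ascii").lower())
    return names

def missing_host_names(der, expected):
    """Names from `expected` with no matching dNSName; an empty list means the SAN covers them."""
    present = set(parse_san_dns_names(der))
    return [h for h in expected if h.lower() not in present]

# Constructed sample matching the certutil dump above: three names, "Length = 3b"
SAMPLE_SAN = build_san(["ts.shilab.com", "mail.shilab.com", "autodiscover.shilab.com"])
```

Run `missing_host_names(SAMPLE_SAN, ["ts.shilab.com"])` against the SAN pulled from the issued certificate's 2.5.29.17 extension to confirm the host the browser will ask for is actually listed.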