I found out that this is the module which causes the issue: "VERBOSE: Loading module from path 'C:\Program Files\Sysadmins LV\PowerShell PKI Module\pspki\PSPKI.psm1'." Any idea?
New Post: Import-Module pspki take long time as system account
This is a general message. Module loading process includes a lot of things and I can't tell what exactly creates a delay in your case. Another possibility is that the code fails to load format and extended type files.
New Post: Import-Module pspki take long time as system account
I may have found it: the psm1 file stays for about 60 seconds at this line. BTW: only one time. If I run the script a second time, it works like a charm.
Get-ChildItem -Path $PSScriptRoot -Include *.ps1 -Recurse | Foreach-Object { . $_.FullName }
New Post: Import-Module pspki take long time as system account
BTW: If you like to reproduce you can start a system powershell with: "psexec -i -s Powershell.exe" and import the module with "import-module pspki -debug -verbose"
New Post: Import-Module pspki take long time as system account
Hi,
any idea?
Thanks
Paul
New Post: Get-CertificationAuthority doesn't work in remote session
Hi.
Fresh install of Windows 2012 R2 (domain joined) and PSPKI v3.1.0.
When I'm logged in locally I can run Get-CertificationAuthority and see my three CAs. If I instead do an Enter-PSSession from my workstation to the server and do the same thing I get no result at all. No error message either. Same result if I add -ComputerName, I just don't get anything back.
Connect-CertificationAuthority throws an error: "Specified Certification Authority is unavailable." Obviously, if I do the same thing locally it works.
Any ideas?
Thanks,
Fredrik
New Post: Get-CertificationAuthority doesn't work in remote session
This issue is caused by credential delegation. By default, when you authenticate to a remote server (via Enter-PSSession), these credentials can be used only on that server. The server is not allowed to authenticate you anywhere else, while the Get-CertificationAuthority cmdlet makes some remote requests to LDAP and the CA server. You have to either use CredSSP or make this server trusted for delegation.
As a side note: the server part of the module is not designed to run in a remoting session; instead, each command in the server cmdlets has parameters to work with remote CAs.
New Post: Get-CertificationAuthority doesn't work in remote session
That explains that. Thanks!
Commented Unassigned: Get-EnterprisePKIHealthStatus Error [86]
When I run Get-Ca | Get-EnterprisePKIHealthStatus -Debug -Verbose I receive the attached error. I'm running this command from an elevated PowerShell session on Windows 8.1 Enterprise. My PKI consists of an offline root ca and an enterprise sub-ca
Comments: I get the same error as madmonky running in a PowerShell v4 host on Windows 7 Professional (64 bit). I also have an offline root CA and online issuing sub-CA.
Commented Unassigned: Get-EnterprisePKIHealthStatus Error [86]
Comments: I can confirm the problem running on Windows 8.1 and Server 2012(CA). I also have an offline root CA and online issuing sub-CA.
Commented Unassigned: Get-EnterprisePKIHealthStatus Error [86]
Comments: Apparently, the issue is related to issues in CRL/DeltaCRL URL retrieval from certificate/CRL. Sometimes, there are weird characters (returned by C++ functions) and sometimes something else. I moved URL retrieval to fully managed code and the issue should disappear. Anyway, I will work on this issue and provide solution for the next module update.
Reviewed: PowerShell PKI Module v3.1 (Oct 30, 2015)
Rated 5 Stars (out of 5) - I've been using these cmdlets for a few months now and they have completely simplified a lot of tasks.
Commented Unassigned: Get-EnterprisePKIHealthStatus Error [86]
Comments: Can I ask one of you to test the fixed (I believe) version of this command?
Commented Unassigned: CRL revocation check bug [85]
Hi,
I tested the certificate at https://revoked.grc.com and https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html to see if they were revoked (they should be) in their CRL revocation lists like this:
byte[] crlRawData = File.ReadAllBytes(...);
X509Certificate2 cert = new X509Certificate2(File.ReadAllBytes(...));
X509CRL2 crl = new X509CRL2(crlRawData);
X509CRLEntry bla = crl.RevokedCertificates[cert.SerialNumber];
However, bla == null, so they are reported as NOT revoked.
I took a look inside X509CRL2.cs in the get_revokedcertificates() method, and it seems rawBytes contains the information in the wrong endianness.
I edited the code to be like this:
Byte[] rawBytes = new Byte[CRLEntry.SerialNumber.cbData];
Marshal.Copy(CRLEntry.SerialNumber.pbData, rawBytes, 0, rawBytes.Length);
//This is new
rawBytes = rawBytes.Reverse().ToArray();
String serialNumberStr = rawBytes.Aggregate("", (current, b) => current + b.ToString("x2"));
And now the serial number is correct and the two certificates are reported as revoked.
Comments: This bug was automatically fixed when I moved X509CRL2 class to a fully managed code (and managed decoder). The fix will be available in the next module release.
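The byte-order mismatch described in this issue, as an added PowerShell example (not the module's code): CryptoAPI integer blobs hold the serial least significant byte first, while X509Certificate2.SerialNumber prints it most significant byte first, so an unreversed CRL entry never matches. The function names and serial bytes are constructed for illustration.

```powershell
# Added example; all serial values below are constructed samples.

function ConvertTo-SerialHex {
    # Render serial-number bytes as the hex string format used by
    # X509Certificate2.SerialNumber (most significant byte first).
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,
        # Set when the bytes come from a CryptoAPI integer blob, which is
        # stored least significant byte first.
        [switch] $LittleEndian
    )
    $ordered = [byte[]] $Bytes.Clone()          # do not mutate the caller's array
    if ($LittleEndian) { [Array]::Reverse($ordered) }
    return -join ($ordered | ForEach-Object { $_.ToString('X2') })
}

function Test-SerialRevoked {
    # Build a serial-number index from raw CRL entry blobs and look up a
    # certificate serial in it.
    param(
        [Parameter(Mandatory)] [string]   $CertificateSerial,  # e.g. $cert.SerialNumber
        [Parameter(Mandatory)] [object[]] $CrlEntryBlobs,      # each item: byte[] as read from the blob
        [switch] $SkipByteOrderFix                             # index the bytes without reversing them
    )
    $index = @{}                                 # PowerShell hashtable keys are case-insensitive
    foreach ($blob in $CrlEntryBlobs) {
        $hex = ConvertTo-SerialHex -Bytes ([byte[]] $blob) -LittleEndian:(-not $SkipByteOrderFix)
        $index[$hex] = $true
    }
    return $index.ContainsKey($CertificateSerial)
}

# Constructed CRL entries, in the little-endian order a CRYPT_INTEGER_BLOB uses.
$entry1 = [byte[]] (0xEF, 0xCD, 0xAB, 0x01)
$entry2 = [byte[]] (0x10, 0x32, 0x54, 0x76)
$crlBlobs = @($entry1, $entry2)

# Constructed certificate serial, in the form X509Certificate2.SerialNumber returns.
$certSerial = '01ABCDEF'

# Lookup with the bytes indexed as-is (the situation in the report).
Test-SerialRevoked -CertificateSerial $certSerial -CrlEntryBlobs $crlBlobs -SkipByteOrderFix

# Lookup with the blob bytes reversed before indexing.
Test-SerialRevoked -CertificateSerial $certSerial -CrlEntryBlobs $crlBlobs
```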
New Post: Update the validity period of an existing CA template
I have a 2008 R2 CA and I setup auto enrollment for user certificates. That is working properly. However I need to be able to edit an existing CA template using Powershell.
My goal is to run a script on a daily basis to update the validity period for a specific template so that any request enrolled using that template expires on a specific date, let's say Dec 31st, 2016.
The basic script layout would be as follows.
Request Cert from CA
Compute the number of days remaining for Dec 1st 2016.
Update the CA template validity period in Days with the days computed in the step above.
In case needed, the script can run in the CA Root server with elevated credentials.
Can you confirm if this script can be developed using this PKI module?
Thanks,
M0dest0.
New Post: Update the validity period of an existing CA template
No, the module does not allow certificate template modification. As I wrote on the StackOverflow.com web site, it is not supported to modify certificate templates outside of the Certificate Templates MMC snap-in.
New Post: Update the validity period of an existing CA template
I've been googling but can't find any reference to this unsupported feature. I'd like to go in depth on this issue, so please, can you share some links or documentation? Thanks.
New Post: Update the validity period of an existing CA template
This information came from private sources. You may need to contact Microsoft Support to get official information.
Created Unassigned: Register-ObjectIdentifier FIPS error [87]
Using the -UseActiveDirectory option, the following error is thrown:
Exception calling "Register" with "6" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Client\Register-ObjectIdentifier.ps1:32 char:3
+ [Security.Cryptography.Oid2]::Register($Value,$FriendlyName,$Group,$UseActiveD ...
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
-Tim
Commented Unassigned: Get-EnterprisePKIHealthStatus Error [86]
Comments: I'll test the new version. Where can I download it?