Channel: Public Key Infrastructure PowerShell module
Viewing all 729 articles

Closed Unassigned: Get-EnterprisePKIHealthStatus Error [86]

When I run Get-Ca | Get-EnterprisePKIHealthStatus -Debug -Verbose I receive the attached error. I'm running this command from an elevated PowerShell session on Windows 8.1 Enterprise. My PKI consists of an offline root CA and an enterprise sub-CA.
Comments: Fixed in v3.2.5

Closed Unassigned: CRL revocation check bug [85]

Hi,

I tested the certificate at https://revoked.grc.com and https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html to see if they were revoked (they should be) in their CRL revocation lists like this:

```
byte[] crlRawData = File.ReadAllBytes(...);
X509Certificate2 cert = new X509Certificate2(File.ReadAllBytes(...));

X509CRL2 crl = new X509CRL2(crlRawData);
X509CRLEntry bla = crl.RevokedCertificates[cert.SerialNumber];
```

However, bla == null, so they are reported as NOT revoked.

I took a look inside X509CRL2.cs in the get_revokedcertificates() method, and it seems rawBytes contains the information in the wrong endianness.

I edited the code to be like this:
```
Byte[] rawBytes = new Byte[CRLEntry.SerialNumber.cbData];
Marshal.Copy(CRLEntry.SerialNumber.pbData, rawBytes, 0, rawBytes.Length);

//This is new
rawBytes = rawBytes.Reverse().ToArray();

String serialNumberStr = rawBytes.Aggregate("", (current, b) => current + b.ToString("x2"));
```

And now the serial number is correct and the two certificates are reported as revoked.
Comments: Fixed in v3.2.5
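
The mismatch described in this report, as an added example (not code from the post or from PSPKI): CryptoAPI stores a CRL entry's serial number least significant byte first, while `X509Certificate2.SerialNumber` is a big-endian hex string, so an index keyed on the unreversed bytes misses and the revocation check fails open. The class name, helper names and sample serials are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

static class CrlSerialLookupDemo
{
    // Hex of the bytes exactly as stored in the blob (the lookup key before the fix).
    static string HexAsStored(byte[] raw)
    {
        return BitConverter.ToString(raw).Replace("-", "");
    }

    // Reverse a copy first so the key matches the big-endian string
    // that X509Certificate2.SerialNumber returns.
    static string HexBigEndian(byte[] raw)
    {
        byte[] copy = (byte[])raw.Clone();
        Array.Reverse(copy);
        return BitConverter.ToString(copy).Replace("-", "");
    }

    // Case-insensitive index: the certificate property is upper-case hex,
    // while the code in the report formats with "x2" (lower-case).
    static HashSet<string> BuildIndex(IEnumerable<byte[]> entries, Func<byte[], string> key)
    {
        var index = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (byte[] entry in entries)
        {
            index.Add(key(entry));
        }
        return index;
    }

    static void Main()
    {
        // Constructed sample data: serials as they would sit in the CRL entry blob.
        var crlEntries = new List<byte[]>
        {
            new byte[] { 0x9A, 0x3C, 0x5E, 0x01 }, // certificate serial 015E3C9A
            new byte[] { 0x7F, 0x22, 0x22, 0x7F }, // byte palindrome: same key either way
        };

        HashSet<string> asStored = BuildIndex(crlEntries, HexAsStored);
        HashSet<string> reversed = BuildIndex(crlEntries, HexBigEndian);

        // Serials as a certificate would report them (big-endian hex).
        foreach (string certSerial in new[] { "015E3C9A", "7F22227F" })
        {
            Console.WriteLine("{0}: as-stored lookup revoked={1}, reversed lookup revoked={2}",
                certSerial, asStored.Contains(certSerial), reversed.Contains(certSerial));
        }
    }
}
```

The palindromic serial is found by both indexes, which is how a regression test built on a symmetric or single-byte serial can pass while real revoked certificates are missed.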

Closed Unassigned: Appear to be an error with Get-CertificateTemplate when the DisplayName of the Template include / character [84]

Hello

I note that when using Get-CertificateTemplate it throws an error if the DisplayName of the template includes the / character

the error it throws is

```
New-Object : Exception calling ".ctor" with "1" argument(s): "Unknown error (0x80005000)"
At C:\Program Files\Sysadmins LV\PowerShell\Modules\pspki\Server\Get-CertificateTemplate.ps1:67 char:48
+ $vtemps | Where-Object {$_} | ForEach-Object {New-Object PKI.CertificateTemplat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
```

People (not me) have created a number of templates whose displayname includes /

Thanks
Ernie

Comments: Fixed in v3.2.5

Closed Unassigned: Import-Module errors with Types on remote share [83]

(Reposting in the Issues area)

I am trying to import the module (ModuleVersion = '3.1.0.0') from a remote share. I would like to prevent the need to install the module on multiple workstations for security reasons.

I do not get the errors when the module is on a local drive, only when using a unc path or mapped drive.

Thank you.

```
PS C:\windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      3.0
WSManStackVersion              3.0
SerializationVersion           1.1.0.1
CLRVersion                     4.0.30319.18444
BuildVersion                   6.2.9200.16481
PSCompatibleVersions           {1.0, 2.0, 3.0}
PSRemotingProtocolVersion      2.2
```

When I try to import the following errors are displayed:


```
PS C:\windows\system32> Import-Module PSPKI
Update-TypeData : \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Types
\PSPKI.Types.ps1xml, \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Ty
pes\PSPKI.Types.ps1xml(5) : Error in type "System.Security.Cryptography.Oid": The member Equal is
already present.
At \\UNC_Path\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1:281
char:3
+ Update-TypeData $PSScriptRoot\Types\PSPKI.Types.ps1xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-TypeData], RuntimeException
+ FullyQualifiedErrorId : TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeData
Command

Update-TypeData : \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Types
\PSPKI.Types.ps1xml, \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Ty
pes\PSPKI.Types.ps1xml(24) : Error in type "System.Security.Cryptography.Oid[]": The member AddOid
is already present.
At \\UNC_Path\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1:281
char:3
+ Update-TypeData $PSScriptRoot\Types\PSPKI.Types.ps1xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-TypeData], RuntimeException
+ FullyQualifiedErrorId : TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeData
Command

Update-TypeData : \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Types
\PSPKI.Types.ps1xml, \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Ty
pes\PSPKI.Types.ps1xml(43) : Error in type "System.Security.Cryptography.Oid[]": The member
RemoveOid is already present.
At \\UNC_Path\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1:281
char:3
+ Update-TypeData $PSScriptRoot\Types\PSPKI.Types.ps1xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-TypeData], RuntimeException
+ FullyQualifiedErrorId : TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeData
Command

Update-TypeData : \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Types
\PSPKI.Types.ps1xml, \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Ty
pes\PSPKI.Types.ps1xml(63) : Error in type
"System.Security.Cryptography.X509Certificates.X509ChainStatus": The member ToString is already
present.
At \\UNC_Path\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1:281
char:3
+ Update-TypeData $PSScriptRoot\Types\PSPKI.Types.ps1xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-TypeData], RuntimeException
+ FullyQualifiedErrorId : TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeData
Command

Update-TypeData : \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Types
\PSPKI.Types.ps1xml, \\UNC_Path\WindowsPowerShell\Modules\PSPKI\Ty
pes\PSPKI.Types.ps1xml(74) : Error in type "System.Management.Automation.Signature": The member
SigningTime is already present.
At \\UNC_Path\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1:281
char:3
+ Update-TypeData $PSScriptRoot\Types\PSPKI.Types.ps1xml
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Update-TypeData], RuntimeException
+ FullyQualifiedErrorId : TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeData
Command
```
Comments: By design.

Closed Unassigned: New-SelfSignedCertificateEx - "A parameter cannot be found that matches parameter name 'Encoding'" [80]

Hello,
I want to create a self-signed S/MIME cert.
To achieve this I use the cmdlet New-SelfSignedCertificateEx, but I get the error "A parameter cannot be found that matches parameter name 'Encoding'".

__If I didn't use "-Path "M:\Certs\cert.pfx"" it works.__

Any ideas?

```
PS C:\> New-SelfSignedCertificateEx
-Subject "E=bd24e2d11-98a3-4842-b15e-58bcc5be306c@aol.com"
-KeyLength 4096
-NotBefore 01.01.2015 -NotAfter 01.01.2018
-EnhancedKeyUsage '1.3.6.1.5.5.7.3.4','1.3.6.1.5.5.7.3.2'
-SignatureAlgorithm SHA512
-AllowSMIME
-Exportable
-Path "M:\Certs\cert.pfx"

cmdlet New-SelfSignedCertificateEx at command pipeline position 1
Supply values for the following parameters:
Password: ********************
New-SelfSignedCertificateEx : A parameter cannot be found that matches parameter name 'Encoding'.
At line:1 char:1
+ New-SelfSignedCertificateEx -Subject "E=bd24e2d11-98a3-4842-b15e-58bcc5be306c@aol ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-SelfSignedCertificateEx], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,New-SelfSignedCertificateEx
```

Closed Unassigned: import-module pspki in visual studio 2013 for asp.net application [82]

Import-module pspki doesn't import the pspki module and hence I am not able to use the Get-CertificateRequest command in a .NET application (to be specific, in an ASP.NET code-behind page which is in C#). Can someone please guide me on how to use the pspki module on a C# page?

Released: PowerShell PKI Module v3.2.5 (Apr 17, 2016)

Updated Release: PowerShell PKI Module v3.2.5 (Apr 17, 2016)


Created Unassigned: Maintain backwards compatibility and/or upgrade log [94]

Hello,

For future releases of the module and underlying .NET libraries, would it be possible to maintain backwards compatibility and, when not possible (technically or not), provide an UPGRADE file listing all compatibility breaks and how to fix them?

I maintain some scripts and modules relying on PSPKI for my company and for each release I have some incompatibilities that I have to trace down. Fixing them is even more complicated when the scripts are not centrally stored and executed instead directly on colleagues' workstations where they may not all have the same module version installed.

I understand this requires extra work for you and the module and libraries are provided without any warranty on backwards compatibility but it is more and more used in professional environments where long term compatibility is mandatory.

Best regards,
Jordan

Commented Unassigned: Maintain backwards compatibility and/or upgrade log [94]

Comments: At first, I appreciate that you find this project helpful for your environment. I understand your concerns about compatibility and this is where I try to pay a lot of attention. I would say that compatibility is my top priority because of what you said. However, different parts of the code were written long ago when I didn't have a good design view of a particular API set; as a result, the code was bad from a design and maintenance perspective. And to provide better functionality some parts must be changed regardless of compatibility requirements. For each release I post a blog post under the [PowerShell PKI module](https://www.sysadmins.lv/blog-en/categoryview/powershellpowershellpkimodule.aspx) category on my weblog where I provide information about changes in each new version. In any case, if you have a particular issue, you can ask about it in the Discussions tab and I will try to resolve it.

Commented Unassigned: Maintain backwards compatibility and/or upgrade log [94]

Comments: Thanks for your answer. I completely understand that sometimes you have to deprecate legacy code or even break backwards compatibility. As long as it is properly documented somewhere (I think an UPGRADE file accompanying the module is better than just a blog post, but that's just my opinion) and it is done for valid reasons there is absolutely no problem with that of course. Regarding the last 3.2.5 release, I haven't had time yet to fully test all my scripts but I have at least one that is failing now while it worked before. I will post a dedicated issue for that problem to avoid mixing things up. I don't remember which version exactly (probably the 3.0 or 3.1) but I remember having to change some classes namespaces after upgrading to a previous version. Not a huge deal of course and easy to spot and fix but this was not documented in your blog post.

Created Unassigned: X509CRL2.GetNextPublish() fails with v3.2.5 [95]

Hello Camelot,

The GetNextPublish() method of X509CRL2 fails with the following error since I upgraded to PSPKI 3.2.5:
```
Exception calling "GetNextPublish" with "0" argument(s): "ASN1 bad tag value met."
```

Note that, like it is documented, I expect this method to work whether the CRL contains a NextPublish extension or not (I have both cases).

Best regards,
Jordan

Commented Unassigned: Maintain backwards compatibility and/or upgrade log [94]

Comments: Oh I posted too fast. There is a new BC break regarding classes namespaces in this release. We could of course have expected it since you split your 2 .NET libraries but any code using ``[PKI.ASN.ASN1]`` that worked before no longer does.

Commented Unassigned: X509CRL2.GetNextPublish() fails with v3.2.5 [95]

Comments: I'll take a look.

Commented Unassigned: X509CRL2.GetNextPublish() fails with v3.2.5 [95]

Comments: This is a copy-paste issue. Unfortunately, due to source control change between TFS and GitHub I can't tell when the bug appeared. I fixed this bug in the source code. How can I deliver the updated version?

Commented Unassigned: X509CRL2.GetNextPublish() fails with v3.2.5 [95]

Comments: Except on my dev computer, I cannot deploy unreleased versions to my servers and my colleagues so if it is possible, I would prefer something like a 3.2.6 release. Thanks!

New Post: [PKI.CertificateServices.CertificateAuthority]::GetCA("Name","*") doesn't work on 2012R2

Either with name or * the class returns nothing.

New Post: [PKI.CertificateServices.CertificateAuthority]::GetCA("Name","*") doesn't work on 2012R2

Can you provide more details about your environment?

New Post: [PKI.CertificateServices.CertificateAuthority]::GetCA("Name","*") doesn't work on 2012R2

It's just a 2012R2 server that the commands don't work on.

I can use get-ca fine on my w7 machine and from a 2008 server.

```
Exception calling "GetCA" with "2" argument(s): "CCertConfig::GetField: The parameter is incorrect. 0x80070057 (WIN32:
87 ERROR_INVALID_PARAMETER)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20
+ "__ComputerSet" {[PKI.CertificateServices.CertificateAuthority]::GetCA("Server ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException
```

Reopened Unassigned: Cannot convert value "ca.example.com" to type "PKI.CertificateServices.CertificateAuthority" [93]

PS PKI 3.1.0

I managed to get some code working beautifully on my Windows 7 SP1 workstation, but it throws an error when I try to run it locally on my Windows Server 2012 R2 standalone root certificate authority. I think I've narrowed it down to the one line below. I'm so close...so close!

It throws an error on server ca.example.com: Windows Server 2012 R2 (domain-joined standalone root CA)

```
Import-Module PsPKI
$CertificateRequestResponse = Submit-CertificateRequest -CertificationAuthority "ca.example.com" -Path "\\fs.example.com\path\to\certificates\CertReq.csr"
Submit-CertificateRequest : Cannot process argument transformation on parameter 'CertificationAuthority'. Cannot convert value "ca.example.com" to type
"PKI.CertificateServices.CertificateAuthority". Error: "There is no such object on the server.
"
At line:2 char:81
+ ... ationAuthority "ca.example.com" -Path "\\fs.example.com\path\to\certi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Submit-CertificateRequest], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Submit-CertificateRequest

$CertificateRequestResponse
```

It works fine on workstation wx.example.com: Windows 7 SP1 (domain-joined workstation with RSAT)

```
Import-Module PsPKI
$CertificateRequestResponse = Submit-CertificateRequest -CertificationAuthority "ca.example.com" -Path "\\fs.example.com\path\to\certificates\CertReq.csr"
$CertificateRequestResponse


CertificationAuthority : PKI.CertificateServices.CertificateAuthority
RequestID : 22
Status : UnderSubmission
Certificate :
ErrorInformation : Taken Under Submission
```