Quantcast
Channel: Public Key Infrastructure PowerShell module
Viewing all 729 articles
Browse latest View live

Edited Unassigned: Cannot convert value "ca.example.com" to type "PKI.CertificateServices.CertificateAuthority" [93]

May 5, 2016, 9:44 am
$
0
0
PS PKI 3.1.0

I managed to get some code working beautifully on my Windows 7 SP1 workstation, but it throws an error when I try to run it locally on my Windows Server 2012 R2 standalone root certificate authority. I think I've narrowed it down to the one line below. I'm so close...so close!

It throws an error on server ca.example.com: Windows Server 2012 R2 (domain-joined standalone root CA)

```
Import-Module PsPKI
$CertificateRequestResponse = Submit-CertificateRequest -CertificationAuthority "ca.example.com" -Path "\\fs.example.com\path\to\certificates\CertReq.csr"
Submit-CertificateRequest : Cannot process argument transformation on parameter 'CertificationAuthority'. Cannot convert value "ca.example.com" to type
"PKI.CertificateServices.CertificateAuthority". Error: "There is no such object on the server.
"
At line:2 char:81
+ ... ationAuthority "ca.example.com" -Path "\\fs.example.com\path\to\certi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Submit-CertificateRequest], ParameterBindingArgumentTransformationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Submit-CertificateRequest

$CertificateRequestResponse
```

It works fine on workstation wx.example.com: Windows 7 SP1 (domain-joined workstation with RSAT)

```
Import-Module PsPKI
$CertificateRequestResponse = Submit-CertificateRequest -CertificationAuthority "ca.example.com" -Path "\\fs.example.com\path\to\certificates\CertReq.csr"
$CertificateRequestResponse


CertificationAuthority : PKI.CertificateServices.CertificateAuthority
RequestID : 22
Status : UnderSubmission
Certificate :
ErrorInformation : Taken Under Submission
```
Search

New Post: [PKI.CertificateServices.CertificateAuthority]::GetCA("Name","*") doesn't work on 2012R2

May 5, 2016, 9:46 am

Commented Unassigned: Maintain backwards compatibility and/or upgrade log [94]

May 5, 2016, 10:04 am
$
0
0
Hello,

For future releases of the module and underlying .NET libraries, would it be possible to maintain backwards compatibility and, when not possible (technically or not), provide an UPGRADE file listing all compatibility breaks and how to fix them?

I maintain some scripts and modules relying on PSPKI for my company and for each release I have some incompatibilities that I have to trace down. Fixing them is even more complicated when the scripts are not centrally stored and executed instead directly on colleagues' workstations where they may not all have the same module version installed.

I understand this requires extra work for you and the module and libraries are provided without any warranty on backwards compatibility but it is more and more used in professional environments where long term compatibility is mandatory.

Best regards,
Jordan
Comments: I got your point. I'll try to do all my best here. Though, I have to make additional learning about the subject.

New Post: You should publish this on powershell gallery

May 5, 2016, 12:27 pm
$
0
0
You should publish this on powershell gallery

Created Unassigned: Get-CertificateRequest bug in 3.2.5 [96]

May 14, 2016, 6:30 am
$
0
0
Hello Camelot,

Looks like there was a regression in X509CertificateRequest in release 3.2.5.
Every time I try to instantiate a PKCS#10 since this release I get an error in the constructor "Invalid data".
Downgrading to 3.1 and everything works again as expected.

I tried with several CSRs and all result in this error.
Jordan

Commented Unassigned: Get-CertificateRequest bug in 3.2.5 [96]

May 15, 2016, 10:56 am
$
0
0
Hello Camelot,

Looks like there was a regression in X509CertificateRequest in release 3.2.5.
Every time I try to instantiate a PKCS#10 since this release I get an error in the constructor "Invalid data".
Downgrading to 3.1 and everything works again as expected.

I tried with several CSRs and all result in this error.
Jordan
Comments: Thank you so much for report. I found and fixed this issue. Probably, very soon I'll publish a patch (3.2.6) that will solve bugs found since 3.2.5

New Post: Exception calling "ResubmitRequest" with "2" argument(s)

May 17, 2016, 12:55 pm
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

Request 49's status is "taken under submission" and is waiting for approval before running this snippet.
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
    Param (
        [PSObject]$Error
    )
    Process {
        $Error[0].Exception.InnerException.Message
        $Error[0].Exception.InnerException.StackTrace
    }
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
    $CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
    $CertificateRequest
} Catch {
    Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
    $ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
    $ApprovalResponse
} Catch {
    Handle-Error -Error $Error[0]
}
Output for Windows Server 2012 R2 domain-joined standalone root certificate authority
# Approve pending CSR: Get-PendingRequest


RequestID             : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName    : Test User
CertificateTemplate   : 
RowId                 : 49
ConfigString          : ca.example.com\CA
Table                 : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+                 $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ComMethodTargetInvocation
Output for Windows 7 SP1 domain-joined workstation with RSAT
# Approve pending CSR: Get-PendingRequest


RequestID             : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName    : Test User
CertificateTemplate   : 
RowId                 : 49
ConfigString          : ca.example.com\CA
Table                 : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'

New Post: Programmatically sign a PKCS#10 request with an officer certificate

May 18, 2016, 5:54 am
$
0
0
Hello Camelot!

Just in case you're ever interested in this, note that the error mentioned above with the CSignerCertificate seems to be caused by a bug with my 3rd-party smart card CSP (which might never be fixed unfortunately...)
With any other software signing certificate I am able to embed PKCS#10 in PKCS#7 files and sign them.

If you have time some day and want to take a look (I'd understand if you don't of course!), my problem would probably be solved if we could translate IX509CertificateRequestPkcs7::InitializeFromInnerRequest into pure .NET code since I have no problem using the same smart card certificate when using the System.Security.Cryptography.Pkcs.CmsSigner class.
This is what I tried unsuccessfully in my first post but unfortunately I don't know enough the internal structure of PKCS files to get it working.

It would be a good addition to the .NET library in my opinion :D
Best regards,
Jordan
Search

Created Unassigned: Remove-DatabaseRow works on 08R2 CA but not 12R2 CA [97]

May 24, 2016, 12:51 pm
$
0
0
PSPKI 3.0.0

WS08R2 CA
Import-Module PSPKI
Get-CertificationAuthority "WVSXXXXX.support.xxxxxxxxxx.org" | Get-FailedRequest | Remove-DatabaseRow

Deleted request row with ID = 6745147.
Deleted request row with ID = 6745148.
Deleted request row with ID = 6745149.
Deleted request row with ID = 6745150.
Deleted request row with ID = 6745151.
Deleted request row with ID = 6745152.

PS D:\DATA\Powershell>




WS12R2 CA
Import-Module PSPKI
Get-CertificationAuthority "WVSYYYYY.support.xxxxxxxxxx.org" | Get-FailedRequest | Remove-DatabaseRow

WARNING: Non-request or non-CRL table row removal is not supported. ID='402'
WARNING: Non-request or non-CRL table row removal is not supported. ID='403'
WARNING: Non-request or non-CRL table row removal is not supported. ID='5'
WARNING: Non-request or non-CRL table row removal is not supported. ID='247'
WARNING: Non-request or non-CRL table row removal is not supported. ID='248'
WARNING: Non-request or non-CRL table row removal is not supported. ID='349'
WARNING: Non-request or non-CRL table row removal is not supported. ID='366'
WARNING: Non-request or non-CRL table row removal is not supported. ID='367'




Please ADVISE!

Created Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 3, 2016, 8:14 am
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Commented Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 4, 2016, 6:17 am
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Comments: Are you using the same account on both systems? It appears that you don't.

New Post: Programmatically sign a PKCS#10 request with an officer certificate

June 4, 2016, 6:23 am
$
0
0
Can you elaborate this point:
If you have time some day and want to take a look (I'd understand if you don't of course!), my problem would probably be solved if we could translate IX509CertificateRequestPkcs7::InitializeFromInnerRequest into pure .NET code
do you mean to convert existing PKCS10 request to PKCS7?

Commented Unassigned: Remove-DatabaseRow works on 08R2 CA but not 12R2 CA [97]

June 4, 2016, 6:31 am
$
0
0
PSPKI 3.0.0

WS08R2 CA
Import-Module PSPKI
Get-CertificationAuthority "WVSXXXXX.support.xxxxxxxxxx.org" | Get-FailedRequest | Remove-DatabaseRow

Deleted request row with ID = 6745147.
Deleted request row with ID = 6745148.
Deleted request row with ID = 6745149.
Deleted request row with ID = 6745150.
Deleted request row with ID = 6745151.
Deleted request row with ID = 6745152.

PS D:\DATA\Powershell>




WS12R2 CA
Import-Module PSPKI
Get-CertificationAuthority "WVSYYYYY.support.xxxxxxxxxx.org" | Get-FailedRequest | Remove-DatabaseRow

WARNING: Non-request or non-CRL table row removal is not supported. ID='402'
WARNING: Non-request or non-CRL table row removal is not supported. ID='403'
WARNING: Non-request or non-CRL table row removal is not supported. ID='5'
WARNING: Non-request or non-CRL table row removal is not supported. ID='247'
WARNING: Non-request or non-CRL table row removal is not supported. ID='248'
WARNING: Non-request or non-CRL table row removal is not supported. ID='349'
WARNING: Non-request or non-CRL table row removal is not supported. ID='366'
WARNING: Non-request or non-CRL table row removal is not supported. ID='367'




Please ADVISE!

Comments: This was an issue with PSPKI v3.0 and was already reported: https://pspki.codeplex.com/workitem/76 it was resolved in PSPKI v3.1 and newer versions.

Commented Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 6, 2016, 6:56 am
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Comments: I was definitely using two accounts but I get the same result when I use the account that worked on my workstation on the server (tried it just now). ``` C:\Users\ag-admin\Desktop\test (2).ps1 # Approve pending CSR: Get-PendingRequest RequestID : 50 Request.RequesterName : EXAMPLE\user Request.SubmittedWhen : 6/6/2016 1:41:43 PM Request.CommonName : Test User CertificateTemplate : RowId : 50 ConfigString : ca.example.com\CA Table : Request # Approve pending CSR: Approve-CertificateRequest WARNING: Unable to issue request with ID = '50' Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)" At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5 + $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID) + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : ComMethodTargetInvocation ```

New Post: Programmatically sign a PKCS#10 request with an officer certificate

June 6, 2016, 7:04 am
$
0
0
Yes, in order to sign it with an officer certificate.
Since it is not possible to directly sign a PKCS#10 and the CertEnroll API is not usable with my 3rd party CSP (well it may be resolved sooner rather than later finally because the vendor has provided a fix already, I'm now waiting for an official release), mimicking it in .NET would do the trick.

I haven't tested with something else than a PKCS#10 but in that case, InitializeFromInnerRequest works well and create a PKCS#7 object ready to be signed. Unfortunately, my .NET attempt in the very first post is not the right way to do it.
Search

Commented Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 14, 2016, 11:28 am
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Comments: What does the code library do when it runs on a CA server that it doesn't do when it runs on an RSAT client? It must be doing something extra. This works on Win7, but not on a 2012_R2 domain-joined standalone root CA (same account is used on both). This is a standard AD account with delegated full permissions to the OU in which both the client and server are contained; and it's a member of the local administrators group on both the client and server. This is an awesome project, and I appreciate all the work you put into it!

Commented Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 14, 2016, 11:52 am
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Comments: > What does the code library do when it runs on a CA server that it doesn't do when it runs on an RSAT client? It must be doing something extra. actually, it does nothing. `Approve-CertificateRequest` command is pure PowerShell script. Just out of curiosity: did you run PS console on CA server in elevated mode? When you call the method remotely, all assigned priveleges are enabled, while in local calls they may be reduced by UAC.

Commented Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 14, 2016, 2:37 pm
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Comments: UAC strikes again! You are a genius! Thank you!

Commented Unassigned: Exception calling "ResubmitRequest" with "2" argument(s) [98]

June 16, 2016, 8:54 am
$
0
0
PS PKI 3.2.5

This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.

In this example, request 49's status is "taken under submission" and is waiting for approval before executing.

```
Import-Module PsPKI
Import-Module ActiveDirectory

$Script:CA = "ca.example.com"

Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}

Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}

Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```

Output for Windows Server 2012 R2 domain-joined standalone root certificate authority

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```

Output for Windows 7 SP1 domain-joined workstation with RSAT

```
# Approve pending CSR: Get-PendingRequest


RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request

# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```

Comments: Glad to hear this!

New Post: Error importing PSPKI module {Write-ErrorMessage -Source "CAPIUnavailable"}

July 13, 2016, 7:19 am
$
0
0
Hello

I received a brand new HP laptop from work, with Windows 7 x64 (until we upgrade to W10) and downloaded and installed PSPKI.

When I try to import PSPKI I receive the following error

Write-ErrorMessage : Exception of type 'Microsoft.PowerShell.Commands.WriteErrorException' was thrown.
At C:\Program Files\Sysadmins LV\PowerShell\Modules\pspki\PSPKI.psm1:122 char:9
  • catch {Write-ErrorMessage -Source "CAPIUnavailable"}
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : NotImplemented: (:) [Write-Error], WriteErrorException
    • FullyQualifiedErrorId : NotImplementedException,Write-ErrorMessage
I have my PowerShell prompt open as an administrator of the laptop

I then removed PSPKI and installed an earlier version but received the same error

therefore I am wondering of it some thing to do with a new TPM in the laptop or something missing from the Windows 7 build on the new laptop,

Any advise most welcome as I kind or rely on this excellent module these days :)

Thanks very much
Ernie
Viewing all 729 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>