Hello
I have a couple of questions/issues with PSPKI 2.6 and wondered if you could help/explain please, thanks
I have a Windows 2003 R2 SP2 Enterprise CA, with PowerShell v2.0 installed on the CA. I downloaded and installed your module. When I import the module it imports OK, but I receive the following two error messages at the console
PS C:> Import-Module pspki
Update-TypeData : The following error occurred while loading the extended type data file:
Microsoft.PowerShell, C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.Typ
s.ps1xml : File skipped because it was already present from "Microsoft.PowerShell".
At C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.psm1:207 char:17
Microsoft.PowerShell, C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.For
at.ps1xml : File skipped because it was already present from "Microsoft.PowerShell".
At C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.psm1:208 char:19
I am having issues with the Submit-CertificateRequest cmdlet and in particular the
-Attribute <String[]>
Specifies optional attributes which are passed along with the request and are used by Certification Authority to construct the certificate. The following syntax is used:
<AttributeName>:<AttributeValue>
where <AttributeName> is an attribute name and <AttributeValue> is the value of the attribute. This command accepts multiple attributes.
For example, Enterprise CAs require certificate template information in the request, however, not all applications adds this information to the request (for example, Internet Information Service console, Exchange Management Console, non-Microsoft tools and other). In this case you can pass certificate template as attribute:
CertificateTemplate:WebServer
where 'CertificateTemplate' is attribute name and 'WebServer' is attribute value (in a given example it is certificate template common name).
A colleague sent me a CSR (base64) as they want a code signing cert, so I though rather than go to http://MyCAServer/certsrv I would try using PowerShell to submit the CSR using these modules.
So I already have an active template “Code Signing” (e.g. the standard template) which if I use via the url I can get a code signing cert back when I give it the above CSR (although the issues to comes back as the AD user logged in rather than the common name/subject name the user said he entered when creating the CSR with his unix type tool, CSR attached)
I can use Get-CertificationAuthority and Get-CertificateTemplate no problems (although I do get a couple of errors returned with the latter, but this does not appear to be with the template I am interested in using as this is returned OK)
So I enter the following at the PowerShell prompt
Submit-CertificateRequest –CA (Get-CertificationAuthority)-Path C:\Temp\MyCSR.CSR –Attribute CertificateTemplate:”Code Signing”
I have also tried
$X = “CertificateTemplate:Code Signing”
Submit-CertificateRequest –CA (Get-CertificationAuthority)-Path C:\Temp\MyCSR.CSR –Attribute $X
Unfortunately I get the same error each time which is
CertificationAuthority : PKI.CertificateServices.CertificateAuthority
RequestID : 718
Status : Denied
Certificate :
ErrorInformation : Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: Code Signing.
I am logged in a Domain Admin/Local Admin to the Server and I have Full Rights to the Template in question. Can you please tell me where I am going wrong please?
Thanks very much in advance, I have ordered a book I thought I would start with something a bit more basic (but with good reviews) e.g. this one then move on to the one you recommended after that.
All the best
Ernie
I have a couple of questions/issues with PSPKI 2.6 and wondered if you could help/explain please, thanks
I have a Windows 2003 R2 SP2 Enterprise CA, with PowerShell v2.0 installed on the CA. I downloaded and installed your module. When I import the module it imports OK, but I receive the following two error messages at the console
PS C:> Import-Module pspki
Update-TypeData : The following error occurred while loading the extended type data file:
Microsoft.PowerShell, C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.Typ
s.ps1xml : File skipped because it was already present from "Microsoft.PowerShell".
At C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.psm1:207 char:17
-
Update-TypeData <<<< $PSScriptRoot\PSPKI.Types.ps1xml
- CategoryInfo : InvalidOperation: (:) [Update-TypeData], RuntimeException
-
FullyQualifiedErrorId : TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeDataCommand
Microsoft.PowerShell, C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.For
at.ps1xml : File skipped because it was already present from "Microsoft.PowerShell".
At C:\Documents and Settings\adm.ernie.brant\My Documents\WindowsPowerShell\Modules\pspki\PSPKI.psm1:208 char:19
-
Update-FormatData <<<< $PSScriptRoot\PSPKI.Format.ps1xml
- CategoryInfo : InvalidOperation: (:) [Update-FormatData], RuntimeException
-
FullyQualifiedErrorId : FormatXmlUpateException,Microsoft.PowerShell.Commands.UpdateFormatDataCommand
I am having issues with the Submit-CertificateRequest cmdlet and in particular the
-Attribute <String[]>
Specifies optional attributes which are passed along with the request and are used by Certification Authority to construct the certificate. The following syntax is used:
<AttributeName>:<AttributeValue>
where <AttributeName> is an attribute name and <AttributeValue> is the value of the attribute. This command accepts multiple attributes.
For example, Enterprise CAs require certificate template information in the request, however, not all applications adds this information to the request (for example, Internet Information Service console, Exchange Management Console, non-Microsoft tools and other). In this case you can pass certificate template as attribute:
CertificateTemplate:WebServer
where 'CertificateTemplate' is attribute name and 'WebServer' is attribute value (in a given example it is certificate template common name).
A colleague sent me a CSR (base64) as they want a code signing cert, so I though rather than go to http://MyCAServer/certsrv I would try using PowerShell to submit the CSR using these modules.
So I already have an active template “Code Signing” (e.g. the standard template) which if I use via the url I can get a code signing cert back when I give it the above CSR (although the issues to comes back as the AD user logged in rather than the common name/subject name the user said he entered when creating the CSR with his unix type tool, CSR attached)
I can use Get-CertificationAuthority and Get-CertificateTemplate no problems (although I do get a couple of errors returned with the latter, but this does not appear to be with the template I am interested in using as this is returned OK)
So I enter the following at the PowerShell prompt
Submit-CertificateRequest –CA (Get-CertificationAuthority)-Path C:\Temp\MyCSR.CSR –Attribute CertificateTemplate:”Code Signing”
I have also tried
$X = “CertificateTemplate:Code Signing”
Submit-CertificateRequest –CA (Get-CertificationAuthority)-Path C:\Temp\MyCSR.CSR –Attribute $X
Unfortunately I get the same error each time which is
CertificationAuthority : PKI.CertificateServices.CertificateAuthority
RequestID : 718
Status : Denied
Certificate :
ErrorInformation : Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: Code Signing.
I am logged in a Domain Admin/Local Admin to the Server and I have Full Rights to the Template in question. Can you please tell me where I am going wrong please?
Thanks very much in advance, I have ordered a book I thought I would start with something a bit more basic (but with good reviews) e.g. this one then move on to the one you recommended after that.
All the best
Ernie