Restriction on CertView with template not working
Hi there,
we're currently querying our certificate services database with a PowerShell script, which uses the ICertView2-COM-Object (http://msdn.microsoft.com/en-us/library/windows/desktop/aa385439(v=vs.85).aspx).
I am trying to use $CaView.SetRestriction() to filter out certificates of a certain template, but without luck so far. I tried all the available choices (e.g. defining lower 0x2 and upper boundaries 0x10 for filtering, and also with a 0x1 for EQUAL).
# Connect to the CA database
$CaView = New-Object -ComObject CertificateAuthority.View
$CaView.OpenConnection("hostname.domain.local\SomeCA")
# Select the columns to return
$Properties = "RequestID", "RequesterName", "CommonName", "NotBefore", "NotAfter", "SerialNumber", "CertificateTemplate"
$CaView.SetResultColumnCount($properties.Count)
$Properties | %{$CAView.SetResultColumn($CAView.GetColumnIndex($False,$_))}
$RColumn = $CAView.GetColumnIndex($False, "NotAfter")
$LColumn = $CAView.GetColumnIndex($False, "CommonName")
$TColumn = $CAView.GetColumnIndex($False, "CertificateTemplate")
# Restrictions (seek operators: 0x1 = EQ, 0x2 = LT, 0x10 = GT)
$CaView.SetRestriction($LColumn, 0x2, 0, "SomeCA-Xchg")
$CaView.SetRestriction($RColumn, 0x10, 0, [datetime]::Now)
$CaView.SetRestriction($RColumn, 0x2, 0, [datetime]::Now.AddDays($args[1]))
$CaView.SetRestriction($TColumn, 0x2, 0, "1.2.3.4.5.6.232314.412343.456435.555434")
$Row = $CaView.OpenView()
Maybe someone can enlighten me, as I have no idea what's going wrong :(
Kind regards,
MMF
May 30th, 2012 8:52am
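An added example (not code from any poster in this thread or from the PSPKI project) of an equality restriction on the CertificateTemplate column through the same COM object, with the rows read back into objects. The function name Get-CertByTemplate and the template placeholder are assumptions; the CA config string is the one from the post above. The CA database stores the template name for version 1 templates and the template OID for version 2 and later, so the value passed in has to match the form stored for that template.

```powershell
# Added example: ICertView seek operators and sort order used below
$CVR_SEEK_EQ   = 0x1
$CVR_SEEK_LT   = 0x2
$CVR_SEEK_GT   = 0x10
$CVR_SORT_NONE = 0

function Get-CertByTemplate {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$ConfigString,
        [Parameter(Mandatory=$true)][string]$Template,   # name (v1) or OID (v2+)
        [int]$ExpiresWithinDays = 0                      # 0 = no date window
    )
    $View = New-Object -ComObject CertificateAuthority.View
    try {
        $View.OpenConnection($ConfigString)
        $Columns = "RequestID", "RequesterName", "CommonName", "NotAfter", "CertificateTemplate"
        $View.SetResultColumnCount($Columns.Count)
        foreach ($Name in $Columns) {
            $View.SetResultColumn($View.GetColumnIndex($false, $Name))
        }
        # Exact match on the template column
        $TIndex = $View.GetColumnIndex($false, "CertificateTemplate")
        $View.SetRestriction($TIndex, $CVR_SEEK_EQ, $CVR_SORT_NONE, $Template)
        if ($ExpiresWithinDays -gt 0) {
            # Pass [datetime] objects, not formatted strings, so regional
            # date formats play no part in the comparison
            $NIndex = $View.GetColumnIndex($false, "NotAfter")
            $Now = Get-Date
            $View.SetRestriction($NIndex, $CVR_SEEK_GT, $CVR_SORT_NONE, $Now)
            $View.SetRestriction($NIndex, $CVR_SEEK_LT, $CVR_SORT_NONE, $Now.AddDays($ExpiresWithinDays))
        }
        $Row = $View.OpenView()
        while ($Row.Next() -ne -1) {            # Next() returns -1 after the last row
            $Record = @{}
            $Column = $Row.EnumCertViewColumn()
            while ($Column.Next() -ne -1) {
                $Record[$Column.GetName()] = $Column.GetValue(1)
            }
            New-Object psobject -Property $Record
        }
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($View)
    }
}

# Placeholder template identifier; replace with the name or OID stored in the database
Get-CertByTemplate -ConfigString "hostname.domain.local\SomeCA" -Template "<TEMPLATE-NAME-OR-OID>" -ExpiresWithinDays 30
```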
you can try my PowerShell PKI module: http://pspki.codeplex.com/
The following syntax could be used:
Get-CA ca01.domain.com | Get-IssuedRequest -Filter "CertificateTemplate -eq CAExchange"
for additional information you may refer to online documentation (on project main page).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 11:09am
Hi Vadims,
your work is awesome, sadly I didn't find it before. I will try to sort it out with your module :)
Thanks,
MMF
June 4th, 2012 2:18am
Unfortunately, even if I use Get-IssuingRequests -Property *, the property CertificateTemplate is always null.
I do not know why it's working in your examples, but not in my case.
The Module is really great, helped me a lot :)
Thanks and kind regards,
MMF
June 5th, 2012 1:48am
My guess was that you need to obtain all issued certificates based on a specific certificate template. Please clarify, if I'm wrong here. Look at the following output (as it works on my lab CA) against CA Exchange template:
PS C:\> Get-CA dc1* | Get-IssuedRequest -Filter "CertificateTemplate -eq CAExchange" | ft -a
RequestID Request.RequesterName CommonName      NotBefore            NotAfter             SerialNumber         ConfigString
--------- --------------------- ----------      ---------            --------             ------------         ------------
       17 CONTOSO\DC1$          Contoso CA-Xchg 2009.03.16. 6:56:31  2009.04.20. 7:06:31  11cba4b4000000000011 DC1.c...
       28 CONTOSO\DC1$          Contoso CA-Xchg 2009.05.06. 16:43:05 2009.06.10. 16:53:05 10f7bf3400000000001c DC1.c...
       35 CONTOSO\DC1$          Contoso CA-Xchg 2009.09.03. 12:41:20 2009.10.08. 12:51:20 6021f6c1000100000023 DC1.c...
       37 CONTOSO\DC1$          Contoso CA-Xchg 2010.01.21. 13:00:00 2010.02.25. 13:10:00 161eb082000100000025 DC1.c...
       41 CONTOSO\DC1$          Contoso CA-Xchg 2010.03.06. 11:08:45 2010.04.10. 11:18:45 159a246e000100000029 DC1.c...
       62 CONTOSO\DC1$          Contoso CA-Xchg 2010.09.11. 16:15:57 2010.10.16. 16:25:57 1767f49000010000003e DC1.c...
       65 CONTOSO\DC1$          Contoso CA-Xchg 2010.12.29. 12:06:11 2011.02.02. 12:16:11 44e49729000100000041 DC1.c...
       75 CONTOSO\DC1$          Contoso CA-Xchg 2011.09.18. 19:32:22 2011.10.23. 19:42:22 18dd467200010000004b DC1.c...
       76 CONTOSO\DC1$          Contoso CA-Xchg 2011.11.04. 16:02:44 2011.12.09. 16:12:44 743576f900010000004c DC1.c...
       87 CONTOSO\DC1$          Contoso CA-Xchg 2012.05.30. 17:30:41 2012.07.04. 17:40:41 5fe142ca000100000057 DC1.c...
PS C:\>
or against WebServer template and including template property (I removed other properties from the output by using Select-Object cmdlet):
PS C:\> Get-CA dc1* | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer" -Property "CertificateTemplate" | Select requestid, certificatetemplate
RequestID CertificateTemplate
--------- -------------------
       29 WebServer
       33 WebServer
       60 WebServer
       61 WebServer
PS C:\>
If the property is still empty (after you try these examples), then there is something really wrong in your configuration.
June 5th, 2012 6:08am
Yes, you guessed right (although I'd like to not include some templates).
But - if I get all certificates, only a subset includes a meaningful template. Most of them are just empty. I think the OID-container got screwed up, as I do not see the information included in most templates :(
We are also having problems with the date-conversion, which makes it impossible (at least with my poor PS-knowledge) to use it.
I am converting the dates to reflect the format in the CA-database, but so far no luck
get-date ((get-date).adddays($warningTime)) -format g
Kind regards,
MMF
June 5th, 2012 6:19am
yes, it is most likely that your OID container is corrupted.
I'm aware about the date and time formats and have corresponding issue thread:
http://pspki.codeplex.com/discussions/281033
At this time I have no idea what to do with this issue.
June 5th, 2012 6:31am
That's not so bad at the moment. Do you know how to recreate the OID containers? Because that's what's bad at the moment :D
MMF
June 5th, 2012 6:40am
I don't know, unfortunately. If you have a backup of Active Directory you can perform OID container's authoritative restore.
June 5th, 2012 7:00am
Quite simple btw - maybe it's useful for someone:
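Import-Module ActiveDirectory
# Find the deleted msPKI-Enterprise-Oid object for the template OID in the configuration partition
$temp = Get-ADObject -Filter {ObjectClass -eq "msPKI-Enterprise-Oid" -and msPKI-Cert-Template-OID -eq "<SOMEOID>"} -IncludeDeletedObjects -Property * -SearchBase 'CN=Configuration,DC=CONTOSO,DC=COM'
# Restore it from the deleted objects container
$temp | Restore-ADObject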
June 5th, 2012 8:41am
I'm aware about the date and time formats and have corresponding issue thread:
http://pspki.codeplex.com/discussions/281033
At this time I have no idea what to do with this issue.
I think you're doing some kind of datetime-conversion in your module. Both our client and PKI are on regional settings for Germany, but the output of the module is as follows:
System-Output: Dienstag, 5. Juni 2012 14:59:34
Module-Output: WARNING: Specified pattern 'NotAfter -le 06/15/2012 14:59:34' is not valid!
And the database shows: 05.06.2012 11:48:12
Same as with: get-date ((get-date).adddays($warningTime)) -format g
June 5th, 2012 9:02am
can you contact me via email? I need more details about the issue to be able to fix it.
Thanks!
June 5th, 2012 9:33am