Restriction on CertView with template not working
Hi there,

we're currently querying our certificate services database with a PowerShell script which uses the ICertView2 COM object (http://msdn.microsoft.com/en-us/library/windows/desktop/aa385439(v=vs.85).aspx). I am trying to use $CaView.SetRestriction() to filter out certificates of a certain template, but without luck so far. I tried all the available choices (e.g. defining lower 0x2 and upper boundaries 0x10 for filtering, and also with an 0x1 for EQUAL).

    $CaView = New-Object -ComObject CertificateAuthority.View
    $CaView.OpenConnection("hostname.domain.local\SomeCA")

    # Columns to return for each row
    $Properties = "RequestID", "RequesterName", "CommonName", "NotBefore", "NotAfter", "SerialNumber", "CertificateTemplate"
    $CaView.SetResultColumnCount($Properties.Count)
    $Properties | %{$CaView.SetResultColumn($CaView.GetColumnIndex($False, $_))}

    # Column indexes used in the restrictions
    $RColumn = $CaView.GetColumnIndex($False, "NotAfter")
    $LColumn = $CaView.GetColumnIndex($False, "CommonName")
    $TColumn = $CaView.GetColumnIndex($False, "CertificateTemplate")

    # SetRestriction(column index, seek operator, sort order, value)
    $CaView.SetRestriction($LColumn, 0x2, 0, "SomeCA-Xchg")
    $CaView.SetRestriction($RColumn, 0x10, 0, [datetime]::Now)
    $CaView.SetRestriction($RColumn, 0x2, 0, [datetime]::Now.AddDays($args[1]))
    $CaView.SetRestriction($TColumn, 0x2, 0, "1.2.3.4.5.6.232314.412343.456435.555434")
    $Row = $CaView.OpenView()

Maybe someone can enlighten me, as I have no idea what's going wrong :(

Kind regards,
MMF
May 30th, 2012 8:52am
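
The raw ICertView query the question describes, written out as an added example (not code from this thread or from the PSPKI module). It assumes the CertificateTemplate column holds the template OID for version 2 and later templates and the template name for version 1 templates; the function name Get-ExpiringCertificate and its parameters are hypothetical.

```powershell
# Seek operators and sort order as defined in certview.h
$CVR_SEEK_EQ   = 0x1    # equal
$CVR_SEEK_LT   = 0x2    # less than
$CVR_SEEK_GT   = 0x10   # greater than
$CVR_SORT_NONE = 0

function Get-ExpiringCertificate {
    param(
        [Parameter(Mandatory)][string]$ConfigString,  # "host.domain.local\CA name"
        [Parameter(Mandatory)][string]$Template,      # assumption: OID (v2+) or name (v1)
        [int]$Days = 30
    )
    $view = New-Object -ComObject CertificateAuthority.View
    $view.OpenConnection($ConfigString)

    # Result columns must be declared before the view is opened
    $columns = "RequestID", "RequesterName", "CommonName", "NotAfter", "CertificateTemplate"
    $view.SetResultColumnCount($columns.Count)
    foreach ($name in $columns) {
        $view.SetResultColumn($view.GetColumnIndex($false, $name))
    }

    $notAfter = $view.GetColumnIndex($false, "NotAfter")
    $tmpl     = $view.GetColumnIndex($false, "CertificateTemplate")

    # Restrictions are ANDed: now < NotAfter < now + $Days, template matches exactly.
    # Dates are passed as [datetime] objects, not as formatted strings, so the
    # regional date format of the client does not enter the comparison.
    $now = [datetime]::Now
    $view.SetRestriction($notAfter, $CVR_SEEK_GT, $CVR_SORT_NONE, $now)
    $view.SetRestriction($notAfter, $CVR_SEEK_LT, $CVR_SORT_NONE, $now.AddDays($Days))
    $view.SetRestriction($tmpl,     $CVR_SEEK_EQ, $CVR_SORT_NONE, $Template)

    # Walk rows and columns; Next() returns -1 when the enumeration is exhausted
    $row = $view.OpenView()
    while ($row.Next() -ne -1) {
        $record = [ordered]@{}
        $col = $row.EnumCertViewColumn()
        while ($col.Next() -ne -1) {
            $record[$col.GetName()] = $col.GetValue(1)
        }
        [pscustomobject]$record
    }
}

# Constructed sample call; host, CA name and OID are placeholders:
# Get-ExpiringCertificate -ConfigString "hostname.domain.local\SomeCA" -Template "<TEMPLATE-OID>" -Days 14
```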

You can try my PowerShell PKI module: http://pspki.codeplex.com/

The following syntax could be used:

    Get-CA ca01.domain.com | Get-IssuedRequest -Filter "CertificateTemplate -eq CAExchange"

For additional information you may refer to the online documentation (on the project main page).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
May 30th, 2012 11:09am

Hi Vadims, your work is awesome, sadly I didn't find it before. I will try to sort it out with your module :) Thanks, MMF
June 4th, 2012 2:18am

Unfortunately, even if I use Get-IssuingRequests -Property *, the property CertificateTemplate is always null. I do not know why it's working in your examples, but not in my case. The module is really great, helped me a lot :)

Thanks and kind regards,
MMF
June 5th, 2012 1:48am

My guess was that you need to obtain all issued certificates based on a specific certificate template. Please clarify if I'm wrong here. Look at the following output (as it works on my lab CA) against the CA Exchange template:

    PS C:\> Get-CA dc1* | Get-IssuedRequest -Filter "CertificateTemplate -eq CAExchange" | ft -a

    RequestID Request.RequesterName CommonName      NotBefore            NotAfter             SerialNumber         ConfigString
    --------- --------------------- ----------      ---------            --------             ------------         ------------
           17 CONTOSO\DC1$          Contoso CA-Xchg 2009.03.16. 6:56:31  2009.04.20. 7:06:31  11cba4b4000000000011 DC1.c...
           28 CONTOSO\DC1$          Contoso CA-Xchg 2009.05.06. 16:43:05 2009.06.10. 16:53:05 10f7bf3400000000001c DC1.c...
           35 CONTOSO\DC1$          Contoso CA-Xchg 2009.09.03. 12:41:20 2009.10.08. 12:51:20 6021f6c1000100000023 DC1.c...
           37 CONTOSO\DC1$          Contoso CA-Xchg 2010.01.21. 13:00:00 2010.02.25. 13:10:00 161eb082000100000025 DC1.c...
           41 CONTOSO\DC1$          Contoso CA-Xchg 2010.03.06. 11:08:45 2010.04.10. 11:18:45 159a246e000100000029 DC1.c...
           62 CONTOSO\DC1$          Contoso CA-Xchg 2010.09.11. 16:15:57 2010.10.16. 16:25:57 1767f49000010000003e DC1.c...
           65 CONTOSO\DC1$          Contoso CA-Xchg 2010.12.29. 12:06:11 2011.02.02. 12:16:11 44e49729000100000041 DC1.c...
           75 CONTOSO\DC1$          Contoso CA-Xchg 2011.09.18. 19:32:22 2011.10.23. 19:42:22 18dd467200010000004b DC1.c...
           76 CONTOSO\DC1$          Contoso CA-Xchg 2011.11.04. 16:02:44 2011.12.09. 16:12:44 743576f900010000004c DC1.c...
           87 CONTOSO\DC1$          Contoso CA-Xchg 2012.05.30. 17:30:41 2012.07.04. 17:40:41 5fe142ca000100000057 DC1.c...

    PS C:\>

or against the WebServer template and including the template property (I removed other properties from the output by using the Select-Object cmdlet):

    PS C:\> Get-CA dc1* | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer" -Property "CertificateTemplate" | Select requestid, certificatetemplate

    RequestID CertificateTemplate
    --------- -------------------
           29 WebServer
           33 WebServer
           60 WebServer
           61 WebServer

    PS C:\>

If the property is still empty (after you try these examples), then there is something really wrong in your configuration.
June 5th, 2012 6:08am

Yes, you guessed right (although I'd like to not include some templates). But if I get all certificates, only a subset includes a meaningful template. Most of them are just empty. I think the OID container got screwed up, as I do not see the information included in most templates :(

We are also having problems with the date conversion, which makes it impossible (at least with my poor PS knowledge) to use it. I am converting the dates to reflect the format in the CA database, but so far no luck:

    get-date ((get-date).adddays($warningTime)) -format g

Kind regards,
MMF
June 5th, 2012 6:19am

Yes, it is most likely that your OID container is corrupted. I'm aware of the date and time formats and have a corresponding issue thread: http://pspki.codeplex.com/discussions/281033 At this time I have no idea what to do with this issue.
June 5th, 2012 6:31am

That's not so bad at the moment. Do you know how to recreate the OID containers? Because that's what's bad at the moment :D MMF
June 5th, 2012 6:40am

I don't know, unfortunately. If you have a backup of Active Directory you can perform an authoritative restore of the OID container.
June 5th, 2012 7:00am

Quite simple btw - maybe it's useful for someone:

    Import-Module ActiveDirectory

    # Find the deleted OID object for the template in the configuration partition
    $temp = Get-ADObject -Filter {ObjectClass -eq "msPKI-Enterprise-Oid" -and msPKI-Cert-Template-OID -eq "<SOMEOID>"} -IncludeDeletedObjects -Property * -SearchBase 'CN=Configuration,DC=CONTOSO,DC=COM'

    # Restore the deleted object
    Restore-ADObject $temp
June 5th, 2012 8:41am

> I'm aware of the date and time formats and have a corresponding issue thread: http://pspki.codeplex.com/discussions/281033 At this time I have no idea what to do with this issue.

I think you're doing some kind of datetime conversion in your module. Both our client and PKI are on regional settings for Germany, but the output of the module is as follows:

    System-Output: Dienstag, 5. Juni 2012 14:59:34
    Module-Output: WARNING: Specified pattern 'NotAfter -le 06/15/2012 14:59:34' is not valid!

And the database shows: 05.06.2012 11:48:12

Same as with:

    get-date ((get-date).adddays($warningTime)) -format g
June 5th, 2012 9:02am

Can you contact me via email? I need more details about the issue to be able to fix it. Thanks!
June 5th, 2012 9:33am

This topic is archived. No further replies will be accepted.
