PSPKI
Exception when executing Add-OnlineResponderRevocationConfiguration
When I execute the example code for Add-OnlineResponderRevocationConfiguration:
```powershell
$CA = Get-CertificationAuthority "xyz.com" -Enterprise
Connect-OnlineResponder "xyz.com" | Add-OnlineResponderRevocationConfiguration -Name "Example Org v1.1" -CA $ca | Set-OnlineResponderRevocationConfiguration `
    -SigningCertTemplate "OcspResponseSigning" `
    -SigningFlag "Silent, SigningCertAutoRenewal, ForceDelegatedCert, AutoDiscoverSigninCert, ResponderIdKeyHash, SigningCertAutoEnrollment" `
    -BaseCrlUrl "http://cdp2.example.com/exca.crl","http://cdp3.example.com/exca.crl" `
    -DeltaCrlUrl "http://cdp2.example.com/exca+.crl","http://cdp3.example.com/exca+.crl" `
    -HashAlgorithm (New-Object System.Security.Cryptography.Oid2 "sha256", $true)
```
I get the following error:
```
Set-OnlineResponderRevocationConfiguration : Cannot process argument transformation on parameter 'SigningFlag'. Cannot convert value "Silent, SigningCertAutoRenewal, ForceDelegatedCert,
AutoDiscoverSigninCert, ResponderIdKeyHash, SigningCertAutoEnrollment" to type "SysadminsLV.PKI.Management.CertificateServices.OcspSigningFlag". Error: "Unable to match the identifier name
Silent, SigningCertAutoRenewal, ForceDelegatedCert, AutoDiscoverSigninCert, ResponderIdKeyHash, SigningCertAutoEnrollment to a valid enumerator name. Specify one of the following enumerator
names and try again:
None, Silent, UseCaCert, SigningCertAutoRenewal, ForceDelegatedCert, AutoDiscoverSigningCert, ManualSigningCert, ResponderIdKeyHash, ResponderIdCertName, AllowNonce,
SigningCertAutoEnrollment"
At line:4 char:18
+ ... SigningFlag "Silent, SigningCertAutoRenewal, ForceDelegatedCert, Auto ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-OnlineRespo...onConfiguration], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-OnlineResponderRevocationConfiguration
```
I played around with directly specifying SysadminsLV.PKI.Management.CertificateServices.OcspSigningFlag enum values, but no luck until now. Is this a bug?
It is not a bug, it is a typo in your enum values: `AutoDiscoverSigninCert` must be `AutoDiscoverSigningCert`, with the letter g after Signin.
Thank you very much for checking and the quick feedback.
I copied the code from the documentation here: https://www.pkisolutions.com/tools/pspki/Add-OnlineResponderRevocationConfiguration/. The typo is also in the example.
The example also misses the parameter -SigningServer.
-SigningServer is not mandatory, for example, if CA is not Enterprise CA.
If I call the example command without the parameter -SigningServer, it asks for the value for -SigningServer. The Get-CA command in the example is with the -Enterprise parameter and a value for -SigningCertTemplate is specified. This also requires -SigningServer to be specified, or am I wrong?

> If I call the example command without the parameter -SigningServer, it asks for the value for -SigningServer. The Get-CA command in the example is with the -Enterprise parameter and a value for -SigningCertTemplate is specified. This also requires -SigningServer to be specified, or am I wrong?
It is because the -SigningCertTemplate parameter is specified. If you specify a certificate template, then it is assumed that an Enterprise CA must be used, thus -SigningServer is required and vice versa. If your CA is not Enterprise (Standalone or 3rd party), then you omit both parameters, -SigningCertTemplate and -SigningServer.
Thank you for the details and all your great work.
This means the example under https://www.pkisolutions.com/tools/pspki/Add-OnlineResponderRevocationConfiguration/ needs the -SigningServer parameter to be added.
Right, thanks!
Fixed in v4.0.0
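The conversion error in this thread reports the whole comma-separated string as unmatched, not the one bad name. A pre-flight check that tests each name on its own is sketched below as an added example, not code from the thread or from PSPKI: `DemoOcspSigningFlag`, `Get-CommonPrefixLength` and `Find-UnknownFlagName` are hypothetical names, and the enum is a constructed stand-in whose member names come from the error message while its numeric values are placeholders.

```powershell
# Constructed stand-in for SysadminsLV.PKI.Management.CertificateServices.OcspSigningFlag.
# Member names are copied from the error message; the values are placeholders (assumption).
# With PSPKI loaded, pass the real enum type to Find-UnknownFlagName instead.
[Flags()] enum DemoOcspSigningFlag {
    None = 0
    Silent = 1
    UseCaCert = 2
    SigningCertAutoRenewal = 4
    ForceDelegatedCert = 8
    AutoDiscoverSigningCert = 16
    ManualSigningCert = 32
    ResponderIdKeyHash = 64
    ResponderIdCertName = 128
    AllowNonce = 256
    SigningCertAutoEnrollment = 512
}

# Number of leading characters two names share, ignoring case.
function Get-CommonPrefixLength([string]$a, [string]$b) {
    $n = [Math]::Min($a.Length, $b.Length)
    for ($i = 0; $i -lt $n; $i++) {
        if ([char]::ToLowerInvariant($a[$i]) -ne [char]::ToLowerInvariant($b[$i])) { return $i }
    }
    return $n
}

# Emits one object per name in $Value that is not a member of $EnumType,
# with the valid member sharing the longest prefix as a suggestion.
function Find-UnknownFlagName {
    param(
        [Parameter(Mandatory)][type]$EnumType,
        [Parameter(Mandatory)][string]$Value
    )
    $valid = [Enum]::GetNames($EnumType)
    foreach ($name in ($Value -split ',').Trim()) {
        if ($valid -contains $name) { continue }   # -contains ignores case, like the enum conversion
        $best = $valid | Sort-Object { Get-CommonPrefixLength $_ $name } -Descending |
            Select-Object -First 1
        [pscustomobject]@{ Unknown = $name; Suggestion = $best }
    }
}

# The -SigningFlag string from the failing command in this thread.
$flags = "Silent, SigningCertAutoRenewal, ForceDelegatedCert, AutoDiscoverSigninCert, ResponderIdKeyHash, SigningCertAutoEnrollment"
Find-UnknownFlagName -EnumType ([DemoOcspSigningFlag]) -Value $flags
```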