PSPKI icon indicating copy to clipboard operation
PSPKI copied to clipboard

Published 20 hours ago verified publisher icon PKISolutions

How does Get-IssuedRequest -Filter actually work?

Open darkrhyes opened this issue 1 year ago • 3 comments

I am using Get-IssuedRequest with a Filter switch and it keeps saying the format is invalid in a specific way.

Get-IssuedRequest -Filter "CommonName -notcontains ABCCompany"

Reply:

Line |
  17 |                  throw "Malformed filter: '$line'"
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Malformed filter: 'CommonName -Notcontains ABCCompany'

What exact qualifiers does the Filter switch allow? `

I have only been able to use "NotAfter -gt" and everything else as a filter has thrown an error.

The examples show: Get-CertificationAuthority -Name MyCA | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer", "CommonName -eq www.company.com"

which is what I am doing with just the Commoname property and -notcontains. Also I did try -ne which gave me the same error.

darkrhyes avatar Sep 30 '24 18:09 darkrhyes

Did you check cmdlet built-in help?

PS C:\> man Get-IssuedRequest -Parameter Filter

-Filter <String[]>
    Specifies the query filter to restrict output objects to ones that matches query filter rule. Query filter rule con
    sist of three components: <RequestProperty>, <comparison operator> and <value>. Query filter is composed in the fol
    lowing format: "<RequestProperty> <comparison operator> <value>" where:
    <RequestProperty> - is a certificate request property name. To retrieve valid property list run Get-CertificationAu
    thorityDbSchema command.
    <comparison operator> - specifies the logical operator of the data-query qualifier for the column.
    <value> - specifies the data query qualifier applied to the certificate request property.

    Possible operators are:
    -eq (equal to) - the value in the <value> field equals to a value stored in the certificate request property.
    -le (less or equal to) - the value in the <value> field is less or equal to a value stored in the certificate reque
    st property. See below about operator behavior with string qualifiers.
    -lt (less than) - the value in the <value> field is less then a value stored in the certificate request property. S
    ee below about operator behavior with string qualifiers.
    -ge (greater or equal to) - the value in the <value> field is greater or equal to a value stored in the certificate
     request property. See below about operator behavior with string qualifiers.
    -gt (greater than) - the value in the <value> field is greater than a value stored in the certificate request prope
    rty. See below about operator behavior with string qualifiers.

    There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifie
    rs. In this case, CA server performs binary comparison between strings (column value and qualifier value). For exam
    ple, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB",
     "ABC" is less than "BRC".
    If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value
    . For example, column value is "a large string" and qualifier value is "a large", then column value is greater than
     qualifier value. In other words, "AA" > "A" and "A" < "AA".

    An example of the filter: Request.RequesterName -eq domain\username
    this filter returnes requests that were requested by 'domain\username' user account. See examples section for more
    filter examples.

    You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that ou
    tput requests must match all filters.

    Note: wildcard characters are not supported.

    Note: if 'RequestID' parameter is specified, all filters are ignored.

    Required?                    false
    Position?                    5
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false





PS C:\>

Also, Get-Help Get-IssuedRequest -Online will open you a web version of this help. There you can find allowed operators and how these operators work with string filter qualifiers. Basically, there is no -ne, -contains or -notcontains operators.

Crypt32 avatar Oct 01 '24 07:10 Crypt32

Interesting. Thank you. I didn't realize it might not support "-ne" or "-notcontains".

I ended doing a "-ge" with one of the values than a standard filter against the collected array to remove the values I didn't want.

Thanks again.

darkrhyes avatar Oct 01 '24 15:10 darkrhyes

I didn't realize it might not support "-ne" or "-notcontains".

This limitation came from underlying DB query engine. Look for SeekOperator parameter that lists supported by underlying query engine operators: https://learn.microsoft.com/en-us/windows/win32/api/certview/nf-certview-icertview-setrestriction.

Crypt32 avatar Oct 01 '24 15:10 Crypt32