
Least User Privileges

Open SinnGit opened this issue 3 years ago • 6 comments

Is there any documentation outlining least user privileges for each cmdlet? I'm finding that many tasks fail to execute if the account does not have "issue and manage certificates" rights on the CA. Is there any way to request a certificate from a CA without needing to grant the account full rights to manage the CA? The account already has read/enroll rights to the template in question.

SinnGit avatar Jan 15 '21 18:01 SinnGit

Is there any documentation outlining least user privileges for each cmdlet?

No, there is no such documentation.

I'm finding that many tasks fail to execute if the account does not have "issue and manage certificates" rights on the CA.

Which ones? Can you provide specific examples?

Crypt32 avatar Jan 16 '21 07:01 Crypt32

Get-CertificationAuthority returns "IsAccessible"=False which causes any commands leveraging the results returned by this command to fail.

PS C:\Users\> Get-CertificationAuthority -Name $CA

DisplayName                              ComputerName              IsAccessible ServiceStatus Type                     
-----------                              ------------              ------------ ------------- ----                     
IssuingCA03                     Servername...               False        Running       Enterprise Subordinate CA

Get-CATemplate returns an error that the specified certification authority is unavailable.

PS C:\Users\> (get-CATemplate -CertificationAuthority "servername.server.org").Templates | ?{$_.Name -like "*$Template*"}
New-Object : Exception calling ".ctor" with "1" argument(s): "Specified Certification Authority 'IssuingCA03' is unavailable."
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\3.7.2\Server\Get-CATemplate.ps1:14 char:4
+             New-Object PKI.CertificateServices.CATemplate -ArgumentLi ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Submit-CertificateRequest fails with a cryptic "'Server' is a ReadOnly property" error.

PS C:\Users\> Submit-CertificateRequest -path C:\temp\adlds.csr -CertificationAuthority "server.name.org" -Attribute "CertificateTemplate:NDES"
Submit-CertificateRequest : 'Server' is a ReadOnly property.
At line:1 char:1
+ Submit-CertificateRequest -path C:\temp\adlds.csr -CertificationAutho ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Submit-CertificateRequest], RuntimeException
    + FullyQualifiedErrorId : PropertyAssignmentException,Submit-CertificateRequest

SinnGit avatar Jan 19 '21 20:01 SinnGit

It is a bug. There is an unnecessary check for CA admin permission.

Crypt32 avatar Jan 20 '21 06:01 Crypt32

The first issue (certificate template reading) is fixed. I'm investigating the second issue and will update this issue when I fix it.

Crypt32 avatar Jan 22 '21 17:01 Crypt32

Both issues are now resolved. The fix will be added to the next PSPKI release.

Crypt32 avatar Jan 22 '21 20:01 Crypt32

Would it be possible to build a pre/beta release module for this? I'm running into this issue and unfortunately don't have access to VS to rebuild the library.

warrenrees avatar Jun 21 '22 15:06 warrenrees

Both issues are now resolved. Fix will be added to next PSPKI release

I see you stated you have fixed the issue I am having here, but I don't see a link to get the updated cmdlet. As you may know, there is/was no next PSPKI release yet. The paid support version is still 3.7.2 without this fix in it. Are you able to send me the fixed versions?

darkrhyes avatar Mar 17 '23 15:03 darkrhyes

Hi @Crypt32, I'm also experiencing the error below (in 3.7.2). Is there a new build available I'm not aware of?

Submit-CertificateRequest : 'Server' is a ReadOnly property.

Thanks for the very handy module; greatly appreciated!

dje-git avatar Apr 24 '23 16:04 dje-git

Fixed in v4.0.0

Crypt32 avatar Jun 15 '23 07:06 Crypt32
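A pre-flight script for the least-privilege enrollment scenario discussed in this thread, added here as an example and not code from the thread or from the PSPKI project. It assumes PSPKI 4.0.0 or later is the version without the CA-admin check, and the CA host name, CSR path and template name are placeholders you replace with your own.

```powershell
# Added example, not from the thread or the PSPKI project.
# Pre-flight check before requesting a certificate with a least-privileged
# account: Read + Enroll on the template, no "Issue and Manage Certificates"
# right on the CA. Host name, CSR path and template name are placeholders.
param(
    [string]$CAHost   = 'ca01.example.internal',   # placeholder
    [string]$CsrPath  = 'C:\temp\request.csr',      # placeholder
    [string]$Template = 'WebServer'                 # placeholder
)

Import-Module PSPKI -ErrorAction Stop
$module = Get-Module PSPKI

# Versions before 4.0.0 carry the unnecessary CA-admin check reported in this
# issue: Get-CertificationAuthority reports IsAccessible=False and
# Submit-CertificateRequest fails with "'Server' is a ReadOnly property" for
# accounts that hold only Enroll rights. Warn so the failure is not mistaken
# for a permissions or connectivity problem.
if ($module.Version -lt [version]'4.0.0') {
    Write-Warning ("PSPKI {0} is older than 4.0.0; with a non-admin account expect " +
                   "IsAccessible=False and the ReadOnly 'Server' error." -f $module.Version)
}

# Locate the CA object that the later cmdlets consume.
$ca = Get-CertificationAuthority -ComputerName $CAHost
if (-not $ca) { throw "CA on '$CAHost' was not found in Active Directory." }

# IsAccessible=False was the first symptom in this thread. On 4.0.0+ it points
# at RPC/DCOM reachability or a missing Request permission, not at the bug.
if (-not $ca.IsAccessible) {
    throw "CA '$($ca.DisplayName)' reports IsAccessible=False: on PSPKI < 4.0.0 this is the " +
          "permission-check bug; on 4.0.0+ verify CA reachability and the account's Request right."
}

# Confirm the template is published on this CA before submitting anything;
# Get-CATemplate was the second cmdlet that failed in the thread.
$published = (Get-CATemplate -CertificationAuthority $ca).Templates |
    Where-Object { $_.Name -eq $Template }
if (-not $published) {
    throw "Template '$Template' is not published on '$($ca.DisplayName)'."
}

# Submit with the template named in the request attributes, as in the thread.
# The returned object is printed as-is; its property names are not assumed here.
Submit-CertificateRequest -Path $CsrPath -CertificationAuthority $ca `
    -Attribute "CertificateTemplate:$Template"
```

Run it under the enrollment account itself, not an administrator, so the checks reflect the rights that account actually holds.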