PSPKI
Least User Privileges
Is there any documentation outlining least user privileges for each cmdlet? I'm finding that many tasks fail to execute if the account does not have "issue and manage certificates" rights on the CA. Is there any way to request a certificate from a CA without needing to grant the account full rights to manage the CA? The account already has read/enroll rights to the template in question.
Is there any documentation outlining least user privileges for each cmdlet?
No, there is no such documentation.
I'm finding that many tasks fail to execute if the account does not have "issue and manage certificates" rights on the CA.
Which ones? Can you provide specific examples?
Get-CertificationAuthority returns "IsAccessible"=False which causes any commands leveraging the results returned by this command to fail.
PS C:\Users\> Get-CertificationAuthority -Name $CA
DisplayName ComputerName IsAccessible ServiceStatus Type
----------- ------------ ------------ ------------- ----
IssuingCA03 Servername... False Running Enterprise Subordinate CA
Get-CATemplate returns an error that the specified certification authority is unavailable.
PS C:\Users\> (get-CATemplate -CertificationAuthority "servername.server.org").Templates | ?{$_.Name -like "*$Template*"}
New-Object : Exception calling ".ctor" with "1" argument(s): "Specified Certification Authority 'IssuingCA03' is unavailable."
At C:\Program Files\WindowsPowerShell\Modules\PSPKI\3.7.2\Server\Get-CATemplate.ps1:14 char:4
+ New-Object PKI.CertificateServices.CATemplate -ArgumentLi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
Submit-CertificateRequest fails with a cryptic 'Server' is a ReadOnly Property error.
PS C:\Users\> Submit-CertificateRequest -path C:\temp\adlds.csr -CertificationAuthority "server.name.org" -Attribute "CertificateTemplate:NDES"
Submit-CertificateRequest : 'Server' is a ReadOnly property.
At line:1 char:1
+ Submit-CertificateRequest -path C:\temp\adlds.csr -CertificationAutho ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Submit-CertificateRequest], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException,Submit-CertificateRequest
It is a bug. There is an unnecessary check for CA admin permission.
The first issue (certificate template reading) is fixed. I'm investigating the second issue and will update the issue when I fix it.
Both issues are now resolved. The fix will be added to the next PSPKI release.
Would it be possible to build a pre/beta release module for this? I'm running into this issue and unfortunately don't have access to VS to rebuild the library.
Both issues are now resolved. The fix will be added to the next PSPKI release.
I see you stated you have fixed the issue I am having here but I don't see a link to get the updated cmdlet. As you may know, there is/was no next PSPKI release yet. The paid support version is still 3.7.2 without this fix in it. Are you able to send me the fixed versions?
Hi @Crypt32,
I'm also experiencing the error below (in 3.7.2). Is there a new build available I'm not aware of?
Submit-CertificateRequest : 'Server' is a ReadOnly property.
Thanks for the very handy module, greatly appreciated!
Fixed in v4.0.0