PSPKI
Get-CertificationAuthority -Enterprise gives a wrong result
PS C:\Users\QQQ> Get-CertificationAuthority -Enterprise
PS C:\Users\QQQ> Get-CertificationAuthority
DisplayName           ComputerName             IsAccessible ServiceStatus Type
-----------           ------------             ------------ ------------- ----
XXXXXXXXXX Issuing 06 SSSSSSSSSSSSSSSSSSSS.com True         Running       Enterprise Subordinate CA
PS C:\Users\QQQ> Get-CertificationAuthority | Get-EnterprisePKIHealthStatus
Name                  Status Childs
----                  ------ ------
XXXXXXXXXX Issuing 06 Ok     {XXXXXXXXXX Issuing 06, SSSSSSSSSS Root 02}
The command with the key "-Enterprise" gives no result, but one Enterprise Subordinate CA exists in our domain.
Do you get any result when using the -Standalone switch instead? In a test domain, I have a mix of Enterprise and Standalone CAs, and the -Enterprise switch works for me as expected: it returns only enterprise CAs in the forest.
I can't perform such a test. We have some domains and all of them have a domain issuing CA. We have only one standalone root CA without a domain.
Something has happened and that problem turned into another one. The same query now gives the right result, but it takes about 7 minutes.
Running Connect-CertificationAuthority also takes the same time.
I have such problems with the tool only in one domain. All others work normally. Actually, I think this domain also works fine itself. I'll be happy to find our bug and help you to improve your tool!
There are a lot of things you may need to test before you can find the root cause of this. Please test how much time these commands take:
[SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer]::GetAdPkiContainer("Enroll").EnrollmentServers
$CertConfig = New-Object SysadminsLV.PKI.Dcom.Implementations.CertConfigD
$CertConfig.EnumConfigEntries()
If they are fast enough, you will have to debug the SysadminsLV.PKI.dll library in Visual Studio to find out which internal call causes the delays.
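An added example, not part of the original thread and not the maintainer's code: one way to run the timing test requested above, stage by stage, with the slow cmdlet included for comparison. It assumes the PSPKI module is installed; the stage labels and the 5-second threshold are illustrative choices.

```powershell
# Added example: time each stage of CA discovery to locate the delay.
# Assumes the PSPKI module is installed; the stage labels and the
# 5-second threshold are illustrative choices, not values from the thread.
Import-Module PSPKI -ErrorAction Stop

# The CA management interfaces are only available to 64-bit processes.
if (-not [Environment]::Is64BitProcess) {
    Write-Warning 'This is a 32-bit session; repeat the test in 64-bit PowerShell.'
}

# The first two stages are the calls quoted in the thread;
# the third is the cmdlet that was reported as slow.
$stages = [ordered]@{
    'DsPkiContainer: EnrollmentServers' = {
        [SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer]::GetAdPkiContainer('Enroll').EnrollmentServers
    }
    'CertConfigD: EnumConfigEntries' = {
        $certConfig = New-Object SysadminsLV.PKI.Dcom.Implementations.CertConfigD
        $certConfig.EnumConfigEntries()
    }
    'Get-CertificationAuthority -Enterprise' = {
        Get-CertificationAuthority -Enterprise -ErrorAction Stop
    }
}

$slowAfterSeconds = 5

$results = foreach ($name in $stages.Keys) {
    $failure = $null
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Discard the output; only the elapsed time and any error matter here.
        & $stages[$name] | Out-Null
    } catch {
        $failure = $_.Exception.Message
    } finally {
        $timer.Stop()
    }
    [pscustomobject]@{
        Stage   = $name
        Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 2)
        Slow    = $timer.Elapsed.TotalSeconds -gt $slowAfterSeconds
        Error   = $failure
    }
}

$results | Format-Table -AutoSize -Wrap
```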
They finished immediately. It appears like I have to learn how to debug a DLL in VC :-( I hope I'll do it soon.
Library sources are here: https://github.com/PKISolutions/pkix.net
Download them to Visual Studio, either add a CLI application as the host application or create a unit test project, and test the [PKI.CertificateServices.CertificateAuthority]::Connect() method. Set breakpoints and debug it line by line.
One thing you should know: debug an x64 process, because CA management interfaces don't exist for the x86 platform (Visual Studio defaults to x86 when debugging).