Certificate Templates, Add-CATemplate problems

This topic contains 1 reply, has 1 voice, and was last updated by Stephen Small 1 year, 1 month ago.

  • #33059
    Stephen Small
    Participant

    Here's a script I mangled from Technet
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/347acc93-8352-4535-ab1a-23ebd49eea22/duplicate-certificate-template-edit-and-publish-it?forum=winserverpowershell

    I'm having trouble on the last part where I call 'Add-CATemplate'. If I run the script as is, the template gets created, but will not publish. I have to go to the templates MMC and refresh for the add-template command to work.

    Add-CATemplate : The "deploy-WebServer" template does not exist in the domain.
    At I:\scripts\WebServer-Template.ps1:79 char:1
    + Add-CATemplate -Name 'deploy-WebServer' -force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (deploy-WebServer:String) [Add-CATemplate], InvalidTemplateException
        + FullyQualifiedErrorId : InvalidTemplate,Microsoft.CertificateServices.Administration.Commands.CA.AddCATemplateCommand

    Is there a way to refresh the list powershell-magically?

    # Locate the Certificate Templates container in the forest's Configuration partition
    $ConfigContext = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
    $ADSI = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"

    # Create the template object; nothing is written to AD until SetInfo()
    $NewTempl = $ADSI.Create("pKICertificateTemplate", "CN=deploy-WebServer")
    $NewTempl.Put("distinguishedName","CN=deploy-WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext")
    # and put other attributes that you need

    # Attributes needed for the first commit of the object
    $NewTempl.Put("flags","131649")
    $NewTempl.Put("displayName","deploy-WebServer")
    $NewTempl.Put("revision","100")
    $NewTempl.Put("pKIDefaultKeySpec","1")          # AT_KEYEXCHANGE
    $NewTempl.SetInfo()

    # Remaining settings for a Web Server style (TLS server) template
    $NewTempl.Put("pKIMaxIssuingDepth","0")
    $NewTempl.Put("pKICriticalExtensions","2.5.29.15")            # Key Usage extension marked critical
    $NewTempl.Put("pKIExtendedKeyUsage","1.3.6.1.5.5.7.3.1")      # Server Authentication
    $NewTempl.Put("pKIDefaultCSPs","1,Microsoft RSA SChannel Cryptographic Provider")
    $NewTempl.Put("msPKI-RA-Signature","0")                       # no authorized signatures required on the request
    $NewTempl.Put("msPKI-Enrollment-Flag","8")                    # CT_FLAG_PUBLISH_TO_DS
    $NewTempl.Put("msPKI-Private-Key-Flag","16842768")            # 0x1010010, includes CT_FLAG_EXPORTABLE_KEY (0x10)
    $NewTempl.Put("msPKI-Certificate-Name-Flag","1")              # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: requester sets the subject
    $NewTempl.Put("msPKI-Minimal-Key-Size","2048")
    $NewTempl.Put("msPKI-Template-Schema-Version","2")
    $NewTempl.Put("msPKI-Template-Minor-Revision","2")
    # The template OID must be unique in the forest; this value is carried over from the Technet sample
    $NewTempl.Put("msPKI-Cert-Template-OID","1.3.6.1.4.1.311.21.8.7183632.6046387.16009101.13536898.4471759.164.5869043.12046343")
    $NewTempl.Put("msPKI-Certificate-Application-Policy","1.3.6.1.5.5.7.3.1")   # Server Authentication

    $NewTempl.SetInfo()

    # Copy validity and renewal periods from the built-in Subordinate Certification Authority template
    $WATempl = $ADSI.psbase.Children | Where-Object { $_.displayName -match "Subordinate Certification Authority" }

    #before
    $NewTempl.pKIExpirationPeriod = $WATempl.pKIExpirationPeriod
    $NewTempl.pKIOverlapPeriod = $WATempl.pKIOverlapPeriod
    $NewTempl.SetInfo()

    # Copy the key usage extension from the built-in Web Server template
    $WATempl2 = $ADSI.psbase.Children | Where-Object { $_.displayName -match "Web Server" }

    $NewTempl.pKIKeyUsage = $WATempl2.pKIKeyUsage
    $NewTempl.SetInfo()
    $NewTempl | Select-Object *

    # Show the ACL the new object inherited from the container
    $acl = $NewTempl.psbase.ObjectSecurity
    $acl | Select-Object -ExpandProperty Access

    #Set new
    # Grant Authenticated Users read and enroll. ExtendedRight with no object GUID is every control
    # access right on the template (Enroll and Autoenroll) for every authenticated principal; together
    # with ENROLLEE_SUPPLIES_SUBJECT above, narrow this to the intended enrollment group outside a lab.
    $AdObj = New-Object System.Security.Principal.NTAccount("Authenticated Users")
    $identity = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
    $adRights = "ReadProperty, ExtendedRight, GenericExecute"
    $type = "Allow"

    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type)
    $NewTempl.psbase.ObjectSecurity.SetAccessRule($ACE)
    $NewTempl.psbase.CommitChanges()

    # Grant the domain Administrator account full control of the template object
    $AdObj = New-Object System.Security.Principal.NTAccount("deploy\Administrator")
    $identity = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
    $adRights = "GenericAll"
    $type = "Allow"

    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type)
    $NewTempl.psbase.ObjectSecurity.SetAccessRule($ACE)
    $NewTempl.psbase.CommitChanges()

    Start-Sleep -Seconds 5

    # Restart the CA service so it re-reads the template list
    Stop-Service CertSvc

    Start-Sleep -Seconds 5

    Start-Service CertSvc

    Start-Sleep -Seconds 5

    Get-CATemplate

    # This is the call that fails with "template does not exist in the domain" when the script runs straight through
    Add-CATemplate -Name 'deploy-WebServer' -Force
  • #33080
    Stephen Small
    Participant

    Got it. I just had to wait. Credit goes here:

    I added this to my script:

    # Distinguished name the template was created with
    $templateDN = "CN=deploy-WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"

    # List what the container holds right now
    $templates = $ADSI | Select-Object -ExpandProperty Children

    $templates.distinguishedName

    $Stoploop = $false
    [int]$Retrycount = 0
    $MaxRetries = 30

    do {
        try {
            # Re-read the container on every pass; a snapshot taken before the loop never changes
            $templates = $ADSI | Select-Object -ExpandProperty Children
            if ($templates.distinguishedName -notcontains $templateDN) {
                throw "$templateDN is not visible in AD yet"
            }

            # -ErrorAction Stop turns the cmdlet's error into a terminating one so the catch block runs
            Add-CATemplate -Name 'deploy-WebServer' -Force -ErrorAction Stop

            Write-Host "Template published successfully"
            $Stoploop = $true
        }
        catch {
            if ($Retrycount -ge $MaxRetries) {
                Write-Host "Could not publish template after $MaxRetries retries: $($_.Exception.Message)"
                $Stoploop = $true
            }
            else {
                Write-Host "Could not publish template, retrying in 30 seconds..."
                Start-Sleep -Seconds 30
                $Retrycount++
            }
        }
    } while (-not $Stoploop)
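Added example, not part of either post or of the Technet thread: a check to run on the template object before publishing it, using the attribute values and ACE shape from the script above. The function name and the $BroadPrincipals list are assumptions, and the ACE at the end is constructed to mirror the script's Authenticated Users grant.

```powershell
# Added example (not from the original posts). ACE fields used are those of
# System.DirectoryServices.ActiveDirectoryAccessRule: IdentityReference,
# ActiveDirectoryRights, AccessControlType, ObjectType.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')  # assumption

function Test-TemplateEnrollmentRisk {
    param(
        [int]$NameFlag,        # msPKI-Certificate-Name-Flag
        [int]$EnrollmentFlag,  # msPKI-Enrollment-Flag
        [int]$RASignatures,    # msPKI-RA-Signature
        [object[]]$Access      # ACEs from $template.psbase.ObjectSecurity.Access
    )
    $findings = @()
    $supplySubject = ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval = ($EnrollmentFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    foreach ($ace in $Access) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $who    = ("$($ace.IdentityReference)" -split '\\')[-1]   # strip "NT AUTHORITY\" etc.
        $rights = "$($ace.ActiveDirectoryRights)"
        if ($BroadPrincipals -notcontains $who) { continue }
        # ExtendedRight with an empty ObjectType is every control access right, Enroll and Autoenroll included
        $canEnroll = ($rights -match 'GenericAll') -or ($rights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty)
        if ($canEnroll) {
            $findings += "$who can enroll ($rights)"
            if ($supplySubject -and -not $needsApproval -and $RASignatures -eq 0) {
                $findings += "$who may also choose the certificate subject with no approval or RA signature"
            }
        }
        if ($rights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty') {
            $findings += "$who can modify the template itself ($rights)"
        }
    }
    return $findings
}

# Constructed ACE mirroring the Authenticated Users grant in the script above
$sampleAce = [pscustomobject]@{
    IdentityReference     = 'NT AUTHORITY\Authenticated Users'
    ActiveDirectoryRights = 'ReadProperty, ExtendedRight, GenericExecute'
    AccessControlType     = 'Allow'
    ObjectType            = [guid]::Empty
}
Test-TemplateEnrollmentRisk -NameFlag 1 -EnrollmentFlag 8 -RASignatures 0 -Access @($sampleAce)
```

Against the live object from the script, pass $NewTempl.'msPKI-Certificate-Name-Flag', $NewTempl.'msPKI-Enrollment-Flag', $NewTempl.'msPKI-RA-Signature' and $NewTempl.psbase.ObjectSecurity.Access (the hyphenated attribute names need the quotes).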
    
