goateepfe / adcstemplate

A PowerShell module for exporting, importing, removing, permissioning, publishing Active Directory Certificate Templates. It also includes a DSC resource for creating AD CS templates using these functions. This was built with the intent of using DSC for rapid lab builds. Could also work in production to move templates between AD CS environments.

License: MIT License

PowerShell 100.00%

adcstemplate's People

Contributors: goateepfe, ixniz

adcstemplate's Issues

Custom application policy and certificate policy OIDs are not exported

In ADCS, PKI administrators may define custom application policies (the MSFT analogue of the Enhanced Key Usage extension) and certificate policies. When exporting a certificate template, it might be reasonable to export custom (non-standard) OIDs as well and register them in the target forest if they are absent.

  • Application policies are simple OID<=>VALUE mappings.
  • Certificate policy OIDs are the same OID<=>VALUE mappings, but contain additional policy qualifiers:
    -- CPS (certificate practices statement) location URL
    -- Short description (user notice)

Both are optional, but at least one policy qualifier must be specified. ADCS does not allow empty policies.

Certificate template revision numbers should be updated

When exporting a certificate template, it is considered a duplicate, and the revision numbers should not be exported as is; instead, they shall be updated as follows:

-- Revision DS attribute is set to 100.
-- msPKI-Template-Minor-Revision DS attribute is incremented by 1.

Depending on the desired template schema version, the msPKI-Template-Schema-Version attribute must be set to either 2, 3 or 4. This should be a user-provided value.

This is because you shall not import V1 (msPKI-Template-Minor-Revision=1) certificate templates. Only custom templates can be imported.

Certificate template assignment to enterprise CAs

Your .psm1 file contains the following code that assigns imported/generated certificate template to all enterprise CAs in the forest. However, the relevant code part contains this line:

Set-ADObject -Identity $CA.DistinguishedName -Add @{certificateTemplates=$DisplayName} -Server $Server

Certificate templates are referenced by common name (CN attribute), not by DisplayName attribute.

OID entry name in OID container is not random

You have a function Get-RandomHex that generates a random HEX string for the OID entry name in the OID container. Actually, these names are not truly random; they depend on the actual OID value and are generated as follows:

OID entry name format: [X.Y]
Where X -- is the first (up to) 16 characters of the last OID arc. If the last arc exceeds 16 characters, it is truncated to 16 characters.
Where Y -- is the MD5 hash calculated over the Unicode OID value string.

This technique is used in order to support O(1) OID lookup instead of enumerating all OID entries in OID container.
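The naming scheme described in this issue, implemented as an added example (not code from the ADCSTemplate module). It also covers the first issue's point about registering custom policy OIDs in the target forest: the computed name gives a direct lookup, so a template's policy OIDs can be checked for registration before import. Assumed here, since the issue does not state them: the MD5 input is the OID string in UTF-16LE (.NET "Unicode"), the digest is written as uppercase hex, and the function names are hypothetical.

```powershell
# Added example, not part of the ADCSTemplate module. Name format as described in
# the issue above: "<first 16 chars of the last arc>.<MD5 of the OID string>".
# Assumed (not stated on the page): UTF-16LE input to MD5 and uppercase hex output.
function Get-ADCSOidEntryName {
    param([Parameter(Mandatory)][ValidatePattern('^\d+(\.\d+)+$')][string]$Oid)
    $lastArc = ($Oid -split '\.')[-1]
    if ($lastArc.Length -gt 16) { $lastArc = $lastArc.Substring(0, 16) }
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try     { $hash = $md5.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Oid)) }
    finally { $md5.Dispose() }
    return '{0}.{1}' -f $lastArc, (-join ($hash | ForEach-Object { $_.ToString('X2') }))
}

# Direct lookup of the OID object by its computed name (no enumeration of the
# OID container). Returns $null when the OID is not registered in the forest.
function Get-ADCSOidObject {
    param(
        [Parameter(Mandatory)][string]$Oid,
        [Parameter(Mandatory)][string]$ConfigNC,
        [string]$Server
    )
    $ad = @{ ErrorAction = 'Stop' }
    if ($Server) { $ad.Server = $Server }
    $dn = 'CN={0},CN=OID,CN=Public Key Services,CN=Services,{1}' -f (Get-ADCSOidEntryName $Oid), $ConfigNC
    try   { Get-ADObject -Identity $dn -Properties msPKI-Cert-Template-OID, displayName, flags @ad }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $null }
}

# Pre-import check: given the policy OID values a template references (for example
# the msPKI-Certificate-Application-Policy and msPKI-Certificate-Policy entries of
# an exported JSON), return the ones that still need to be registered in the forest.
function Get-ADCSUnregisteredPolicyOid {
    param(
        [Parameter(Mandatory)][string[]]$Oid,
        [Parameter(Mandatory)][string]$ConfigNC,
        [string]$Server
    )
    foreach ($o in ($Oid | Sort-Object -Unique)) {
        if (-not (Get-ADCSOidObject -Oid $o -ConfigNC $ConfigNC -Server $Server)) { $o }
    }
}

# Usage: compute the container entry name for the template OID quoted in the
# enrollment error further down this page (value taken from that error message).
# Get-ADCSOidEntryName '1.3.6.1.4.1.311.21.8.9859221.16429217.5656198.9359005.7585435.138.94555984.49861486'
```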

Certificate template assignment to enterprise CAs in the forest

Your .psm1 file contains the following code that assigns imported/generated certificate template to all enterprise CAs in the forest:

#region ISSUE
If ($Publish) {
    ### WARNING: Issues on all available CAs. Test in your environment.
    $EnrollmentPath = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
    $CAs = Get-ADObject -SearchBase $EnrollmentPath -SearchScope OneLevel -Filter * -Server $Server
    ForEach ($CA in $CAs) {
        Set-ADObject -Identity $CA.DistinguishedName -Add @{certificateTemplates=$DisplayName} -Server $Server
    }
}
#endregion

This code part should be removed from the *.psm1 file. There is a compatibility dependency for certificate templates based on the CA version. The reasons are:

Not all certificate templates are supported by all CAs in the forest. For example, Windows Server 2003 Standard Edition and Windows Server 2008 Standard Edition CAs support V1 templates only. Windows Server 2003 Enterprise and Datacenter Editions support only V1 and V2 templates. Windows Server 2008 Enterprise and Datacenter editions support V1, V2 and V3 templates only. Windows Server 2008 R2-based CAs (any edition) support V1, V2 and V3 certificate templates. Only Windows Server 2012-based CAs support V1-V4 templates by default. This means that you have to either do conditional version checking when adding certificate templates or remove the code completely. It is a bit complicated, so I think it is better to remove this part completely.

Template version is determined by SchemaVersion attribute.
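A version-gated alternative to the publish block quoted above, added here as an example and not code from the ADCSTemplate module. It applies the compatibility table from this issue and the earlier issue's point that CA entries reference templates by CN, not DisplayName. Assumptions: the ActiveDirectory module is loaded, $ConfigNC and $Server are supplied as in the module's own block, the CA's generation is read from its host computer's operatingSystem attribute, and the function name is hypothetical.

```powershell
# Added example, not code from the ADCSTemplate module. Reading the CA host's
# operatingSystem attribute to decide which template versions it supports is an
# assumption of this example; the version table itself comes from the issue text.
function Publish-ADCSTemplateToCompatibleCAs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # template CN, not DisplayName
        [Parameter(Mandatory)][string]$ConfigNC,
        [string]$Server
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $pks = "CN=Public Key Services,CN=Services,$ConfigNC"
    $tpl = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,$pks" `
                        -Properties msPKI-Template-Schema-Version @ad
    $schema = [int]$tpl.'msPKI-Template-Schema-Version'

    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel `
                        -Filter * -Properties dNSHostName, certificateTemplates @ad
    foreach ($ca in $cas) {
        $caHost = Get-ADComputer -Filter "DNSHostName -eq '$($ca.dNSHostName)'" `
                                 -Properties OperatingSystem @ad
        $os = [string]$caHost.OperatingSystem
        # Highest template schema version per CA generation, per the issue text.
        # Order matters: "2008 R2" must be tested before the plain "2008" patterns.
        $max = switch -Regex ($os) {
            '2003.*(Enterprise|Datacenter)' { 2; break }
            '2003'                          { 1; break }
            '2008 R2'                       { 3; break }
            '2008.*(Enterprise|Datacenter)' { 3; break }
            '2008'                          { 1; break }
            '20(1[2-9]|2\d)'                { 4; break }
            default                         { 0 }      # unknown OS: do not publish
        }
        if ($schema -gt $max) {
            Write-Warning "$($ca.Name) ($os) supports up to V$max templates; skipping V$schema template '$TemplateName'"
            continue
        }
        if ($ca.certificateTemplates -contains $TemplateName) { continue }   # already published
        if ($PSCmdlet.ShouldProcess($ca.Name, "Publish template '$TemplateName'")) {
            Set-ADObject -Identity $ca.DistinguishedName -Add @{ certificateTemplates = $TemplateName } @ad
        }
    }
}
```

Run with -WhatIf first to see which CAs would receive the template and which are skipped for version reasons.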

PowerShell Gallery version does not have the bugfixes

Hi,

I encountered an issue when creating a template.
The msPKI-RA-Application-Policies attribute would not get filled.

It seems that this has been fixed in the code in this repository, but the PowerShell Gallery does not reflect that change.

So I needed to manually download the files from this module to get things working.

The PSGallery version matches the one in the .psd1 file. Just the code is different.

Unable to import module to Azure Automation

The module (especially its DSC part) cannot be used in Azure Automation, as ADCSTemplate.psm1 starts with a line that contains #requires -Version 5.0 -Modules ActiveDirectory


Enable pipeline parameter binding

Get-ADCSTemplate -DisplayName Foo | Remove-ADCSTemplate
Export-ADCSTemplate -DisplayName Foo | New-ADCSTemplate -DisplayName Foo2

New-ADCSTemplate creates something weird

Hi,

Here is my issue:
I create a template, then: Export-ADCSTemplate -DisplayName "Web Server Template" > .\webservertemplate.json

After that, I delete the template from the server and run:
New-ADCSTemplate -DisplayName 'Web Server Template' -JSON (Get-Content .\webservertemplate.json -Raw) -Identity "Contoso\DC$"

Then I issue the certificate. All good so far.
But when I now request this certificate and try to enroll it I get:

Active Directory Certificate Services denied request 11 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE). The request was for CONTOSO\DC$. Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: 1.3.6.1.4.1.311.21.8.9859221.16429217.5656198.9359005.7585435.138.94555984.49861486.

Certificate enrollment for Local system failed to enroll for a WebServerTemplate certificate with request ID 11 from dc.Contoso.Azure\Contoso Certificate Authority (The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)).

I guess something gets broken during this export/import.

Error issuing certificate after creation

Hi,

I'm trying to automate building dev/test environments and we need a PKI solution.
We are using Server 2022.

I can successfully export and create using the JSON files, but when I try to use the certificate, I get the error in the image.
"The request was for a certificate template that is not supported by the Active Directory Services policy"
"The requested certificate template is not supported by this CA 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)"

Looking at the template in AD with ADSIEdit, I noticed the property "msPKI-RA-Application-Policies" isn't populated on the imported template. The expected value is in the JSON.

If I copy the value from the template I exported from, into the new template missing the values, the new template works.


Missing OID only newly imported certificates

Hi,

I'm using the module in an automated build of dev/test environments, using ADCSTemplate through DSC.
Everything works fine, templates are imported and published in the CA.
We import 18 templates (copy of prod) and everything (AD, CA etc) is built from scratch on Server 2022 in Azure.

But quite randomly, some of the templates just don't work. I can't see them at all when trying to request them using the Certificate MMC (certlm.msc and certmgr.msc), as I can with the working ones.
Which ones fail is completely random, every time I deploy the complete environment.

Turns out the attribute msPKI-Cert-Template-OID isn't populated with the forest OID on some of the newly imported templates.

Searching for all newly imported templates, in an AD + CA installed overnight.

From the template in AD - missing the forest OID.

I made a simple DSC function using the 'Script' resource, to look for templates matching our naming and where msPKI-Cert-Template-OID starts with a dot.
Then I add the missing forest OID and then they work ;-)
