First of all, fantastic script! It really makes certificate tasks so much easier!

For those of us who are requesting certs against a template that has the Issuance Requirements > CA certificate manager approval option enabled, the script fails since the certificate hasn't been approved and issued by the time the script goes to retrieve it.

My attempts fail with the following output:

C:\Users\ADMINI~1\AppData\Local\Temp\TESTCERT.cer
Request-Certificate.ps1: certreq -accept command failed

Has there been any consideration on ways to work around this, either by pausing the script until the requester presses a key, running a loop to check for cert approval every 30s or allow the script to be re-run at a later time with a 'retrieve and complete issuance' switch?

I have attempted to mess around with pausing the flow and even just trying to complete the certificate issuance in the computer's certlm but, while it sees the certificates in Certificate Enrollment Requests certificate store, the retrieval option just sees them all as "Enrollment Pending" even though they have been approved for issuance by the CA.

This code uses the legacy provider for requesting keys. While many MS CS services are configured to use this provider one should move to Microsoft Software Key Storage Provider (KSP) for all new deployments.

I suggest to add the KSP provider as default and add a "-legacy" switch.

https://www.pkisolutions.com/understanding-microsoft-crypto-providers/ - PKI Solutions have a nice overview of the various providers available.

$CAs = [System.DirectoryServices.DirectorySearcher]:: new($searchBase,'objectClass=pKIEnrollmentService').FindAll()#

This command is giving below error ,

C:\Users\Administrator\Desktop\cert_new.ps1 : Method invocation failed because [System.DirectoryServices.DirectorySearcher] does not contain a method named 'new'.
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,cert_new.ps1

I've found out, that current code is not compatible with PS7 slightly.

Changing
$certbytes | Set-Content -Encoding Byte -Path $pfxPath -ea Stop
to
$certbytes | Set-Content -AsByteStream -Path $pfxPath -ea Stop

Fixed the issue for me.
Please consider changing it in repository.

During Execution of script, we are getting the below error :

Template Name not found .

But are having the template name as EX : xxxx Web Server .

Kindly help .

While executing the script I encouter the error message below:

"The system cannot find the file specified
C:\xxxxx\temp\Server.cer"

I check in the temp folder and I have 3 files:

• xx.rsp
• tmp92A3.tmp
• tmp92A4.tmp

I think the issue is where the script is not renaming the temp file to Server.cer

Any help would be appreciated.

First certificate in the .csv chain executes perfectly. Every fourth certificate in the csv chain executes perfectly. All other entries in the chain fail to submit because they "Certificate Request Processor: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)" can't find the .tmp file. Looking in %LOCALAPPDATA%\Temp the requisite .tmp file for the request is not present. Every 3rd certificate request in the .csv opens an explorer window.

Presented with a CSV of:

CN
S2TESTR001
S2TESTR002
S2TESTR003
S2TESTR004
S2TESTR005
S2TESTR006
S2TESTR007
S2TESTR008
S2TESTR009
S2TESTR010
S2TESTR011
S2TESTR012
S2TESTR013
S2TESTR014
S2TESTR0015

the 1st, 5th, 9th, and 13th (every fourth) execute, all of the others inbetween fail with '.tmp' not found.

Import-Csv .\file.csv -UseCulture | .\Request-Certificate.ps1 -verbose -TemplateName "MyCustomMachineTemplate" -Export -ExportPath "C:\TEMP" -Password "password" -CAName "ca.myserver.com\MYCANAME"

When using CSV list, CAName gets updated with certreq's -config argument after first execution, thus any following entries will fail with invalid CAName given to the certreq.

Please add following fixup starting @ line 367:

+       $CANameArg = ""
        if (!$CAName -eq "") {
-           $CAName = " -config `"$CAName`""
+           $CANameArg = " -config `"$CAName`""
        }

-       Write-Debug "certreq -submit$CAName `"$req`" `"$cer`""
-       Invoke-Expression -Command "certreq -submit$CAName `"$req`" `"$cer`""
+       Write-Debug "certreq -submit$CANameArg `"$req`" `"$cer`""
+       Invoke-Expression -Command "certreq -submit$CANameArg `"$req`" `"$cer`""

The following line is converting the SAN array to a string,

$SAN = "DNS=$CN" + $SAN #Add CN as first SAN entry

and can be fixed by making the modification,

$SAN += "DNS=$CN" #Add CN as first SAN entry

to preserve the array and prevent it from mangling the SAN in the request.

PSVersion                      5.1.17763.1490
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1490
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Fantastic script, Does everything I need except for setting a password on the exported PFX file.
I might be missing something but is there anyway to do this?#

Firstly, thank you for this script, it's fantastic!!

At present we are able to use it when passing in the parameters normally, our goal is to use this for a large amount of servers so attempting to test with the Import-CSV is yielding something strange.

At present our CSV is setup as the example:
First row - CN;SAN
Second row - servername;DNS=servername

When we run the commands the cert is generating but being issued to:

@{cn;san=servername;DNS=servername}

The 'Subject' shows that same name, and there is no SAN listed. Quite perplexed as to why it would be doing this as it definitely is working when passing those values in directly via the parameters.

Thanks in advance!

Requesting a cert for ".what.ever" works, when trying to save ".what.ever.rsp" or "*.what.ever.pfx"

After the execution of the script, the certificate is getting installed and we can see manually in the MMC console , but not able export it and located export path

Hi,

I'm trying to use the script to generate user certificates. As the script only works in the Machine/Device store I get a popup that context conflicts with user context.

Is it possible to add a switch for user/machine context?

gr,
Tom

Hi,

Firstly thanks for this awesome script.

I would like to know of the best way to run this on several machines using the Invoke-Command command and using a CSV as a source for the list of remote computers.