Hi Vadims - Thanks for this post. I have a question on cross forest enrollment.
We have two way trust between the resource (has the root and issuing CA) and account forest. I am trying to copy one template from resource to account forest running pkisync.ps1 but get write error. I can see template created in account forest but its incomplete. The account used has full permissions on Certificate Template and OID containers in AD. I also tried creating the template manually directly on account forest with same name and properties but the server in account forest cant see the template in MMC for enrollment. It is unavailable and error is "The requested certificate template is not supported by this CA. A valid certification...."
The template in resource forest is added to the issuing CA and being used for enrollment by servers in resource forst. When creating manually the oid is different to one in resource forest. Does the oid need to be same between resource and account forest in this case?
You are a hero, thank you so much for posting this code, I have been trying to figure out a way to do this and I was unable to do so. I had to make a few small changes to get it working under powershell 5.0 on Windows 10 21H2, however after these changes were made it works flawlessly.
The changes which I made were below:
Change 1:
I changed line 41 to this (As Per Daniel in an above comment) :
$Thumbprint = $CertMapping[$ComboBox.SelectedItem]
$cert = $Certs.Find("FindByThumbprint", $Thumbprint, $false)[0]
$status = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert -TimestampServer $Timestamp -HashAlgorith SHA256
Change 2:
Declare $cert as a global variable to make the "view certificate" button work. Signing works without this but viewing the cert does not.
Hello Shiva, please check updated version. There was a bug in the script and I believe it is now fixed.
Hi,
Really appreciate sharing this info. I am using this example to convert a private key but in this case, the length of the key is 3072 and it is ending an error when executing the following code:
[byte[]]$bitLen2 = Invoke-Expression 0x$([int]$bitLen.Substring(2,2))
Cannot convert value "0C" to type "System.Int32". Error: "Input string was not in a correct format."
At C:\Users\kirashiv\Documents\CertRequest\codesign_2022\CertModule.ps1:231 char:47
+ ... byte[]]$bitLen1 = Invoke-Expression 0x$([int]$bitLen.Substring(0,2))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvalidCastFromStringToInteger
0x : The term '0x' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:1
+ 0x
+ ~~
+ CategoryInfo : ObjectNotFound: (0x:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Can you please advise what can be done to add support for increased key length?
Regards,
-Shiva
Do applications work after both the signer certificate and timestamp certificate expire?
Who is responsible to renew timestamp certificate?