Armando 06.04.2021 21:59 (GMT+3) Root CA certificate renewal

Thanks for your responce. I renewed the certificate with a new key.

When I run, certutil -dspublish XXXCA(2).crl

I get:

PS C:\Windows\system32\certsrv\certenroll> certutil -dspublish vcuCA(2).crl
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

On pkiview:

CDP Location #1 Unable to Download the the ldap location url string.

DeltaCRL Locaiton#1 Unable To Download and the location url string.

From what I know, the cert server is 2016, but at one point the cert server was 2018 and got migrated over. 

I have search and search and do not find the correct instructions on how to proceed. I was hoping someone here has any idea or has experience the same issue.

When I right click on the new cert and look at it's properties, the URL=http:// points to the old server, under the CRL Dirstribution Points.

please help, the existing cert expires end of this month.


criffo 05.04.2021 17:30 (GMT+3) Efficient way to get AD user membership recursively with PowerShell

Hi Stanvy,

Excellent I didn't know about this LDAP_MATCHING_RULE_IN_CHAIN

Very practical but still; it is a comparaison until last parent to control if user is a nested member of a group or serie of groups by DN property

Is there a way to get the tree of an adboject memberships; starting form the object and get results from other forests as well ?

Thank you in advance

Actually I did that using the ldapsearcher class but I admit it is quite a long script (avaimabme opn github Criffo : getadobjectmemberof custom)

Actually we needed for users review and memberhips based on a reference user even if we could use the get=adprincipal ... we needed to find any multile memeberships by group depencies in cas of example cross nodes netsing

Peter Johnson
Peter Johnson 05.04.2021 08:52 (GMT+3) Manage pending certificate requests in ADCS with PowerShell

Hi Vadims,

I'm trying to view the SAN of a pending request (that was signed with a 'certificate request agent' certificate and submitted on behalf of another user).

This step errors out for me:

req = New-Object System.Security.Cryptography.X509CertificateRequests.X509CertificateRequest(,$reqbytes)

With the following error:

Exception calling ".ctor" with "1" argument(s): "ASN1 bad tag value met."


I am able to successfully dump the request using 'certutil -dump'; it's only with X509CertificateRequest that I get an error.

Could you kindly look into this?


p.s. X509CertificateRequest works fine if it's a regular CSR that was not signed by a 'certificate request agent'.

(I'm trying to do enroll on behalf here, and need to verify the SAN)


Thank you!

David Cross
David Cross 02.04.2021 22:34 (GMT+3) 34 PKI & ADCS Whitepapers You Must Read

A great collection of some of my papers from almost 20 years ago!  The memories...

Jon Pennycook
Jon Pennycook 31.03.2021 19:34 (GMT+3) Export and import certificate templates with PowerShell

Never mind - I see "Existing OID reuse is not supported" in the Description of the Import- script.