Comments on this page are supposed to improve article content and no technical support is provided. For technical questions, please visit project home page at: GitHub
Vadims Podāns 23.08.2018 19:57 (GMT+2) New-SelfSignedCertificateEx

> EKU was wrong because my OS language is not English, so the EKU's friendly name must be written using the OS's language

It is correct, OIDs are localizable. One workaround is to use OID values instead of friendly names.

> Non-initialized Object (translated error message)

Did you make any modifications to the script? Also, I would suggest reviewing the error, or submitting it on GitHub (this page is not a support portal; it is used only for documentation quality issues).

To read the error, run the command that raises the error, then investigate the $Error variable:

$error[0].innerexception.psbase

This command will reveal some useful information for debugging. You can submit this information on GitHub.
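The two points raised in this thread, passing EKU values as OIDs so the input does not depend on the OS display language, and unwrapping the COMException that New-SelfSignedCertificateEx surfaces, can be put together in one script. The following is an added example, not code from the PSPKI project or from any of the commenters. It assumes Windows PowerShell on a machine where the CertEnroll COM library (X509Enrollment.CObjectId) is available; the helper name Resolve-EkuOid is invented here, and the assumption that the .NET System.Security.Cryptography.Oid class resolves the English friendly name regardless of locale is noted in the code.

```powershell
# Added example (not part of PSPKI or the comments on this page).
# Turns EKU entries given either as dotted OIDs or as English friendly names
# into OID values, which is the locale-independent form the cmdlet accepts.
function Resolve-EkuOid {
    param([Parameter(Mandatory)][string[]]$EnhancedKeyUsage)

    foreach ($entry in $EnhancedKeyUsage) {
        # CObjectId is the same CertEnroll object the cmdlet initializes internally.
        $oid = New-Object -ComObject X509Enrollment.CObjectId

        if ($entry -match '^\d+(\.\d+)+$') {
            # Already a dotted OID, e.g. 1.3.6.1.5.5.7.3.1 (Server Authentication).
            $oid.InitializeFromValue($entry)
        } else {
            # Assumption: the .NET Oid class maps the English friendly name to its
            # value via crypt32, independent of the OS display language, whereas the
            # CertEnroll friendly name is localized (the cause of the error in this thread).
            $net = New-Object System.Security.Cryptography.Oid($entry)
            if ($net.Value -notmatch '^\d+(\.\d+)+$') {
                # Unknown names are passed through unchanged by .NET, so fail early
                # with a useful message instead of the generic "Incorrect parameter".
                throw "Unknown EKU friendly name '$entry'; pass the dotted OID instead."
            }
            $oid.InitializeFromValue($net.Value)
        }

        [pscustomobject]@{
            Input        = $entry
            Value        = $oid.Value
            # This name comes from CertEnroll and is localized (Spanish on a Spanish OS).
            FriendlyName = $oid.FriendlyName
        }
    }
}

# Usage: resolve a mixed list, show the mapping, and feed only the OID values to the cmdlet.
$eku = Resolve-EkuOid 'Server Authentication', '1.3.6.1.5.5.7.3.2'
$eku | Format-Table -AutoSize

try {
    New-SelfSignedCertificateEx -Subject "CN=$env:COMPUTERNAME" -EKU $eku.Value `
        -StoreLocation 'LocalMachine' -Exportable -ErrorAction Stop
} catch {
    # Unwrap the COMException as the author recommends: the HRESULT (e.g. 0x80040007)
    # and the inner message are what identify the failing CertEnroll call.
    $_.Exception, $_.Exception.InnerException |
        Where-Object { $_ } |
        Format-List -Property Message, HResult
}
```

The regular expression accepts only dotted-decimal input as an OID, so a typo in a friendly name is reported before the cmdlet is invoked; on the same machine, `$eku.FriendlyName` shows the localized names CertEnroll would have expected, which is why name-based input fails on a non-English OS while the OID values work everywhere.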

Marc Esteve 23.08.2018 12:01 (GMT+2) New-SelfSignedCertificateEx

I'm sorry about the multiple posts :( I'd rather edit a previous one, but I think there's no option for this.

EKU was wrong because my OS language is not English, so the EKU's friendly name must be written using the OS's language :)

I could find the translation by using OIDs, doing:

# Server Authentication: initialize from the OID value, then read the localized FriendlyName
$OID = New-Object -ComObject X509Enrollment.CObjectID
$OID.InitializeFromValue('1.3.6.1.5.5.7.3.1')

# Client Authentication
$OID2 = New-Object -ComObject X509Enrollment.CObjectID
$OID2.InitializeFromValue('1.3.6.1.5.5.7.3.2')

Nevertheless, I now find another problem which is so generic that it doesn't give me any clue:

Non-initialized Object (translated error message)

New-SelfsignedCertificateEx : Objeto no inicializable (Excepción de HRESULT: 0x80040007 (OLE_E_BLANK))
At line:3 char:1
+ New-SelfsignedCertificateEx `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [New-SelfSignedCertificateEx], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,New-SelfSignedCertificateEx


Marc Esteve 23.08.2018 11:29 (GMT+2) New-SelfSignedCertificateEx

I forgot to mention that I checked that Remote System Administration Tools was installed.

I tried generating the certificate both on a Server 2008 R2 and on a Server 2012, with WMF 5.1 and the aforementioned tools.

I also tried to run an example from Get-Help New-SelfSignedCertificateEx -Examples

New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" `
     -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
     -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdsa_p256 `
     -KeyLength 256 -SignatureAlgorithm sha256

and got the same EKU-related error.

Marc Este 23.08.2018 10:08 (GMT+2) New-SelfSignedCertificateEx

Hello Vadims,

good to see you moved the code from TechNet gallery to GitHub.

Trying to run this, from an example on securing DSC MOF files,

New-SelfsignedCertificateEx `
    -Subject "CN=${ENV:ComputerName}" `
    -EKU "Server Authentication" `
    -KeyUsage 'KeyEncipherment, DataEncipherment' `
    -SAN ${ENV:ComputerName} `
    -FriendlyName 'DSC Credential Encryption certificate' `
    -Exportable `
    -StoreLocation 'LocalMachine' `
    -KeyLength 2048 `
    -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
    -AlgorithmName 'RSA' `
    -SignatureAlgorithm 'SHA256'

I stumble into an error regarding the EnhancedKeyUsage (EKU) parameter, which states:

ForEach-Object : CertEnroll::CObjectId::InitializeFromValue: Incorrect parameter

and points to line 89 of C:\Program Files\WindowsPowerShell\Modules\PSPKI\3.3.0.0\Client\New-SelfSignedCertificateEx.ps1

+ $EnhancedKeyUsage | ForEach-Object

I cannot see why the EKU value "Server Authentication" is wrong.

Any help is very much appreciated.

Greetings


Kav 07.08.2018 16:10 (GMT+2) New-SelfSignedCertificateEx

Thank you so much for this!!! MS has unfortunately left Windows Server 2012 R2 high and dry and not provided it with the new fully featured New-SelfSignedCertificate cmdlet (Windows 10 and Server 2016 only); this is a brilliant solution :)